Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care


Sunday, May 11, 2014

Fourth HIPAA breach for Kaiser

By Erin McCann
Healthcare IT News
Originally published April 7, 2014

Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.

The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.

The entire story is here.

Tuesday, June 18, 2013

Large Hospital Breach Caused by Inside Inappropriate Access

Health Data Management
Originally published May 31, 2013

Bon Secours Mary Immaculate Hospital in Suffolk, Va., is notifying about 5,000 patients after discovering a significant amount of inappropriate access to patients’ electronic health records from two employees inside the facility.

“During an April 2013 audit of a patient’s medical record, the health system identified suspicious access that prompted an investigation,” according to a notice the hospital issued. “The investigation revealed that two members of the patient care team accessed patients’ medical records in a manner that was inconsistent with their job functions and hospital procedures, and inconsistent with the training they received regarding appropriate access of patient medical records.”

The entire story is here.

Saturday, February 2, 2013

HHS Releases Final HIPAA Privacy and Security Update Final Rule


U.S. Department of Health & Human Services
FOR IMMEDIATE RELEASE
Thursday, January 17, 2013

The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.  “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways.  Patients can ask for a copy of their electronic medical record in an electronic form.   When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.  The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office of Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.  The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.


The final document is here.

Monday, September 10, 2012

Cancer Care Group Data Breach Exposes Nearly 55,000 Patients

By Kyle Murphy
EHR Intelligence
Originally published August 28, 2012

In a press release today, Cancer Care Group (Indianapolis, IN) announced that a laptop computer containing its computer server backup media was stolen from an employee’s locked car on July 19, 2012. The breach has potentially exposed the protected health information (PHI) or personally identifiable information (PII) of close to 55,000 individuals, including the organization’s own employees. The latest incident comes less than a month after Apria Healthcare reported a similar incident in Arizona where an employee’s car was broken into and a laptop containing information for 11,000 patients stolen.

The entire story is here.

Friday, April 20, 2012

Cardiologists fined $100,000 for Internet privacy violations

By Ken Alltucker
The Republic - azcentral.com
Originally published April 17, 2012

The federal government has fined a Phoenix and Prescott cardiac surgeon medical practice $100,000 for posting patients' clinical and surgical appointment information on an Internet calendar that was available to the public.

The entire story is here.

Wednesday, February 15, 2012

8 Breach Prevention Tips: Action Items Based on Lessons Learned


By Howard Anderson
Govinfosecurity.com
Originally published February 8, 2012


What can be learned from the more than 390 major breaches affecting more than 19 million individuals that have been reported as a result of the federal HIPAA breach notification rule? Plenty, breach prevention experts say.

Here are eight key breach-prevention insights from information security thought-leaders:

1. Don't Forget Risk Assessments

The details of the biggest breaches last year "make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breaches," says Dan Berger, CEO at Redspin.

2. Encrypt Mobile Devices, Media

"Even though encryption is what's referred to as an addressable standard in the HIPAA security rule - which means it's not actually mandated in all cases - I don't see any reason why information shouldn't be encrypted in all cases on portable media and devices," says Robert Belfort, partner at the law firm Manatt, Phelps & Phillips LLP. "That's one step that organizations can take that can address a very significant share of the types of breaches that are occurring."

3. Beef Up Training

"People have to be trained to understand the policies of the organization, and they have to be trained about common-sense safeguards that they can follow to avoid breaches or the misuse of information," Szabo stresses.

4. Conduct Internal Audits

In addition to training, an important step toward addressing internal breach threats is to conduct audits of records access, Belfort says.

5. Monitor Business Associates

About 22 percent of major breaches, including many of the largest incidents, have involved business associates. As a result, it's essential to work with vendor partners to ensure they're taking adequate breach prevention steps.
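The records-access audit recommended in tip 4 is the control that surfaced the Bon Secours insider access described earlier on this page. The following is an added example, not code from the article or from any organization it names: it flags EHR accesses by users who had no treatment relationship with the patient and were not acting in a role whose job function permits that access. The staff directory, care-team assignments, role allowances and log lines are all constructed for illustration.

```python
"""Records-access audit (added example; all data below is constructed)."""
import csv
import io
from collections import namedtuple

Access = namedtuple("Access", "user patient_id action")

# Constructed staff directory: user -> (role, assigned unit).
STAFF = {
    "nurse01": ("nurse", "cardiology"),
    "nurse02": ("nurse", "oncology"),
    "nurse03": ("nurse", "oncology"),
    "clerk01": ("billing", "billing"),
}
# Constructed treatment relationships: patient -> users on the care team.
CARE_TEAM = {"P-1001": {"nurse01"}, "P-2002": {"nurse02"}}
# Constructed patient -> admitting unit.
PATIENT_UNIT = {"P-1001": "cardiology", "P-2002": "oncology"}
# Job functions permitted without a treatment relationship (role -> actions).
ROLE_ALLOWED = {"billing": {"view"}}
# Constructed access-log lines: user,patient_id,action
SAMPLE_LOG = """\
nurse01,P-1001,view
nurse01,P-2002,view
nurse02,P-2002,update
nurse03,P-2002,view
clerk01,P-1001,view
clerk01,P-2002,update
"""

def parse_log(text):
    """Parse CSV log lines into Access records."""
    return [Access(*row) for row in csv.reader(io.StringIO(text)) if row]

def audit(entries, staff, care_team, patient_unit, role_allowed):
    """Return (entry, reason) pairs for accesses inconsistent with job function."""
    findings = []
    for e in entries:
        role, unit = staff.get(e.user, ("unknown", None))
        on_team = e.user in care_team.get(e.patient_id, set())
        if on_team or e.action in role_allowed.get(role, set()):
            continue  # consistent with treatment relationship or job function
        reason = "no treatment relationship"
        if unit != patient_unit.get(e.patient_id):
            reason += "; outside assigned unit"
        findings.append((e, reason))
    return findings

def run_sample():
    """Audit the constructed log; returns (user, patient_id, reason) tuples."""
    found = audit(parse_log(SAMPLE_LOG), STAFF, CARE_TEAM, PATIENT_UNIT, ROLE_ALLOWED)
    return [(e.user, e.patient_id, r) for e, r in found]

if __name__ == "__main__":
    for user, patient, reason in run_sample():
        print(f"FLAG {user} -> {patient}: {reason}")
```

Real deployments would pull the care-team and staff data from the EHR and HR systems rather than literals, and would add rate and after-hours checks, but the treatment-relationship test above is the core of the audit.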

In the Resources section of this blog, there is a White Paper, Preventing a Data Breach and Protecting Health Records – One Year Later: Are You Vulnerable to a Breach? by Kaufman, Rossin & Co., that expands on these security issues.