Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care


Saturday, February 2, 2013

HHS Releases Final HIPAA Privacy and Security Update Final Rule


U.S. Department of Health & Human Services
FOR IMMEDIATE RELEASE
Thursday, January 17, 2013

The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.  “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office of Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.  The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.


The final document is here.

Saturday, January 5, 2013

New tools to help providers protect patient data in mobile devices

U.S. Department of Health & Human Services
Press Release
December 12, 2012

Launched by the U.S. Department of Health and Human Services (HHS) today, a new education initiative and set of online tools provide health care providers and organizations practical tips on ways to protect their patients’ protected health information when using mobile devices such as laptops, tablets, and smartphones.

The initiative is called Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information and is available at www.HealthIT.gov/mobiledevices.  It offers educational resources such as videos, easy-to-download fact sheets, and posters to promote best ways to safeguard patient health information.

“The use of mobile health technology holds great promise in improving health and health care, but the loss of health information can have a devastating impact on the trust that patients have in their providers.  It’s important that these tools are used correctly,” said Joy Pritts, HHS’ Office of the National Coordinator for Health Information Technology (ONC) chief privacy officer. “Health care providers, administrators and their staffs must create a culture of privacy and security across their organizations to ensure the privacy and security of their patients’ protected health information.”

Despite providers’ increasing use of mobile technology for clinical purposes, research has shown that only 44 percent of survey respondents encrypt their mobile devices. Mobile device benefits—portability, size, and convenience—present a challenge when it comes to protecting and securing health information.

Along with theft and loss of devices, other risks, such as the inadvertent download of viruses or other malware, are top among reasons for unintentional disclosure of patient data to unauthorized users.

“We know that health care providers care deeply about patient trust and the importance of keeping health information secure and confidential,” said Leon Rodriguez, director of the HHS Office for Civil Rights. “This education effort and new online resource give health care providers common sense tools to help prevent their patients’ health information from falling into the wrong hands.”

For more information, tips, and steps on protecting and securing health information when using a mobile device visit www.HealthIT.gov/mobiledevices.

Monday, July 30, 2012

Beth Israel Deaconess reveals health data breach

By Kyle Murphy, PhD
EHR Intelligence
Originally published July 20, 2012

The personal health information of close to 4,000 patients at Beth Israel Deaconess Medical Center (BIDMC) has been compromised after a physician’s personal laptop was stolen on May 22, says the Boston Globe. BIDMC officials could not be reached for comment.
Thanks to Ken Pope for this information.

Monday, July 9, 2012

Data breach leads to $1.7M fine for Alaska DHSS

By Erin McCann
Healthcare Finance News
Originally published June 27, 2012

The Alaska Department of Health and Social Services (DHSS) – the state’s Medicaid agency – has agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle possible violations of the HIPAA Security Rule, making it the second largest settlement for HIPAA violations to date.

As part of the settlement, the state has also agreed to take corrective action to properly safeguard the electronic personal health information (PHI) of their Medicaid beneficiaries.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing PHI was stolen from the vehicle of a DHSS employee. PHI from an estimated 2,000 individuals was stored on the device.

The entire story is here.

Editorial Note: Please do not transfer large amounts of personal data from a secure data bank to a jump drive, laptop or other portable storage device.

Tuesday, March 20, 2012

Tennessee insurer to pay $1.5 million for breach-related violations

BlueCross BlueShield agrees to pay HHS for HIPAA violations tied to 2009 breach that exposed data on 1 million members

Computerworld
Originally published March 13, 2012

A 2009 data breach that has already cost BlueCross BlueShield of Tennessee nearly $17 million got a little more expensive Tuesday.

The insurer today agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle Health Insurance Portability and Accountability Act (HIPAA) violations related to the breach.

Under the settlement, BlueCross BlueShield has also agreed to review and revise its privacy and security policies and to regularly train employees on their responsibilities under HIPAA.

The settlement is the first resulting from enforcement action taken by the HHS under Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements.

The notification rules require all HIPAA-covered entities to notify affected individuals of any breach involving their health information. They also require entities to notify HHS and the media in cases where the breach affects more than 500 people.

Leon Rodriguez, director of the HHS Office for Civil Rights (OCR) said the settlement underscores the department's intent to vigorously enforce HIPAA's security and privacy rules.

"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," Rodriguez said in a statement.

Sunday, February 5, 2012

US Health Breach Tally Hits 19 Million

385 Major Incidents Reported Since 2009
Govinfosecurity.com
By Howard Anderson, January 23, 2012

With the tardy addition of the Sutter Health breach, the U.S. tally of major healthcare information breaches now includes 385 incidents affecting more than 19 million individuals since September 2009.

The Department of Health and Human Services' Office for Civil Rights recently added the Sutter Health breach, which occurred in October, to its official tally of breaches affecting 500 or more individuals. It adds incidents once it confirms the details.

Healthcare information on 943,000 individuals was on an unencrypted desktop computer that was stolen in October from a Sutter facility in California; that total is reflected in the official federal healthcare breach tally. But in announcing the breach, Sutter Health noted that two databases with information on 4.2 million patients were on the device.

A database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units, held only limited demographic information on about 3.3 million patients collected from 1995 through January 2011. The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures.

Sutter Health faces two class action lawsuits in the wake of the breach.

Breach List Update

In addition to adding the Sutter Health incident, federal officials added five much smaller incidents to the official breach tally in the past month.

Of the 385 incidents affecting 500 or more individuals that are now included in the official tally after being reported to authorities as required under the HIPAA breach notification rule, roughly 55 percent have involved lost or stolen unencrypted electronic devices or media. About 22 percent have involved a business associate.

The entire story is here.

Friday, December 30, 2011

Digital Data on Patients Raises Risk of Breaches

By Nicole Perlroth
Published 12/18/11
The New York Times: Technology

One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it.

So began a nightmare that cost Mr. Tripathi’s small nonprofit health consultancy nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Not to mention 600 hours dealing with the fallout and the intangible cost of repairing the reputational damage that followed.

Mr. Tripathi’s nonprofit, the Massachusetts eHealth Collaborative in Waltham, Mass., works with doctors and hospitals to help digitize their patient records. His employee’s stolen laptop contained unencrypted records for some 13,687 patients — each record containing some combination of a patient’s name, Social Security number, birth date, contact information and insurance information — an identity theft gold mine.

His experience was hardly uncommon. As part of the 2009 stimulus bill, the federal government provides incentive payments to doctors and hospitals to adopt electronic health records. Some 57 percent of office-based physicians now use electronic health records, a 12 percent jump from last year, according to the Centers for Disease Control.

An unintended consequence is that as patient records have been digitized, health data breaches have surged. The number of reported breaches is up 32 percent this year from last year, according to the Ponemon Institute, a security research group. Those breaches cost the industry an estimated $6.5 billion last year. In almost half the cases, a lost or stolen phone or personal computer was responsible.

The entire story can be read here.

Monday, October 10, 2011

HIPAA Summit West: 1 in 4 Organizations Report Data Breaches

Dom Nicastro, for HealthLeaders Media, September 27, 2011

Ali Pabrai said it best at last week's fifth national HIPAA Summit West at the Grand Hyatt in San Francisco. Pabrai, a data security expert, noted that 97% of chief information officers are concerned about data security.

"My question is, 'Who are these other three percent?'" Pabrai asked the hundreds of laughing attendees.

Pabrai, MSEE, CISSP (ISSMP, ISSAP), of ecfirst's HIPAA Academy in Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those charged with protecting the privacy of patient information, needs to be concerned about data security.

Numbers game

The numbers at the HIPAA Summit told the story:
  • 1 in 4: Organizations reporting a data breach (source: Pabrai)
  • 250,000 to 500,000: Medical identity thefts (source: Pabrai)
  • 330: Organizations reporting a breach of unsecured protected health information affecting 500 or more individuals since September 2009 (source: Office for Civil Rights, or OCR)
  • 34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (source: OCR)

How and where the 500-or-more breaches are occurring:

How:
  • Theft: 50%
  • Unauthorized access disclosure: 20%
  • Loss: 16%
  • Hacking/IT: 7%

Where:
  • Paper records: 24%
  • Laptop: 23%
  • Desktop computer: 17%
  • Portable electronic device: 16%
  • Network server: 10%

In August, McAfee reported that hackers broke into the United Nations data system and hid there for two years unnoticed, Pabrai said.

"How do we know that someone isn't hiding in our systems, and how long have they been there?" Pabrai asked the audience. "Do we have appropriate controls? What is the state of our information security? Do you have intrusion protection and intrusion prevention in place?"

"This is not just a compliance issue," Pabrai said. "This will have significant risk to the organization and will impact your facility in the seven figures."

The entire story can be read here.

Monday, September 5, 2011

OCR Data Breach Tally Passes a Milestone

Dom Nicastro for HealthLeaders Media

Covered entities have reported breaches of unsecured protected health information affecting 500 or more individuals to the Office for Civil Rights (OCR) nearly once every other day since the HIPAA privacy and security enforcer began posting the information 18 months ago.

The list, posted on the OCR breach notification website, hit the 300 mark this week. OCR went live with the site in February 2010, recording breaches that date back to September of 2009.

That's about 13 breaches per month dating back to the fall of 2009.

The website is part of the breach notification interim final rule, in effect since September 2009. OCR withdrew the rule a little more than one year ago from the hands of the Office of Management and Budget (OMB), which reviews rules for government agencies. OCR wanted more time to pursue changes to the rule.

The rest of the story can be read here.

HIPAA Auditor Involved in Own Data Breach

Dom Nicastro, for HealthLeaders Media

The company hired by the Office for Civil Rights (OCR) to conduct nationwide HIPAA privacy and security compliance audits was responsible for a breach that includes the loss of an unencrypted flash drive and affects more than 4,500 patient records.

OCR’s request for audit proposals came in February 2011, about eight months after KPMG, LLP, reported its breach to the New Jersey healthcare system.

KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.

The potential breach affected individuals at two facilities—3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.

The flash drive did not include patient addresses, Social Security numbers, personal identification numbers, dates of birth, financial information, or other identifiable information, according to the report on the Saint Barnabas website.

KPMG reported the matter to the New Jersey healthcare system June 29, 2010. KPMG believes the flash drive was misplaced on or about May 10, 2010, according to Saint Barnabas.