The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued a warning regarding vulnerabilities in third-party applications used by entities covered by HIPAA. The OCR warning applies generally to HIPAA Covered Entities and Business Associates. While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems (like Windows) and install updates and patches as needed (we hope), OCR reported that companies are less likely to do the same for third-party applications (like Adobe’s Acrobat or others). Continue Reading OCR Warns of HIPAA Risks in Third-Party Apps
The number one threat to a company’s information (personal or confidential) is still its own employees. Data security and privacy training are the first lines of defense against negligent employee behavior.
Join us tomorrow (6.22) at 1 PM ET for a webinar in which we will explore why traditional training programs are falling short and what you can do to boost your efforts and counter top concerns regarding malicious and negligent employee handling of personal and confidential data.
CLE credit available in NY and CA
Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health record (EHR) company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances underlying the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation. There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers. Read on. Continue Reading Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content
At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.
The protocol covers the following subject areas:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Breach Notification Rule requirements.
OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.
Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate’s name, contact information, type of services, and website.
Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.
As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment. Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.
Originally posted to Mintz Levin’s Health Law & Policy Matters Blog on 4/20/16
The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2. Continue Reading Phase 2 HIPAA Audits Coming to You: Check Your Spam Filter!
For our HIPAA-covered entity readers, we have asked these questions before: Have you taken a business associate inventory? Have you undertaken a comprehensive risk assessment as required by HIPAA?
It’s all getting real – read on. Continue Reading Pay Attention to Business Associate Agreements!
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday, March 4 that it was the latest victim of a cyber-attack, this one affecting 2.2 million individuals. When did the attack occur? Months ago. Read on for the gory details. Continue Reading Not again …. yet another health care data breach
Ransomware attacks, in many variations, have been on the increase lately. Cryptolocker and Cryptowall are the two most prevalent strains, but a Forbes article about the Hollywood Presbyterian Medical Center (HPMC) attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the same article, is infecting about 90,000 machines a day.
Details of the HPMC Incident
On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:
- Backing up data onto segmented networks or external devices and making sure backups are current. Backups that an infected machine can reach will be encrypted along with everything else, so the separation matters as much as the schedule. Current, isolated backups protect you from data loss of any kind, whether caused by ransomware, flood, fire, or theft, and if your systems are adequately backed up you may not need to pay a ransom to get your data back.
- Don’t be the low-hanging fruit: keeping software patches and anti-virus signatures current will certainly help. Many attacks rely on exploiting security bugs for which fixes are already available.
- Installing pop-up blockers and ad-blocking software.
- Implementing browser filters and smart email practices.
Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams. If you are a HIPAA-covered entity, you should be checking in with Mintz’s Health Law & Policy Matters blog on a regular basis.
FBI on Ransomware
One of the big questions arising out of the HPMC and other ransomware cases is: do we pay? If your business is about to grind to a halt, you likely have no choice. However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips. Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.
When in Doubt, Don’t Be a Click Monkey!
Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:
- A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.
- A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.
- A bank with which you do not do business asking you to reset your password.
- A message with an attachment but no text in the body.
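The clues above are the kind a mail gateway or a triage analyst can also check mechanically. The following is an added example, not code from the original post: a small Python scorer that parses a message with the standard library `email` package and raises a flag for each of the four patterns. The keyword lists, the `trusted_domains` allowlist (sender domains of the banks, carriers and vendors the recipient actually does business with) and the sample messages are all constructed assumptions for illustration.

```python
"""Contextual-clue triage for inbound e-mail (added example, not the original post's code).

Each check maps one red flag from the post onto something evaluable from the message
itself. Keyword lists, the trusted-domain allowlist and the sample messages are
constructed assumptions for illustration.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Illustrative keyword lists (assumption): a real deployment would tune these.
SENSITIVE_TERMS = ("tax", "w-2", "bank account", "password", "login", "log-in")
RESET_TERMS = ("reset your password", "verify your account", "confirm your identity")
SHIPPING_TERMS = ("shipping confirmation", "your package", "tracking number")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _sender_domain(msg: EmailMessage) -> str:
    pairs = getaddresses([str(msg.get("From", ""))])
    return _domain(pairs[0][1]) if pairs else ""


def _recipients(msg: EmailMessage) -> set[str]:
    # Everyone visible in To: and Cc:, de-duplicated and case-folded.
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def _body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content().strip() if part is not None else ""


def triage(raw: bytes, trusted_domains: set[str]) -> list[str]:
    """Return the contextual red flags raised by one RFC 5322 message.

    trusted_domains: sender domains the recipient has a real relationship with
    (assumed to come from the organisation's own records, not from the message).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    body = _body_text(msg)
    text = subject + "\n" + body.lower()
    sender = _sender_domain(msg)
    flags: list[str] = []

    # Sensitive topic (taxes, accounts, credentials) sprayed to several recipients.
    if any(t in text for t in SENSITIVE_TERMS) and len(_recipients(msg)) > 1:
        flags.append("sensitive-topic-with-multiple-recipients")
    # Password-reset language from an institution the recipient has no relationship with.
    if any(t in text for t in RESET_TERMS) and sender not in trusted_domains:
        flags.append("credential-reset-from-untrusted-sender")
    # Shipping notice from a sender that is not one of the recipient's carriers.
    if any(t in text for t in SHIPPING_TERMS) and sender not in trusted_domains:
        flags.append("shipping-notice-from-unexpected-sender")
    # An attachment with nothing in the body is the classic malware-delivery shape.
    if any(True for _ in msg.iter_attachments()) and not body:
        flags.append("attachment-with-empty-body")
    return flags


def build(frm: str, to: list[str], subject: str, body: str,
          attachment: tuple[str, bytes] | None = None) -> bytes:
    """Assemble a constructed sample message as raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, ", ".join(to), subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed sample messages (not real traffic); .example domains are reserved names.
TRUSTED = {"mybank.example", "carrier.example"}
SAMPLES = {
    "tax_blast": build("hr@payroll.example", ["alice@corp.example", "bob@corp.example"],
                       "Your W-2 is ready", "Please confirm your bank account number."),
    "fake_bank": build("alerts@notmybank.example", ["alice@corp.example"],
                       "Action required", "Please reset your password within 24 hours."),
    "fake_parcel": build("noreply@parcel-update.example", ["alice@corp.example"],
                         "Shipping confirmation #4471", "Your package is on its way."),
    "real_parcel": build("noreply@carrier.example", ["alice@corp.example"],
                         "Shipping confirmation #4471", "Your package is on its way."),
    "silent_zip": build("accounts@vendor.example", ["alice@corp.example"], "Invoice", "",
                        attachment=("invoice.zip", b"PK\x03\x04constructed-bytes")),
}


def run_samples() -> dict[str, list[str]]:
    """Run every constructed sample through triage and return name -> flags."""
    return {name: triage(raw, TRUSTED) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(f"{name:12s} {flags or 'clean'}")
```

The point of the `trusted_domains` parameter is that three of the four clues are about context the message cannot supply about itself: whether you actually bank there, whether you expect a parcel, whether a credential request is legitimate. Encoding that context from your own records is what turns the human rule of thumb into a check a gateway can apply, and it is also why the same shipping notice is flagged from one sender and clean from another.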
All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.
Written by Kate Stewart
Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home health care provider announced yesterday, we can now add to that list the fact that PHI should not be stored under an employee’s bed or in a kitchen drawer. Continue Reading Latest OCR Enforcement Action: Underbed Storage is Not Appropriate for PHI
It’s Privacy Monday again – and summer is winding down.
Here are three bytes of privacy/security information to start your week:
1. House Committee Releases HHS Breach Investigation
If you are subject to HIPAA and the oversight of the Department of Health and Human Services (HHS), schadenfreude will probably best describe your reaction.
A report recently released by the House Energy & Commerce Committee revealed that hackers have breached at least five divisions of HHS, including the FDA, in the last three years.
“What we found is alarming and unacceptable,” committee Chairman Fred Upton, Michigan Republican, and Oversight and Investigations Subcommittee Chairman Tim Murphy, Pennsylvania Republican, said in a joint statement. “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack.”
The 27-page review of HHS information security found that the breaches were unsophisticated and the affected agencies “often struggled to provide accurate, clear and sufficient information on the security incidents” during the course of their investigation. According to the committee, officials at two breached agencies were unable to provide accurate details about security incidents within their own networks. “These incidents raise questions about whether information security officials have the appropriate level of expertise,” the report reads.