Author Archives: Frank Sivilli

Massive Data Breach Affects Thousands of NFL Players


The NFL has reported that thousands of players’ health care records were breached in late April after a laptop was stolen from the car of a Washington Redskins trainer.

The records are extensive, dating back a full 13 years. They’re reported to include current and former players’ protected health information (PHI), as well as that of the attendees of the annual scouting Combine.

In an official statement from the NFL to the players’ union about the theft, NFLPA Executive Director DeMaurice Smith said:

The NFLPA [NFL Players Association] has consulted with the U.S. Department of Health and Human Services regarding this matter. The NFLPA also continues to be briefed by the NFL on how they intend to deal with both the breach by a club employee, the violation of NFL and NFLPA rules regarding the storage of personal data, and what the NFL intends to do with respect to notifying those who may be affected. We will keep you apprised of what we hear from the team and League.

The severity of the breach is such that the NFL has contacted the Department of Health and Human Services (HHS), the arm of the federal government that deals with HIPAA enforcement and personal data privacy and security. It’s unlikely that the NFL will be prosecuted as a HIPAA Covered Entity in this breach, sparing it potential fines and litigation. HHS has made it clear that high-profile patients’ medical records must be afforded the same legal protection as anyone else’s. Athletes and celebrities alike face heightened risks to their privacy and are often targeted by attacks on their personal data.

Physical theft continues to plague the health care industry. Paper and physical records are easy targets, but it’s becoming apparent that electronic health records (EHR), the long-heralded solution to this industry-wide problem, fall short of any kind of guaranteed security. Though the stolen laptop containing the players’ health data was password protected, it wasn’t encrypted, and a login password does nothing to protect data on a drive that can simply be removed and read elsewhere.

Even though there have been industry-wide pushes for EHR adoption and migration away from paper records, the integrity of those records can be tenuous without the accompanying encryption and privacy measures needed to ensure they’re being kept secure.

In a statement given to Deadspin, an NFL spokesperson said that: “We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public.” The spokesperson also confirmed that the NFL’s electronic medical record (EMR) system that encompasses player data for the entire league was unaffected by the breach.

Over 112 million Americans had their health data breached in 2015 alone. In this case, HHS has the opportunity to make a decisive statement on EHR adoption and patients’ rights to privacy in an effort to curb the frightening trend that these massive data breaches are starting to take.

Is Apple Finally Entering the HIPAA Game?


For years, Apple has notoriously avoided stepping into the burgeoning HIPAA-compliant health-tech market. Its peers, tech giants the likes of Amazon, Microsoft, Google, and FitBit, have all willingly begun signing Business Associate Agreements (BAAs), allowing their products and services to be used across the health care industry to store, transmit, or create protected health information (PHI).

So when Business Insider reported on a job listing posted by Apple looking for a “Privacy Counsel” focused on HIPAA and Health, heads rightfully turned.

With the exception of third-party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA-compliant messaging and data storage apps that have long been popular with Apple users in the health care field, but its own iMessage messaging service remains insecure and non-compliant.

The job listing itself is vague, asking only for “health privacy expertise” in addition to a slew of requirements that make it clear they’re going for the best in the business to spearhead their interests in HIPAA compliance.

So it seems that Apple is poised to move ahead in a few directions.

They can go the way of Google and develop an end-to-end encrypted messaging service for doctors or other covered entities and business associates. This would serve the function of allowing PHI to be safely transmitted without risking the security or integrity of health data.

The other option is to go the way of health-tech manufacturer FitBit and create a suite of HIPAA-compliant health tracking services for the Apple Watch.

In the year since its release, the Apple Watch has been widely adopted as a health monitoring device. One report from April 2016 indicated that 80% of Apple Watch owners utilize its health and fitness tracking, and 56% say that this is the primary reason they use it.

With discussions of data security and privacy reaching the national stage, the pressure is mounting on tech companies to take the plunge and begin protecting their customers’ data. Apple CEO Tim Cook commented on his plans for the Apple Watch. “One day,” he said, “this is my prediction, we will look back and we will wonder: how can I ever have gone without the Watch? Because the holy grail of the watch is being able to monitor more and more of what’s going on in the body.”

With this renewed focus on health, it’ll be worth watching Apple to see if anything comes of this new job listing and their potential foray into the world of HIPAA compliance.

Iowa Hospital Uncovers Extensive 7-Year Privacy Breach

After seven years of illegally accessing the protected health information (PHI) of 1,620 patients, an employee at UnityPoint Health’s Allen Hospital in Waterloo, Iowa has been reported to the Department of Health and Human Services (HHS) for federal investigation.

Officials at the hospital say that the breach was first uncovered on March 14, 2016. The data that this employee inappropriately accessed over the course of her seven-year stint includes patients’ names, dates of birth, addresses, treatment information, health insurance identification information, and medical record numbers. Social Security numbers may have been viewed in some cases as well.

After the breach was initially discovered, Allen Hospital launched a full review of the employee’s access history, revealing that she had begun inappropriately accessing PHI as early as September of 2009. Allen’s vice president for institutional advancement, Jim Waterbury, commented that the employee’s job entailed regularly accessing PHI, which accounts for the excessive length of time it took for officials to notice that the HIPAA breaches were occurring.

Hospital officials have escalated the issue to the HHS Office for Civil Rights (OCR) and have taken disciplinary action against the employee. They’ve also sent letters to affected individuals to notify them of the breach.

In a statement, Waterbury commented on the incident, saying: “We apologize to our affected patients, and we accept our responsibility to keep this event from happening again.” Luckily, officials at Allen have reported that they’ve found no evidence that would indicate that any of the patients’ data had been stolen or used illegally.

Regardless of the action that OCR pursues, HIPAA regulation makes it clear that excessive and inappropriate access to PHI outside the scope of regular treatment or billing is a breach of patients’ rights to privacy. Health care organizations that allow employees to access PHI must have policies and procedures in place to monitor their access to PHI.

Often, internal auditing and compliance-as-a-service programs can be implemented that give administrators and security or privacy officers the ability to monitor and document employee access to PHI, and to compare that access against the patients each employee is actually assigned to treat or bill. Allen Hospital has introduced just such a program now that the breach has been brought to a close as a means of mitigating future incidents and ensuring that their patients’ rights to privacy are being protected and upheld.
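The monitoring described above only works if someone actually compares access logs against legitimate treatment or billing relationships. The script below is an added illustration of that comparison and is not code from the post or from Allen Hospital. It assumes a constructed audit-log format (`timestamp user= patient= action= dept=`) and a constructed assignment table listing which patient records each employee may access; both are sample data made up for this example. It flags every access to an unassigned patient and, separately, any user who touches a threshold number of distinct unassigned records in one day, which is the pattern a seven-year snooping case would have produced early on.

```python
"""Flag employee access to PHI that falls outside assigned patients.

Added example, not the hospital's own auditing system. Log format and
assignment table are constructed for illustration:
    <ISO timestamp> user=<id> patient=<MRN> action=<view|update> dept=<dept>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real patient or employee data).
SAMPLE_LOG = """\
2016-03-14T08:02:11 user=nurse17 patient=MRN1001 action=view dept=oncology
2016-03-14T08:05:40 user=nurse17 patient=MRN1002 action=update dept=oncology
2016-03-14T08:09:03 user=nurse17 patient=MRN2210 action=view dept=oncology
2016-03-14T08:11:55 user=nurse17 patient=MRN2211 action=view dept=oncology
2016-03-14T08:12:30 user=nurse17 patient=MRN2212 action=view dept=oncology
2016-03-14T09:30:00 user=clerk04 patient=MRN1001 action=view dept=billing
2016-03-14T13:15:22 user=dr_lee patient=MRN1001 action=update dept=oncology
"""

# Constructed treatment/billing relationships: which records each user may open.
ASSIGNMENTS = {
    "nurse17": {"MRN1001", "MRN1002"},
    "clerk04": {"MRN1001", "MRN1002", "MRN2210"},
    "dr_lee": {"MRN1001"},
}

# Opening this many distinct unassigned records in one day is treated as bulk snooping.
UNASSIGNED_DAILY_THRESHOLD = 3


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_unassigned_access(records, assignments):
    """Return (user, patient, iso_timestamp) for each access outside the user's assignments.

    A user missing from the assignment table is allowed nothing, so every
    access by an unknown account is flagged.
    """
    findings = []
    for r in records:
        allowed = assignments.get(r["user"], set())
        if r["patient"] not in allowed:
            findings.append((r["user"], r["patient"], r["ts"].isoformat()))
    return findings


def find_bulk_unassigned(records, assignments, threshold=UNASSIGNED_DAILY_THRESHOLD):
    """Map (user, date) -> count of distinct unassigned patients, for counts at or above threshold."""
    per_day = defaultdict(set)
    for user, patient, ts in find_unassigned_access(records, assignments):
        per_day[(user, ts[:10])].add(patient)
    return {key: len(patients) for key, patients in per_day.items() if len(patients) >= threshold}


def audit(text=SAMPLE_LOG, assignments=ASSIGNMENTS):
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    return {
        "unassigned": find_unassigned_access(records, assignments),
        "bulk": find_bulk_unassigned(records, assignments),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(check, result)
```

In a real deployment the assignment table would come from the EHR's encounter or care-team data and the threshold would be tuned per role (a unit clerk legitimately opens far more charts than a visiting specialist); the point of the example is that the comparison itself is simple once both data sets are available.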

Buffalo Medical Group Denies Alleged “HIPPA” Violations


Receiving HIPAA breach notification letters in the mail has become a disappointingly commonplace occurrence for many Americans over the past few years. In a single breach alone last February, as many as 80 million individuals had their protected health information (PHI) breached by Anthem. HIPAA regulation mandates that breaches be reported to affected patients informing them of the full extent of the information that was exposed.

So when patients of the Buffalo Medical Group received letters informing them that their PHI had been breached, they were rightfully concerned.

The letter detailed a convoluted set of interactions, wherein a former nurse allegedly disclosed the PHI of a number of patients to her boyfriend. In August of 2015, though, the nurse and her boyfriend “had a big breakup and he sent a tell-all letter […] detailing these HIPPA [sic] violations.”

When the Buffalo Medical Group was reached for comment about the content of the letter, however, they said that it was not official, and that the alleged HIPAA violations were entirely unfounded.

The Buffalo Medical Group immediately launched an investigation into the source of the letter, and found that it hadn’t originated from their offices or from any of their employees. The Group released a statement saying that:

“…the letter was fabricated and widely distributed for the sole purpose of harassing the individuals named in the letter, and that the motives of the author are wholly unrelated to the professional conduct of the Buffalo Medical Group or its employees. We are working with our advisors to take appropriate legal action against the responsible party.”

No word yet as to why the letter was sent to these few patients. But this case raises the important question of the legitimacy of the breach notification process. False claims that PHI has been breached can be damaging to the organizational reputation of the practices they impersonate, and can pose dangers to the integrity of targeted patients’ privacy.

Even though the fraudulent letter wasn’t being used to scam patients, similar schemes have circulated widely for years and have been used to harvest data, amounting to identity theft and significant financial or personal stress.

Currently, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) hasn’t released any guidance about the nature of fraudulent breach notification, but one thing is clear: if you receive a letter and see HIPAA spelled “HIPPA,” you’d be wise to give it a second glance.

Malware-Laced USBs Sent to Members of the ADA

USB drives loaded with malware were mistakenly mailed by the American Dental Association (ADA) to its members earlier this month.

According to investigative reporter Brian Krebs, the issue first came to light after an ADA member posted on a security forum saying that he was suspicious of the integrity of the drive when he first received it. The ADA mailed the credit-card-shaped devices in its annual package to members, preloaded with updated “dental procedure codes” that offices use for billing and insurance purposes.

When the code stored on the USB drive was examined, one of the files was found to contain a string that would launch a malicious web page used by hackers to infect targeted computers with malware that could “gain full control of the infected Windows computer.”

The ADA was reached for comment, and said that it sent an email to members with instructions to dispose of the device as a preventative measure. The ADA maintains that only “a handful of reports” were made, and that “many of the flash drives do not contain Malware.” The best means of proceeding here is with caution, though, particularly if clients are considering using their USB drives on computers where protected health information (PHI) is stored.

The ADA has also said that “anti-virus software should detect the malware if it is present,” but it’s unclear how accurate that statement is considering that the malware was originally discovered by a client who needed to access the source code himself before realizing that his device was infected. There’s no word yet about how ADA members whose emails are not on file will be notified of this security threat.

A good security policy outlines the safe use of external media in conjunction with appropriate anti-virus and malware-scanning programs. HIPAA regulation requires that organizations implement physical, technical, and administrative safeguards to mitigate circumstances in which PHI can become compromised. Health care professionals of all disciplines should adhere to organizational policies regarding the safe use of physical media devices such as removable USB drives or SD cards.

Threats to information security are going to continue to surface in increasingly unexpected ways. Even trusted medical associations face exposure to threats, which is why maintaining proper security protocols at all times is absolutely essential to protecting sensitive data and PHI.

Potential HIPAA Violations in the Aftermath of Prince’s Death?


Following Prince’s sudden death on April 21, 2016, media speculation about the causes surrounding the event has already begun to circulate widely.

TMZ has reported that the artist was treated for a drug overdose just six days prior to his death. His private jet was reported to have made an emergency landing in Moline, Illinois where Prince was taken to a hospital just hours after performing in Atlanta.

TMZ cites “several sources in Moline” in their report, saying that doctors gave him treatment “typically administered to counteract the effects of an opiate.” TMZ has since reported that the treatment was given by EMTs in response to a Percocet overdose.

While the story itself does not constitute a HIPAA violation, questions remain about how TMZ obtained the information used in its reporting. If medical professionals or hospital staff disclosed the information about the potential drug overdose, then that would be considered a serious breach of Prince’s rights under the HIPAA Privacy Rule.

The unauthorized disclosure of patients’ protected health information (PHI) is strictly prohibited by federal regulation. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released specific guidance on the issue of PHI and media releases, stating that:

Health care providers cannot invite or allow media personnel […] into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances […] does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.

Celebrities and other individuals with a strong public presence who experience health crises or deaths are often subject to intense media scrutiny and reporting in the aftermath of these events.

Back in July of 2015, a similar scenario played out when New York Giants player Jason Pierre-Paul’s medical records were unlawfully disclosed after being tweeted by an ESPN reporter. But because the records weren’t leaked by a health care professional, the tweet technically does not constitute a HIPAA breach, and OCR cannot step in to remediate the leak.

The same reasoning holds true for TMZ’s story. If, upon further reporting, it becomes apparent that a medical professional was responsible for leaking the story, then the hospital could potentially be at fault for violating Prince’s rights under the HIPAA Privacy Rule. However, as it stands, TMZ and other news media outlets reporting this, or similar stories, cannot be charged with violating HIPAA.

Don’t Forget: March 11 Deadline for Meaningful Use Attestation Approaching

The Centers for Medicare and Medicaid Services (CMS) have shifted their deadline for Meaningful Use (MU) attestation from the previous February 29 date to Friday, March 11, 2016. This most recent shift in deadline was made so that practices could attest to the Physician Quality Reporting System (PQRS, formerly PQRI), which has a deadline that falls on that same date. Both MU and PQRS are health care quality improvement incentive programs that are monitored and run through CMS. Physicians can attest to both programs at once as they share the same requirements and measures for quality assurance.

CMS has set up a site for their EHR Incentive Program where health care professionals can register and attest to MU and PQRS by the March 11, 2016 deadline.

In case you’re unsure if this deadline applies to you and your practice, CMS has stated that all “eligible professionals, eligible hospitals, and critical access hospitals (CAHs) participating in the Medicare Electronic Health Record (EHR) Incentive Program” are beholden to this March 11 deadline for their 2015 attestation. CMS’ EHR Incentive Program is intended to provide incentives for eligible professionals (EPs) and eligible hospitals that are upgrading, or currently implementing, an EHR system.

March 11 is just one in a series of deadlines that are fast approaching for health care professionals attesting to CMS’ EHR programs. CMS has an ongoing Meaningful Use audit program looking to target practices that have missed or will miss these upcoming deadlines. They’ve set up a page that they regularly update with new CMS deadlines and attestation information, so be sure to check back regularly to keep your practice on track with your MU and EHR attestation.

Don’t Forget: February 29 Deadline for Reporting 2015 HIPAA Breaches Approaches

The deadline for reporting small breaches to the Department of Health and Human Services (HHS) is quickly approaching. By February 29th, all Covered Entities (CEs) that have had breaches of unsecured protected health information (PHI) affecting fewer than 500 individuals during 2015 must submit their annual reports if they haven’t done so already.

In case you’re unclear about whether or not this deadline applies to your organization, remember that HHS defines a CE as a health plan, health care clearinghouse, or health care provider that transmits “any information in an electronic form in connection with a transaction for which HHS has adopted a standard.” More or less, that includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that handle PHI electronically. You can read more about HHS’s regulation on CEs here. If your organization meets these qualifications and has had a small data breach in 2015, you can visit HHS’s site before February 29th to perform your annual report.

HIPAA regulation works differently depending on the size and scope of the breach in question, so keep in mind that this deadline and annual reporting process is only applicable in the case of small breaches. Breaches that have affected more than 500 individuals need to be reported within 60 days of the discovery of the breach to the appropriate state and federal contacts. Patients whose PHI has been breached should always be notified within 60 days of the discovery as well.

Don’t let this deadline pass without reporting any outstanding breaches. All you need to do is check out HHS’s reporting page and fill in the appropriate information before February 29th.