Data Breaches at Manchester Ophthalmology, Cook County Health and UnitedHealthcare

A cyberattack on Manchester Ophthalmology in Connecticut allowed attackers to gain access to patient data. On November 25, 2019, the eye care provider discovered the cyberattack when employees detected strange activity on its system. A third-party technology company helped investigate the incident and found later that day that hackers had accessed the system and attempted to deploy ransomware. The hackers had network access from November 22, 2019 to November 25, 2019. Manchester Ophthalmology was able to immediately terminate the remote access and prevent data encryption.

No evidence was found indicating that the attackers accessed or downloaded any patient data; however, the investigators confirmed that some patient data had not been backed up and cannot be retrieved. Manchester Ophthalmology lost the following types of information: patient names, medical histories, and information on the care patients received at Manchester Ophthalmology.

Patients were instructed to be careful and to monitor their explanation of benefits statements and accounts for any indication of fraud. Manchester Ophthalmology gave employees further training on properly backing up all data.

The breach summary sent to the Department of Health and Human Services’ Office for Civil Rights states that the security breach impacted around 6,846 patients.

Mailing Error at Cook County Health

Cook County Health, based in Chicago, IL, began informing 2,713 people about an error in which some of their protected health information (PHI) was sent to a third-party vendor. The information, pertaining to people taking part in the #keepingitLITE research study, was forwarded to a vendor that was supposed to help mail research data.

The list of research participants, including their names, physical addresses, and email addresses, was sent to the vendor before a business associate agreement (BAA) had been signed. A BAA is a vendor’s documented commitment to employ safeguards that protect data privacy and security. Without a BAA, Cook County Health has no assurance that the vendor has satisfactory safeguards in place.

Steps were already taken to make certain the same error won’t happen again in the future.

Data Breach at UnitedHealthcare

On January 31, 2020, the health insurance provider UnitedHealthcare, based in Minnetonka, MN, reported a 2019 data breach that resulted in the potential compromise of the private data of some of its members in South Carolina.

UnitedHealthcare learned of the data security breach on December 10, 2019 and determined that an unauthorized person had accessed members’ health information via its member portal at some point between July 30, 2019 and November 13, 2019. The compromised information only included the members’ first and last names, medical plan data, and medical claims information.

UnitedHealthcare reported the incident to law enforcement and is assisting with the investigation. The health insurer has already taken steps to prevent similar breaches in the future. The breach was posted on the HHS’ Office for Civil Rights breach portal, indicating that 934 people were impacted.

Two Draft Cybersecurity Practice Guides on Ransomware and Other Data Integrity Events Published by NIST

Two draft cybersecurity practice guides about ransomware and other harmful incidents were published by the National Cybersecurity Center of Excellence (NCCoE) at NIST. The first guide is about identifying and protecting assets (SP 1800-25), while the second guide is about detecting and responding to cyberattacks that jeopardize data integrity (SP 1800-26).

The guides are meant to be used by executives, system administrators, chief information security officers, and anyone else with a role in securing the information, privacy, and overall operational security of their organizations. Each guide is made up of the following three volumes:

  • an executive summary
  • approach, architecture and security characteristics
  • how-to guides

The first guide covers the first two core functions of the NIST Cybersecurity Framework, Identify and Protect. Businesses must act to secure their assets against ransomware, destructive malware, accidental data loss, and malicious insiders. To secure their assets, businesses should first determine where those assets are located and then take the required steps to protect them against a data-damaging event.

To create the first guide, NCCoE investigated several strategies that could be used to discover and secure assets against various kinds of data integrity attacks in a variety of conditions. A sample solution was developed in the NCCoE laboratory using commercially available products to counter attacks before they occur. The sample solution uses capabilities such as secure storage, backups of data, VMs, and file systems, activity logging, asset inventory, and integrity monitoring.

By using the guide, businesses can identify their assets and evaluate vulnerabilities, as well as the reliability and activity of systems, to prepare for an attack. Backups can then be made and secured to assure data integrity. The guide additionally helps businesses manage their environments by evaluating machine posture.

The second guide covers the core functions Detect and Respond of the NIST Cybersecurity Framework. It explains how organizations can monitor data integrity and respond to a security event in real time. A quick response to a data integrity incident is essential: it significantly limits the damage caused and ensures a fast recovery.

The guide addresses event detection, vulnerability management, reporting, mitigation, and containment, and gives comprehensive information on techniques, toolsets, and methods to support the security team’s response to a data integrity incident. The sample solution includes several systems working together to detect and respond to data corruption incidents in common enterprise components such as databases, mail servers, endpoints, file share servers, and VMs.

NCCoE is looking forward to receiving industry stakeholders’ feedback on the new guides on or before February 26, 2020.

Data Breaches at Iowa Department of Human Services and Cedarbrook Nursing Home

The Iowa Department of Human Services sent notification letters to 4,784 people regarding the potential compromise of their protected health information (PHI).

On November 25, 2019, a member of the department’s staff threw away documents containing the PHI of Dallas County customers in a regular garbage dumpster. The records should have been shredded before disposal. The improper disposal was discovered too late, as the dumpster had already been emptied. An investigation of the incident revealed that the custodial employee who threw away the paperwork did not know that the documents contained confidential data.

It was impossible to identify the names of the patients affected, so the Iowa Department of Human Services sent notification letters to all people potentially affected by the breach. The information contained in the documents likely included names, birth dates, mailing addresses, Social Security numbers, driver’s license numbers, disability data, medical details, banking and wage data, receipt of Medicaid, mental health data, provider names, prescription medications, and data on substance abuse and illegal drug use.

Impermissible Disclosure of Prescription Data of Cedarbrook Nursing Home Residents

Cedarbrook nursing home in Lehigh County, PA sent notification letters to 688 residents because their prescription data was inadvertently shared with firms bidding for the nursing home’s pharmacy contract.

Cedarbrook nursing home sent an email with the wrong file attached to 16 firms in December 2018. The file that should have been sent contained invoice data showing the medicines prescribed from October to November. The file actually attached also listed the names of the patients who had been given those prescribed medicines.

The mistake was uncovered immediately. Cedarbrook nursing home asked all 16 companies to delete the file, and all 16 HIPAA-covered companies confirmed that they had deleted it.

As a precautionary measure, all affected persons received a notification regarding the privacy breach. The risk of patient data misuse is believed to be low. The nursing home has updated its procurement procedures and now requires supervisory review of outgoing contract information before it is sent.

Beaumont Health Reports a 20-Month Insider Breach

Southfield, MI-based Beaumont Health, a non-profit 8-hospital health system, discovered that a former employee had accessed its patients’ medical records without authorization and had potentially shared protected health information (PHI) with someone else.

Upon discovering the unauthorized access to medical records, the hospital system launched an internal investigation. A review of the former employee’s access logs revealed that the unauthorized access first occurred on February 1, 2017 and persisted until October 22, 2019. The provider discovered the breach in December 2018.

Beaumont Health’s internal investigation confirmed on December 10, 2019 that the former employee had accessed the medical records of 1,182 patients over a span of 20 months. The information potentially obtained and disclosed included names, email addresses, addresses, contact telephone numbers, birth dates, Social Security numbers, medical insurance information, and the reason for seeking medical care.

The individual to whom the employee disclosed the information was affiliated with a personal injury lawyer. The majority of the patients whose information was accessed had received treatment for injuries suffered in motor vehicle accidents.

As soon as the unauthorized access was confirmed, Beaumont Health fired the employee for violating hospital policies and HIPAA. The breach was reported to law enforcement, and Beaumont Health said it will assist law enforcement in the event of a prosecution. The breach was also reported to the Michigan Health and Hospital Association.

Beaumont Health mailed notification letters to all affected patients. Patients whose Social Security numbers were compromised also received offers of credit monitoring and identity theft protection services. Patients were advised to stay alert to the threat of identity theft and fraud, to check their explanation of benefits statements and accounts carefully, and to report any suspicious activity.

To prevent the occurrence of similar breaches, Beaumont Health updated its internal policies and procedures.

Ex-VA Employee Received Sentence for Leaking Medical Records of Former Army Major

Jeffrey Miller, 40, of Huntington, WV, a former employee of the Department of Veterans Affairs’ Benefits Administration, was sentenced for the unauthorized access of veterans’ healthcare records and for disclosing the health records of a former U.S. Army major who sought a seat in Congress in West Virginia.

Miller pleaded guilty to obtaining the healthcare data of 6 veterans, including former Army Major Richard Ojeda. Pictures of the records were taken and sent to an associate. The photo of Ojeda’s health records was later passed to high-ranking Republicans in an attempt to influence his 2018 campaign for the 3rd Congressional District in West Virginia.

The federal court sentenced Miller on January 21, 2020 to 6 months in jail.

House Energy and Commerce Committee Will Draft a Bipartisan Federal Data Privacy Bill

The House Energy and Commerce Committee published a discussion draft of a new bipartisan data privacy bill. The draft bill sets out national standards for privacy and security and proposes limits on how U.S. organizations collect, use, and retain consumer information.

The draft legislation calls for every company to create a privacy program and to publish a privacy policy, written in plain language, that makes clear what data the company collects, how long it is used and retained, and who has access to it.

Data security measures appropriate to the size of the business and the nature of its data activities must also be put in place. In the event of a breach of consumer information, businesses would have to submit a report to the Federal Trade Commission (FTC).

The FTC would create a Bureau of Privacy to make rules, provide guidance, and enforce compliance. The FTC would set a data retention time frame and create regulations governing the disclosure of personal data to third parties.

The bill would give consumers more control over their personal data and the way businesses use it. Consumers could exercise a right to access and correct their data, a right to control who is able to access their personal information, and a right to tell businesses to delete their personal information.

So that consumers know which organizations hold their personal information, the draft bill calls for the creation of a consolidated registry of data brokers. Consumers could consult this registry to learn who holds a copy of their data and how to access, correct, and demand deletion of their personal data.

An Energy and Commerce Committee representative said that the purpose of the draft is to protect consumers and set transparent rules for data collectors. It took several months of hard work and close collaboration between Democratic and Republican Committee staff.

The draft was released after a Senate Commerce Committee hearing on the two data privacy bills proposed by Senate Commerce Committee Chairman Roger Wicker (R-Miss) and Senator Maria Cantwell (D-Wash). There is no agreement yet on what the bill should contain, but there was agreement that the legislation should be bipartisan.

The two key points of contention between the rival bills are the following:

  • Should the federal privacy bill preempt state regulations?
  • Should there be a private cause of action?

Sen. Cantwell’s bill proposed a private cause of action allowing consumers to sue companies that violate their privacy. Sen. Wicker does not agree with this. Wicker’s bill proposed replacing state laws with the new federal privacy law, while Sen. Cantwell proposed keeping state laws in place to give consumers more protection. The discussion draft avoids tackling either of these two issues.

Industry stakeholders can submit their feedback on the draft legislation until mid-January 2020.

Ambulance Company Pays OCR $65,000 to Settle HIPAA Violation Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) reached a settlement with West Georgia Ambulance, Inc. under which the company will pay $65,000 to resolve multiple violations of the Health Insurance Portability and Accountability Act Rules.

OCR started investigating the Carroll County, GA ambulance company after receiving a breach notification on February 11, 2013 regarding the loss of an unencrypted laptop computer containing the protected health information (PHI) of 500 patients. The breach report indicated that the company was unable to recover the laptop, which had fallen off the rear bumper of an ambulance.

The investigation uncovered the company’s longstanding noncompliance with several HIPAA Rules. OCR found that West Georgia Ambulance:

  • did not perform a comprehensive, company-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
  • did not provide its employees with a security awareness training program (45 C.F.R. § 164.308(a)(5))
  • did not enforce HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316)

OCR provided technical assistance to West Georgia Ambulance to help the company address its compliance failures, but despite that assistance, OCR reported that the company took no meaningful steps to correct the areas of noncompliance. A financial penalty was therefore issued.

Besides paying the $65,000 financial penalty, West Georgia Ambulance must adopt a corrective action plan to address all areas of noncompliance identified by OCR. OCR will monitor West Georgia Ambulance’s HIPAA compliance program for two years to make sure it follows the HIPAA Rules.

Patients being transported in the back of an ambulance should not have to worry about the privacy and security of their medical data. All providers, big and small, should take their HIPAA obligations seriously.

This is the tenth OCR HIPAA financial penalty issued in 2019. OCR collected a total of $12,274,000 in financial penalties in 2019 to settle noncompliance cases.

HIPAA Enforcement Activities in November 2019

In November 2019, three financial penalties were imposed on HIPAA-covered entities to settle HIPAA violations.

University of Rochester Medical Center (URMC) paid $3,000,000 to OCR to resolve its HIPAA violation case. OCR started investigating URMC after receiving two breach notifications involving lost or stolen devices. In 2010, OCR investigated URMC after the loss of the first device and offered the medical center technical assistance. At the time, URMC knew that keeping ePHI on portable devices carried a high risk and that encryption was therefore necessary. However, URMC did not implement the needed controls and continued using unencrypted portable electronic devices. When OCR investigated URMC again after the theft of a laptop computer, the investigators determined that URMC had failed in three respects: to perform an organization-wide risk analysis, to reduce risks to a reasonable and appropriate level, and to implement the required device and media controls.

Sentara Hospitals resolved its HIPAA violations by paying OCR $2,175,000. OCR started a compliance investigation after receiving a patient’s complaint in April 2017. The complaint concerned a bill the patient received from Sentara containing the protected health information (PHI) of another patient. Sentara Hospitals’ breach report stated that the breach affected only 8 persons; however, OCR learned that 577 letters had been erroneously sent to 16,342 different guarantors. Sentara Hospitals declined to correct its breach report with the new figure. OCR additionally discovered that Sentara Hospitals had failed to sign a business associate agreement with one vendor.

The Texas Department of Aging and Disability Services (DADS) was issued a sizeable financial penalty. In 2015, DADS reported to OCR a breach affecting the ePHI of 6,617 patients. A flaw in a web application allowed unauthorized people to view the patients’ ePHI over the internet. The ePHI was exposed for about 8 years. Upon investigation, OCR learned that DADS had not conducted an organization-wide risk analysis, did not have adequate access controls, and did not monitor information system activity. The penalty paid by DADS to settle the HIPAA violation case amounted to $1.6 million.

HIPAA Compliance of Amazon Lex

Amazon recently announced that the Amazon Lex chatbot service now supports Health Insurance Portability and Accountability Act (HIPAA) compliance, so healthcare organizations can use it without violating the HIPAA Rules.

Amazon Lex is a service that lets users build conversational interfaces into applications using text and voice. It enables the creation of chatbots that use lifelike, natural language to interact with users, ask questions, gather and provide information, and perform a variety of tasks, including booking appointments. The conversational engine powering Amazon Lex is the same one used by Amazon Alexa.

Until recently, the potential for using Amazon Lex in healthcare was limited because the service was not HIPAA eligible. It could not be used in connection with electronic protected health information (ePHI), and Amazon’s business associate agreement (BAA) did not cover it.

Amazon confirmed on December 11, 2019 that the AWS business associate agreement (BAA) addendum now includes Amazon Lex. The service can therefore be used for workloads involving ePHI, provided a BAA is in place. Amazon Lex has undergone third-party security assessments under several AWS compliance programs; it is not only HIPAA eligible but also SOC and PCI compliant.

As with any software product, a BAA does not by itself ensure compliance. Amazon has implemented appropriate safeguards to protect the integrity, confidentiality, and availability of ePHI; however, it remains the user’s obligation to configure and use the service correctly and in compliance with the HIPAA Rules.

Amazon has published a whitepaper, Architecting for HIPAA Security and Compliance on AWS, which provides guidance on configuring AWS services that store, process, and transmit ePHI. Guidance on configuring Amazon Lex has also been published.

Healthcare Data Breach Report for October 2019

October saw a 44.44% month-over-month rise in healthcare data breaches. The HHS’ Office for Civil Rights received 52 breach reports in which 661,830 healthcare records were exposed, stolen, or impermissibly disclosed.

Including this month’s figures, the total number of healthcare records breached in 2019 is over 38 million, which translates to 11.64% of the United States population.

October 2019 Largest Healthcare Data Breaches

1. Betty Jean Kerr People’s Health Centers with 152,000 individuals affected due to hacking/IT Incident
2. Kalispell Regional Healthcare with 140,209 individuals affected due to hacking/IT Incident
3. The Methodist Hospitals, Inc. with 68,039 individuals affected due to hacking/IT Incident
4. Children’s Minnesota with 37,942 individuals affected due to unauthorized access/disclosure
5. Tots & Teens Pediatrics with 31,787 individuals affected due to hacking/IT Incident
6. University of Alabama at Birmingham with 19,557 individuals affected due to hacking/IT Incident
7. Prisma Health – Midlands with 19,060 individuals affected due to hacking/IT Incident
8. South Texas Dermatopathology Laboratory with 15,982 individuals affected due to hacking/IT Incident
9. Central Valley Regional Center with 15,975 individuals affected due to hacking/IT Incident
10. Texas Health Harris Methodist Hospital Fort Worth with 14,881 individuals affected due to unauthorized access/disclosure

Causes of Healthcare Data Breaches in October 2019

In October, the following incidents were reported:

  • 18 hacking/IT incident reports involved 501,847 individual healthcare records. The mean breach size and median breach size were 27,880 records and 9,413 records, respectively.
  • 28 breach reports due to unauthorized access/disclosure incidents involved 134,775 records. The mean breach size and median breach size were 4,813 records and 2,135 records, respectively. These breaches include 15 separate reports from Texas Health Resources.
  • 5 loss/theft incidents involved 13,454 records. The mean breach size and median breach size were 2,350 records and 2,752 records, respectively.
  • 1 improper disposal incident involved 11,754 records.

Location of Breached Health Data

Phishing continues to pose challenges for healthcare companies. Healthcare providers struggle to block phishing attacks and to detect them quickly; several of the phishing attacks reported took weeks to identify.

Although multi-factor authentication can lower the risk of cybercriminals stealing credentials and using them to gain access to corporate email accounts, many healthcare companies only implement this vital security control after a phishing attack has already occurred.

The increased number of “other” breaches is due to the mailing error incident at Texas Health, which accounted for 15 of the 19 breaches in that category.

Most of the network server breaches were the result of ransomware attacks, including the largest healthcare data breach in October. That breach shows how crucial it is to keep a backup copy of all data, to test backups to ensure data can be recovered, and to keep at least one backup copy on a device that is not networked or exposed online.

Data Breaches by Covered Entity Type

Healthcare providers reported 45 data breaches. Health plans reported three breaches, and business associates of HIPAA-covered entities reported four breaches. Four further breaches reported by covered entities also involved a business associate.

Healthcare Data Breaches by State

Healthcare providers and business associates in 24 states reported data breaches. The following is the tally of breach reports by state:

  • Texas reported 17 incidents with 15 breach reports from Texas Health
  • Ohio reported 4 breaches
  • California reported 3 breaches
  • Arkansas, Florida, Maryland, Louisiana, South Carolina, New Mexico, and Virginia reported two breaches each
  • Arizona, Alabama, Georgia, Indiana, Illinois, Kentucky, Minnesota, Mississippi, Missouri, Montana, Oregon, New York, South Dakota, and Washington reported 1 breach each

HIPAA Enforcement Actions in October 2019

The HHS’ Office for Civil Rights announced two financial penalties for HIPAA violations in October: one was a settlement and one was a civil monetary penalty.

OCR investigated Elite Dental Associates after receiving a complaint from a patient whose PHI had been publicly disclosed in a response to a Yelp review. OCR discovered that the complainant’s PHI was not the only PHI disclosed in that way. OCR also found that the practice’s notice of privacy practices did not contain the required information and therefore did not comply with the HIPAA Privacy Rule. Elite Dental Associates settled the case by paying OCR $10,000.

OCR investigated Jackson Health System after PHI was disclosed in the media: a published photo of an operating room contained the health data of two people, including a well-known NFL player. The OCR investigation revealed several violations of the Security Rule, Privacy Rule, and Breach Notification Rule spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

HIPAA Seal of Compliance Awarded to Eagle Consulting Group

Eagle Consulting Group, a provider of managed services in Anchorage, AK, received HIPAA Compliance certification from Compliancy Group.

Eagle Consulting Group has many clients in the healthcare sector and provides them with proactive IT services. While managing infrastructure and software solutions, the company has access to electronic protected health information (ePHI). An organization like Eagle Consulting Group is therefore a business associate under the Health Insurance Portability and Accountability Act and must be HIPAA compliant.

Eagle Consulting Group collaborated with Compliancy Group in order to demonstrate to its clients that it has a trusted HIPAA compliance plan.

Eagle Consulting Group used Compliancy Group’s HIPAA compliance software solution, known as The Guard. The software is used to track progress toward achieving HIPAA compliance and, once an effective compliance program is established, to manage ongoing compliance.

Compliancy Group’s HIPAA experts guided Eagle Consulting Group through the six-stage HIPAA risk analysis and remediation plan. After completing the program, the company was confirmed as meeting the minimum data privacy and security requirements mandated by HIPAA. The company has put in place policies and procedures to maintain HIPAA compliance, and employees understand their responsibilities for securing ePHI.

Because Eagle Consulting Group successfully completed and verified its risk analysis and remediation program, Compliancy Group awarded the company the HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to existing and prospective clients in the healthcare industry that Eagle Consulting Group has met the minimum standards of the HIPAA Privacy, Security, and Breach Notification Rules, identifying it as a HIPAA-compliant managed service provider.

If selected for a compliance audit, Eagle Consulting Group can show regulators with confidence that it is in full compliance with HIPAA. The company can likewise help its healthcare clients implement all the necessary technical safeguards to protect their networks and keep ePHI secure.

Patients Can Use the New Alexa Healthcare Skill to Manage Their Medications

Amazon’s Alexa now offers a new healthcare skill that patients can use to manage their prescribed medications and order prescription refills.

At the start of this year, Amazon said that it had created a HIPAA-eligible environment for skill developers that incorporates the safeguards required by the HIPAA Privacy and Security Rules. Amazon created an invite-only platform for a select group of skill developers to build new skills that could benefit patients.

The new skill is the product of a joint effort between Amazon and Omnicell, a medication management firm. Amazon approached Omnicell and proposed that the company develop the new skill after noticing that many Alexa users were using their devices to create medication reminders. Amazon had received feedback from a number of users asking for the reminders feature to be enhanced so they could set several reminders a day for taking their medicines.

Initially, the new Alexa skill will be available to customers of Giant Eagle Pharmacy, which operates more than 200 pharmacies throughout the Midwest and Mid-Atlantic. With the new skill, patients can set reminders to take their prescription drugs, review their current prescriptions, and order prescription refills from Giant Eagle simply by giving voice commands to their Alexa devices.

The new skill includes a number of privacy and security protections to prevent unauthorized access and misuse. After enabling the Giant Eagle Pharmacy skill and linking their account, users must create a voice profile and set a PIN. Alexa identifies a user through their voice profile, but the user must still provide their PIN before any information is relayed. Healthcare-related information is also redacted in the app to protect privacy. Voice recordings can be reviewed and deleted at any time via the Alexa app, the Privacy Settings, or by voice command after authentication.

According to Danny Sanchez, VP and general manager of Omnicell, this new technology is only the start, as the company continues to identify easy-to-use pharmacy tasks that voice-powered devices can perform in real life to keep the patient at the heart of care and improve pharmacy workflow.

With the initial skill release, Amazon will gather useful data that can be used to improve the customer experience. More pharmacy chains will be added in the New Year.

Resolving the Communication Issues in Healthcare

According to a recent TigerConnect study, 52% of healthcare organizations have communication disconnects that adversely impact patients on a daily basis or several times per week.

These communication challenges are a source of frustration for healthcare workers. They make it harder to coordinate patient care, leading to lapses in care. The effect of poor communication is significant and impacts the entire organization.

At best, inefficient communication causes delays that raise the cost of providing healthcare. At worst, poor communication contributes to preventable medical errors and physician burnout and, in the most serious cases, can lead to death.

Many healthcare organizations are still heavily reliant on obsolete communication technology such as fax machines and pagers. Teams of healthcare workers use a variety of communication tools and, despite an increasingly mobile workforce, landlines are relied on far too often.

TigerConnect research has revealed that communication technology in hospitals is badly fragmented. 89% of hospitals still use fax machines and 39% still rely heavily on pagers for communicating with particular departments or functions, or even organization-wide.

Even when advanced communications technology is used, it is frequently deployed in silos. Nurses and physicians may be moved onto advanced communications systems while other staff are not, so the full benefits are never achieved.

These communication issues are not just a source of stress for healthcare workers; patients are noticing them too. A Harris poll of patients conducted in August 2019 revealed that patients are frustrated by ineffective communication when staying in or visiting the hospital, and by the methods providers use to communicate with them.

Correcting Broken Communication in Healthcare

TigerConnect is hosting a webinar that will discuss the scope of the communication problems in the U.S. healthcare sector and the difficulties that communication disconnects are creating.

Dr. Will O’Connor, CMIO of TigerConnect, and Jorge Jeffery, Data Scientist & Researcher, will speak about these topics and recommend a solution that enhances communication in healthcare, boosts workflow efficiency, and reduces the common bottlenecks that delay patient throughput. They will also explain how improvements in communication can ensure that many more patients are seen quickly and that the cost of healthcare provision is lowered.

Details of the Webinar:
Topic: Fixing Broken Communications in Healthcare

When: Thursday, December 12, 2019 at 1:00 PM Eastern Time / 12:00 PM Central Time / 11:00 AM Mountain Time / 10:00 AM Pacific Time

Webinar Hosts: Dr. Will O’Connor, CMIO of TigerConnect / Jorge Jeffery, Data Scientist & Researcher.

Timothy Noonan is the New Office for Civil Rights Deputy Director for Health Information Privacy

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Timothy Noonan is now the Deputy Director for Health Information Privacy.

The Deputy Director for Health Information Privacy heads the Health Information Privacy Division of OCR, oversees OCR’s national health information privacy policy and outreach activities, and administers and enforces the HIPAA Security, Privacy, and Breach Notification Rules and the confidentiality provisions of the Patient Safety Rule.

Noonan served as Acting Deputy Director for Health Information Privacy from January 29, 2018, after Iliana Peters left. Before taking that position, Noonan was OCR’s Southeast Regional Manager and then moved to OCR headquarters to serve as Acting Associate Deputy Director for Regional Operations and Acting Director for Centralized Case Management Operations.

In the 22 months that Noonan was Acting Deputy Director for Health Information Privacy, he helped secure over $37 million in HIPAA civil monetary penalties and settlements, including the largest ever HIPAA penalty: Anthem Inc paid a $16 million settlement for its 78.8 million-record data breach in 2015.

Noonan also helped create the Right of Access Enforcement Initiative, under which guidance on individuals’ right of access to their healthcare records was issued and the first ever financial penalty for Right of Access failures was settled with Bayfront Health St Petersburg.

Noonan also helped with the issuance of guidance on health apps and with the request for information seeking public comment on how the HIPAA Privacy Rule should be changed to encourage coordinated, value-based care.

Smartwatch Data Act Released to Protect Privacy of Consumer Health Data

Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen (D-Nevada) have introduced the Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act. The bill would ensure that no health information collected through health apps, fitness trackers and smartwatches can be sold or shared without the consumer’s consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health information that HIPAA-covered entities and their business associates collect, store, maintain, or transmit. Health apps, fitness trackers and wearable devices collect, store and transmit the same kinds of health information, yet that data can be shared or sold without authorization, and consumers have no control over who can access it. The bill seeks to address that privacy gap.

The bill prohibits transferring, selling, sharing, or granting access to any non-anonymized consumer health data or other personally identifiable health data that is collected, recorded, or derived from personal consumer devices to domestic data brokers or other domestic or foreign entities unless the consumer has consented.

Consumer devices are defined as equipment, applications, software, or mechanisms whose principal feature or capability is to collect, store, or transfer consumer health data.

The Smartwatch Data Act covers data about a person’s health status, personal biometric data, and kinesthetic data captured directly by sensors or entered manually by consumers into apps. It would treat all health information obtained through apps, trackers and wearable devices as protected health information (PHI).

There have been calls for HIPAA to be extended to app developers and wearable device companies that collect, hold, maintain, process, or transfer consumer health data. The Smartwatch Data Act does not extend HIPAA to cover those businesses; instead, it applies to the information itself. The bill calls on the HHS’ Office for Civil Rights, the primary enforcer of HIPAA compliance, to also enforce the Smartwatch Data Act, and noncompliance would carry the same penalties as HIPAA violations.

The bill was introduced after news of Google’s partnership with Ascension, the second largest healthcare provider in the U.S., which gave Google access to the health data of 50 million Americans. That collaboration raised several questions about the privacy of health data.

HIPAA covers the data Ascension passed to Google, but it does not currently cover fitness tracker data. Google expects to partner with fitness tracker company Fitbit in 2020, and there is concern about how Google will use the personal health information collected by Fitbit devices. The Smartwatch Data Act would help ensure that consumers have a say in how their health data is used.

Speakap Receives HIPAA Seal of Compliance From Compliancy Group

Speakap, a communication platform provider, announced recently that it has been certified as Health Insurance Portability and Accountability Act (HIPAA) compliant by Compliancy Group.

Speakap created a communications platform that allows healthcare companies to communicate easily and effectively with their frontline staff, even when those staff have no ready access to computer systems. Using a mobile app, healthcare companies can keep in touch with deskless workers, while a desktop version of the application lets them reach all employees. Businesses in a wide range of industries use the app; however, before the healthcare industry can use the solution, Speakap must ensure that its platform, policies, and procedures fully comply with the HIPAA Rules.

If the platform is used to communicate ePHI, Speakap is classified as a business associate under HIPAA. Speakap therefore needs to incorporate physical, technical and administrative safeguards into its solution and must fulfill the requirements of HIPAA.

To ensure full compliance, Speakap sought the help of Compliancy Group’s compliance coaches. Using The Guard, Compliancy Group’s proprietary software solution, Speakap also completed Compliancy Group’s 6-stage risk analysis and risk remediation process.

According to Compliancy Group’s HIPAA specialists, Speakap’s good faith efforts satisfied HIPAA compliance requirements, and the HIPAA Seal of Compliance was granted. The seal is proof that Speakap has implemented safeguards, policies, and procedures and has built an effective HIPAA compliance program that meets the regulatory standards of the HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Omnibus Rule, HIPAA Breach Notification Rule, and the HITECH Act.

Speakap CEO Erwin Van Der Vlist stated that Speakap is committed to offering reliable and secure solutions that adhere to HIPAA’s high standards. Speakap’s HIPAA compliant platform gives its clients the highest levels of trust and peace of mind, and its platforms are backed by exceptional measures that deliver industry-leading solutions.

EnTech Receives HIPAA Seal of Compliance Award

Compliancy Group confirmed EnTech, a managed IT service provider in Fort Myers, FL, as compliant with the Health Insurance Portability and Accountability Act (HIPAA) Rules.

For over 20 years, Entech has been helping companies in Southwest Florida get the most out of information technology by providing managed IT and integration services. The company also provides strategic technology consultancy services to help businesses choose the IT architectures that best match their needs.

When providing those services to healthcare organizations, EnTech must adhere to the HIPAA Rules. The company must put suitable safeguards in place to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), and employees must be aware of their responsibilities regarding HIPAA and ePHI.

Compliancy Group’s HIPAA coaches and its compliance tracking solution, “The Guard”, helped EnTech to complete Compliancy Group’s 6-Stage Risk Analysis and Remediation Process. With that achievement, Compliancy Group confirmed the company’s HIPAA compliance and awarded its HIPAA Seal of Compliance. Only companies that have met all the requirements of the HIPAA Security, Privacy, Breach Notification, and Omnibus Rules are awarded the HIPAA Seal of Compliance, which demonstrates that they have a reliable HIPAA compliance program in place.

Entech’s Chief Development Officer, David Spire, said the company is very proud to have acquired this designation, which shows its commitment to its clients and community. With the constantly changing threat landscape, healthcare organizations that directly or indirectly provide medical care should take all the necessary measures to secure the personal data they hold.

Together with a signed business associate agreement, Entech’s HIPAA Seal of Compliance gives current and prospective clients assurance of its commitment to protecting the privacy and security of personal information and to fulfilling its responsibilities under HIPAA.

Class Action Data Breach Lawsuit Settled by UCLA Health for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach discovered in October 2014. The settlement will cost UCLA Health $7.5 million.

UCLA Health discovered suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation revealed that hackers had gained access to the network, although at the time it was believed they had not reached the parts of the network where the medical center stored patients’ medical information. On May 5, 2015, however, UCLA confirmed that the hackers had in fact accessed sections of the network containing patients’ protected health information, and that names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers may have been viewed or copied. In total, 4.5 million patients were affected by the breach.

Following its investigation into the breach, the Department of Health and Human Services’ Office for Civil Rights was satisfied with UCLA Health’s breach response and with the administrative and technical safeguards it had put in place after the breach to improve security.

As a result, UCLA Health avoided a financial penalty. However, a class action lawsuit was filed on behalf of patients affected by the breach. The complainants alleged that UCLA Health failed to inform them about the breach in a timely manner, that California’s privacy laws had been violated, that there had been a breach of contract, and that UCLA Health’s failure to protect patient privacy constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015. Although this was in line with HIPAA requirements (within 60 days of discovering that PHI had been compromised), the complainants believed they should have been notified more promptly, given that 9 months had passed since the breach occurred.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients can also submit a claim to recover costs they incurred protecting themselves against unauthorized use of their personal and health information, and a further claim to recover losses suffered as a result of fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any damage or losses resulting from identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims. The remaining $5.5 million will be placed into a cybersecurity fund that will be used to improve cybersecurity defenses at UCLA Health.

May 20, 2019 is the cut-off date for patients to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019, and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. June 18, 2021 is the deadline for submitting claims for reimbursement of losses. The final court hearing on the settlement is set for June 18, 2019.

Potential Huge Breach of Protected Health Information Discovered

Meditab Software Inc., a Sacramento, CA-based medical software provider, and its San Juan, PR-based affiliate, MedPharm Services, have been the subject of a huge breach of protected health information.

Meditab also provides a fax processing service, and one of the servers used to process faxes was found to be leaking data: it could be accessed over the internet without any authentication.

The unprotected fax server was discovered by SpiderSilk, a Dubai-based cybersecurity firm. The fax server was hosted on a subdomain of MedPharm Services and housed an Elasticsearch database containing fax communications, which anyone could access in real time. The database was created in March 2018 and held over 6 million records. It is currently uncertain how many of those records contained protected health information.
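The exposure class described above (a data store reachable over the network with no authentication in front of it) is something a defender can check for in configuration before a researcher finds it. The following is an added example, not code from Meditab, MedPharm Services, SpiderSilk or TechCrunch: it audits an elasticsearch.yml for the two settings that together produce that exposure. The two config texts are constructed; the keys checked, network.host and xpack.security.enabled, are real Elasticsearch settings, and the tiny parser assumes flat `key: value` lines rather than nested YAML.

```python
"""Audit an elasticsearch.yml for an internet-reachable, unauthenticated node.

Added example (not the vendors' or researchers' code). The config texts are
constructed; the parser assumes flat 'key: value' lines with '#' comments.
"""

# Constructed: the kind of config that leaves a node open to anyone
WEAK_CONFIG = """\
cluster.name: fax-archive
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
# xpack.security.enabled not set: on 6.x/7.x basic tier that means no auth
"""

# Constructed: loopback-only binding plus authentication switched on
HARDENED_CONFIG = """\
cluster.name: fax-archive
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# network.host values that keep the node on loopback only (Elasticsearch's
# own default is _local_, i.e. loopback)
LOOPBACK_BINDS = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' settings; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def security_enabled(settings):
    # Assumption: an unset value is treated as disabled, which matches the
    # 6.x/7.x basic-licence default (8.x turns security on by default).
    return settings.get("xpack.security.enabled", "false").lower() == "true"


def audit_elasticsearch(settings):
    """Return a list of findings; an empty list means no exposure issue found."""
    findings = []
    host = settings.get("network.host", "_local_")
    exposed = host not in LOOPBACK_BINDS
    if exposed:
        findings.append(f"network.host={host}: node listens on a non-loopback interface")
    if not security_enabled(settings):
        findings.append("xpack.security.enabled is not true: REST API accepts unauthenticated requests")
    if exposed and not security_enabled(settings):
        findings.append("CRITICAL: reachable over the network AND unauthenticated, "
                        "the same exposure class as the fax server above")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch(parse_flat_yaml(text)) or ["ok"])
```

Binding to loopback and enabling authentication are separate controls: either one on its own still leaves a finding, because a LAN-reachable node without auth and an internet-facing node with auth are both conditions worth tracking, while the combination is the one that turns into a public leak.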

A recent TechCrunch report stated that a brief review of the faxes in the database showed they contained highly sensitive information such as names, addresses, dates of birth, Social Security numbers, payment information, insurance information, doctor’s notes, prescription details, diagnoses, lab test results, and medical histories. None of this information was encrypted.

Meditab Software and MedPharm Services were both founded by Kalpesh Patel, whom TechCrunch contacted about the breach. The fax server was taken offline after the companies were alerted, and an investigation was immediately launched to identify the cause.

Database logs are now being analyzed to determine the extent of the breach, which patients have been affected, and whether the database was accessed or downloaded by unauthorized individuals.

It is currently unclear how long the server was left unprotected and how many patients have been affected. Given the number of records in the database, this breach has the potential to be one of the largest healthcare data breaches in U.S. history.

Healthcare Employees Are Vulnerable to Phishing Attacks, According to Study

The healthcare industry is being heavily targeted by cybercriminals, and phishing is one of the most common methods they use to gain access to healthcare networks and, through them, sensitive data. The number of successful phishing attacks on healthcare institutions is a serious cause for concern.

At HIMSS19, OCR identified email as the main location of breached ePHI, with phishing attacks presenting the highest risk of a data breach.

Is the high number of successful phishing attacks mostly down to the healthcare industry being targeted more than other sectors, or is it because healthcare employees are more susceptible to phishing? A recently published study provides some answers.

The study was conducted by Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team to determine the susceptibility of healthcare employees to phishing attacks.

Gordon and his team analyzed data from 6 healthcare institutions in the United States that used vendor solutions or custom-developed tools to send simulated phishing emails to their employees.

The researchers analyzed the data collected from the simulated phishing emails sent to healthcare employees between August 2011 and April 2018. The data set included 95 simulated phishing campaigns which resulted in 2,971,945 simulated phishing emails being sent.

422,062 of these emails (14.2%) were clicked by employees. The median institutional click rate ranged from 7.4% to 16.7% per campaign, and in one campaign an institution had a median click rate of 30.7%. Overall, 1 in 7 emails attracted a click across all institutions and all campaigns.

The emails were divided into three categories: office-related, IT-related and personal. IT-related emails (e.g., password resets and security alerts) proved the most effective, with a median institutional click rate of 18.6%.

The researchers found no significant association between the year a campaign was conducted and its click rate. They did, however, find that repeated phishing simulations reduced the odds of employees falling for a later phishing email.

Institutions that ran between 6 and 10 simulated phishing campaigns lowered the odds of a click on a phishing email by 0.511. When more than 10 campaigns were conducted, the odds were reduced by 0.335.
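The figures above mix two kinds of measurement: pooled click rates (clicks over emails sent), per-institution medians of campaign click rates, and odds ratios for the effect of repeated campaigns. The following added example, not code from the JAMA study or any of the six institutions, computes each of them over a constructed set of campaign records so a team running its own simulations can report comparable numbers. The odds-ratio helper assumes that the study's "odds lowered by 0.511 / 0.335" figures are odds ratios; that reading is an assumption, not something the text confirms.

```python
"""Metrics for simulated phishing campaigns (added example, constructed data).

Not code from the JAMA Network Open study or from any institution it analyzed.
The odds-ratio helper assumes the study's 0.511 / 0.335 figures are odds ratios.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: (institution, email category, emails sent, clicks)
CAMPAIGNS = [
    ("A", "it",       1000, 186),
    ("A", "office",   1000, 120),
    ("A", "personal", 1000,  74),
    ("B", "it",       2000, 400),
    ("B", "office",   2000, 334),
    ("C", "it",        500, 153),
    ("C", "personal",  500,  60),
]


def overall_click_rate(campaigns):
    """Clicks divided by emails sent, pooled over every campaign (the 14.2% style figure)."""
    sent = sum(c[2] for c in campaigns)
    clicks = sum(c[3] for c in campaigns)
    return clicks / sent


def median_click_rate_by(campaigns, group="institution"):
    """Median of per-campaign click rates, grouped by institution or email category.

    Each campaign contributes one rate, so a single very large campaign cannot
    dominate the way it does in the pooled figure.
    """
    idx = 0 if group == "institution" else 1
    rates = defaultdict(list)
    for record in campaigns:
        rates[record[idx]].append(record[3] / record[2])
    return {key: median(values) for key, values in rates.items()}


def apply_odds_ratio(baseline_rate, odds_ratio):
    """Translate an odds ratio into the click probability it implies.

    An odds ratio is not subtracted from a percentage: a 14.2% baseline has
    odds 0.142/0.858; multiply those odds by the ratio and convert back.
    """
    odds = baseline_rate / (1.0 - baseline_rate)
    new_odds = odds * odds_ratio
    return new_odds / (1.0 + new_odds)


if __name__ == "__main__":
    print(f"overall click rate: {overall_click_rate(CAMPAIGNS):.1%}")
    print("median by institution:", median_click_rate_by(CAMPAIGNS))
    print("median by category:", median_click_rate_by(CAMPAIGNS, group="category"))
    print(f"14.2% baseline with odds ratio 0.511 -> {apply_odds_ratio(0.142, 0.511):.1%}")
```

Reporting both the pooled rate and the per-campaign median matters when campaigns differ greatly in size; and when a vendor or paper quotes an odds ratio, converting it back to a probability at your own baseline is the only way to see what the reduction means for your workforce.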

The researchers indicated that healthcare systems are uniquely vulnerable to phishing attacks, largely because of high employee turnover and a constant influx of new employees who may not have had any previous cybersecurity training. High endpoint complexity was also named as a factor that makes healthcare institutions vulnerable to phishing.

From the high click rates, the researchers concluded that phishing is a major cybersecurity risk in healthcare.

Three particular tactics were suggested by the researchers to counter the threat from phishing:

  1. Prevent phishing emails from being delivered to employees through the use of spam filtering technology
  2. Implement multi-factor authentication to decrease the value of stolen credentials
  3. Improve security awareness through cybersecurity training and phishing simulations.

The report ‘Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions’ was published on JAMA Network Open on March 8, 2019. DOI:10.1001/jamanetworkopen.2019.0393.

25% of Healthcare Organizations Have Suffered a Mobile Security Breach in Past Year

The Verizon Mobile Security Index 2019 report indicates that 25% of healthcare organizations experienced a security breach involving a mobile device in the past 12 months.

Although all businesses face similar risks from mobile devices, healthcare organizations appear to be addressing those risks better than most other sectors. Of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents, just behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably in the past couple of years. In 2017, 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months.

Although the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon argues that this may not be what is actually happening. One suggested explanation is that healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

Of all the healthcare organizations surveyed, 85% believed their security defenses were effective, and 83% believed they would be able to detect a security incident quickly. That confidence may be misplaced: 25% of healthcare organizations have suffered a breach involving a mobile device, and 80% of those entities learned of the breach from a third party.

Since mobile devices are regularly used to access or store ePHI, a security incident could easily result in a breach of ePHI. 67% of healthcare mobile security incidents were considered major breaches. Of those breaches, 40% had significant lasting repercussions, and in 40% of cases remediation was said to be difficult and expensive.

67% of mobile device security incidents involved other devices being compromised, 60% of organizations experienced downtime as a result of the breach, and 60% lost data. 40% of healthcare organizations that suffered such a breach said that multiple devices were compromised, downtime was experienced, and data was lost. 30% of breached entities said cloud services had been compromised as a result of a mobile security breach.

The main security risks were seen to relate to how employees use their devices. 53% of respondents said personal use of mobile devices posed a major security risk, and 53% said user error was also a significant problem.

Of the healthcare organizations surveyed, 65% were less confident about their ability to protect mobile devices than other IT systems. Verizon suggests this could be partly explained by a lack of effective security measures: just 27% of healthcare organizations use a private mobile network and only 22% have unified endpoint management (UEM) in place.

The survey also confirmed that users are taking major risks and breaching company policies. Across all industries, 48% of respondents said they had sacrificed security to get tasks completed, up from 32% last year. 81% admitted to using mobile devices to connect to public Wi-Fi, even though in many cases doing so violates their company’s mobile device security policy.