GAO: HHS Must Improve Monitoring of Medicare Telehealth and Help Providers Communicate Privacy Concerns

The Government Accountability Office (GAO) recently assessed the Medicare telehealth services provided during the COVID-19 pandemic. Because waivers were in place, access to telehealth and virtual appointments was greatly expanded. The assessment covered the use of telehealth services, how CMS identified and monitored the risks arising from the Medicare waivers, and how the HHS’ Office for Civil Rights (OCR) modified its enforcement of HIPAA compliance for telehealth during the COVID-19 public health emergency.

Under normal conditions, telehealth services are covered by Medicare, but only in limited circumstances, for example when patients living in rural areas do not have quick access to healthcare services. The growing need for telehealth during the COVID-19 pandemic led the HHS’ Centers for Medicare and Medicaid Services (CMS) to issue waivers that expanded Medicare telehealth services and allowed virtual appointments to be provided in a much wider range of situations. OCR also issued a notice of enforcement discretion stating that enforcement actions would not be taken against healthcare providers for the good-faith provision of telehealth services, even if non-public-facing technology was used that would not normally be HIPAA compliant.

From April to December 2019, 5 million Medicare telehealth consultations took place. In the same period in 2020, the number rose to 53 million. According to the GAO report, CMS could not adequately review the quality of care provided to patients through telehealth appointments, and there is concern that patients do not fully understand the privacy risks involved, which may have resulted in the inappropriate disclosure of sensitive health data.

OCR urged covered entities to inform patients about the potential privacy and security risks of telehealth services; however, OCR did not tell covered entities what specific language to use when describing those risks, nor did it provide guidance to help them explain the risks. Providing such details would help ensure that patients understand the potential impact of the privacy and security risks of telehealth technology on their protected health information (PHI).

Under normal circumstances, a healthcare provider and a communications platform vendor must sign a business associate agreement; however, that requirement was not enforced during the public health emergency. That could increase the risk of a patient’s PHI being disclosed without their knowledge. Patients may not be aware that this change happened because of OCR’s telehealth policy, or that their privacy is not protected as a result.

GAO noted in the report that complaints had been filed about possible violations of the HIPAA Privacy and Security Rules in connection with telehealth appointments. Patients filed 5 separate complaints about the use of technology for telehealth consultations that was not HIPAA Security Rule compliant. There were 37 privacy complaints about issues such as the presence of third parties during visits and cases where providers disclosed PHI without patient permission.

GAO recommended that OCR provide more education and outreach to help providers explain the privacy and security risks of telehealth to patients so that those risks are fully understood. GAO highlighted the importance of giving patients easy-to-understand information so they can properly evaluate the risks to their personal data, and of better communication about the privacy policies and HIPAA compliance of telehealth vendors so that patients can better understand the privacy risks.

OCR agreed with the recommendations and said it would provide further guidance to healthcare providers on the provision of telehealth services, including guidance on explaining the privacy and security risks to patients in plain language.

GAO found that there was incomplete information on audio-only and video telehealth appointments conducted from April to December 2020. This was found to be because the billing codes used by insurance providers were not adequate to monitor telehealth and virtual consultations and to determine when telehealth services were provided to beneficiaries in their homes.

GAO recommended that CMS create an additional billing modifier to allow proper monitoring of audio-only office visits, require providers to use service codes that indicate when Medicare telehealth services are provided to beneficiaries in their homes, and that the CMS Administrator thoroughly evaluate the quality of Medicare services, including audio-only services, delivered via telehealth during the public health emergency.

3 Dental Practices to Pay Fines to Resolve HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) has settled three investigations of dental practices for likely HIPAA Right of Access violations. The three investigations were opened after patients complained that their dental practices had failed to provide timely access to their medical records; one of the investigations also involved an allegation that an excessive fee was charged for a copy of health records.

A patient of Great Expressions Dental Center of Georgia, P.C. (GEDC-GA) filed a complaint with OCR in November 2020 after the Georgia-based dental and orthodontics company told her that a copy of her health records would only be provided after she paid a $170 copying fee. The HIPAA Right of Access permits healthcare organizations to charge patients for providing a copy of their medical records; however, the fee must be reasonable and cost-based.

OCR’s investigation found that the patient did not receive a copy of her records until February 2021, 15 months after the initial request. OCR also confirmed that GEDC-GA’s practice for calculating copying fees resulted in the patient being charged a fee that was not reasonable and cost-based. GEDC-GA agreed to settle the case, paid an $80,000 penalty, and adopted a corrective action plan to address the HIPAA Right of Access violation.

An investigation of Family Dental Care, P.C., based in Chicago, IL, began after a patient filed a complaint on August 8, 2020, stating that the dental practice had failed to provide her with a complete copy of her healthcare records. The former patient had requested all of her records in May 2020, but only part of those records was provided. The patient did not receive her complete records until October 2020, more than 5 months after the initial request. OCR confirmed that the failure to provide prompt access to the requested medical records violated the HIPAA Right of Access. Family Dental Care chose to settle the case by paying a $30,000 fine and implemented a corrective action plan to address the non-compliance.

OCR received a complaint on October 26, 2020, from a patient of B. Steven L. Hardy, D.D.S., LTD (dba Paradise Family Dental, located in Las Vegas, NV). The patient said she had requested a copy of her and her young child’s healthcare records on several occasions, but the records were not provided. The requests were submitted from April 11, 2020, to December 4, 2020, yet the records were not provided until December 31, 2020, 8 months after the initial request. OCR determined that the delayed provision of the records violated the HIPAA Right of Access. Paradise agreed to settle the case, paid a $25,000 financial penalty, and implemented a corrective action plan to address the violation.

OCR Director Melanie Fontes Rainer said the enforcement actions for the 3 right of access violations emphasize why dental practices of all sizes need to comply with the HIPAA Rules. Patients have an essential right under HIPAA to obtain their requested health records, generally within 30 days. When organizations comply, fewer patients will need to file complaints with OCR about their medical record requests.

Melanie Fontes Rainer Is the New HHS’ Office for Civil Rights Director

The HHS’ Office for Civil Rights (OCR) has a new Director, Melanie Fontes Rainer, who was sworn in by Department of Health and Human Services Secretary Xavier Becerra. Fontes Rainer will head the department’s enforcement of HIPAA compliance and federal civil rights, and will lead the department’s policy and strategic initiatives.

Fontes Rainer previously served as Acting Director, replacing Lisa J. Pino, who left the position in July 2022 after 11 months. Before joining OCR, Fontes Rainer served as Secretary Becerra’s Counselor and provided strategic advice on issues related to patient privacy, civil rights, reproductive health, competition in healthcare, the Affordable Care Act (ACA), equity, and the private insurance industry. In that position, she led enforcement of the No Surprises Act, which made medical billing transparent and helped consumers save money. Fontes Rainer led the White House Task Force on Reproductive Healthcare Access and recently advised the Secretary and the Administration on responding to the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization. Fontes Rainer was also appointed by the Secretary to the White House Competition Council, leading cross-cutting Department work and a whole-of-Government strategy on competition, price transparency, and costs to help U.S. consumers.

Before Fontes Rainer joined the Biden-Harris Administration, she held the following roles:

  • She served as Special Assistant to the Attorney General and Chief Health Care Advisor at the California Department of Justice.
  • As Special Assistant, she led a national team to preserve the Affordable Care Act and secure health insurance for over 133 million people in America.
  • She helped create the Health Care Rights and Access, a new office dedicated to proactively developing laws related to health care civil rights, competition, consumer protection, and privacy.
  • She served in the U.S. Senate as a Senior Aide and Women’s Policy Director to Chair Patty Murray on the Health, Education, Labor and Pensions and the Budget Committees.
  • She helped pass a number of transformative health care laws, such as the Every Student Succeeds Act, the 21st Century Cures Act, and the Justice for Victims of Trafficking Act.
  • She led the Senate’s work on the Affordable Care Act, gender equity, and reproductive rights.

Melanie has dedicated her entire professional career to public service and has worked tirelessly to ensure that medical care is accessible and affordable for everyone, regardless of who they are or where they live. As a longtime senior aide, Melanie will protect and enforce the healthcare and civil rights of every citizen across the country. Melanie’s dedication and expertise are essential to carrying out the Biden-Harris Administration’s health and human services priorities.

Urology Center of Colorado to Resolve Class Action Data Breach Lawsuit

The Urology Center of Colorado has agreed to settle a class action lawsuit over a 137,820-record data breach that occurred in September 2021. On November 5, 2021, the company sent notification letters to its patients informing them about the potential compromise of some of their protected health information (PHI) two months earlier, from September 7 to September 8, 2022.

Unauthorized individuals gained access to its systems and likely exfiltrated files containing patient data, including names, birth dates, addresses, Social Security numbers, medical record numbers, diagnoses, physician names, insurance providers, guarantor names, and treatment cost information. Affected individuals were offered 12 months of free credit monitoring and identity theft protection services.

The lawsuit was filed on behalf of plaintiffs Diona Lopez and Kristen Snyder and other individuals similarly affected by the security breach. The plaintiffs claimed the Urology Center of Colorado was negligent for failing to implement required safeguards to protect the privacy of patient data, including failing to encrypt patient information, apply patches promptly to mitigate known vulnerabilities, review and update user account privileges, update firewalls, properly train staff on procedures for handling inbound email, and ensure proper security procedures were in place. The lawsuit also alleged a violation of Colorado’s data security regulations, breach of implied contract, and breach of fiduciary duty. Because of the negligence, the plaintiffs claim they face a substantial and increased risk of fraud and identity theft.

The Urology Center of Colorado did not admit any wrongdoing and does not accept liability for the data breach, but agreed to settle the lawsuit to avoid the uncertainty of trial and ongoing legal expenses. Under the terms of the settlement, the Urology Center of Colorado has agreed to reimburse documented out-of-pocket expenses and lost time. Claimants will be entitled to receive up to $500 for documented losses, including up to 5 hours of lost time. Claims of up to $2,500 may be filed for extraordinary losses, and those who were California residents at the time of the data breach are eligible for an additional $50 payment.

Individuals who signed up for the identity theft protection and credit monitoring services offered by the Urology Center of Colorado can claim two additional years of membership. Individuals who did not initially sign up for the services will receive a two-year membership.

Class action data breach settlements usually include a commitment to implement additional security measures, but this settlement contains no such commitment. The Urology Center of Colorado said in its November breach notification letters that additional measures were being considered to improve security.

Individuals who wish to object to or opt out of the settlement have until October 10, 2022, to do so. Claims must be filed by November 7, 2022. The final fairness hearing is scheduled for October 26, 2022.

House Democrats Seek Answers from Meta about its Data Sharing Policies

On August 31, 2022, Democrats on the Committee on Energy and Commerce wrote to Meta CEO Mark Zuckerberg to express their concerns about the sharing of private communications with law enforcement and to request clarification of its data-sharing policies. The communications in question, between a mother and her daughter about an alleged unlawful abortion, took place on Meta platforms.

Police conducted a criminal investigation into Nebraska residents Jessica Burgess, 41, and her 18-year-old daughter, Celeste Burgess, over an alleged unlawful abortion. The teenager is alleged to have had an illegal abortion after the 20th week and to have buried the unborn child. After Roe v. Wade was overturned, Nebraska made abortion unlawful beyond 20 weeks after fertilization.

Police opened an investigation after learning that a 17-year-old had unexpectedly given birth to a stillborn baby. Local law enforcement served a warrant on Meta to access the conversations between mother and daughter stored on its platforms, according to a Deseret News report. Celeste Burgess was charged with three felonies: performing an unlawful abortion, performing the abortion without a licensed physician, and concealing a dead body, as well as two misdemeanors: concealing the death of a person and false reporting. Jessica Burgess was charged on two counts: performing an unlawful abortion beyond 20 weeks and performing the abortion as a physician without a license. A 22-year-old man was also charged with a misdemeanor: attempting to conceal another person’s death.

Meta issued a statement about the reported case in an attempt to correct inaccurate reporting, saying that most of the reporting about Meta’s role in a criminal case involving a mother and daughter in Nebraska is simply wrong. Meta confirmed that the warrant did not mention abortion. The warrants were issued by local authorities on June 7, before the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization. According to Meta, the warrants did not mention abortion at all. Court records indicate that police were investigating the alleged illegal burning and burial of an aborted baby. The warrants came with non-disclosure orders, which prevented Meta from releasing information about them. Those orders have since been lifted.

The Committee Democrats are seeking answers from Meta about its privacy policies for protecting the sensitive data of its platform users and how the company ensures personal data is protected while meeting its legal obligations, particularly given that the company will likely receive more requests from authorities seeking access to users’ sensitive information related to unlawful abortions.

Chairman Frank Pallone, Jr., Chair of the Subcommittee on Oversight and Investigations Diana DeGette, Chair of the Subcommittee on Consumer Protection and Commerce Jan Schakowsky, and Chairwoman of the Subcommittee on Health Anna G. Eshoo have requested a briefing on how Meta handles personal information and on its policies and procedures for sharing that information with authorities and other third parties.

California Legislature Approves Bill Banning the Disclosure of Data About Abortions

The California legislature has approved a bill (AB-1242) that prohibits organizations in the state from complying with warrants from other states seeking data about individuals seeking or providing abortions.

The U.S. Supreme Court’s decision to overturn Roe v. Wade eliminated the federal right to an abortion. A number of states had trigger laws in place that made abortion unlawful if Roe v. Wade were overturned. Twelve states have now made abortion unlawful for state residents, and other states are considering similar restrictions.

There are concerns that legal action could be taken against individuals in those states if they seek abortions in other states, and that state attorneys general and law enforcement agencies may try to obtain data about people obtaining abortions in states where abortion is legal. Under existing California law, information about individuals must be provided if a search warrant is issued for specific purposes. The change in the law prohibits issuing such a warrant in connection with investigations of people obtaining or providing abortions. The new law also prohibits local authorities from assisting abortion investigations, including by providing cellphone location data of women who travel to California to obtain abortions.

Specifically, the law prohibits issuing an ex parte order authorizing the interception of any wire or electronic communication, or an order, or extension of an order, authorizing or approving the installation and use of a pen register or trap and trace device for the purpose of investigating or recovering evidence of a prohibited violation.

A prohibited violation is defined as a violation of law that creates liability for, or arises out of, either providing, facilitating, or obtaining an abortion, or intending or attempting to provide, facilitate, or obtain an abortion that is lawful under California law.

If a state wants to serve a search warrant to discover the identity of individuals or the content of their communications, that state must attest that the data sought is not related to an abortion investigation. If a California company complies with any such request regardless, the state attorney general will be permitted to sue the company for violating state law.

The bill now only needs the signature of California Governor Gavin Newsom. Newsom has until September 30, 2022, to sign the bill into law.

Study Investigates How Medical Apps are Disclosing Health Information to Facebook and Others

Sensitive information is being sent to data brokers and marketers for the purpose of serving targeted ads, and not only by health apps and fitness trackers. HIPAA-covered entities are also sharing health information without patient authorization, which exposes them to regulatory penalties and lawsuits.

Many consumer health apps collect sensitive health data, including personal fitness and workout apps and pregnancy and fertility tracking apps. The apps are given that data or collect it directly through connected wearable devices, and the data may be shared with third parties or sold, in accordance with the apps’ terms of use. If users do not want to share their information, they can simply stop using the apps.

However, there is growing concern about healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) disclosing identifiable health information. Many hospitals have recently been found to have used the Meta Pixel JavaScript code on their websites to monitor visitor activity and analyze the performance of their Facebook advertising campaigns. In some cases, the code was placed on pages inside patient portals, and health data was transmitted to Meta without authorization and used by Facebook advertisers to serve targeted ads. At least two lawsuits have been filed against healthcare organizations over the privacy breaches, and Novant Health has recently sent notifications to over 1.3 million individuals whose privacy was breached.

Study Investigates How Medical Applications Share Healthcare Information with Social Media Platforms

A new study has examined how medical apps have been disclosing sensitive health information. The researchers selected medical apps that were popular with patients who are active on social media sites such as Facebook to obtain information about their medical condition. The study examined five digital medicine companies and assessed 32 types of cross-site-tracking middleware that used cookies to track people across the Internet and shared their browsing activity with Facebook for marketing and lead generation purposes. In particular, the researchers focused on companies that provided services to patient advocates in the cancer care community who were frequent users of social media sites.

Patients commonly use social media sites to get support from their peers, and Facebook is the most widely used. Facebook is flooded with advertisements related to medical conditions. According to the researchers, in 2019 health and pharmaceutical companies spent over 1 billion on Facebook mobile advertising alone. The health data patients disclose to social communities exposes them to these advertisements and allows health and pharmaceutical companies to select specific patient populations. The targeted patients in the cancer community were found to be vulnerable to online fraud, health misinformation, and privacy breaches through the use of cross-site tracking middleware. The researchers focused on Facebook’s ad model, though the findings may apply to other social media platforms.

How Patient Tracking and Targeted Ads Work

In a typical scenario, a cancer patient signs up for a digital medicine or genetic testing app and accepts the terms and conditions. Separately, the patient has or signs up for a Facebook account. Vendors add third-party tracking code to their web pages that transmits off-Facebook activity without the user’s permission.

The off-Facebook activity sent by the vendor is used to update Facebook’s ad-interest algorithms. Facebook then shows health-related advertisements according to users’ health interests. Vendors can tailor advertisements to users with particular health interests, and can also try to enrich the data via forms and quizzes, with the lead information sent from Facebook to the vendor’s CRM system.
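As an added example (not code from the study or from the article), the audit below shows how a defender can check a page for the tracking code described above: it parses a constructed patient-portal page and flags third-party script hosts and the inline Meta Pixel bootstrap (`fbq(...)` calls loading `fbevents.js` from `connect.facebook.net`). The tracker host list, the first-party hostname and the sample HTML are assumptions made for illustration.

```python
"""Audit a web page for third-party tracking scripts such as the Meta Pixel.

Added example, not the study's or the article's code. Assumptions: the
tracker-host list is illustrative rather than exhaustive, and both pages
below are constructed samples, not real hospital portals.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the Pixel loader (fbevents.js) and its <noscript> image beacon.
KNOWN_TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com"}
# Markers of the standard Pixel bootstrap inside inline <script> blocks.
INLINE_PIXEL_MARKERS = ("fbq(", "fbevents.js")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collect external script/image sources and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external_srcs = []
        self.inline_scripts = []
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            if src:
                self.external_srcs.append(src)
            else:
                self._in_inline_script = True
                self._buf = []
        elif tag == "img" and src:
            # The Pixel's <noscript> fallback is a 1x1 image beacon.
            self.external_srcs.append(src)

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            self.inline_scripts.append("".join(self._buf))


def audit_page(html, first_party_host):
    """Return the hosts loaded from outside first_party_host, the known tracker
    hosts among them, and whether an inline Pixel bootstrap snippet is present.
    URLs embedded in inline scripts are scanned too, because the Pixel loader
    is injected dynamically rather than referenced by a <script src>."""
    parser = ScriptCollector()
    parser.feed(html)
    candidates = list(parser.external_srcs)
    for body in parser.inline_scripts:
        candidates.extend(URL_RE.findall(body))
    third_party, trackers = set(), set()
    for src in candidates:
        host = urlparse(src).hostname  # also handles "//host/path" URLs
        if host and host != first_party_host:
            third_party.add(host)
            if host in KNOWN_TRACKER_HOSTS:
                trackers.add(host)
    inline_pixel = any(marker in body
                       for body in parser.inline_scripts
                       for marker in INLINE_PIXEL_MARKERS)
    return {"third_party_hosts": third_party,
            "tracker_hosts": trackers,
            "inline_pixel": inline_pixel}


# Constructed sample of a patient-portal page carrying the Pixel bootstrap
# (PIXEL_ID_PLACEHOLDER stands in for a real pixel id; loader body omitted).
PORTAL_PAGE_WITH_PIXEL = """
<html><head>
<script src="/static/portal.js"></script>
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted in this constructed sample */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'PIXEL_ID_PLACEHOLDER');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Appointment: Oncology</h1></body></html>
"""

# Constructed clean page: only first-party scripts.
PORTAL_PAGE_CLEAN = """
<html><head><script src="https://portal.example-hospital.test/app.js"></script>
</head><body><h1>Appointment: Oncology</h1></body></html>
"""

if __name__ == "__main__":
    print(audit_page(PORTAL_PAGE_WITH_PIXEL, "portal.example-hospital.test"))
    print(audit_page(PORTAL_PAGE_CLEAN, "portal.example-hospital.test"))
```

Pages that sit behind a patient login are the ones to audit first, since any activity they transmit is tied to an identified patient.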

Privacy Policies and Data Sharing Practices Vary

Although digital medicine and genetic testing apps have privacy policies that describe how information is collected and used, in some cases the privacy policies do not match actual information-sharing practices. All five apps had privacy policies, but three stated that health information would not be transmitted to advertisers when in fact data was being shared.

All five apps are likely subject to the Federal Trade Commission’s Health Breach Notification Rule, and two of the app vendors were CLIA-accredited labs that provide clinical genetic and diagnostic testing and are therefore covered by HIPAA. In some cases, users were tracked and information was shared even though no consent had been given, and in a few cases users had been told that their health data would not be provided to Facebook or other parties.

A Meta representative said that health data should not be provided to the platform and that it screens for and removes health information to prevent it from being disclosed to advertisers; however, the filter does not identify all health information. The researchers noted Facebook’s announcement in November 2021 that it would remove all specific ad-targeting endpoints for sensitive health data.

The researchers noted that the practice of tracking users and sharing their information with Facebook (and other social media sites) may violate federal and industry regulations, particularly the FTC’s Health Data Breach Notification Rule and possibly HIPAA. They further state that since the introduction of the Health Data Breach Notification Rule, no enforcement action has been taken.

The researchers showed that it is possible to obtain personal information and personal health information without highly advanced cyberattack techniques, using only the usual third-party advertising tools. Although the research did not confirm any deliberate deception of individuals, it was also unclear to what extent these companies knew that user health information was being tracked and provided to Facebook to serve targeted ads.

The marketing tools exhibit a dark pattern of tracking vulnerable patients across platforms as they browse the internet, in ways that are not transparent to the companies and patient populations using Facebook. Although the digital medicine ecosystem relies on social networks to acquire customers and grow their businesses through advertising-related marketing programs, these practices at times contradict their own stated privacy policies and promises to their customers.

The study, entitled Health advertising on Facebook: Privacy and Policy Considerations, was published in the journal Patterns on August 15, 2022.

FTC Sues Kochava Over Illegal Collection and Sale of Sensitive Geolocation Data

The Federal Trade Commission (FTC) is suing the data broker Kochava in Idaho for illegally collecting and selling the sensitive information of mobile users, in violation of the FTC Act. According to the lawsuit, Kochava is alleged to be collecting and selling the precise geolocation information of consumers together with data that allows individuals to be identified. The location information is tied to a Mobile Advertising ID (MAID), a unique identifier assigned to a consumer’s mobile device for advertising purposes. Although a MAID can be changed, the user must proactively reset it on their mobile device.

Kochava’s clients can buy a license for feeds of premium data consisting of timestamped latitude and longitude coordinates showing the location of mobile devices, together with unique identifiers. The data is used for various purposes, such as advertising and monitoring retail store foot traffic. Although Kochava clients must pay for a subscription to access the data, a free data sample is provided. To access the sample, it is only necessary to sign up for a free AWS account and obtain Kochava’s approval. There are no restrictions on the use of the sample data. The sample covers a 7-day period, and the FTC states in the complaint that one day’s worth of data in the free sample contained 327,480,000 rows, 11 columns, and data collected from over 61,803,400 unique mobile devices.

It is possible to identify which consumers visited a reproductive health clinic by plotting the longitude and latitude coordinates in the Kochava data stream using a publicly available map application. Additionally, because every set of coordinates is timestamped, a mobile device that visited a location can be identified. The same techniques could be used to track consumers’ visits to other sensitive locations. The FTC states that a number of data brokers promote services that match MAIDs with consumers’ names and physical addresses, although it is possible to identify individuals without those services based on dwell time and regularity of visits to certain locations and on public information.

The FTC says Kochava has not implemented any technical controls to prevent its clients from identifying users or tracking visits to sensitive locations, such as using blacklists to remove location data when people visit sensitive places like abortion clinics, mental health providers, and addiction treatment facilities. The FTC’s review of the data sample confirmed that one device had visited a women’s reproductive health clinic, and revealed that person’s home address.

The FTC claims that the sale of sensitive geolocation data represents an unwarranted invasion of consumers’ privacy and is likely to cause substantial injury. The lawsuit alleges that Kochava’s business practices constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), and that consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Kochava’s violation of the FTC Act. The lawsuit seeks to end the sale of sensitive geolocation data and to have all sensitive location data collected by Kochava deleted.

Earlier this month, Kochava filed a lawsuit seeking to block the FTC lawsuit, in which it said that it had implemented a new feature on August 10, 2022, called Privacy Block. The feature removes sensitive location data from its marketplace, including location data showing visits to healthcare providers.
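The technical control the FTC says was missing, and the kind of feature Privacy Block is described as, can be demonstrated on a constructed feed. The Python below is an added example, not Kochava's code or the FTC's analysis; the feed layout (maid, timestamp, lat, lon), the geofenced site and the rows are assumptions. It also goes one step beyond the point-level blacklist the text mentions: because every record is timestamped, dropping only the points inside a geofence still leaves the device's approach and departure, so a window of that device's records around each hit is suppressed as well.

```python
"""Suppress location records around sensitive places in a MAID location feed.

Added example, not Kochava's code or the FTC's analysis. Contrasts a naive
point-level geofence filter with a device-level filter that also drops the
records shortly before and after a visit. The feed layout (maid, ts, lat, lon),
the site list and the rows are constructed for illustration.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside_sensitive_site(row, sites):
    """True if the record falls within the geofence radius of any listed site."""
    return any(haversine_m(row["lat"], row["lon"], s["lat"], s["lon"]) <= s["radius_m"]
               for s in sites)


def naive_drop_inside(rows, sites):
    """Point-level filter: removes only the records that fall inside a geofence.
    The device's records just outside the fence still show the trip."""
    return [r for r in rows if not inside_sensitive_site(r, sites)]


def suppress_sensitive(rows, sites, window_s=1800):
    """Device-level filter: for every device that produced a record inside a
    geofence, also drop all of that device's records within window_s seconds
    of the hit, so the trip to and from the site cannot be reconstructed."""
    hit_times = {}
    for r in rows:
        if inside_sensitive_site(r, sites):
            hit_times.setdefault(r["maid"], []).append(r["ts"])
    kept = []
    for r in rows:
        near_hit = any(abs(r["ts"] - t) <= window_s
                       for t in hit_times.get(r["maid"], []))
        if not near_hit:
            kept.append(r)
    return kept


# Constructed sensitive site (fictional coordinates) with a 100 m geofence.
SENSITIVE_SITES = [
    {"name": "clinic-placeholder", "lat": 40.0, "lon": -105.0, "radius_m": 100.0},
]

# Constructed feed rows; ts is in seconds. maid-A visits the site, maid-B never does.
SAMPLE_ROWS = [
    {"maid": "maid-A", "ts": 100,  "lat": 40.0100, "lon": -105.0},  # ~1.1 km away, well before
    {"maid": "maid-A", "ts": 3000, "lat": 40.0002, "lon": -105.0},  # ~22 m: inside the geofence
    {"maid": "maid-A", "ts": 3500, "lat": 40.0050, "lon": -105.0},  # ~556 m: leaving, 500 s later
    {"maid": "maid-A", "ts": 6000, "lat": 40.0100, "lon": -105.0},  # 3000 s after the hit
    {"maid": "maid-B", "ts": 3000, "lat": 40.0300, "lon": -105.0},  # ~3.3 km away
]

if __name__ == "__main__":
    print(len(naive_drop_inside(SAMPLE_ROWS, SENSITIVE_SITES)), "rows after naive filter")
    print(len(suppress_sensitive(SAMPLE_ROWS, SENSITIVE_SITES)), "rows after windowed suppression")
```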

$300,640 HIPAA Penalty Issued Due to Improper PHI Disposal

New England Dermatology P.C., based in Massachusetts, dba New England Dermatology and Laser Center (NDELC), has agreed to settle an alleged HIPAA Privacy Rule violation case by paying a $300,640 penalty to the HHS’ Office for Civil Rights (OCR).

On May 11, 2021, NDELC notified OCR of a privacy breach affecting the protected health information (PHI) of 58,106 individuals. On March 31, 2021, NDELC had disposed of empty specimen containers in a regular dumpster in a parking lot at NDELC. The containers had labels bearing patients’ names, birth dates, sample collection dates, and the names of the providers that collected the samples. OCR investigated the incident, and NDELC revealed that it was standard practice to dispose of empty specimen containers with regular waste. Employees had followed this practice from February 4, 2011, until March 31, 2021.

The administrative requirements of the HIPAA Privacy Rule (45 C.F.R. § 164.530(c)) require the implementation of appropriate administrative, physical and technical safeguards to protect the privacy of PHI. Covered entities must reasonably safeguard PHI to limit incidental uses or disclosures, and must reasonably safeguard PHI from any intentional or unintentional use or disclosure. If PHI is not legally required to be retained, it should be disposed of securely, meaning it should be rendered essentially unreadable, indecipherable, and unable to be reconstructed before disposal.

In addition to the violation of 45 C.F.R. § 164.530(c), OCR found that there was an impermissible disclosure of PHI to unauthorized persons, in violation of 45 C.F.R. § 164.502(a). NDELC agreed to settle the case without admitting liability. In addition to paying the financial penalty, NDELC has agreed to adopt a corrective action plan, which includes two years of monitoring.

Improper disposal of protected health information creates an unnecessary risk to patient data security, said Acting OCR Director Melanie Fontes Rainer. HIPAA-covered entities must take all necessary steps to ensure patient data is disposed of securely, and patient information must be kept out of public reach. Rainer succeeded Lisa J. Pino in July 2022; Pino had served as OCR Director for around 10 months.

OCR has been busy with HIPAA enforcement. So far, 17 HIPAA cases have been resolved with financial penalties in 2022, compared with 19 cases with financial penalties in 2020.

Data Exposed at Lamoille Health Partners and California Department of Corrections and Rehabilitation

The California Department of Corrections and Rehabilitation (CDCR) recently discovered that unauthorized individuals had gained access to one of its information systems. The breached system held medical information on everyone screened for COVID-19 between June 2020 and January 2022, including staff members, visitors, and other persons, but not inmates. The COVID-19 screening data included names, home addresses, telephone numbers, email addresses, dates of birth, and COVID-19 test results.

The system also held the mental health data of inmates in the Mental Health Services Delivery System dating back to 2008, along with information on parolees who took part in substance use disorder treatment programs. Some of the compromised data included trust account details, driver’s license numbers, and Social Security numbers.

The inmate information comprised names, CDCR numbers, mental health histories, mental health treatment, and mental health diagnoses. Data in the Trust, Restitution, Accounting, and Canteen System (TRACS) was also likely involved, including transactions made by CDCR to and from trust accounts dating back to 2008, together with some trust account numbers.

CDCR said the breach was discovered during routine maintenance. The investigation could not determine when the system was first compromised; however, suspicious activity was observed in a file transfer system from December 2021. CDCR cannot confirm whether any specific information was accessed or exfiltrated, and said no evidence was found to suggest that any exposed information had been compromised or misused.

CDCR said its procedures and practices have been modified to reduce the chance of further breaches, and the affected computer system has been taken out of service. A replacement system with stronger security controls has been deployed.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is still unclear how many people were affected.

Lamoille Health Partners Suffers Ransomware Attack

Lamoille Health Partners, based in Vermont, has announced that it suffered a ransomware attack on June 13, 2022. It took prompt action to prevent further unauthorized access to its systems, and a third-party digital forensics firm assisted with the investigation. Lamoille Health Partners said it was able to securely restore the encrypted files from backups, so no ransom was paid; however, the forensic investigation confirmed that the attackers had access to its systems from June 12, 2022 to June 13, 2022. During that time, files containing patients’ protected health information (PHI) may have been accessed or obtained.

On June 24, 2022, Lamoille Health Partners confirmed that the records that may have been viewed contained patient data such as names, dates of birth, addresses, health insurance information, medical treatment information, and Social Security numbers. 59,381 individuals have been notified about the exposure of their PHI. Complimentary identity protection and credit monitoring services were offered to those whose Social Security numbers were exposed.

Novant Health Patients PHI Exposed via Meta Pixel Code on Patient Portal

Novant Health has notified patients about a breach of their protected health information (PHI) caused by a misconfiguration of Meta Pixel code on its patient portal.

Code Snippet Transmitting Sensitive Patient Information to Meta

Earlier this year, The Markup investigated the use of Meta Pixel code on healthcare providers’ websites. The investigation found that 33 of the top 100 hospitals in America had Meta Pixel code on their websites, and that 7 hospitals had the code on their password-protected patient portals. The 7 hospitals were FastMed, Community Health Network, Edward-Elmhurst Health, Novant Health, Renown Health, WakeMed, and Piedmont.

Meta Pixel is a snippet of JavaScript code used to track website visitors; the data it collects is sent to Meta (Facebook), where it can be used to serve targeted advertisements. Meta says that companies using Meta Pixel are not supposed to send sensitive information, and that if Meta discovers it has been sent sensitive information in error, that information is filtered out so it is not used for targeted advertising. That process does not appear to be working well: even though the data is filtered out, it is still being transmitted to Meta.

Since the report was published, several lawsuits have been filed on behalf of individuals whose personal data and PHI were shared with Meta through Meta Pixel code on healthcare provider portals. The lawsuits allege violations of federal and state privacy laws because the data was transmitted without the patients’ express consent.

A patient of Baltimore-based MedStar Health System filed a class action lawsuit alleging that Meta Pixel was used on the websites of about 664 healthcare providers, allowing patient information to be transmitted to Meta in violation of the Health Insurance Portability and Accountability Act (HIPAA). Another lawsuit was filed against Meta, Dignity Health, and the University of California San Francisco, with the lead plaintiff claiming to have received targeted advertisements after sharing sensitive data about a health matter on the patient portal. More recently, a similar lawsuit was filed against Meta and Northwestern Memorial Hospital in Chicago, IL.

Novant Health Informs Patients Concerning Meta Pixel Data Breach

Novant Health recently notified an as-yet-unknown number of patients about the disclosure of some of their protected health information (PHI) to Meta. It is the first healthcare provider to send breach notification letters to patients in connection with its use of Meta Pixel code.

Novant Health said in its breach notification letters that an improper configuration of the [Meta] Pixel resulted in the transfer of PHI to Meta. It also said it wished to be transparent about the breach and about why it used the pixel code on its website.

During the COVID-19 pandemic, Novant Health ran a promotional campaign to connect more patients to its Novant Health MyChart patient portal. The goals were to improve access to care through virtual consultations and to expand access in response to the limits on in-person care. The campaign used Facebook ads, and a Meta tracking pixel was added to its website to measure the success of those advertisements. However, the pixel was configured incorrectly and may have allowed certain private data to be sent to Meta from its website and MyChart portal.

When informed of the potential privacy breach, Novant Health promptly disabled and removed the pixel from the patient portal and launched an investigation to determine the extent to which data had been sent to Meta. On June 17, 2022, Novant Health confirmed that PHI may have been unintentionally transmitted, depending on the actions a user took on the patient portal. The data sent would have varied from individual to individual, and may have included a person’s email address, telephone number, IP address, button/menu selections, contact information entered into Advanced Care Planning or Emergency Contacts, appointment type and date, chosen physician, and/or content typed into free-text boxes.

Novant Health said it found no evidence that Meta or any third party has used the transferred data. If a person entered financial information or a Social Security number, that data may also have been transmitted to Meta. Novant Health said the notification letters sent to individuals would state whether such data was disclosed, and that in those cases free credit monitoring services will be provided.
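The Markup’s finding (pixel code on password-protected portal pages) and Novant Health’s own description (button selections, appointment details and free-text fields leaving the portal) suggest a simple static check a healthcare web team can run over its own page source. The following is an added example written for this page; it is not code from Novant Health, The Markup, or Meta. The regexes match the Meta Pixel loader and the `fbq('init', ...)` / `fbq('track', ...)` calls as they normally appear in page source; the sample pages, hostnames and the pixel ID `000000000000000` are constructed. A pixel on an authenticated page is rated high, on a public page with form fields medium, and on a public page without forms low.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Signatures of the Meta Pixel as it normally appears in page source.
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[A-Za-z_\-]+/fbevents\.js")
PIXEL_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
PIXEL_TRACK = re.compile(r"fbq\(\s*['\"](?:track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
# Form controls whose values a misconfigured pixel could capture.
FORM_FIELD = re.compile(r"<(?:input|textarea|select)\b[^>]*\bname=['\"]([^'\"]+)['\"]", re.I)


@dataclass
class PixelFinding:
    url: str
    authenticated: bool      # page sits behind a patient login
    pixel_ids: List[str]     # IDs passed to fbq('init', ...)
    tracked_events: List[str]
    form_fields: List[str]   # names of inputs on the same page
    severity: str            # "high" | "medium" | "low"


def audit_page(url: str, html: str, authenticated: bool) -> Optional[PixelFinding]:
    """Return a finding if the page carries the Meta Pixel, else None."""
    pixel_ids = PIXEL_INIT.findall(html)
    events = PIXEL_TRACK.findall(html)
    if not (PIXEL_LOADER.search(html) or pixel_ids or events):
        return None
    fields = FORM_FIELD.findall(html)
    if authenticated:
        severity = "high"      # anything sent from here is tied to a patient
    elif fields:
        severity = "medium"    # public page, but user-entered values are at stake
    else:
        severity = "low"       # public marketing page with no input
    return PixelFinding(url, authenticated, pixel_ids, events, fields, severity)


# Constructed pixel snippet, shaped like the standard loader (body omitted).
PIXEL_SNIPPET = """<script>
!function(f,b,e,v,n,t,s){/* loader body omitted in this example */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');  /* constructed pixel id */
fbq('track', 'PageView');
</script>"""

# Constructed crawl of four pages: (behind_login, html).
SAMPLE_PAGES: Dict[str, Tuple[bool, str]] = {
    "https://www.example-health.test/covid-virtual-care":
        (False, "<html><body><h1>Virtual care</h1>" + PIXEL_SNIPPET + "</body></html>"),
    "https://www.example-health.test/login":
        (False, "<html><body><form><input name='username'>"
                "<input name='password' type='password'></form>" + PIXEL_SNIPPET + "</body></html>"),
    "https://portal.example-health.test/appointments":
        (True, "<html><body><form><select name='provider'></select>"
               "<input name='appointment_date'><textarea name='reason_for_visit'></textarea></form>"
               + PIXEL_SNIPPET + "<script>fbq('track', 'Schedule');</script></body></html>"),
    "https://portal.example-health.test/about":
        (True, "<html><body><p>No tracking here.</p></body></html>"),
}


def run_audit(pages: Dict[str, Tuple[bool, str]] = SAMPLE_PAGES) -> Dict[str, PixelFinding]:
    """Audit every page and keep only those where the pixel was found."""
    findings = {}
    for url, (authenticated, html) in pages.items():
        finding = audit_page(url, html, authenticated)
        if finding is not None:
            findings[url] = finding
    return findings


if __name__ == "__main__":
    for url, f in run_audit().items():
        print(f"{f.severity:6} {url}  events={f.tracked_events} fields={f.form_fields}")
```

A source-level scan only catches pixels written directly into the page; a pixel injected through a tag manager will not match, so the static check should be paired with a browser-side review of outbound requests from authenticated pages. The finding records the form field names precisely so the reviewer can see which user-entered values were exposed to the tracker on that page.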

Cyberattacks Suffered by First Choice Community Healthcare and Arlington Skin

First Choice Community Healthcare, located in Albuquerque, NM, has begun notifying a number of patients that an unauthorized individual gained access to its network and may have stolen patient information. First Choice explained in a substitute breach notice that it discovered unusual activity on its IT systems on March 27, 2022. A third-party cybersecurity firm was engaged to conduct a forensic investigation and determine the nature and scope of the breach. Although it could not be confirmed whether the unauthorized individual accessed or exfiltrated any files, the possibility could not be ruled out.

A comprehensive review of the affected files was completed on June 3, 2022, which confirmed the potential compromise of the following data: names, First Choice patient ID numbers, dates of birth, Social Security numbers, diagnoses, clinical treatment information, prescription medications, dates of service, health insurance information, patient account numbers, medical record numbers, and provider information. Affected individuals were notified by mail on August 1, 2022, and were offered free identity theft protection services through IDX.

The breach has not yet appeared on the HHS’ Office for Civil Rights portal, so it is currently unclear how many individuals were affected.

17,468 Arlington Skin Patients Informed About Electronic Medical Records Breach

Dr. Michelle A. Rivera, MD, also known as Arlington Skin in Virginia, has begun notifying 17,468 patients that their protected health information (PHI) may have been accessed by unauthorized persons during a security breach at Virtual Private Network Solutions (VPN Solutions), a business associate.

VPN Solutions manages the electronic medical records of Arlington Skin patients using the Allscripts practice management and electronic medical records system. VPN Solutions detected the cyberattack on or around October 31, 2021. According to the forensic investigation, the attack may have affected the following data: names, addresses, dates of birth, diagnostic and treatment information, health insurance information, and Social Security numbers.

Arlington Skin began sending notification letters to affected individuals on July 8, 2022. No evidence of data theft was found; however, as a precaution, fraud support and remediation services were offered to affected individuals through CyberScout.

Ransomware Attack at Mailing Vendor Affected 326,278 Aetna ACE Members

The health insurer Aetna ACE recently announced that it was affected by a ransomware attack on a mailing vendor, resulting in a breach of the protected health information (PHI) of 326,278 plan members. Aetna said the breach only affected individuals insured by Aetna ACE and did not involve the PHI of individuals served by CVS Health or Aetna.

The ransomware attack affected OneTouchPoint, which provides printing and mailing services to U.S. organizations, including billing providers used by healthcare companies. OneTouchPoint is given access to contact data and certain other data types in order to deliver its contracted services. On April 28, 2022, OneTouchPoint discovered that files on its systems had been encrypted. The unauthorized access occurred a day earlier, on April 27, 2022.

Third-party cybersecurity experts were engaged to investigate the breach. The investigation concluded on June 1, 2022, but it could not be determined which specific files had been exfiltrated from the network. Affected customers were notified on June 3, 2022, and OneTouchPoint is working to determine which customers’ data may have been accessed or stolen. The compromised, and possibly stolen, information may have included names, addresses, dates of birth, member IDs, and some medical information.

OneTouchPoint said it offered to mail notification letters to all affected individuals; however, some of its clients chose to self-report the breach and mail the letters themselves. OneTouchPoint submitted a breach report to the Maine Attorney General on behalf of 30 health plans, stating that 1,073,316 individuals were affected. Aetna ACE chose to self-report the breach. Other health plans affected by the ransomware attack on OneTouchPoint include Anthem, Kaiser Permanente, Humana, Health First, Geisinger, UPMC Health Plan, Blue Cross and Blue Shield of Alabama, Blue Shield of California Promise Health, and other affiliated Blue Cross Blue Shield health plans.

This is not the first time Aetna ACE has experienced a data breach at a business associate. A phishing attack on a business associate in 2020 exposed the PHI of 484,157 Aetna ACE plan members. An employee of the vendor EyeMed responded to a phishing email, giving unauthorized persons access to email accounts that contained the PHI of 2.1 million individuals. EyeMed paid a $600,000 fine to the New York State Attorney General for the security failures that led to the breach.

Aetna also experienced a mailing-related data breach in 2017, which affected 12,000 individuals. In that case, a mailing was sent to members to inform them of the options available for obtaining their HIV medication. However, window envelopes were used, so the HIV medication details could be read by anyone handling the mail, revealing that the recipients were being treated for HIV or were taking HIV medication to prevent infection. State attorneys general investigated Aetna over the incident, and Aetna paid more than $2,725,000 in penalties to settle the case. A $1,000,000 fine was also imposed by the HHS’ Office for Civil Rights, and Aetna settled a $17 million class action lawsuit.

IBM Report Reveals Record High $10.1 Million Average Cost of a Healthcare Data Breach

IBM’s 2022 Cost of a Data Breach Report reveals that, for the first time, the average cost of a healthcare data breach has reached double digits, rising from roughly $1 million to $10.1 million. That is 9.4% higher than in 2021 and 41.6% higher than in 2020. Across all industries, the average cost of a data breach rose 2.6% year over year to $4.35 million, the highest average cost in the 17 years of the report and 12.7% higher than in 2020.

For the report, IBM Security studied 550 organizations across 17 countries and regions and 17 industries that suffered data breaches between March 2021 and March 2022. More than 3,600 interviews were conducted with individuals at those organizations. 83% of the participating organizations had experienced one or more data breaches, and 60% said the breach led them to raise the prices of their goods and services.

Overview of Data Breach Costs in 2022

  • $4.35 million: global average cost of a data breach
  • $164: global average cost per breached record
  • $9.44 million: average cost of a data breach in the U.S.
  • $10.1 million: average cost of a healthcare data breach
  • $49 million: average cost of a 1 million record data breach
  • $387 million: average cost of a 50-60 million record data breach
  • $4.54 million: average cost of a ransomware attack
  • $4.91 million: average cost of a breach with phishing as the initial attack vector

In 2022, for the first time, the largest share of data breach costs was detection and escalation, at $1.44 million (up from $1.24 million in 2021). Next was lost business, with an average cost of $1.42 million (down from $1.59 million in 2021). Post-breach response costs rose slightly to $1.18 million from $1.14 million in 2021, and notification costs rose slightly to $0.31 million from $0.27 million in 2021.

Typically, 52% of breach costs are incurred in the first year, 29% in the second year, and 19% more than two years after the breach. In highly regulated industries such as healthcare, a much larger share of the costs is incurred later: 45% in the first year, 31% in the second year, and 24% after the second year, which the report attributes to regulatory and legal expenses.

The report examined the initial attack vectors and found that the most common entry point was the use of stolen credentials (19% of all data breaches), with an average breach cost of $4.5 million. Phishing accounted for 16% of all data breaches and was the most expensive attack vector, with an average cost of $4.91 million. Business email compromise attacks accounted for 6% of breaches, with an average cost of $4.89 million. Cloud misconfigurations accounted for 15% of breaches, with an average cost of $4.14 million. Finally, vulnerabilities in third-party software accounted for 13% of breaches, with an average cost of $.55 million per breach.

In 2022, the average time to identify a data breach was 207 days, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter time to identify and contain a breach (the breach lifecycle) translates into a lower breach cost: breaches with a lifecycle of under 200 days cost 26.5% ($1.12 million) less on average than breaches with a lifecycle of over 200 days.

A key step for improving security is adopting a zero trust approach; however, only 59% of organizations had implemented zero trust, and about 80% of critical infrastructure organizations had not yet adopted zero trust strategies. The average breach cost for critical infrastructure organizations that had not implemented zero trust was $5.4 million, which is $1.17 million higher than for those that had.

 

PHI Exposed in Data Breaches at Clinivate, Kaiser Permanente, and McLaren Port Huron Hospital

Clinivate Reports Compromise of 77,652 Records

Clinivate, a Pasadena, CA-based provider of EHR solutions for behavioral health centers and schools, has issued an update on the data breach it reported to the HHS’ Office for Civil Rights on June 2, 2022.

According to a breach notification sent to the California Attorney General, unusual activity was detected on its IT systems on March 23, 2022. A forensic investigation confirmed that an unauthorized third party had accessed its network. On May 25, 2022, it was confirmed that the files accessed by that third party between March 12, 2022 and March 21, 2022 contained individuals’ protected health information (PHI).

The files contained the PHI of 77,652 individuals, including names, health plan beneficiary numbers, medical record numbers, treatment information, diagnosis information, other medical information, and information about payments for health services.

Clinivate has notified affected individuals and said it has implemented additional safeguards to prevent further breaches.

McLaren Port Huron Hospital Announces Compromise of PHI of 49,000 Individuals in MCG Health Cyberattack

McLaren Port Huron Hospital has announced that the PHI of a number of patients was exposed in a cyberattack on a former business associate, MCG Health. MCG Health provides patient care guidelines to numerous health plans and about 2,600 hospitals in the U.S. On March 25, 2022, MCG Health discovered that an unauthorized third party had obtained data from its systems that included data elements such as names, medical codes, Social Security numbers, postal addresses, phone numbers, email addresses, dates of birth, and gender. Many MCG Health clients were affected by the breach.

McLaren Port Huron Hospital said it was notified of the breach on June 9, 2022. Because of the delayed notification, it has not been able to conduct its own investigation to determine whether patient information was actually exposed, but it has sent notifications to all affected individuals to advise them that their PHI may have been stolen. McLaren Port Huron Hospital stopped using MCG Health in 2019.

The breach was reported to the HHS’ Office for Civil Rights as affecting 48,957 McLaren Port Huron Hospital patients. Affected individuals have been offered complimentary identity theft protection and credit monitoring services for 24 months.

Kaiser Permanente Reports Theft of iPad Containing PHI

Kaiser Permanente has started notifying certain individuals about the theft of an iPad containing their protected health information. The iPad was kept in a locked storage area at the Kaiser Permanente Los Angeles Medical Center. An unknown individual broke into the storage area and stole the iPad, and also obtained the password for accessing the device.

The device was used at a Kaiser Permanente COVID-19 testing site and contained photographs of COVID-19 specimen labels and PHI such as names, medical record numbers, dates of birth, and dates and locations of service. The theft was detected the same day, and Kaiser Permanente remotely wiped the data on the device, including all photos.

Kaiser Permanente said it has moved devices containing PHI to a more secure location and has strengthened its internal policies and procedures. Kaiser Permanente said the iPad contained the PHI of around 75,000 health plan members.

 

Cloud Security Alliance Issues Third Party Vendor Risk Management Guidance for Healthcare Companies

Cyber attackers are increasingly targeting business associates of HIPAA-covered entities because they offer a route into the systems of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) address the problem, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group; it includes examples and use cases and describes some of the risk management program resources that HDOs can draw on.

Third-party vendors provide valuable services to HDOs, including services that cannot be delivered efficiently in-house; however, using vendors introduces cybersecurity, compliance, reputational, operational, privacy, strategic, and financial risks that must be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks of using third-party vendors, so as to prevent security incidents and data breaches and to limit their severity.

Cyberattacks on vendors serving the healthcare sector have grown in recent years. Rather than attacking an HDO directly, a threat actor may attack a vendor to obtain sensitive information or to abuse the vendor’s privileged access to an HDO’s systems. For example, a successful attack on a managed service provider (MSP) gives an attacker access to the systems of all of the MSP’s clients through the MSP’s privileged access to client networks. This is attractive to attackers because they do not need to break into each MSP client’s systems individually.

Whenever third-party vendors are used, the attack surface grows considerably, and controlling and reducing the risk is often a challenge. Although third-party vendors are used in all industries, third-party vendor security risks are most prevalent in healthcare. The CSA attributes this to a lack of automation, heavy use of digital applications and medical devices, and a shortage of fully deployed critical vendor management controls. Because healthcare organizations typically use many vendors, conducting thorough and accurate risk assessments of every vendor and implementing critical vendor management controls can be a very labor-intensive and expensive process.

Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group, said that healthcare delivery organizations place their trust in third-party vendors for the security of their sensitive information, finances, reputation, and more. Given the value of this critical, sensitive information, along with regulatory and compliance requirements, it is essential to identify, assess, and mitigate third-party cyber risks. The paper provides an overview of third-party vendor challenges in healthcare along with recommended identification, detection, response, and mitigation strategies.

When an HDO chooses to use a third-party vendor, it is vital that effective monitoring controls are implemented; however, the volume of third-party and vendor-related data breaches makes it clear that many healthcare organizations struggle to identify, protect against, detect, respond to, and recover from these incidents, which indicates that current approaches to assessing and managing vendor risk are falling short. These failures can have a significant financial impact, not only in breach mitigation costs: HDOs also face the risk of regulatory penalties from the HHS’ Office for Civil Rights and state attorneys general, and there is a substantial risk of long-term reputational damage.

The CSA makes several recommendations in the paper, including adopting the NIST Cybersecurity Framework for assessing, measuring, and monitoring third-party risk. The NIST Framework is primarily focused on cybersecurity, but the same principles can be applied to measuring other kinds of risk. The framework’s core functions are Identify, Protect, Detect, Respond, and Recover. Using the framework, HDOs can identify the risks each vendor poses, know what information is shared with each, prioritize vendors by risk level, apply safeguards to protect critical services, ensure monitoring controls are in place to detect security incidents, and put a plan in place for responding to and preventing security breaches.

BJC HealthCare Settles Data Breach Lawsuit Arising from 2020 Phishing Attack

BJC HealthCare has agreed to settle a class action lawsuit filed over its failure to adequately protect patient data from phishing attacks. On May 5, 2020, the St. Louis-based nonprofit hospital system reported an email system breach affecting 287,876 individuals. The investigation confirmed that three email accounts were compromised in March 2020 after employees responded to phishing emails. Although data theft could not be established, the affected email accounts contained the protected health information (PHI) of patients of 19 of its hospitals. The types of information potentially compromised included names, dates of birth, health insurance information, driver’s license numbers, Social Security numbers, and healthcare information.

The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, initially alleged 10 counts against the defendants and survived two motions to dismiss, with the lawsuit permitted to proceed on 8 of the 10 counts:

  • breach of contract
  • unjust enrichment
  • negligence
  • negligence per se
  • vicarious liability
  • breach of the covenant of good faith and fair dealing
  • violations of the Missouri Merchandising Practices Act (MMPA) and the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA)

BJC HealthCare agreed to settle the lawsuit without admitting liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will set aside funds to cover claims from affected individuals up to a maximum of $5,000. Each affected individual may submit a claim for ordinary and extraordinary expenses incurred as a result of the breach.

Claims may be filed for ordinary expenses such as bank fees, interest, credit monitoring costs, postage, mileage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are capped at $250 per person. Claims of up to $5,000 may be submitted for extraordinary expenses, such as documented monetary losses and up to three additional hours of lost time at $20 per hour. BJC HealthCare has also agreed to provide two years of free identity theft protection and credit monitoring services. Named plaintiffs will receive approximately $2,000, and BJC HealthCare will cover the plaintiffs’ legal costs. BJC HealthCare has committed $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to improve protection against phishing attacks.

Claims must be filed by Dec. 14, 2022. The final approval hearing for the settlement is scheduled for Sept. 6, 2022.

In May 2022, BJC HealthCare reported another email breach to the HHS’ Office for Civil Rights. The incident was listed as affecting 500 people, a placeholder commonly used until the exact number of affected individuals is known. The breach occurred two months earlier.

FTC to Enforce Laws that Prevent the Illegal Use and Disclosure of Location and Sensitive Health Information

The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Rules, which restrict the uses and disclosures of healthcare information by HIPAA-covered entities and their business associates. The Federal Trade Commission (FTC) polices entities not covered by HIPAA, privacy violations, and illegal uses and disclosures of sensitive consumer data. The FTC recently announced that it will fully enforce the law to stop illegal uses and disclosures of highly sensitive information.

A person’s precise location and information about their health are common types of sensitive data collected by connected devices such as smartphone apps, fitness trackers, and browsers. This sensitive data is then combined with other information, monetized, and bought by third parties, usually without the knowledge of the people it concerns.

Kristin Cohen, Acting Associate Director of the FTC’s Division of Privacy & Identity Protection, said that highly personal data that people would not want to share even with family, co-workers, or friends is being disclosed to total strangers, who often use shadowy ad tech and data broker systems to profit from sharing the data at an unprecedented scale.

Connected devices can collect location data even when they are not in use. Data about a person’s workplace, sleep, social activities, place of worship, and medical appointments can be obtained. Although many people may agree to share their location to get real-time crowd-sourced information about the quickest way home, they would likely not want their online identity linked to how often they visit a doctor or therapist. Once a company has obtained such information, consumers usually do not know who has it or how it has been used. After collection, the data enters a large and intricate marketplace of sellers, buyers, and sharers.

Because of the SCOTUS ruling that overturned Roe v. Wade, many have scrutinized data collection and sharing practices because of the potential for collected location data and information associated with personal reproductive health, including that of people considering abortion, to be misused.

According to Cohen, Copley Advertising, LLC settled a case in 2017 regarding its use of geolocation technology that detected people passing through a digital fence around an abortion clinic. The identified persons were then targeted with ads about alternatives to abortion. The FTC likewise recently resolved a case against Flo Health because of its disclosure of the sensitive information of people who used its period and fertility tracking application. The company had told users that the information collected by the app would be kept private and confidential, but did not honor that promise.

Cohen stated that the wrong use of location and health information puts consumers at risk. They could suffer harm from phishing attacks, physical and emotional injury, extortion, stigma, discrimination, and mental anguish.

Cohen said the FTC will use all its legal authorities to protect the privacy of consumers. The law will be enforced on those who illegally exploit the location, medical, or other sensitive information of Americans.

The FTC will enforce laws such as the FTC Act, which forbids unfair and fraudulent trade practices; the Safeguards Rule; the Children’s Online Privacy Protection Rule; and the Health Breach Notification Rule.

The FTC will also go after organizations that claim to anonymize or aggregate consumer information but do so only to deceive. They are in violation of the FTC Act. The FTC has already taken action against companies that use location information without permission, improperly obtain and store sensitive data, and do not respect individual requests to remove sensitive data.

OCR Issued 11 More Financial Penalties Due to HIPAA Right of Access Violations

The Department of Health and Human Services’ Office for Civil Rights has alerted healthcare companies regarding the importance of complying with the HIPAA Right of Access. It also announced 11 new financial penalties for HIPAA-covered entities that failed to give patients their medical records promptly. With the most recent batch of enforcement actions, there are now 38 financial penalties imposed under the HIPAA Right of Access enforcement initiative.

The HIPAA Right of Access upholds the right of individuals to examine the protected health information (PHI) that a HIPAA-covered entity keeps about them, check it for errors, and ask for the correction of any errors. Individuals may likewise ask for a copy of their PHI from healthcare providers and health plans. Upon request, the provider must give the requested copy in full within 30 days. In very restricted instances, a single 30-day extension is allowed. Patients or their nominated representatives may submit requests. For minors, their parents and legal guardians may obtain a copy of the minor’s data. Any person asking for a copy of their information can only be billed a reasonable, cost-based fee for the copy. The information must be given in the format requested by the patient, as long as the HIPAA-covered entity is technically capable of providing records in that format.
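The timeliness rule above (30 days from receipt, one further 30-day extension in limited cases) is easy to lose track of across many requests. The following request tracker is an added example, not code from the page or from OCR; it assumes the extension applies only when the entity has notified the requester, and the dates in its sample log are constructed, not taken from the enforcement actions listed on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

INITIAL_WINDOW = timedelta(days=30)   # records due within 30 days of the request
EXTENSION = timedelta(days=30)        # one 30-day extension, in limited cases only


@dataclass
class AccessRequest:
    request_id: str
    received: date
    extension_notified: bool = False   # assumption: extension counts only if the requester was notified
    fulfilled: Optional[date] = None   # None means the records have not been provided yet


def deadline(req: AccessRequest) -> date:
    """Date by which the covered entity must provide the requested records."""
    due = req.received + INITIAL_WINDOW
    if req.extension_notified:
        due += EXTENSION
    return due


def days_overdue(req: AccessRequest, as_of: date) -> int:
    """Days past the deadline, measured at fulfilment or, for open requests, at as_of."""
    end = req.fulfilled or as_of
    return max(0, (end - deadline(req)).days)


def review(requests: List[AccessRequest], as_of: date) -> List[Tuple[str, int]]:
    """List (request_id, days_overdue) for every request that was, or still is, late."""
    return [(r.request_id, days_overdue(r, as_of))
            for r in requests if days_overdue(r, as_of) > 0]


# Constructed sample log: four requests received the same day, handled differently.
SAMPLE = [
    AccessRequest("R-001", date(2022, 1, 3), fulfilled=date(2022, 1, 20)),                          # on time
    AccessRequest("R-002", date(2022, 1, 3), extension_notified=True, fulfilled=date(2022, 2, 28)),  # on time with extension
    AccessRequest("R-003", date(2022, 1, 3), fulfilled=date(2022, 3, 15)),                          # late
    AccessRequest("R-004", date(2022, 1, 3)),                                                       # still open
]

if __name__ == "__main__":
    for request_id, late in review(SAMPLE, date(2022, 7, 1)):
        print(f"{request_id}: {late} days past deadline")
```

Run against a real request log, a report like this gives a covered entity an early warning long before a delay reaches the months-long figures in the settlements listed below.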

OCR started its HIPAA Right of Access enforcement initiative in 2019 due to prevalent non-compliance with this HIPAA right. Health care providers ought to keep in mind that there are currently 38 enforcement actions in the Right of Access Initiative. OCR is serious about upholding the rules and the right of people to prompt access to their health records.

Penalties of the HIPAA Right of Access

The most recent penalties were all imposed for failure to give prompt access to a person’s health records, not for billing unreasonable fees for the information. All except one of the cases were settled with OCR, and the covered entities agreed to implement a corrective action plan to address the non-compliance issues and prevent further violations.

The covered entity ACPM Podiatry declined to cooperate with OCR’s demands, thus getting a civil monetary penalty. A former patient requested a copy of his medical records and then notified OCR on April 8, 2019 that ACPM had declined to give those records. OCR extended technical support to ACPM on April 18, 2019 stating that the data must be given under HIPAA. ACPM still did not provide the records so the patient filed a second complaint with OCR one month later.

OCR’s investigation showed the records were withheld because the complainant’s insurance provider had not paid the bill. However, the complainant stated the records were needed in order to appeal that unfavorable decision. Although there was communication between OCR and ACPM Podiatry, ACPM did not respond to OCR’s data requests, the Letter of Opportunity to provide evidence of mitigating factors, or OCR’s notice of proposed determination of a financial penalty, so OCR imposed a civil monetary penalty.

Three of the enforcement actions were due to the failure of a HIPAA-covered entity to give a patient’s nominated representative a copy of the requested records. Two cases involved the refusal of the provider to give a patient’s medical records because of outstanding medical bills. The right of a patient to get a copy of their health records is not conditional on whether the medical services have been paid for in full.

The list of financial penalties is as follows:

1. ACPM Podiatry – Civil Monetary Penalty of $100,000 for untimely access to records
2. Memorial Hermann Health System – Settlement of $240,000 for untimely access to records (complete records not given for 564 days from the initial request)
3. Southwest Surgical Associates – Settlement of $65,000 for untimely access – records given after 13 months
4. Hillcrest Nursing and Rehabilitation – Settlement of $55,000 for untimely access – records not given to a personal representative for 7 months
5. MelroseWakefield Healthcare – Settlement of $55,000 for untimely access – not giving the records to the nominated representative of the patient for 4 months
6. Erie County Medical Center Corporation – Settlement of $50,000 for untimely access – not giving the requested records to a nominated representative of the patient
7. Fallbrook Family Health Center – Settlement of $30,000 for untimely access – unspecified delay in giving the requested records
8. Associated Retina Specialists – Settlement of $22,500 for untimely access – inability to give the patient the records for 5 months
9. Coastal Ear, Nose, and Throat – Settlement of $20,000 for untimely access – inability to give the patient the records for 5 months
10. Lawrence Bell, Jr. D.D.S – Settlement of $5,000 for untimely access – inability to give the patient the records for over 3 months
11. Danbury Psychiatric Consultants – Settlement of $3,500 for untimely access – denied the records for 6 months because of the patient’s outstanding medical costs

OCR has issued 122 financial penalties against HIPAA-regulated entities to settle HIPAA violations since 2008. With the most recent batch of HIPAA penalties, there are now 16 financial penalties in 2022, two more than were imposed in 2021.


Data Brokers and Health Apps Investigated Because of Privacy Practices

The House Committee on Oversight and Reform reported the start of an investigation to find out how data brokers and health application providers are accumulating and selling the personal reproductive health information of individuals. The investigation was prompted by the SCOTUS decision overturning Roe v. Wade because committee members were worried that the personal information of people receiving reproductive healthcare services might be abused.

The Chairwoman of the Committee on Oversight and Reform, Rep. Carolyn B. Maloney, the Chairman of the Subcommittee on Economic and Consumer Policy, Rep. Raja Krishnamoorthi, and Rep. Sara Jacobs sent a letter to five data brokers (Digital Envoy, SafeGraph, Placer.ai, Babel Street, and Gravy Analytics) and five health app providers (Flo Health, BioWink, Digitalchemy Ventures, Glow, and GP International) asking for documentation regarding how personal reproductive care data is collected and sold.

Large amounts of personal information are currently being gathered and sold, frequently without people’s knowledge. The data is used to deliver targeted ads to individuals and for other purposes. There is concern that the gathering and sale of this data might endanger the health, security, and privacy of U.S. citizens and healthcare providers.

Collecting sensitive information can create serious risks for those receiving reproductive care and even for providers of this kind of care, not only through invasive government surveillance, but also by exposing people to possible harassment, intimidation, or violence. Geographic information obtained via mobile phones could be used to find individuals seeking care at hospitals, and search and chat histories discussing clinics or prescription medication generate digital breadcrumbs revealing interest in abortion.

The Committee Members cited a research study published in JMIR entitled “Privacy, Data Sharing, and Data Security Policies of Women’s mHealth Apps: Scoping Review and Content Analysis,” which found that 20 of the 23 most popular women’s health applications, including reproductive health applications, were sharing user information with third parties, although only 52% of those applications obtained permission from users. The research found that many women’s mHealth applications had poor data privacy, sharing, and security practices.

It is possible that information from health applications, particularly period trackers, could be used to identify women who have had abortions. Data brokers have been found to sell users’ location information, including the location information of persons who visited healthcare clinics offering abortions. Google recently announced that it will further strengthen privacy protection by automatically deleting from Google accounts the location information linked to visits to healthcare providers that offer sensitive healthcare services; however, Google is not the only provider that logs location information.

The data brokers and health application companies have until July 21, 2022 to answer and give the requested information.