45-Days Extension of Comment Period on Proposed HIPAA Privacy Rule Changes Announced

Changes to the HIPAA Regulations do not happen often, so when updates are proposed they tend to bundle a variety of new standards and revisions to existing provisions. Before any update is made, a request for information (RFI) is issued so that the HHS can gather feedback on the areas of the HIPAA Rules that are causing problems and the parts that need improvement.

After the RFI, the HHS issues a notice of proposed rulemaking, which is followed by a comment period. During this period, stakeholders such as patients and their families get a final opportunity to voice their views on the proposed modifications before they are finalized.

After the HHS’ Office for Civil Rights issued an RFI, a Notice of Proposed Rulemaking was published on December 10, 2020. The standard 60-day comment period began on January 21, 2021, the date the proposed rule was published in the Federal Register, and was due to end on March 22, 2021.

Because the proposed modifications to the HIPAA Privacy Rule will affect almost everyone in the healthcare sector, the HHS has decided to extend the comment period.

The proposed Privacy Rule modifications include strengthening patients’ right to easy access to their own healthcare records, changes to support greater family and caregiver involvement in the care of individuals during health emergencies and crises, changes to provide more flexibility for disclosures in emergency situations, updates to reduce the administrative burden on healthcare organizations, and changes to improve data sharing for better care coordination and case management.

The HHS’ Office for Civil Rights is asking all stakeholders to review the proposed modifications and submit comments. All feedback received will be considered and used in drafting the final rule, which is expected to be released in late 2021 or early 2022.

OCR expects a high level of public interest in commenting on the proposals, since the HIPAA Privacy Rule affects nearly everyone who uses the healthcare system. With the comment period extended by 45 days until May 6, 2021, the public has more time to review the proposals and submit feedback to shape future policy.

You can find the HIPAA Privacy Rule Proposed Modifications on this page.

Two Employees Dismissed for Impermissible Disclosures of PHI to Third Parties

Humana has discovered that an employee of a subcontractor hired by one of its business associates impermissibly shared the protected health information (PHI) of around 65,000 members with a third party for training purposes.

Humana had contracted Cotiviti to provide medical records management services, and Cotiviti in turn engaged a subcontractor to review the requested health files. Under HIPAA, subcontractors engaged by business associates must also comply with the HIPAA Rules.

The privacy violations took place between October 12, 2020 and December 16, 2020. Cotiviti notified Humana of the HIPAA violation on December 22, 2020. Cotiviti and Humana worked together to ensure that security procedures are in place to prevent similar privacy breaches, and that those safeguards are also implemented at any subcontractors Cotiviti hires. The individual who shared the information is no longer employed by the subcontractor.

The types of records compromised include the member names, phone numbers, dates of birth, addresses, email addresses, full or partial Social Security Numbers, insurance identification numbers, provider names, medical record numbers, dates of service, treatment data, and medical photos.

Although the disclosures were not made for malicious reasons and no further exposure of the PHI is believed to have occurred, Humana is providing affected individuals with 2 years of free credit monitoring and identity theft protection services.

UPMC St. Margaret Dismisses Employee for Impermissible Disclosure of PHI

UPMC St. Margaret has learned that an employee impermissibly disclosed the protected health information of some of its patients to a third-party provider without authorization.

In August 2020, UPMC St. Margaret learned that an organization had received a medication administration report without any legitimate business purpose. The report included names, UPMC ID numbers, and medication administration data such as drug name, dose, time/date of administration, and the reason the medication was given.

After discovering the impermissible disclosure, UPMC revoked the employee’s access to UPMC systems and terminated the person’s employment once the investigation was complete. UPMC notified the affected individuals of the privacy breach on March 5, 2021. No reason was given for the delay in sending the notification.

Whistleblower Who Wrongly Accused a Nurse Violated HIPAA Serves 6 Months in Jail

A Georgia man who falsely accused a former associate of violating patient privacy and breaching the HIPAA Rules has been fined $1,200 and sentenced to 6 months in jail.

In October 2019, Jeffrey Parker, a 44-year-old resident of Rincon, GA, acted as a HIPAA whistleblower and notified the authorities of a major privacy violation allegedly committed by a nurse at a Savannah, GA hospital, which included emailing graphic images of hospital patients with traumatic injuries to recipients inside and outside the hospital.

According to court documents, Parker was engaged in an elaborate scheme to frame a former associate for violating the Privacy Rule of the federal Health Insurance Portability and Accountability Act. To support the false claims, Parker created several email accounts using the names of real patients and used those accounts to submit false allegations of privacy violations. Copies of the emails were sent to the hospital where the nurse worked, the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI).

Parker also claimed that he had received threats for being a whistleblower, and law enforcement took steps to ensure his safety. When questioned about the threats and the alleged HIPAA violations, an FBI agent found inconsistencies in his statements, and after further questioning Parker admitted that he had falsely accused the former associate in order to frame him for fabricated HIPAA violations.

When Parker was charged, U.S. Attorney Bobby L. Christine explained that falsely accusing others of criminal activity is unlawful and diverts justice system personnel into needless investigations. This bogus complaint caused federal investigators to shift resources and created unnecessary disruption for a vital healthcare organization in the community.

Parker admitted to one count of making false statements, a charge that can carry a 5-year jail term. U.S. District Court Judge Lisa Godbey Wood sentenced Parker to 6 months in jail.

Special Agent in Charge Chris Hacker of FBI Atlanta stated that many investigative hours and resources were spent establishing that Parker’s whistleblower claims were fraudulent and intended to harm another person. His elaborate scheme was uncovered by a perceptive FBI agent before he could cause further harm, and he will now serve time for his premeditated offense.

Parker is not eligible for parole and will serve the full term, followed by 3 years of supervised release.

HHS Secretary Declares Limited HIPAA Waiver in Texas Because of the Winter Storm

Following President Joseph R. Biden’s declaration of an emergency in the State of Texas, Acting Secretary Norris Cochran of the Department of Health and Human Services declared a public health emergency because of the impact of the winter storm in Texas.

Under Section 1135(b)(7) of the Social Security Act, the HHS Secretary declared a limited waiver of the sanctions and penalties that could otherwise result from non-compliance with certain HIPAA Privacy Rule provisions.

For the duration of the waiver, sanctions and penalties will not be enforced for non-compliance with the following requirements of the HIPAA Privacy Rule:

  • 45 C.F.R. § 164.510(a) – the requirement to obtain a patient’s agreement to speak with family members or friends;
  • 45 C.F.R. § 164.510(b) – the requirement to honor a patient’s request to opt out of the facility directory;
  • 45 C.F.R. § 164.520 – the requirement to distribute a notice of privacy practices;
  • 45 C.F.R. § 164.522(a) – the patient’s right to request privacy restrictions;
  • 45 C.F.R. § 164.522(b) – the patient’s right to request confidential communications.

The waiver took effect on February 19, 2021 and is retroactive to February 11, 2021.

The waiver applies only to hospitals in the area covered by the public health emergency declaration and only to hospitals that had implemented their disaster protocol at the time the waiver took effect. The waiver applies for up to 72 hours from the time a hospital implements its disaster protocol.

Once the Presidential or Secretarial declaration ends, hospitals must again comply with the provisions of the HIPAA Privacy Rule listed above or face sanctions and penalties. This applies to patients still under the hospital’s care, even if the 72-hour period has not yet elapsed.

More information on the HIPAA waiver and on HIPAA privacy and disclosures during emergencies is available in the HHS HIPAA Bulletin.

$75,000 Penalty Paid by Renown Health for its HIPAA Right of Access Violation

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing its drive to end non-compliance with the HIPAA Right of Access. OCR has announced its fifteenth settlement under the HIPAA Right of Access enforcement initiative.

Renown Health, a non-profit healthcare network in Northern Nevada, has agreed to pay OCR a $75,000 financial penalty to resolve its potential violation of the HIPAA Right of Access.

OCR began investigating Renown Health after a patient filed a complaint because she had not received an electronic copy of her protected health information (PHI). In January 2019, the patient submitted a request to Renown Health instructing it to send her medical and billing records to her attorney. When no records had been received after more than a month, the patient filed a complaint with OCR. Renown Health provided the requested information only on December 27, 2019, approximately one year after the initial request was made.

Under the HIPAA Privacy Rule (45 C.F.R. § 164.524), healthcare records must be provided to the requesting party within 30 days of the request. OCR determined that Renown Health violated the Privacy Rule by failing to provide the requested information within that time.

In addition to paying the financial penalty, Renown Health will carry out a corrective action plan. It is required to develop, maintain, and update, as necessary, written policies and procedures to ensure compliance with the HIPAA Right of Access. Staff members must be trained on those policies and procedures, and a sanctions policy must be applied to workers who fail to follow them. OCR will monitor Renown Health for two years to ensure HIPAA Right of Access compliance.

Access to one’s own health records is a fundamental HIPAA right. Healthcare providers are required by law to give patients timely access to their medical records.

This settlement is the third announced by OCR in 2021. The first two involved Banner Health and Excellus Health Plan. Banner Health paid a $200,000 settlement for violating the HIPAA Right of Access, while Excellus Health Plan paid a $5,100,000 penalty for multiple HIPAA violations that led to a 2015 data breach affecting 9,358,891 records.

Sharp HealthCare Pays $70,000 Penalty to Settle its HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has penalized Sharp HealthCare $70,000 for failing to provide timely access to a patient’s health records. This is the 16th financial penalty issued by OCR under the HIPAA Right of Access enforcement initiative, which began in late 2019.

OCR received a patient complaint on June 11, 2019 stating that Sharp HealthCare, also known as Sharp Rees-Stealy Medical Centers (SRMC), had failed to provide him with a copy of his health records within the 30 days the HIPAA Privacy Rule requires.

The patient explained that he had made a written request on April 2, 2019 but had still not received the requested records more than 2 months later. OCR looked into the complaint and provided technical assistance to SRMC regarding the HIPAA Right of Access provision of the HIPAA Privacy Rule and the obligation to send medical records to a third party when a patient requests it. OCR closed the complaint as resolved on June 25, 2019.

OCR received a second complaint from the same patient on August 19, 2019 because the requested medical records had still not been received. The complainant finally received the records on October 15, 2019, more than 6 months after first requesting them.

OCR determined that failing to provide the requested records within the prescribed time violated 45 C.F.R. § 164.524 and that the violation warranted a financial penalty. Had the provider delivered the records promptly after receiving technical assistance, a financial penalty might have been avoided.

In addition to the $70,000 penalty, Sharp HealthCare has agreed to a corrective action plan under which OCR will closely monitor its compliance for 2 years. The plan requires Sharp HealthCare to develop, maintain, and update, as necessary, policies and procedures covering patient requests for copies of their medical information. Employees must be trained on individuals’ right to access their own PHI.

In a statement on the latest settlement, Acting OCR Director Robinsue Frohboese said that patients have the right to timely access to their medical information, and that OCR created the Right of Access Initiative to enforce and protect this vital right.

Micky Tripathi and Robinsue Frohboese Appointed Heads of ONC and OCR at the HHS

The Biden administration has chosen Micky Tripathi to serve as National Coordinator for Health IT at the Department of Health and Human Services.

Tripathi will head the Office of the National Coordinator for Health IT, which is responsible for coordinating efforts to advance health information technology and make the sharing of health information secure. The ONC is currently overseeing work to give Americans immediate access to their health data through their mobile phones and is using the provisions of the 21st Century Cures Act to increase health IT interoperability and curb information blocking.

Tripathi is a seasoned expert in secure health information exchange and understands the interoperability challenges facing the healthcare field. Before joining ONC, Tripathi was chief alliance officer at Arcadia, a healthcare analytics and software company, where he was responsible for building partnerships to improve healthcare through innovative IT.

Tripathi was also a manager at the strategy and management consulting firm Boston Consulting Group (BCG), the first president and CEO of the Indiana Health Information Exchange, the CEO of the Massachusetts eHealth Collaborative, and a board member of Datica, the HL7 FHIR Foundation, the Sequoia Project, the CommonWell Health Alliance, and the CARIN Alliance.

Arcadia CEO Sean Carroll said that Micky is a recognized leader on healthcare interoperability with a clear vision of how the timely sharing of the right information can deliver the best care while reducing costs, and that Tripathi is ideally suited to this critical mission. Donald Rucker, M.D. held the position for the past 4 years.

The HHS has also confirmed the appointment of Robinsue Frohboese as Acting Director of the HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese was previously Principal Deputy Director of OCR and takes over as Acting Director from March Bell, who assumed the position on January 15, 2020 following the departure of former OCR Director Roger Severino.

Frohboese has played a key role in many civil rights initiatives and in OCR’s enforcement of the HIPAA Privacy Rule.

Before becoming OCR’s Principal Deputy Director, Frohboese spent 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as Senior Trial Attorney and later as Deputy Chief.

Fertility App Provider Sued for Disclosing User Data to Chinese Firms Without Permission

A lawsuit has been filed against Easy Healthcare Corp., based in Burr Ridge, IL, over the alleged disclosure of sensitive user data to third-party companies located in China.

Easy Healthcare Corp. is the developer of Premom, a popular smartphone fertility app that tracks users’ ovulation cycles to identify their most fertile days. The lawsuit alleges that a range of sensitive user data was shared with at least three Chinese firms without users’ permission. Because the data is stored on servers in China, the lawsuit claims the sensitive data could be accessed or seized by the Chinese government.

The data sent to the Chinese organizations includes sensitive health details, geolocation information, user and advertiser IDs, device activity data, and device hardware identifiers. Because the hardware identifiers are persistent, combining them with the locations where they were observed would allow data collectors to reconstruct app users’ movements and activities.

The identifiers given to the Chinese organizations include Wi-Fi media access control (MAC) addresses, which uniquely identify network interface controllers; router MAC/BSSID addresses, which reveal geographic location; and router SSIDs (Service Set Identifiers), which identify Wi-Fi networks. It is also possible for information about users’ interests, health, religion, political views, and other sensitive matters to be inferred from the data.

The lawsuit states that user data was shared with Jiguang (Aurora Mobile Ltd), Umeng, and UMSNS, which provide activity analysis, precision marketing, financial risk management, and location-based analytics services to their customers.

According to the lawsuit, the Premom privacy policy states that the company will not share or sell personal data to data brokers, marketing platforms, or data resellers, so the distribution of the information directly violates that policy. Although the privacy policy does state that non-identifiable user data may be collected, users are told that the information will not be shared with third parties without their authorization.

The plaintiff discovered that her personal information had been disclosed to the three Chinese firms for three years without her knowledge or permission. She states that Easy Healthcare deceived her, as she was never told that her information would be given to the Chinese entities. The lawsuit also alleges that Easy Healthcare shared the data for financial gain and misrepresented its data-sharing practices, and that user data is logged each time users unlock or use their phone, even when they are not using the app, which violates Google Play’s developer policies.

The lawsuit was filed a couple of months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) requesting scrutiny of the Premom app’s data security and privacy practices, following the discovery of the unauthorized data sharing by the International Digital Accountability Council.

The lawsuit was filed in the U.S. District Court for the Northern District of Illinois, Eastern Division, and seeks class-action status and damages for app users. It also asks that Easy Healthcare be required to stop sharing user data with third parties without first obtaining authorization from app users. Easy Healthcare has denied any wrongdoing.

Premom is not the only health app found to be sharing user information without obtaining informed consent from its users. In January 2021, the FTC settled a data privacy and security case with Flo Health for misrepresenting the privacy practices of its fertility app and sharing user data with a data analytics firm without authorization. Flo Health was ordered to review and revise its privacy policies and to obtain permission from app users before sharing their information.

Public Health Emergency Privacy Act Approved to Make Sure Privacy and Security of COVID-19 Information

On January 28, 2021, Democratic lawmakers introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure that information security measures are in place to safeguard COVID-19-related health information collected for public health purposes.

Sens. Richard Blumenthal, D-Conn., and Mark Warner, D-Va., and U.S. Representatives Suzan DelBene, D-WA, Jan Schakowsky, D-IL, and Anna Eshoo, D-CA, introduced the Public Health Emergency Privacy Act. The Act calls for strong and enforceable privacy and information security rights for health information.

Sen. Blumenthal said that technologies such as contact tracing, home screening, and online appointment scheduling are absolutely vital to stopping the spread of the disease, but that Americans are rightly wary about the safety of their sensitive health information. Legal safeguards for consumer privacy have not kept pace with technology, and that is hampering the fight against COVID-19.

The Public Health Emergency Privacy Act would ensure that strict privacy protections are in place so that any health information collected for public health purposes is used only for the public health purpose for which it was collected.

The Public Health Emergency Privacy Act limits the use of information collected for public health purposes to public health uses, prohibits its use for discriminatory, unrelated, or intrusive purposes, and prevents government agencies outside the public health system from misusing the information.

The Act requires data security and data integrity protections for health information, limits the data collected to the minimum necessary to accomplish the purpose for which it is collected, and requires tech companies to delete the data once the public health emergency has ended.

Americans’ voting rights are protected by prohibiting any conditioning of the right to vote on a health condition or on the use of contact tracing apps. The Act would also give Americans control over public health efforts by ensuring transparency and requiring opt-in consent, and it requires regular reports on the impact of digital collection tools on civil rights.

The Public Health Emergency Privacy Act would not supersede the requirements of the Privacy Act of 1974, HIPAA, or federal and state medical record retention and health data privacy laws.

According to Sen. Warner, strong privacy protections for COVID health information become even more important as vaccination efforts continue and companies begin experimenting with measures such as ‘immunity passports’ to gate access to facilities and services. Without appropriate health privacy laws, privacy violations and discriminatory use of health information could become commonplace in healthcare and public health.

This is not the first proposal of this kind. An identical bill was introduced in 2020 but did not gain the support of Congress.

Employees Terminated by Montefiore Medical Center and Bethesda Hospital for HIPAA Breaches

Baptist Health’s Bethesda Hospital in Boynton Beach, FL has terminated an employee for impermissibly accessing the protected health information (PHI) of a patient and altering a home health order that was used to provide home care services to the patient.

The hospital discovered the HIPAA breach on December 1, 2020 and conducted an internal investigation, after which the employee involved was dismissed. The hospital has reported the incident to law enforcement.

The investigation revealed that the former employee had also accessed other patient records between June 1, 2019 and December 2, 2020. The data potentially accessed included names, dates of birth, addresses, health insurance details, Social Security numbers, and clinical records.

All affected individuals have been notified and offered free identity theft protection and credit monitoring services. Baptist Health is evaluating additional measures to protect patients’ PHI and prevent similar breaches in the future.

The incident has not yet been posted on the HHS’ Office for Civil Rights breach portal, so the number of patients affected is currently unknown.

Montefiore Medical Center Terminates Employee for Unauthorized Access of Medical Records

Montefiore Medical Center in New York has discovered that an employee accessed the PHI of patients without authorization over a 5-month period in 2020. Upon learning of the unauthorized access, Montefiore immediately blocked the employee’s access to the electronic medical record system and launched an investigation to determine the extent of the HIPAA violation.

Following a comprehensive investigation, the medical center terminated the employee and reported the breach to law enforcement for possible criminal prosecution. The information viewed by the former employee varied from patient to patient and may have included first and last names, dates of birth, addresses, medical record numbers, the last four digits of Social Security numbers, and clinical data such as examination results, consultation histories, and diagnoses.

No motive has been given for the employee’s access to the information, and no evidence has been found that patient data was used for identity theft or fraud. Montefiore Medical Center has notified all affected patients and offered them free identity theft protection services.

This is the second incident of inappropriate medical record access at Montefiore Medical Center in the last 5 months. The first was reported in September 2020, when the medical center disclosed the theft of approximately 4,000 patients’ PHI by a former employee between January 2018 and July 2020.

HHS Gives $20 Million to Expand COVID-19 Vaccine Information Sharing

The U.S. Department of Health and Human Services has made $20 million available to improve data sharing between health information exchanges (HIEs) and immunization information systems.

The funding comes from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), signed by President Trump on March 27, 2020, and will support vaccination efforts to combat the COVID-19 pandemic.

The funds expand the Office of the National Coordinator for Health Information Technology (ONC)’s Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program and will support communities in sharing health information about COVID-19 vaccinations.

Public health agencies will receive additional support to track and identify individuals who have not yet received a second dose of the COVID-19 vaccine. The extra funding will also help physicians identify and contact high-risk individuals who have not yet received their first dose.

The additional investment will be distributed nationwide and used to support communities that have been hit hard by COVID-19. The HHS will also provide funding to the Association of State and Territorial Health Officials (ASTHO) and the Colorado Regional Health Information Organization (CORHIO) to strengthen HIE immunization partnerships.

These CARES Act funds will help physicians gain better access to their patients’ records in community immunization registries by using the resources of their local health information exchanges. Through this collaborative effort, public health departments and physicians will be able to immunize at-risk patients more effectively, better understand adverse events, and better monitor long-term health outcomes as more Americans are vaccinated.

The success of vaccination programs depends on correctly identifying patients and ensuring they receive two doses of the appropriate vaccine. That means hospitals, pharmacists, and public health authorities must have access to patient information and vaccine data. Good data exchange and patient matching can also provide insights into vaccine effectiveness and support monitoring of long-term health outcomes. STAR HIE plans to publish statistics on vaccination outcomes.

There are roughly 100 HIEs in the US, covering about 92% of Americans. There are 63 immunization information systems in the United States: one in each state, eight in territories, and five in cities. The immunization information systems are funded in part by the Centers for Disease Control and Prevention’s National Center for Immunization and Respiratory Diseases (NCIRD).

OCR to Have Enforcement Discretion Concerning the Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced that it will exercise enforcement discretion and will not impose financial penalties on HIPAA-covered entities or business associates for violations of the HIPAA Rules connected with the good faith use of online or web-based scheduling applications (WBSAs) to schedule individual appointments for COVID-19 vaccinations.

The notice of enforcement discretion covers the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notice is effective immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 national public health emergency.

A WBSA is a non-public-facing online or web-based application that allows individual appointments to be booked in connection with large-scale COVID-19 vaccination. Its purpose is to let covered healthcare providers quickly schedule large numbers of COVID-19 vaccination appointments.

A WBSA, and the information created, received, maintained, or transmitted by it, should be accessible only to the intended parties, such as the healthcare organization or pharmacy administering the vaccinations, an authorized person booking appointments, or a WBSA employee who needs access to the solution and/or records to provide technical support.

The notice of enforcement discretion does not apply to appointment scheduling technology that connects directly to electronic health record (EHR) systems.

A WBSA may not meet all requirements of the HIPAA Rules and would therefore not normally be permitted for use in connection with electronic protected health information (ePHI). It is also possible that the vendor of a WBSA does not know that its application is being used by healthcare organizations in connection with ePHI, which would make the vendor a business associate under HIPAA.

While the notice of enforcement discretion is in force, OCR will not impose penalties on HIPAA covered entities, their business associates, or WBSA vendors that meet the definition of a business associate under the HIPAA Rules for good faith uses of WBSAs to book COVID-19 vaccination appointments.

Though penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect the privacy of individuals and the security of ePHI. That means the ePHI collected and entered into the WBSA should be limited to the minimum necessary information, encryption should be used where available, and all available privacy settings should be enabled, including adjusting the calendar display to hide names or show initials only. If a vendor stores ePHI, storage should be short-term only and the ePHI should be destroyed no later than 30 days after the scheduled appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.
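Three of the safeguards above (minimum necessary data, initials on the calendar view, and deletion no later than 30 days after the appointment) can be enforced in code on the covered entity's side before anything reaches the vendor. The following is an added example, not part of the OCR notice or any WBSA product; the field names and the constructed intake record are assumptions for this example.

```python
"""Added example (not from the OCR notice): enforcing WBSA safeguards in the
booking pipeline. Field names and the sample record are constructed here."""
from datetime import date, timedelta

# Assumed set of fields a vaccination booking actually needs (minimum necessary).
MINIMUM_NECESSARY_FIELDS = {"first_name", "last_name", "contact_phone", "appointment_date"}
RETENTION_DAYS = 30  # OCR: destroy no later than 30 days after the scheduled appointment

# Constructed intake record; the last three fields must never reach the WBSA.
SAMPLE_INTAKE = {
    "first_name": "Jane",
    "last_name": "Doe",
    "contact_phone": "555-0100",
    "appointment_date": "2021-01-15",
    "ssn": "000-00-0000",
    "diagnosis": "constructed",
    "insurance_id": "X123",
}


def minimize(intake: dict) -> dict:
    """Keep only the fields the scheduler needs; everything else stays in the EHR."""
    return {k: v for k, v in intake.items() if k in MINIMUM_NECESSARY_FIELDS}


def calendar_label(booking: dict) -> str:
    """What the shared calendar shows: initials only, never the full name."""
    initials = booking.get("first_name", "")[:1] + booking.get("last_name", "")[:1]
    return initials.upper() or "--"


def deletion_deadline(appointment_iso: str) -> str:
    """Last permitted day for the vendor to hold the record, as an ISO date string."""
    appt = date.fromisoformat(appointment_iso)
    return (appt + timedelta(days=RETENTION_DAYS)).isoformat()


def bookings_to_purge(bookings: list, today_iso: str) -> list:
    """Records whose deadline is today or earlier: delete these now."""
    # ISO dates compare correctly as strings, so no parsing is needed here.
    return [b for b in bookings if deletion_deadline(b["appointment_date"]) <= today_iso]


def overdue_bookings(bookings: list, today_iso: str) -> list:
    """Records still held after the deadline: a retention failure worth alerting on."""
    return [b for b in bookings if deletion_deadline(b["appointment_date"]) < today_iso]


if __name__ == "__main__":
    booking = minimize(SAMPLE_INTAKE)
    print("sent to WBSA:", booking)
    print("calendar shows:", calendar_label(booking))
    print("vendor must delete by:", deletion_deadline(booking["appointment_date"]))
```

The purge job should run on the covered entity's schedule, not the vendor's: `overdue_bookings` is the check that tells you the vendor has not honoured the 30-day instruction.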

OCR recommends these reasonable safeguards, but a failure to implement them will not, by itself, mean that a covered health care provider or its business associate failed to act in good faith for the purposes of this notice.

Bad faith uses that are not covered by the notice include:

  • Use of a WBSA where the vendor does not permit its use for managing healthcare services.
  • Using the WBSA to arrange appointments other than COVID-19 vaccinations.
  • Using a solution that lacks access controls to restrict access to ePHI to authorized persons.
  • Screening persons for COVID-19 prior to in-person healthcare appointments.
  • Using public-facing WBSAs.

OCR is using all available means to make the administration of COVID-19 vaccines as efficient and safe as possible for everyone.

Vulnerabilities Discovered in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been discovered in Innokas Yhtymä Oy vital signs monitors that could allow attackers to modify communications between downstream devices and to disable certain functions of the monitors. The vulnerabilities affect all VC150 patient monitors running software versions earlier than 1.7.15.

Affected patient monitors contain a cross-site scripting (XSS) vulnerability that allows web script or HTML to be injected via the filename parameter of several administrative web interface endpoints. The vulnerability is caused by improper neutralization of input during web page generation. It is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10.

The second vulnerability, tracked as CVE-2020-27260, is caused by improper neutralization of special elements in output used by a downstream component. This HL7 v2.x injection vulnerability allows an attacker who is in close physical proximity and has a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages through a variety of expected parameters. It has been assigned a severity score of 5.3 out of 10.
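Both weaknesses are the same class of defect: a value from an untrusted source (a filename parameter, a barcode read) is placed into a structured output (an HTML page, an HL7 v2.x message) without neutralizing the characters that carry structure in that output. The following is an added example of how a device or integration engine can neutralize such input; it is not Innokas code and the function names, allow-list rule, and sample scanner values are assumptions constructed for this example. In HL7 v2.x the structural characters are the field separator `|`, the component separator `^`, the repetition separator `~`, the escape character `\`, the subcomponent separator `&`, and the carriage return that terminates a segment.

```python
"""Added example (not Innokas code): neutralizing untrusted input before it is
placed into an HL7 v2.x message or an HTML page. Names are assumptions."""
import html
import re

# HL7 v2.x default encoding characters and their escape sequences. The escape
# character is handled first so the escapes added afterwards are not re-escaped.
HL7_ESCAPES = [
    ("\\", "\\E\\"),
    ("|", "\\F\\"),
    ("^", "\\S\\"),
    ("~", "\\R\\"),
    ("&", "\\T\\"),
]
# CR terminates a segment; many parsers also accept LF. Either one inside a field
# value would start a new segment, which is exactly what must never happen.
SEGMENT_BREAK = re.compile(r"[\r\n]")
# Detection signature: a line break followed by something shaped like a segment header.
INJECTED_SEGMENT = re.compile(r"[\r\n][A-Z][A-Z0-9]{2}\|")


class UnsafeInput(ValueError):
    """Raised when an input value could change message or page structure."""


def hl7_escape(value: str) -> str:
    """Escape one field value so it can only ever be data, never structure."""
    if SEGMENT_BREAK.search(value):
        raise UnsafeInput("segment terminator inside field value")
    for raw, esc in HL7_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_segment(segment_id: str, fields: list) -> str:
    """Assemble a non-MSH segment; every field passes through hl7_escape."""
    if not re.fullmatch(r"[A-Z][A-Z0-9]{2}", segment_id) or segment_id == "MSH":
        raise ValueError("unsupported segment id")
    return "|".join([segment_id, *(hl7_escape(f) for f in fields)])


def looks_like_segment_injection(scanned: str) -> bool:
    """Cheap check on raw scanner input, suitable for logging and alerting."""
    return bool(INJECTED_SEGMENT.search(scanned))


def scanned_to_field(scanned: str):
    """Barcode pipeline: drop (and alert on) structural input, otherwise escape it."""
    if looks_like_segment_injection(scanned) or SEGMENT_BREAK.search(scanned):
        return None  # never try to "clean" structure out of it; reject the read
    return hl7_escape(scanned)


# Assumed allow-list for the web interface's filename parameter: no separators,
# no markup characters, no traversal. Validate first, encode on output second.
FILENAME_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_filename(name: str) -> bool:
    return bool(FILENAME_OK.fullmatch(name)) and ".." not in name


def filename_for_html(name: str) -> str:
    """Reject bad names, then entity-encode so the browser never sees markup."""
    if not is_safe_filename(name):
        raise UnsafeInput("filename outside allow-list")
    return html.escape(name, quote=True)


# Constructed scanner reads: a normal identifier and one that carries a line
# break followed by a segment-shaped payload (the shape a detector must flag).
NORMAL_SCAN = "MRN-000123"
HOSTILE_SCAN = "MRN-000123\rOBX|1|ST|note||x"

if __name__ == "__main__":
    print(build_segment("PID", ["1", "", "123^^^MRN", "Smith & Sons|x"]))
    print("normal read ->", scanned_to_field(NORMAL_SCAN))
    print("hostile read ->", scanned_to_field(HOSTILE_SCAN))
    print(filename_for_html("report_01.txt"))
```

The two layers matter in different places: escaping belongs wherever the message or page is assembled, while the `looks_like_segment_injection` signature is what you would run over raw scanner reads in the integration engine to detect attempts, since a correctly escaped message gives no signal that anyone tried.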

The people credited with the identification of the vulnerabilities were: Julian Suleder, Birk Kauer, and Nils Emmerich of ERNW Research GmbH; and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Innokas Yhtymä Oy has released a software update to fix the vulnerabilities and advises using software version 1.7.15b or later only. To date, there have been no reports of the vulnerabilities being exploited in the wild.

It is also recommended to follow these network best practices:

  • Segment networks
  • Use VLANs
  • Isolate patient monitors
  • Implement physical restrictions to prevent the unauthorized access of patient monitors
  • Clinical personnel should report any instances of unauthorized persons trying to log in to or tamper with the patient monitors

New Capabilities to CC&C Platform Added With TigerConnect’s Acquisition of Critical Alert

TigerConnect will add a variety of new features to its clinical communication and collaboration platform following its acquisition of Critical Alert, a healthcare middleware provider. This is the second major acquisition in 2020 by Santa Monica, CA-based TigerConnect, which bought Call Scheduler last fall.

Critical Alert provides hospitals and health systems with cloud-based, mobile, enterprise-grade middleware. Hospitals use the middleware solutions to manage nurse call, alarms and events, clinical workflow analytics, and medical device interoperability. Besides its range of middleware solutions, Critical Alert supplies conventional nurse call equipment to over 200 hospitals across North America.

The acquisition will see the suite of middleware products integrated with the TigerConnect platform, adding many new functions and powering a broad range of alert types and alarm management improvements. The integration of the middleware is expected to be completed in Q1 of 2021.

Critical Alert middleware works seamlessly with clinical systems to deliver alarms, events, and values, and offers virtualized nurse call that includes contextual patient information to help nurses decide which requests to prioritize. Through a centralized response to nurse call notifications and the supervision of workflows and tasks, there is less noise, fewer clinical disruptions, and better responsiveness.

Real-time Location System (RTLS) integrations help improve caregiver efficiency, simplify workflows, and allow real-time monitoring of staff location and time spent on tasks. These integrations provide insight for resource planning, workflow efficiency, and continuous process improvement efforts.

The integration of Critical Alert with TigerConnect will allow quick integrations with smart bed alerts for effective fall prevention and improved patient safety. When the safe bed setting is compromised, alerts will be delivered immediately to mobile devices, allowing nurses to respond quickly.

Through integration with the TigerFlow care team collaboration solution, notifications will be routed intelligently to the appropriate caregivers, controlling unwanted noise and improving performance. The context supplied with these notifications helps nurses prioritize correctly. Critical Alert also provides advanced analytics that give insight into patient behaviour and help optimize staff workload.

The integration of Critical Alert middleware into the TigerConnect platform adds value for customers and helps relieve the pressure on nurses at a time when nurse burnout is widespread. The gains in efficiency and effectiveness are likely to benefit hospitals, especially given the current shortage of nurses.

The acquisition of Critical Alert is very strategic and a natural development of TigerConnect’s already-powerful collaboration system, according to TigerConnect CEO and co-founder Brad Brooks. For all the nurses that use TigerConnect, these new functionalities will send real-time, contextual data to their mobile devices or desktops so they can work more intelligently, prioritize actions, and successfully coordinate care using just one platform every day for business messaging.

Critical Alert CEO John Elms will join TigerConnect as Chief Product Officer. Elms will have a crucial role in combining the technologies of the two companies and will direct future product development. Critical Alert VP of Sales Wil Lukens will also join TigerConnect as General Manager of Critical Alert’s traditional Nurse Call hardware division, which will continue operating as a standalone business unit under the same name.

The merging of the two companies is perfect timing, according to John Elms. Together, the company will be able to solve some of the serious challenges that nurses face, such as alarm fatigue, resource optimization, and action prioritization.

Breaches At Northwestern Memorial Hospital, Five Points Eye Care, and Apex Laboratory

Northwestern Memorial Hospital in Chicago has discovered that a former temporary employee may have viewed the medical records of certain patients without authorization while working at the hospital.

The hospital detected the unauthorized access on December 2, 2020. An analysis of access logs revealed that the employee accessed patient information without a work-related reason between October 27, 2020 and December 2, 2020. The data that may have been accessed was limited to patient names, addresses, and treatment details. The individual did not access financial data or Social Security numbers.

Northwestern Memorial Hospital reported that the records of 682 patients may have been viewed and said that the temporary employee no longer works at the hospital. It is not clear why the information was accessed. The hospital is notifying all affected patients by mail and has reported the incident to the appropriate authorities.

Potential Breach of Patient Information at Athens Optometrist

Five Points Eye Care in Athens, GA has learned that an unauthorized individual gained access to its network and may have viewed or obtained patient data. The breach occurred on October 27, 2020 and was identified and remediated the same day.

The breach only affected the email system, which contained communications sent to the optometrist by other treating physicians. The information in the email messages included names, dates of birth, Social Security numbers, addresses, prescription drugs, and treatment plans. A forensic investigation established that the unauthorized individual did not access any other data.

Five Points Eye Care reported the security breach to law enforcement, mailed notifications to affected individuals, and offered free credit monitoring services for one year.

Apex Laboratory Encountered a DoppelPaymer Ransomware Attack

In July 2020, Apex Laboratory, a home laboratory services provider in New York and South Florida, suffered a DoppelPaymer ransomware attack. The DoppelPaymer ransomware gang recently uploaded thousands of records to its data leak site. Much of the data contained the protected health information (PHI) of patients and sensitive employee information.

Databreaches.net reports that after it contacted Apex Laboratory about the data breach, the dumped information was removed from the DoppelPaymer leak site. Apex Laboratory posted a breach notice on its website on December 31, 2020 confirming that it experienced a ransomware attack on July 25, 2020 and that the encrypted data was restored on July 27, 2020.

It is presumed that the data uploaded to the leak site was obtained in the July cyberattack. Apex Laboratory stated that after being notified about the dumped files, it immediately took steps to ensure the attackers removed the files from the leak site. The dumped records are believed to contain patient names, dates of birth, lab test results, and the phone numbers and Social Security numbers of some patients. The breach investigation is ongoing and the provider will mail breach notification letters to victims in a couple of days.

OCR Issued the 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Peter Wrobel, M.D., P.C., also known as Elite Primary Care, over a HIPAA Right of Access compliance violation.

Elite Primary Care provides primary health services in Georgia. OCR launched a compliance investigation after receiving a complaint from one of the practice’s patients on April 22, 2019, alleging that he had been denied access to his medical records. On May 2, 2019, OCR contacted the provider and offered technical assistance on the HIPAA Right of Access. OCR instructed the practice to evaluate the specifics of the request and provide the requested information if the request met the HIPAA Privacy Rule requirements.

The patient later submitted a written access request to the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice still had not provided access to the medical records he requested.

On November 21, 2019, Elite Primary Care sent the patient’s health information to his new healthcare provider, and on May 8, 2020 it provided the patient with his own copy of the information.

Because of the delayed provision of the requested records to the patient, OCR judged that the practice violated the HIPAA Right of Access (45 C.F.R. § 164.524).

Under the terms of the settlement, Elite Primary Care will pay a $36,000 financial penalty and adopt a corrective action plan that includes developing, implementing, maintaining, and revising, as necessary, its written policies and procedures relating to the HIPAA Right of Access provision of the HIPAA Privacy Rule. Once OCR has reviewed those policies and procedures, relevant members of staff will be given appropriate training.

The practice agreed to the settlement with no admission of liability. OCR will monitor Elite Primary Care for two years to ensure compliance.

This is OCR’s 13th settlement announcement under the HIPAA Right of Access enforcement initiative and the 19th HIPAA financial penalty issued in 2020.

OCR established the Right of Access Initiative to address the many instances in which patients were denied prompt access to their health records. Health care companies, big or small, should make sure to give prompt access to patients’ health records, and for a fair fee, according to OCR Director Roger Severino.

Atlantic.Net Back-Office Upgrade Significantly Enhances Performance and Overall Customer Service

Orlando, FL-based Atlantic.Net has announced major changes that will considerably enhance performance, ensure more accurate billing, and help the company provide better overall customer support.

The HIPAA-compliant hosting provider now offers the Ubersmith business management software suite to its clients. This back-office software package allows more than 50 different applications for subscriptions, customer support, billing, and device management to be merged into a single system. Business processes that used to take 7-14 days can now be completed in one day.

Simplifying internal processes will ensure customer support issues can be handled much more quickly. The new system has allowed Atlantic.Net to halve the time taken to resolve support issues and to improve billing for customers’ overall usage by 55%. Employees now only need to be trained on one system instead of many, which saves many hours and streamlines products and resources. The removal of redundant systems and the improvement in operational efficiency will have a net positive effect on revenue growth.

Ubersmith’s quickly customizable integrated software can manage subscription billing, infrastructure management, order management, and ticketing. The modular software is highly flexible and can be extended and integrated with software used by other areas of the business through the Ubersmith-supplied API and software development kit.

Atlantic.Net uses the Ubersmith APIs to integrate with other systems used to manage payments, accounting, security certificates, domain registration, and more. Ubersmith is currently adding Salesforce so that Atlantic.Net can connect its sales, prospecting activities, and customer quotes in one system.

Full integration of the Ubersmith software will allow Atlantic.Net to achieve high levels of operational performance and employee productivity and to provide a better quality of customer support.

Atlantic.Net has done an outstanding job of using the functionality provided in Ubersmith’s business management, operations, and infrastructure software. Ubersmith is happy to be a part of Atlantic.Net’s growth and expansion in cloud services and hosting.

Breaches at Tufts Health Plans, Tennessee Proton Radiation Therapy Centers, Liv-On Family Care Center and Presbyterian Health Plan

A phishing attack on Tufts Health Plan led to the exposure of the protected health information (PHI) of 60,545 members of EyeMed, a vision benefits management company.

EyeMed discovered the phishing attack on July 1, 2020, although the attack itself occurred in June 2020. On the day it discovered the breach, the firm terminated access to the compromised account. In September 2020, EyeMed notified Tufts Health Plan about the breach.

The following types of protected health information were included in the compromised email account: names, birth dates, email addresses, physical addresses, phone numbers, birth or marriage certificates, government ID or driver’s license numbers, vision insurance account/identification numbers, Medicaid or Medicare numbers, and health insurance account numbers. For some individuals, medical diagnoses and conditions, partial or full Social Security numbers and/or financial information, treatment details, and/or passport numbers were also compromised.

EyeMed offered the affected persons a complimentary membership to credit monitoring and identity protection services for two years.

Security Incident Affects Tennessee Proton Radiation Therapy Centers

Two proton radiation therapy centers in Tennessee, MTPC, LLC in Nashville and Proton Therapy Center, LLC in Knoxville, experienced a security incident that occurred in the early morning of October 28, 2020.

The attack caused ongoing disruption to a number of clinical and financial processes; nevertheless, the centers continued to deliver safe and effective patient services. Action is underway to counter the attack. In the meantime, the centers have adopted established back-up procedures, such as offline record-keeping.

So far, no evidence has been found to indicate that patient or employee data was copied, accessed, or misused.

Liv-On Family Care Center Patients Notified of PHI Theft

Liv-On Family Care Center in St. Paul, MN is notifying 1,580 patients about the theft of computer equipment containing their PHI during a burglary on October 25, 2020.

The burglars stole computers, laptops, and tablets that contained information such as patients’ names, dates of birth, addresses, health records, Social Security numbers, and other data. The devices were password-protected but not encrypted, so it may be possible to access the PHI. The center has reported the break-in to the police, but none of the stolen devices have been recovered yet.

More Than 3,500 Presbyterian Health Plan Members Affected By Mailing Error

Presbyterian Health Plan, based in Albuquerque, NM, is notifying 3,557 plan members about a mailing error that caused letters to be sent to other health plan members. On October 1, 2020, letters were sent to plan members informing them about recommended health screenings for managing their healthcare and providing contact details for care coordination. Some letters addressed to members were delivered to other members’ addresses. The mailing did not contain Social Security numbers, financial or credit card data, or any data included in medical systems or any other health data.

Xavier Becerra Appointed as New Secretary of the Department of Health and Human Services

President-elect Joe Biden has chosen California Attorney General Xavier Becerra for the position of Secretary of the Department of Health and Human Services. Becerra’s appointment is still awaiting the transition team’s announcement.

Biden is committed to building the most diverse administration ever and, although there has been some progress, he has been criticized about the number of Latinos appointed so far. Should the Senate confirm Becerra’s appointment, he will be the Department of Health and Human Services’ first Latino Secretary. The Congressional Hispanic Caucus has praised the selection of Becerra.

Becerra supports the Affordable Care Act and helped the legislation pass Congress in 2009 and 2010. The former Los Angeles area congressman also led the coalition of Democratic states that defended the Affordable Care Act and opposed efforts by the Trump Administration to overturn it. Becerra will be responsible for expanding the Affordable Care Act and will probably move immediately to reverse changes made by the Trump administration.

Becerra has partnered with the Louisiana Attorney General to improve the availability of the drug Remdesivir within the state, and with many Republican Attorneys General in taking legal action against opioid manufacturers. His record of working with Republicans helped secure him the position of Secretary of the HHS. Becerra will be tasked with supervising the HHS team’s fight against the coronavirus pandemic, including the mass vaccination program that will start across the United States at the beginning of 2021.

Biden has selected Dr. Rochelle Walensky to head the Centers for Disease Control and Prevention. Walensky is an infectious disease expert at Massachusetts General Hospital with substantial experience in fighting HIV/AIDS. Dr. Anthony Fauci, the current director of the National Institute of Allergy and Infectious Diseases and chief medical adviser on COVID-19, will continue in both roles.

Biden chose Jeff Zients, a former economic adviser to President Barack Obama, as the White House coronavirus coordinator. Vivek Murthy, co-chairman of the coronavirus task force, will return to the Surgeon General position he held during the Obama administration.

Biden also nominated Yale School of Medicine professor Dr. Marcella Nunez-Smith as chairperson of the COVID-19 Equity Task Force. Deputy campaign manager Natalie Quillian will serve as deputy coordinator of the COVID-19 Response. Biden will announce the other appointees to his health care team in the next couple of days.

HHS Releases Final Rules Regarding Safe Harbors for Cybersecurity Donations

On November 20, 2020, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) released final rules intended to improve care coordination and reduce regulatory obstacles. Both final rules include safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

CMS released the 627-page final version of Modernizing and Clarifying the Physician Self-Referral Regulations, commonly referred to as the Stark Law, and OIG finalized changes to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.

Physician practices often have limited resources, which makes it hard for them to implement solutions that address cybersecurity threats. Without the necessary protections, unauthorized individuals can access, steal, delete, or encrypt sensitive healthcare data. Threat actors can also attack small physician practices and use them to gain access to other healthcare systems.

When the regulations were first proposed, commenters stressed the value of a safe harbor to permit non-abusive, beneficial arrangements between physicians and other healthcare organizations, such as donations of cybersecurity solutions to help protect the healthcare ecosystem. CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exception for donations of electronic health record items to physicians, broadening the EHR exception to include cybersecurity software and services. A separate exception was also provided for broader cybersecurity donations, including donations of cybersecurity hardware.

CMS explained that the finalized exceptions offer new flexibility for certain arrangements, for example donations of cybersecurity technology that protect the integrity of the healthcare ecosystem, whether or not the parties use a fee-for-service or value-based payment system.

The changes acknowledge the risk of cyberattacks on the healthcare industry, create a safe harbor for cybersecurity technology and services, including cybersecurity-related hardware, and will ensure that cybersecurity software and hardware are available to healthcare organizations of all sizes.

The safe harbor applies to, but is not limited to, software security measures to protect endpoints that permit network access control, applications that provide malware prevention, business continuity applications, data protection, and encryption and email traffic control. The exception also covers hardware that is necessary and used predominantly to implement, maintain, or re-establish cybersecurity, and a wide range of cybersecurity services such as software updates and maintenance and cybersecurity training services. The rule makes no distinction between local and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the cost-sharing requirement for donations of EHR items or services is retained.

HHS said that allowing entities to donate cybersecurity technology and related services to physicians will result in fortifying the entire health care ecosystem.

The final rules are scheduled to be published in the Federal Register on December 2, 2020 and are expected to take effect on January 19, 2021.