HITECH amendment encourages adoption of recognized security practices

An amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted on January 5, 2021, provides an incentive for a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), or a covered entity’s business associates, to adopt recognized security practices. H.R. 7898, enacted as P.L. 116-321, states that the Secretary of the Department of Health and Human Services shall consider whether the covered entity or business associate has adopted recognized security practices; such adoption may mitigate fines or other remedies imposed for HIPAA security violations, or support favorable termination of a HIPAA security audit. Recognized security practices are standards, guidelines and best practices developed by the National Institute of Standards & Technology (NIST) or other regulatory guidelines for cybersecurity.

Excellus Health Plan settles data breach for $5.1 million

The Department of Health & Human Services Office for Civil Rights (OCR) announced a $5.1 million settlement with Excellus Health Plan, Inc. relating to a data breach that affected over 9.3 million persons. The breach arose out of a cyberattack that began in December 2013, in which hackers installed malware and conducted reconnaissance activities within the health plan’s information technology system. The attack was not ended until May 2015. In addition to the settlement payment, the health plan agreed to a two-year corrective action plan that requires it to conduct a comprehensive information security risk analysis; adopt an enterprise-wide risk management plan; and update its policies and procedures, including providing for regular review of audit logs, access reports and security incident reports, and adoption of access control measures, including network or portal segmentation and password management.


Banner Health settlement is largest so far in the OCR’s Right of Access initiative

On January 12, 2021, the Department of Health & Human Services Office for Civil Rights (OCR) reported that it had reached a $200,000 settlement with Banner Health. This is the fourteenth settlement in OCR’s Right of Access initiative, which investigates claims of patients and related parties that they have been denied access to their health records. Under the Health Insurance Portability and Accountability Act (HIPAA), HIPAA covered entities, including health care providers, are required to respond to a request for access to records within thirty days.

The Banner Health settlement is the third six-figure settlement, following settlements in October 2020 with Dignity Health ($160,000) and NY Spine ($100,000). The remaining eleven settlements have been for less than $100,000, with five $25,000 or less. However, the ongoing compliance reporting required by the settlement agreements may be a more substantial burden than the upfront settlement payment, especially for smaller providers. Generally, the settlement agreements require the provider to revise its policies and procedures, train employees, and provide reports to OCR for a two-year period.

Appeals Court overturns $4 million penalty imposed on MD Anderson Cancer Center

The Fifth Circuit Court of Appeals ruled that the Department of Health and Human Services (HHS) violated the Administrative Procedure Act in imposing a $4 million civil monetary penalty on M.D. Anderson Cancer Center. The case arose out of three incidents in 2012 and 2013, in which an unencrypted laptop was stolen, and two unencrypted USB thumb drives were lost.

HHS had determined that M.D. Anderson violated the requirement under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requiring HIPAA covered entities to implement a mechanism to encrypt electronic protected health information (ePHI) or adopt another appropriate method to limit access. HHS also determined that the hospital violated the HIPAA Privacy Rule prohibition on unpermitted disclosure of PHI. Finally, HHS found that the hospital had reasonable cause to know that it had violated these rules and assessed daily penalties of $1,348,000 for the Security Rule violation and $3,000,000 for the Privacy Rule violation. The court ruled that HHS was arbitrary and capricious in applying its regulations and calculating the penalty amounts.


OCR’s HIPAA audit report reveals many easily fixable mistakes

The Department of Health and Human Services Office for Civil Rights (OCR) published a report on audits of compliance with the privacy, security and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) by HIPAA covered entities (CEs) and business associates (BAs). Most CEs complied with requirements for timely notification of breaches and prominent posting of the Notice of Privacy Practices (NPP) on their websites. However, many CEs failed to fully comply with requirements of the HIPAA Privacy Rule for providing access to Protected Health Information (PHI), and with regard to the required content of the NPP. Also, most CEs and BAs failed to demonstrate that they complied with the HIPAA Security Rule requirement for risk analysis and risk management. OCR noted that it provides extensive compliance resources for these areas.


OCR will use enforcement discretion for telehealth during the pandemic

The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced that during the COVID-19 national emergency, health care providers may use audio or video communication technology to provide telehealth to patients via popular applications. Ordinarily, providers would need to comply with the HIPAA Security Standards and enter into a business associate agreement with the technology vendor in order to provide HIPAA-compliant telehealth services. However, to make health care services accessible to patients, OCR is allowing providers to use non-public-facing remote communication, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom or Skype. Public-facing applications such as Facebook Live should not be used for telehealth.

OCR publishes guidance on disclosing PHI to public health authorities through an HIE

On December 18, 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services published a guidance document addressing circumstances in which a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) or its business associate may disclose protected health information (PHI) to a public health authority through a health information exchange (HIE). Some circumstances in which PHI may be disclosed are in effect only during the COVID-19 public health emergency (PHE). Covered entities need to be aware of this limitation, and prepare to terminate or modify these arrangements when the PHE terminates. If a covered entity is using an HIE to transmit PHI to a public health agency, once the COVID-19 PHE ends the parties will need to discontinue this disclosure unless the business associate agreement (BAA) expressly permits it.
