High Number of HIPAA Mobile Device Breaches – Time to Use Safe Harbor Encryption

Most breaches of electronic protected health information (ePHI) reported to the Department of Health and Human Services (HHS) have related to the theft or loss of unencrypted mobile devices. These breaches can lead to potentially hefty civil fines, costly settlements and negative publicity (e.g. the Stanford and Idaho laptops or the APDerm thumb drive). Given the increasing use of mobile devices and the significant costs of breach notification, healthcare organizations and their business associates would be wise to invest in encryption solutions that fall within the “safe harbor” for HIPAA breach notification.

Encryption and the “Safe Harbor” for HIPAA Breach Notification

Under HHS guidance, ePHI is not considered “unsecured” if it is properly encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and the confidential process or key that might enable decryption has not itself been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. Encryption processes “consistent with” (for data at rest) or which “comply, as appropriate, with” (for data in motion) the National Institute of Standards and Technology (“NIST”) guidelines are judged to meet the law’s standard for encryption. If ePHI is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information; this is known as the HIPAA breach notification “safe harbor”. [78 FR 5664]

NIST Guidelines for Data at Rest

The NIST guidelines for data at rest do not provide specific requirements for encryption technology; instead, they describe common storage encryption technologies (full disk, volume, virtual, and file/folder encryption) and offer recommendations for implementing a storage encryption solution. A main takeaway from this guide is that “the appropriate encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated.” Despite the lack of bright-line rules, the NIST guide does offer some key recommendations, such as:

  • When selecting a storage encryption technology, consider solutions that use existing system features (such as operating system features) and infrastructure.
  • Use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.
  • Select appropriate user authenticators for storage encryption solutions.
  • Implement measures that support and complement storage encryption for end user devices.

Encryption Technology for Apple iOS Devices: A Case Study

The good news is that the technology is available to properly encrypt ePHI without being too burdensome.  For instance, Apple’s popular iPhones and iPads fortunately have their own built-in encryption technology.  Every iOS device has a “dedicated AES (Advanced Encryption Standard) 256 crypto engine built into the DMA (Direct Memory Access) path between the flash storage and main system memory, making file encryption highly efficient.”  Setting a passcode turns on Data Protection, and the passcode becomes a key to encrypting mail messages and attachments (or other apps), using 256-bit AES encryption. Notably, Apple’s encryption technology (CoreCrypto Module and CoreCrypto Kernel Module) has been FIPS (Federal Information Processing Standards) certified, a standard that the NIST guide references and approves.

Based on the NIST guidelines for data at rest, the following are some basic steps for implementing a storage encryption technology solution specifically with Apple iOS devices:

  • Ensure that users have up-to-date devices and operating systems (e.g. iPhone 4 or higher running iOS 4 or higher).
  • Work with an IT administrator or security expert to manage deployment of iPhones.
  • Select appropriate passcode requirements to meet your security needs, including timeout periods, passcode strength and how often the passcode must be changed. The effectiveness of data protection depends on a strong passcode, so it is important to require and enforce a passcode stronger than 4 digits when establishing passcode policies.
  • Store/transmit the minimum amount of ePHI necessary to effectuate communication.
  • Disable access to Notification Center and Alerts from the lock screen to prevent display of potentially sensitive data.
  • Revise and document organizational policies as needed to incorporate appropriate usage of the storage encryption solution.
  • Make users aware of their responsibilities for storage encryption, such as physically protecting mobile devices and promptly reporting loss or theft of devices.

For additional guidance on mobile device security, the HHS Office of the National Coordinator for Health Information Technology (“ONC”) has also provided helpful tips in “How Can You Protect and Secure Health Information When Using a Mobile Device?”.

As healthcare becomes more mobile, covered entities, business associates, and health information technology vendors should become familiar with the “safe harbor” for HIPAA breach notification and the NIST guidelines for encryption of data at rest and in transit. For more information about the HIPAA “safe harbor”, encryption standards, or HIPAA in general, please contact Jefferson Lin, Lee Kuo or David Schoolcraft.


HHS Issues HIPAA Guidance For Mental Health

HHS recently issued HIPAA guidance for mental health practitioners, in an effort to help providers wade through complicated decisions of when disclosures of patient information are permissible.  This guidance, set up in a FAQ format, is designed to incorporate common questions related to the intersection of mental health and privacy laws.  The guidance addresses when healthcare providers are permitted to:

  • Communicate with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicate with family members when the patient is an adult;
  • Communicate with the parent of a patient who is a minor;
  • Consider the patient’s capacity to agree or object to the sharing of their information;
  • Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
  • Listen to family members about their loved ones receiving mental health treatment;
  • Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
  • Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.

The guidance also addresses FERPA (privacy laws in a school setting), Federal alcohol and drug abuse confidentiality (42 CFR Part 2 Programs) and the rights of parents to have access to a minor child’s information. Though not addressed in the guidance, mental health practitioners practicing in Washington State should also be aware of the new statutes regulating mental health record disclosures, which take effect on July 1, 2014.

For assistance in navigating these privacy rules please contact Elana Zana or Dave Schoolcraft.

HHS Deadline for HIPAA Breach Notification Reporting

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches to HHS on an annual basis, regardless of the number of individuals affected. The deadline for this report is Saturday, March 1st, 2014. This reporting requirement is pursuant to the Omnibus HIPAA Rule published in January of 2013. Providers who have had breaches affecting fewer than 500 individuals can report the HIPAA breaches here. This report needs to be filled out for each breach that occurred during the 2013 calendar year. For example, if a covered entity had a breach in April of 2013 affecting three individuals and another breach in December 2013 affecting two individuals, the report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example). To fill out this form, covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery
  • Approximate number of individuals affected by the Breach
  • Type of Breach (e.g. theft, loss, unauthorized access, etc.)
  • Location of breached information (e.g. laptop, e-mail, etc.)
  • Type of Protected Health Information involved in the Breach (e.g. demographic, financial, etc.)
  • Description of the Breach
  • Safeguards in place prior to the Breach (e.g. firewalls, physical security, etc.)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required (this requirement is described in the rule)
  • Whether media notice was required (this requirement is described in the rule)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

For those covered entities that have had a breach which affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach in accordance with the Breach Notification Rule.

If you have questions regarding filling out this report or on Breach Notification in general please contact Elana Zana or Dave Schoolcraft.

Proposed HIPAA Rule to Enhance Criminal Background Check System

On January 7, the U.S. Department of Health & Human Services (HHS) published a notice of proposed rulemaking (NPRM) to revise the HIPAA Privacy Rule to expressly permit certain covered entities to disclose specific information about individuals who are subject to the federal mental health prohibitor to the National Instant Criminal Background Check System (NICS). HHS stated that the purpose of this amendment is to help “strengthen the federal background check system to keep guns out of potentially dangerous hands” by removing legal barriers under HIPAA that may prevent reporting relevant information to the NICS.

The NICS is a national system used to conduct background checks on individuals who may be disqualified from purchasing or receiving firearms based on federally prohibited categories or state law. One such category is the federal “mental health prohibitor,” which includes individuals who have been (1) involuntarily committed to a mental institution; (2) found incompetent to stand trial or not guilty by reason of insanity; or (3) determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs.

The proposed amendment would permit HIPAA covered entities that perform the commitments or adjudications that make individuals subject to the federal mental health prohibitor, or that act as repositories of NICS records on behalf of a state, to use and disclose certain information for NICS reporting purposes. These select covered entities would be permitted to disclose only the “individual’s name; date of birth; sex; a code or notation indicating that the individual is subject to the Federal mental health prohibitor; a code or notation representing the reporting entity; and a code identifying the agency record supporting the prohibition.” Covered entities would not be permitted to disclose clinical or diagnostic information, medical records, or other identifiable health information. Covered entities could disclose the information directly to the NICS or to an entity designated by a state as a data repository for NICS reporting purposes.

Because the proposed rule focuses on covered entities that actually are responsible for ordering involuntary commitments or conducting adjudications, or that act as a designated repository of NICS records, it does not affect most treating providers or covered entities that only engage in treatment functions. Further, this modification would permit, not require, the specified covered entities to disclose information.  The proposed amendment would not include any additional notification requirements to individuals whose information was disclosed and would not require covered entities to change their notice of privacy practices.

HHS is seeking comments, which are due on March 10, on various issues addressed in the NPRM, including whether the permission should be broadened to include reporting on individuals subject to state firearms prohibitions and additional (non-clinical) identifying information.

For more information about the proposed rule or HIPAA in general, please contact Jefferson Lin.

Stolen Thumb Drive Proves Costly for Dermatology Practice

The Department of Health and Human Services (HHS) recently announced a $150,000 settlement with a dermatology practice in Massachusetts that arose out of a stolen thumb drive.  The unencrypted drive, which contained the health information of approximately 2,200 individuals, was stolen from a vehicle of one of the practice’s staff members.

Although HHS was concerned with the staff member’s failure to safeguard the health information, the large settlement amount resulted primarily from the practice’s lack of HIPAA policies and procedures.  Specifically, HHS determined that the practice: (1) had no breach notification policies, (2) had not conducted risk assessments for potential security vulnerabilities, and (3) did not adequately perform HIPAA training for its workforce.

This case provides an important warning to health care providers who do not have comprehensive HIPAA and HITECH policies and procedures.  Although the risk of being selected for an HHS HIPAA audit is still relatively low, it only takes one breach of health information for HHS to open an investigation that can result in costly penalties.

For more information about HIPAA and HITECH policies and procedures, please contact Casey Moriarty.


Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, or the fact that they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

Stage 1

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Stage 2

Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time consuming and very detail-oriented; thus, maintaining the appropriate documentation is essential. For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

UW Medicine Notifies 90,000 Patients of HIPAA Breach

Just before the Thanksgiving holiday, UW Medicine reported a HIPAA security breach, affecting roughly 90,000 patients at Harborview and UW Medical Centers.  In early October, a UW Medicine employee opened an e-mail attachment containing malicious software.  The malware took control of the computer, which had patients’ data stored on it.  The information that was exposed was a subset or extraction of data that was used for billing purposes.  Patient information may have included names, medical record numbers, addresses, phone numbers, dates of service, charge amounts for services received, Social Security numbers or Medicare numbers.

This is the fourth biggest HIPAA security breach this year, according to data from the Department of Health and Human Services.  The other major breaches involved stolen unencrypted computers and laptops (Advocate Health System and AHMC Healthcare) and improper disposal of medical records (Texas Health Harris Methodist Hospital).

The recent UW Medicine incident highlights the need for hospitals, providers, and business associates to monitor and update their virus protection software and firewalls. Additionally, organizations should implement security awareness and training programs for all workforce members; this may include periodic reminders addressing malicious software or guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders or hoax e-mail.

For assistance with HIPAA and/or the breach notification rules please contact Elana Zana or Jefferson Lin.


Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information.  UnityPoint learned of the breach after an audit discovered that a third party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing third-party contractors, known as “business associates,” to access health information in an EHR system. While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach.  Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

Guidance on Refill Reminders and Enforcement Delay until Nov. 7th

The Office for Civil Rights (OCR) recently released guidance related to the new HIPAA marketing requirements and refill reminders. The guidance includes several FAQs and examples to help navigate the new HIPAA marketing/refill reminder rules. In conjunction with the release of this guidance (and as a result of a lawsuit filed by Adheris, Inc.), HHS has decided to delay enforcement of the refill reminder requirements until November 7, 2013. This enforcement delay applies only to the refill reminder rules and does not apply to the rest of the HIPAA requirements, which will be enforced starting September 23, 2013.

Pursuant to HIPAA, a covered entity or business associate must receive a patient’s written authorization before using or disclosing PHI to make a marketing communication to him/her, unless another exception applies. The new HIPAA marketing definition includes a generally common-sense definition of marketing, with certain limited exceptions. The new marketing rule creates an explicit exception “to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost for making the communication.” The focus of the guidance is on two key phrases within the definition: (1) whether the drug is “currently being prescribed” and (2) whether there is financial remuneration and, if so, whether it is “reasonably related to the covered entity’s cost of making the communication”.

The guidance identifies the following as satisfying the first requirement that the drug is currently being prescribed:

WITHIN EXCEPTION

• Refill reminders.

• Communications about generic equivalents of a drug being prescribed.

• Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).

• Adherence communications encouraging individuals to take prescribed medicines as directed.

• Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

NOT WITHIN EXCEPTION

• Communications about specific new formulations of a currently prescribed medicine.

• Communications about specific adjunctive drugs related to the currently prescribed medicine.

• Communications encouraging an individual to switch from a prescribed medicine to an alternative medicine.

With regard to the second prong, whether there is financial remuneration and if so whether it is related to the cost of making the communication, HHS provides the following information:

WITHIN EXCEPTION

• Communication does not involve remuneration.

• Communication involves only non-financial or in-kind remuneration, such as supplies, computers, or other materials.

• Communication involves only payment from a party other than the third party (or other than on behalf of the third party) whose product or service is being described in the communication, such as payment from a health plan.

• Remuneration involves payments to the covered entity by a pharmaceutical manufacturer or other third party whose product is being described that cover the reasonable direct and indirect costs related to the refill reminder or medication adherence program, or other excepted communications, including labor, materials, and supplies, as well as capital and overhead costs.

• Remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or to make other excepted communications, up to the fair market value of the business associate’s services.  The payments may be made by a third party whose product is being described directly to the business associate or through the covered entity to the business associate.

NOT WITHIN EXCEPTION

• Communication involves financial remuneration other than as described above.

The guidance then provides a series of examples and FAQs that are quite helpful in explaining what is and what is not permissible under the refill reminder exception to the marketing rule.  Though refill reminders are permitted, a covered entity should be careful to ensure that it is following the exception requirements or it should request patient authorization for such communications.  For more information about HIPAA and the marketing rule specifically please contact Elana Zana.


Copier Hard Drive Breach Costs Plan $1.2 Million

Yesterday, HHS announced a new HIPAA-related settlement with Affinity Health Plan for $1,215,780 related to PHI maintained on leased copy machines. This settlement follows an OCR investigation prompted by Affinity’s breach report filed on April 15, 2010. Affinity became aware of the breach following notice from CBS Evening News. Apparently, CBS purchased a photocopier previously leased by Affinity as part of an investigative report. CBS then notified Affinity that the copy machine contained PHI on its hard drive. Affinity reported that an estimated 344,579 individuals were affected by this breach.

OCR determined that Affinity improperly disclosed PHI when it returned its copy machines to the leasing agents without erasing the data on the copier hard drives. Additionally, Affinity failed to include the copy machine hard drives in its HIPAA-mandated risk analysis required by the Security Rule and failed to implement policies and procedures for wiping the hard drives when returning the photocopiers to its leasing agents. Affinity also entered into a corrective action plan with the OCR to retrieve all hard drives contained in copy machines previously leased that remain in the possession of the leasing agent.

Covered Entities (and now business associates) need to make sure that all electronic devices, including copy machines, medical equipment, computers, mobile phones, tablets, etc., are incorporated into their HIPAA Security Policies and Procedures and are evaluated to ensure that PHI is wiped prior to returning or selling any such devices. The FTC has issued a report on safeguarding data stored in hard drives of digital copiers and NIST has also issued guidance on media sanitization.

For more information regarding how to comply with the HIPAA Security Rules please contact Elana Zana.