HHS begins enforcement of breach notification requirements

Posted on February 25, 2010 by Steve Fox and Vadim Schick

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial  "harm threshold" to this requirement:  covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

The HITECH Act defines “breach” as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The Act includes two important (albeit vague) exceptions to this definition for cases in which: (1) “the unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed”; or (2) “where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.

The HITECH Act imposes a similar notification requirement on a business associate “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured” PHI. In the event of a breach, the business associate shall provide notice to the covered entity, including “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

The term “unsecured protected health information” refers to PHI that is not secured through the use of a “technology or methodology” specified by the Secretary in a “Guidance” issued as part of the breach notification regulation in the Federal Register on August 24, 2009 (see link above).  The Guidance, which is to be updated annually, specifies two basic ways of rendering PHI “secure:” encryption and destruction. Electronic PHI must be properly encrypted “by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” The Guidance provided an exhaustive list of technologies which would encrypt PHI, referencing “approved” processes and methods from the National Institute of Standards and Technology (NIST). Electronic PHI may be properly destroyed in the hard copy media (e.g., paper, tapes) on which the PHI is stored is shredded or destroyed “suchin such a way “that the PHI cannot be read or otherwise cannot be reconstructed;” electronic media containing PHI “must be cleared, purged, or destroyed consistent with NIST [Guidelines] such that the PHI cannot be retrieved.”

Securing PHI in accordance with this Guidance will be the safest way to protect a healthcare organization from a serious breach of patient data privacy. Organizations that suffer a breach involving disclosed, stolen or lost data that was not “secured” may be subject to a wide range of newly established breach notification requirements.  It is important to note, however, that for both covered entities and business associates, the breach shall be deemed to have been discovered on the first day on which it is “known to such entity or associate.” The term “known” means that the circumstances of the breach are known by any “employee, officer, or other agent of such entity or associate,” other than the person who committed the breach. Furthermore, all notifications (by both covered entities and business associates) must be made “without unreasonable delay,” which, in Congressional time, means no later than 60 calendar days after discovery of the breach. The entity making the notification has the burden of demonstrating that all required notifications were made, as well as explaining the necessity of any delay.

There is a lot more information that covered entities and business associates must know about the new rules, including, for example, requirements regarding the content of breach notices.  For more information on these matters, please do not hesitate to contact us.
Tags: , , , , , , , , , , , , , , , , , , , ,

Rising numbers and costs of data breaches

Posted on January 28, 2010 by Vadim Schick

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

  • Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

 

There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:
 

  • According to Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members.  $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.  The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."  Further complicating HealthNet's situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," Inforsecurity.com (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," cnet News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," IHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," theday.com (January 13, 2010).

 

 
Tags: , , , , , , , , , , , , , , , , ,

In the news: Privacy breaches and de-identification

Posted on January 11, 2010 by Steve Fox and Vadim Schick
  • According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy.  Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.  This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, plead guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.
  • Delaware Online reports about a new unfortunate trend in medical identity theft -- searching for copies of discarded prescriptions:  "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs."  According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:

They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."

Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID's before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

  • According to Washington Technology, HHS is looking for a contractor to research the effectiveness of "de-identifying" PHI:

Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.

'The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude 'brute force' matching, demonstrate the ability or inability to re-identify the data,' the notice states.

The re-identification must be an accurate and unambiguous match to an individual.

"Former UCLA Health Worker Pleads Guilty To Accessing Celebrities' Medical Records," LA Weekly (January 8, 2010).

"Delaware crime: Trash-picking identity theft targets pharmacy customers," Delaware Online (January 6, 2009).

"HHS wants contractor to test privacy of 'anonymous' data," Washington Technology (January 5, 2010).
Tags: , , , , , , , , , , ,

Health Net data breach affects 450,000 people

Posted on November 19, 2009 by Steve Fox and Vadim Schick

Health insurance provider Health Net reported a loss of a portable disk drive (which occurred six months ago).  The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons. 

Connecticut Attorney General Richard Blumenthal was "outraged" the company waited this long to go public about this major data breach:

Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information <...> Personal information is like cash and should be guarded with equal care. Casual and cavalier attitudes toward data protection and breaches are intolerable and must stop.

This case provides yet another reminder about the importance of encrypting the sensitive and protected data, including PHI, in your possession.

According to NBC Connecticut:

Blumenthal is investigating and demanding that Health Net provide consumers with at least two years of identity theft protection, identity theft insurance, reimbursement for credit freezes and credit monitoring for at least two years for all 446,000 consumers.

The state Insurance Department is also investigating and looking for information, including what led to the disc drive disappearing, what information is missing, HealthNet’s security procedures and changes they plan.

In a statement, Health Net apologized for any "inconvenience or concern" this breach may cause.  The company will provide credit monitoring for 2 years.  Health Net did not receive any reports of misuse of lost data.

"Health Net Loses Information for 450,000 Clients," NBC Connecticut (November 19, 2008).
Tags: , , , , , ,

HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

Posted on August 20, 2009 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. 

Also, pursuant to Section 13403(a) of the HITECH Act, the HHS Secretary Kathleen Sebelius designated an individual in each regional office of HHS (Regional Office Privacy Advisors) in order "to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules."  The names, addresses, and contact information for each of the Regional Managers are listed here, together with a list of the States for which each Regional Manager has responsibility.

"HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," HHS Press Release (August 19, 2009).

" Designation of Regional Office Privacy Advisors," HHS Press Release (July 27, 2009).
Tags: , , , , , , , , , , , , , ,

FTC Issues Final Breach Notification Rule for Electronic Health Information

Posted on August 17, 2009 by Steve Fox and Vadim Schick

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Tags: , , , , , , , , , , , , , , , , ,

Healthcare providers must become aware of and comply with PCI DSS

Posted on June 22, 2009 by Steve Fox and Vadim Schick

Healthcare providers are generally familiar with and are used to the complex network of state and federal data privacy protection laws (e.g., HIPAA and HIPAA Privacy and Security regulations).  However, most providers may not be aware of another set of data security standards, the Payment Card Industry Data Security Standards (PCI DSS), imposed by a non-governmental, private organization representing the credit card industry.  

Contrary to popular belief, PCI standards apply to any processor of credit cards, regardless of volume of credit card transactions.  (However, PCI DSS differ based on each organization's transactions volume.)  In other words, if your healthcare enterprise or practice accepts credit cards as payment for services (which virtually all practices do), your organization is subject to PCI DSS.  

SC Magazine's recent contribution from Jim Lacy, CFO of healthcare IT company ZirMed, provides an excellent reminder for all healthcare providers accepting credit cards to take note of PCI DSS and begin the process of compliance with such standards.

A few lessons from Jim Lacy's piece and more after the jump.

Jim Lacy reminds healthcare providers of a few basic principles of PCI compliance:

  • As mentioned above, PCI DSS applies to all entities processing credit card transactions, regardless of volume.
  • PCI DSS compliance is not prohibitively expensive.  Certain PCI-compliance services are available online for as little as $150 a year.
  • If your organization is not compliant with PCI DSS, you may not be able to process credit card transactions in certain markets.
  • Aside from suspension of one's ability to process credit card transactions, a data breach for non-compliant providers may cost hundreds of thousands of dollars in fines alone (VISA can impose fines up to $500,000 per incident).
  • HIPAA compliance does not mean compliance with PCI DSS.

In addition to PCI DSS, at least one state, Minnesota, adopted most provisions of PCI DSS prohibiting storage of credit card data as state law, the Plastic Card Security Act (PCSA).  PCSA essentially created a strict liability standard for entities processing over 20,000 credit card transactions a year for any losses or damages caused by a data breach of stored credit card data. 

Thus, a Minnesota healthcare enterprise may be strictly liable to credit card companies or patients for losses or damages resulting from a security breach of stored credit card data, if such provider was not compliant with PCI DSS and the applicable provisions of Minnesota law.

"PCI-DSS: Not on health care provider's radar", SC Magazine (June 19, 2009).

 
Tags: , , , , , , ,

$50,000 Laptops: Average cost to employers in case of breach

Posted on April 23, 2009 by Steve Fox and Vadim Schick

A new study of 138 laptop-loss cases suffered over a recent 12-month period by 29 organizations, found that, on average, each lost or stolen laptop cost the employer $49,246.  About 80% of the amount, or about $39,000 per laptop, are costs associated with data breaches, i.e., loss of personal data stored on the lost or stolen laptop.  Significantly, the study found that:

The faster the company learns that a laptop is lost, the lower the average cost ... If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849.

The study didn't endorse any particular brand of notebook protection gear, but noted that encryption on average can reduce the cost of a lost laptop by more than $20,000.  (It is important to point out here that most data protection laws (both state and federal) exclude loss of encrypted or secured information from their definition of "breach.")

The study was conducted by the Michigan-based Ponemon Institute and commission by Intel.

("Typical lost or stolen laptop costs companies nearly $50,000, study finds", MercuryNews.com, April 22, 2009.)

Tags: , , , , ,

This just in: New HHS guidance about securing protected information

Posted on April 17, 2009 by Steve Fox and Vadim Schick

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

Tags: , , , , , , , ,

In the news: "Octomom" privacy breach at Kaiser Permanente; uptick in HIT stocks; and more

Posted on March 30, 2009 by Steve Fox and Vadim Schick
  • After what has become a rather typical breach of patient privacy for Southern California, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom".  Previously, similar breaches occurred at UCLA when that medical center's staff leaked celebrities' medical records to the tabloids.  (MercuryNews.com, via AP, March 30, 2009.)
  • Wall Street Journal reported last week that HIT stocks, especially smaller companies, like eClinicalWorks (which provide the software component of Wal-Mart's new EHR package) will benefit greatly from the billions of dollars in HIT funding included in the stimulus bill.  Also, in another sure sign of a growing industry, Quality Systems, the maker of the NextGen EHR software, is "beefing up its sales force." ("Stimulus Funds for E-Records Augur Big Windfall for Small Health Firms", Wall Street Journal, March 24, 2009.)
  • A new bill is introduced in the Pennsylvania Senate that would ban businesses from collecting personal data from driver's licenses.  This should also serve as a good reminder for businesses not to collect or store more information than absolutely necessary.  (Pennlive.com, March 30, 2009.)
  • Perot Systems will launch a new service tomorrow (April 1, 2009) to help hospitals achieve "meaningful use" status under HITECH, geared towards meeting the interoperability and standardization of HIT use.  (Healthcare IT News, March 30, 2009).

 
Tags: , , , , , , , , , , , , ,

In the news

Posted on March 16, 2009 by Steve Fox and Vadim Schick
  • Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal.  IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records.  AP, San Francisco Chronicle (March 17, 2009).
  • A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing).  This could result in a massive $22 billion reduction in drug and medical costs.  Government Health IT (March 17, 2009).
  • Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry.  Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services.  According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology.   Healthcare IT News (March 11, 2009) also covered this story.

More news after the jump.

  • Health Information Security and Privacy Collaboration (HISPC) is working on an engine to help healthcare providers navigate through the complex labyrinth of interstate transfers of health information.  Government Health IT (March 5, 2009).
  • President & CEO of HIMSS Analytics, Dave Garetz, predicts a huge rush in 2009 to adopt HIT in order to qualify for government incentives as meaningful EHR users.  There will likely be a significant shortage of competent HIT personnel and "change management experts" to help in this gigantic transition effort, which further underscores this Blog's urgent plea to begin planning for EHR adoption now.  Healthcare IT News (March 4, 2009).
  • Not everything is coming up roses:  Scott Haig of Time has a thoughtful article outlining some of the major challenges for nationwide adoption of EHR technology.  Time (March 5, 2009).
  • Universities are (and have been for years) the leading sector for publicized data breaches.  A new report examines the reasons.  ComputerWorld (March 9, 2009).  (The author of the article, Jay Cline, was only able 20 chief privacy officers at major U.S. universities, which is a clear sign that the academia - as institutions subject to numerous data privacy laws, including HIPAA, GLBA and FERPA - should be much more proactive and serious about data privacy protection.)
Tags: , , , , , , , , , , , ,