electronic protected health information
Subscribe to electronic protected health information's Posts

OCR Guidance Underscores Importance of Authentication under HIPAA

In its tenth OCR Cyber Awareness Newsletter of the year (Newsletter), the Office for Civil Rights (OCR) reminded HIPAA-covered entities and business associates of the importance of selecting an appropriate authentication method to protect electronic protected health information (ePHI). Authentication is the process used to “verify whether someone or something is who or what it purports to be and keeps unauthorized people or programs from gaining access to information.” The Newsletter notes that the health care sector has been a significant target of cybercrime and that some incidents result from weak authentication methods.

Authentication methods can consist of one or more factors and are often described as: (1) something you know, such as a password; (2) something you are, such as a fingerprint; or (3) something you have, such as a mobile device or smart card. Single-factor authentication requires use of only one of the methods. Multifactor authentication requires use of two or more methods (for example, a password prompt followed by an additional prompt to a mobile device). (more…)




OCR Explains How Information Blocking Violates HIPAA

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.

Read full article here.




Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.




Pressure Points: OCR Enforcement Activity in 2014

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI).  The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

  1. Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the entity’s EPHI and to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level.  In each case, the final corrective action plan required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement.

      2.  A risk assessment is not enough – entities must follow through with remediation of identified threats and vulnerabilities.

In the resolution agreement related to Concentra Health Services (CHS), OCR noted that although CHS had conducted multiple risk assessments that recognized a lack of encryption on its devices containing EPHI, CHS failed to thoroughly implement remediation of the issue for over 3-1/2 years.

      3.  System changes and data relocation can lead to unintended consequences. 

In two of the cases, the underlying cause of the security breach was a technological change that led to the public availability of EPHI.  A press release on the Skagit County incident notes that Skagit County inadvertently moved EPHI related to 1,581 individuals to a publicly accessible server and initially reported a security breach with respect to only seven individuals, evidentially failing at first to identify the larger security breach.  According to a press release related to the NYP/Columbia security breach, the breach was caused when a Columbia physician attempted to deactivate a personally-owned computer server on the network, which, due to lack of technological safeguards, led to the public availability of certain of NYP’s EPHI on internet search engines.

      4.  Patch management and software upgrades are basic, but essential, defenses against system intrusion.

OCR noted in its December 2014 bulletin on the Anchorage security breach (2014 Bulletin) that the breach was a direct result of Anchorage’s failure to identify and address basic security risks. For example, OCR noted that Anchorage did not regularly update IT resources with available patches [...]

Continue Reading




Just in Time for the Holidays: Another HIPAA Settlement

Following an Office for Civil Rights investigation, Anchorage Community Mental Health Services, Inc., agreed to pay $150,000 and comply with a two-year Corrective Action Plan to settle allegations that it violated the HIPAA Security Rule. This settlement is another reminder that covered entities and business associates should take the necessary steps to ensure compliance with HIPAA and to reasonably and appropriately safeguard the electronic protected health information in their possession.

Read the full article.




STAY CONNECTED

TOPICS

ARCHIVES