Compliance Helper

HIPAA Medical data breaches most often caused by theft

Sat, 04 Sep 2010 17:37:28 GMT

I found this interesting article in American Medical News. It is interesting that two thirds of the reported breaches involved theft. What this indicates is that good policies and procedures and training could prevent a lot of the breaches. Encryption would also have protected most of these data. Privacy and security programs need not be expensive and difficult to maintain. It is mostly about training staff in proper methods to protect PHI.

Here is more from the article:

The Health Information Trust Alliance in August published an analysis of the 108 breaches that were reported to the Dept. of Health and Human Services from Sept. 23, 2009, to mid-July. The study found that the only type of breach experienced by every industry sector -- and often the biggest cause of a breach -- was theft. Health plans and physician practices were the biggest targets.

The analysis found that 68 of the 108 reported breaches were the result of theft. Of those thefts, 24 were at physician practices and involved a total of 318,478 patient records

HIPAA Violations with Paper Records by Business Associate and Sub-Contractor

Wed, 01 Sep 2010 15:41:48 GMT

Naturally the focus is on electronic records since it is easier to lose a large number of electronic records but that does not mean that those dealing with paper records are safe. Several large pharmacies have been fined millions for improper disposal of prescription information.

So you say you have good policies and procedures in place? How about your business associates and their sub-contractors? In this case the hospitals turned the records over to a pathology group (Carney) who in turn handed it off to a medical billing company (Goldthwait) and the former owner of the medical billing company Joseph Gagnon stated that they had been dumping the unsecured records at the dump for at least 2 or 3 years.

Maybe you have a business associate agreement in place that you think will protect you. "Goldthwait employees come to hospital pathology labs and print out the information they need to bill insurers — or the pathologists mail the information to the company. Dole, the Carney pathologist, said he required Gagnon to sign an amendment to their contract in 2003 stating that he would dispose of the paper in a way that complied with newly passed federal legislation designed to protect patients’ health information — though the amendment did not specify exactly how Gagnon would do that."

A seven year old agreement with no specific requirements is not much of a firewall. If I was the auditor I would find everyone in this daisy chain guilty of willful neglect.

You simply must get "suitable assurance" that your business associates are compliant.

Here is a link to the complete article:

www.boston.com/news/local/massachusetts/articles/2010/08/13/mass_hospitals_investigate_exposure_of_records/?page=1

Information Security and Privacy Compliance Work Plan by Rebecca Herold, The Privacy Professor

Tue, 31 Aug 2010 17:06:05 GMT

We here at Compliance Helper are very fortunate to have as our privacy and security expert, Rebecca Herold, The Privacy Professor, www.theprivacyprofessor.com . Rebecca has developed not only all the policies, procedures, and forms used on our site but also a step by step process to lead you through setting up an information security and privacy program appropriate for your organization.

Recently she was asked to speak at a webinar on the subject of HIPAA HITECH privacy and security and as part of that preparation she developed a work plan that essentially lays out the process used in our Prepare program. I have now posted this on our website at http://www.compliancehelper.com/resources/ so if you want to see the process go there and take a look. You can also get a demonstration of how the technology works at the home page of www.compliancehelper.com

Business Associates Must Comply with Ther HIPAA Contracts, Now!

Wed, 25 Aug 2010 14:57:33 GMT

I am pleased to see that the law firms are coming to grips with the NPRM and putting out opinions that reflect the new world created therein. It clearly states that if you have a business associate agreement in place HHS expects you to be compliant with the terms of that agreement, now. As we all know many insurance carriers and payers sent out amended BA agreements in an attempt to shift liability to the BA. Of course now the chain of responsibility extends down to the sub-contractor and everyone is liable if there is a breach. Here is a more complete quote from this blog:

The Office for Civil Rights (OCR) of HHS issued a proposed rule setting forth modifications to the Privacy, Security and Enforcement rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed rule implements the changes to HIPAA that are contained in the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). Key items under the proposed rule include the following:

Revising the definition of business associate to include patient safety organizations, health information organizations, E-prescription gateways, persons who facilitate data transmission, vendors of personal health information and subcontractors of a covered entity
Amending the definition of protected health information (PHI) to provide that the privacy and security rules do not protect individually identifiable health information of persons who have been deceased for more than 50 years
Defining electronic media to reflect the current National Institute of Standards and Technology definition, including intranets and voice technology digitally produced from information systems and transmitted by phones
Amending the definition of workforce to clarify that the term includes employees, volunteers, trainees and other persons whose conduct in the performance of work for a business associate is under the direct control of the business associate
Holding a business associate contractually liable, not only for improper uses and disclosures of PHI, but also for compliance with all other requirements of the Privacy Rule that pertain to the performance of the business associate's contract
Requiring material changes to the notice of privacy practices, including a statement that describes the uses and disclosures of PHI that require an individual's authorization
Providing that the noncompliance penalties could be imposed on covered entities and business associates for the acts of their agents, including workforce members and subcontractors acting within the scope of the agency

OCR proposes a 180-day period beyond the effective date of the final rule by which covered entities and business associates are expected to be in compliance with the proposed rule, unless otherwise specified. In addition, the proposed rule includes a one-year transition period for compliance with the business associate contract changes. The one-year period is in addition to the 180-day compliance period. Thus, covered entities and business associates have one year past the compliance date to renew or modify existing contracts to meet the new requirements. However, if contracts are renewed or modified following the compliance date or prior to the end of the one-year period, contracts would need to be compliant as of the time of the renewal or modification.

44% of CIOs say Business Associates Not Ready for "Meaningful Use":Pricewaterhouse Coopers Study Shows

Mon, 16 Aug 2010 15:55:23 GMT

Bruce Henderson, national leader of the EHR/HIE Practice at PricewaterhouseCoopers, says that initial and ongoing collaboration is essential on the road toward meaningful use of electronic health records. “Each phase of the timeline for achieving meaningful use standards calls for a higher level of collaboration.”

In the survey, 44% of CIOs say they are concerned that the external vendors they rely on in health information exchanges are not prepared for meaningful use implementation. Other barriers to implementation, Henderson says, include the delay in making final regulations publicly available, a lack of clarity surrounding some of the regulations, and an overall shortage of skilled IT staff in the labor market.

Preparing For Meaningful Use

"Preparing for HITECH compliance takes considerable planning. “As a first step, CIOs should institute an open dialogue between vendors, payers, physicians, patients, and others and assess where their systems and processes stand,” Henderson says.

Compliance Helper feels that one essential piece of information is the level of HIPAA HITECH compliance of all business associates and sub-contractors. A risk assessment which is also required for "Meaningful use" will give you a snapshot but for ongoing transparency metrics must be in place to continuously monitor compliance. The Compliance Meter^tmsupplies this critical information.

The Compliance Cooperative or CO-OP helps even the smallest sub-contractor get compliant, stay compliant, and prove compliance with the Compliance Meter^tm. All of this for only a $125 set up fee and $35 per month for maintenance.

Business Associates Liable for Breach of Their Business Associate Agreements, Effective February 17, 2010

Wed, 11 Aug 2010 20:18:02 GMT

Finally we are seeing privacy and security experts agreeing that if you signed a BA agreement you must be compliant with the terms of that agreement, now.

Here is more from this important blog:

New standards imposed on business associates and their partners.

Guest commentary from Daniel F. Gottlieb, Bernadette M. Broccolo, Jennifer S. Geetter, Jerry Tichner, Jeanna Palmer Gunville, Sarah S. Nelson, Edward G. Zacharias and Stephen W. Bernstein, attorneys in the Health Industry Advisory Practice Group of global law firm McDermott, Will & Emery, LLP

[Editor's note: Due to its length, this guest commentary will be presented in a series of three blog posts on consecutive days. Part 1 appears below.]

On July 14, 2010, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS), issued a proposed rule (Proposed Rule) containing modifications to the privacy standards (Privacy Rule), security standards (Security Rule) and enforcement regulations (Enforcement Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed modifications include changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and other changes deemed appropriate by OCR in order to strengthen the privacy and security of health information and to improve the "workability and effectiveness" of the Privacy Rule, Security Rule and Enforcement Rule (collectively, the Administrative Simplification Regulations).

OCR is accepting comments on the Proposed Rule through Sept. 13, 2010. Covered entities, business associates and others affected by the Administrative Simplification Regulations should consider submitting comments to OCR in order to shape the final rule. The Proposed Rule indicates that final amendments to the Administrative Simplification Regulations will be effective 180 days after the publication of a final rule. However, covered entities and business associates that have agreed to comply with HITECH Act requirements or other Administrative Simplification Regulation requirements through business associate agreements will continue to have contractual compliance obligations prior to the effective date.

Consequently, effective Feb. 18, 2010, the HITECH Act makes business associates both contractually liable to a covered entity for breach of the business associate agreement with the covered entity and civilly and criminally liable to the government for violations of those Security Rule requirements and the Privacy Rule's business associate agreement requirements.

Do Note Breach Business Associate Agreements:Ford & Harrison LLP, Daniel Sulton

Wed, 11 Aug 2010 15:49:38 GMT

I read this post with interest this morning. It seems that every day we get another law firm interpreting the NPRM here is an excerpt from the Ford & Harrison LLP opinion by Daniel Sulton

"The proposed rule modifies the requirements for a business associate agreement. A covered entity would not be required to report any breach or violation of the business associate agreement to HHS even if termination of the business associate agreement is not feasible. Also the parties to a business associate agreement must include provisions in the agreement requiring the business associate to take reasonable steps to cure any material breach or violation of the business associate agreement between the business associate and a subcontractor, or terminate the contract. The business associate agreement must also contain provisions requiring a business associate to comply with the Security Rule, report breaches of unsecured PHI to the covered entity, and ensure any subcontractors comply with the same rules applicable to business associates."

In the NPRM HHS states: Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.

Healthcare Leads in Data Breaches:Transparency Needed

Mon, 09 Aug 2010 14:50:29 GMT

Healthcare is lagging behind banking and finance in compliance. While it is true that HIPAA HITECH is new to a lot of business associates and sub-contractors the majority of the breaches are at covered entities with some help from their BAs.

As you get down to the level of business associates and sub-contractors the current level of compliance is probably less than 10%. Many have never heard of HIPAA or HITECH. This is a huge problem we feel can only be solved through the application of 21st century technology, ie cloud computing, and 21st century methodology, ie task centered process. Putting a canned manual up on the shelf or a CD-rom in you desk drawer is not compliance and it sure isn't transparency.

With the new proposed rules the entire chain of responsibility from top to bottom need to work together to prevent these data breaches. This requires transparency up and down the chain. You need to see the level of compliance of your business partners in real time. This is why we invented the Compliance Meter^tm . You have to identify your metrics, embed the data collection into the work process, and then post the Compliance Meter^tm for all to see.

"My Credit Card is Being Used Fradulently after Anthem Blue Cross HIPAA Data Breach"

Fri, 06 Aug 2010 17:44:23 GMT

As an Internet based company dealing with healthcare organization I don't often see the personal side of privacy and security. I comment I just received on my blog about the Anthem Blue Cross data breach brought it all home to me. Here is the opening paragraph of an anquished person dealing with a huge problem.

"Three days ago, my credit card number was used fraudulently. Today I received a letter from Anthem telling me a breach had occured, leaking my social security number, name & credit card number. I have not been a customer with Anthem for over a year (since February 2009, I believe). When I called Anthem to ask about this, I was told this leak had occured a year ago. When I asked why I was not informed a year ago, when the leak occured, I was told they did not find out about until just now. When I asked why Anthem had my private information still stored in their database when I have not been an Anthem customer for over a year - I was told they had no way of knowing why my private information was still being kept (mind you - without my knowledge or permission) in their database"

I won't even start on all the things that are wrong about this situation, but suffice it to say that this breach should have never happened and when it was revealed it should have been dealt with in an entirely different manner.

Healthcare organizations who are dealing with HIPAA regulations for the first time often ask me why Congress did this to them. The answer is above. If this industry does not convince patients that their data is safe the whole electronic medical record revolution will not happen. We must get better at protecting data and handling the fall out when those efforts fail.

No HIPAA Compliant Policies and Procedures Means "Willful Neglect"

Thu, 29 Jul 2010 17:27:12 GMT

The legal analyses of the NPRM are starting to come in and indicate a new awareness of the need for compliant HIPAA policies and procedures. This recent post is a good example.

<http://www.beckersasc.com/news-analysis/ocr-issues-proposed-modifications-to-hipaa-privacy-and-security-rules-to-implement-hitech-act.html>

Not only has the NPRM expanded the universe by including sub-contractor of business agents it has made it clear that responsibility for PHI extends up and down the ladder. This responsibilty exists whether there is an agreement in place or not, but if there is a business associate agreement in place you must be compliant with the terms of that agreement, now.

Compliance Helper can help even the smallest sub-contractor get compliant, stay compliant, and prove compliance with our Compliance Meter^tm.

Legal Review of New HIPAA HITECH Rules: Foley & Lardner

Mon, 26 Jul 2010 16:48:56 GMT

This is an excellent review of the new, proposed rules from HHS on HIPAA HITECH. In particular the emphasis on the changes for business associates and their sub-contractors is important because it extends the HIPAA standards to a much larger group of companies. Many of these companies are totally unaware of these rules and their implications.

As a company that helps business associates develop a set of policies and procedures my attention was drawn the section on the four tiers of penalties and particular this section:

'The Proposed Rule also provides examples of hypothetical circumstances that would fall within the various tiers. In determining which of the four culpability tiers applies, HHS will consider the extent to which a Covered Entity or Business Associate has effective policies and procedures that evidence an intent to comply with HIPAA and the steps taken to comply. This makes it imperative for Covered Entities and Business Associates to have robust policies in place and to fully document their steps to implement and comply with them." My emphasis added.

I recommend that you read the article carefully to see the impact on your company.

http://www.lexology.com/library/detail.aspx?g=e25e4bf7-e203-4e0b-aae0-f75106e63156&utm_source=Lexology%20Daily%20Newsfeed&utm_medium=Email&utm_campaign=Lexology%20subscriber%20daily%20feed&utm_content=Lexology%20Daily%20Newsfeed%202010-07-26&utm_term=

Vendors: Can You Prove Your HIPAA HITECH Compliance?

Fri, 23 Jul 2010 15:15:35 GMT

I found this interesting article this morning talking about the data breach involving Lincoln Medical Center, Siemens, and FedEx. (link below) The story is an excellent illustration of the new challenge for covered entities (CE). If the recent rules proposed by HHS go through as expected a CE is responsible for their business associates (BA) and the BAs and their subcontractors are required to be HIPAA HITECH compliant, Many of these BAs and sub-contractors who also become BAs have never heard of HIPAA HITECH. HHS estimates 1 to 2 million new BAs will need to become compliant. HHS also states that if a BA agreement exists they expect the BA to be compliant with the terms of their agreements, now. No waiting periods, no grace periods, be compliant, now.

The next big challenge for both CEs and BAs is proving compliance. There is no third party with authority to certify or accredit for HIPAA HITECH. The BA needs to prove their compliance in order to get and keep their business relationships in healthcare. The CE is required to only do business with compliant BAs. Our Compliance Meter^tmfills the gap by displaying the current level of compliance in four areas, policies, procedures, forms, and tasks. At a glance the CE can see whether the BA is compliant and if necessary drill down to view their policies, procedures, forms, and determine whether they have completed all of their assigned tasks. The Helper assigned to the account also provides oversight.

We can help BAs get compliant for as little as $125 and stay compliant for as little as $35 per month. This meets the "reasonable and appropriate" criterion specified by HHS. Once they are compliant they can display the Compliance Meter^tm or deploy it to their business partners. A simple, cost effective and efficient method of meeting HIPAA HITECH standards and being able to prove it.

http://www.technewsworld.com/story/Report-From-the-Trenches-Health-IT-Post-HITECH-70443.html?wlc=1279804591&wlc=1279896459

Top Privacy and Security Experts Agree: Business Associates Must Comply with HIPAA HITECH

Sat, 10 Jul 2010 17:46:26 GMT

If you have been reading my blogs you know that I have been preaching about the business associate problem for months. In the new rules released for public comment on July 8, HHS made their position very clear. We have designed programs to fit any budget that will help business associates and their sub-contractors get compliant quickly and stay compliant forever. With our Compliance Meter^tm. They will be able to prove their compliance at all times. I have copied the whole article from Healthinfosecurity.com because it is extremely relevent and timely.

Business Associates Get HIPAA Alert

Proposed Rule Clarifies Their Responsibilities

July 9, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

Save

Digg

Delicious

A 234-page proposal to revamp the HIPAA privacy, security and enforcement rules does a good job of hammering home the message that business associates and their subcontractors, as well as the healthcare organizations they serve, must comply with the updated rules, security experts say.

The proposal is designed to ensure that patients' rights are protected as more health records are digitized and exchanged. And a crucial component, security experts say, is protecting that information everywhere that it's used.

Chain of Trust

"It's the whole chain of trust that has to be completed," stresses Kate Borten, president of The Marblehead Group.

"At first glance, the most impactful area in the proposal may be the new requirements relating to business associate agreements," adds Lisa Gallagher, senior director, privacy and security, at the Healthcare Information and Management Systems Society.

"The depth of the changes in the business associate rules was a surprise," adds Dan Rode, vice president of policy and government relations at the American Health Information Management Association.

The "notice of proposed rulemaking" issued July 8 also includes detailed provisions granting patients access to their information and enabling them, in certain cases, to restrict who can access or use it.

Clear Guidance

The proposal makes it crystal clear the HIPAA privacy and security rules' requirements would apply to business associates -- companies that provide services to "covered entities," such as hospitals, clinics and insurers, and have access to protected health information.

Plus, it would take the significant additional step of requiring business associates to sign agreements with their subcontractors to ensure they also comply with HIPAA.

The exhaustive detail in the proposed rule dealing with business associate's requirements was sorely needed, says Rebecca Herold, owner of Rebecca Herold & Associates. In advising hundreds of business associates about compliance issues, Herold says she's been frustrated that many have mistakenly concluded that neither HIPAA nor the HITECH Act required them to meet the same compliance standards as their covered entity partners.

"The rule makes it much clearer that the covered entities' responsibilities must go far beyond just having a business associate agreement," Herold stresses. Instead, hospitals, clinics and others must work closely with their business partners to make sure they're carefully following the HIPAA privacy and security rules, she adds.

"There have been so many breaches that have been the result of a lack of security controls within business associates and their subcontractors that HHS wanted to make sure they made it very clear that these organizations were responsible for HIPAA compliance," she notes.

Broader Definition

Herold praised the proposed rule for broadening the definition of business associates. The revised definition includes vendors of personal health records software, health information exchanges, as well as "patient safety organizations," which receive reports on safety events from healthcare providers.

Including patient safety organizations, Herold says, "helps fill an important gap in privacy protections that has emerged over the past few years."

Other examples of business associates, as defined earlier under HITECH, include: third-party administrators, pharmacy benefit managers, claims processors, transcription companies, lawyers and accountants, among others.

Addressing Uncertainty

By spelling out that business associates' subcontractors also must be HIPAA-compliant, the rule helped resolve uncertainty, Borten says. "I have lots of clients who are business associates, and they all use subcontractors, and there wasn't, until now, the sense that those subcontractors had to comply just as the business associate does."

Adding subcontractors to the list of those who must comply "makes sense" because it closes the security loop, including everyone who might access protected health information, adds Rode of AHIMA.

The Department of Health and Human Services' Office for Civil Rights prepared the proposed rule, which is required under the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act.

http://www.healthcareinfosecurity.com/articles.php?art_id=2734

Signed a Business Associate Agreement?, Get Compliant, Says HHS

Fri, 09 Jul 2010 17:31:46 GMT

The Notice or Proposed Rule Making or NPRM is pretty heavy reading but if you make it to page 163 you will find some very interesting comments about HHS expectations vis a vis business associates and their business associate agreements. They basically say that they assume that BAs are compliant with their agreements and have privacy and security programs in place. They go on further to say "For those business associates that have not already adopted HIPAA-compliant privacy and security standards for PHI, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with privacy and security standards."
If you have signed a BA agreement and are not compliant you have two major problems. First, you are in breach of contract with your business partner which could shift a greater liability to you and threaten your relationship. Second you are guilty of "willful neglect" which can bring penalties, fines, and possilbe criminal charges.

The effective dates and comment periods, which might lead you to think that you have lots of time are irrelevent because you have already agreed to be compliant. If you have neglected to or refused to sign a BA agreement, the covered entity is required to either terminate your contract, notify HHS, or both.

With effective compliance programs starting at $125 there is no cost excuse and with the requirements of your contract in force today there is no excuse for delay. Get compliant, stay compliant, prove compliance with the Compliance Meter^tm.

HHS Expects Business Associates to be Compliant, Now!

Thu, 08 Jul 2010 20:09:45 GMT

This excerpt from the NPRM is very important.

9. Business Associates and Covered Entities and their Contractual Relationsips:

For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden.

We assume that business associates in compliance with their contracts would have already designated personnel to be responsible for formulating the organization’s privacy and security policies, performed a risk analysis, and invested in hardware and software to prevent and monitor for internal and external breaches of protected health information.

We expect that most business associates make a good-faith effort to follow the terms of their contracts and comply with current security and privacy standards.

For those business associates that have not already adopted HIPAA-compliant

privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards. Up to this point, the consequences of failing to meet the privacy and security standards were limited to a business loss in the form of a terminated contract. In the context of the business associate’s overall business, the risk of losing thecontract may not be a sufficient incentive to warrant investing in added security or establishing privacy policies potentially at significant expense. There may be other more benign reasons such as ignorance of potential threats or lack of knowledgeable personnel on staff.

Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.

NPRM (Notice Of Proposed Rule Making) Conference Call July 8: Not Much New

Thu, 08 Jul 2010 15:40:43 GMT

If you have read my previous blogs you will have already realized that I am not a privacy and security expert, Rebecca Herold is in charge of that. My job is to try and figure out how to develop tools to help small covered entities and business associate comply at a cost that is "reasonable and appropriate" and to deliver those tools.

I sat in on the conference and while the speeches were nice, didn't feel that I heard anything new or startling. I will wait for expert opinion to see if that impression was correct. What I did hear was a strong emphasis on getting business associates compliant including applying the same penalties to them which apply to covered entities. Silly me, I thought that was already the case, but I guess not.

I was surprised that this was going back out for public comment since I thought we had already been through that. Perhaps my perspective is influenced by my focus on helping the hundreds of thousands of non-compliant business associate get compliant.

Should you be interested here is a link to the complete text, and if you find some pearls of wisdom here that I missed please send me a comment. I hope this acts as a clarion call to business associates to get compliant but rather doubt that they will read the 234 pages, nor will I, but I will totally skim them.

http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf

Health Net Settles with Connecticut AG: Up to $750,000

Wed, 07 Jul 2010 17:23:47 GMT

What I would consider the sound of the first shoe dropping is the $750K settlement with Connecticut. Next will be the fines and penalties from OCR. This is a serious warning about the power of state Attorneys General on enforcement of HIPAA HITECH.

Here in California we have Jerry Brown, our current AG, running for Governor. Anthem Blue Cross, who are already the poster child for outrageous price increases also just announced a breach of over 200,000 patient records. Do you think Jerry is likely to file a suit and get some nice headlines about protecting patients? I would bet on it.

Steve Poizner the current California Insurance Cpmmisioner who lost the Republican nomination for Governor got some great press out of getting Anthem to withdraw their outrageous price increase.

Health Net Settles Massive Security Breach

By BOB CONNORS

Updated 3:00 PM EDT, Tue, Jul 6, 2010

Connecticut has settled a lawsuit with an insurance company involving a massive security breach that compromised financial and medical records for half-a-million state residents.

In May 2009, Health Net lost a disk drive containing names, addresses, social security numbers and medical information for 500,000 Connecticut residents and 1.5 Million patients nationwide. The company didn't report the missing disk for months.

Attorney General Richard Blumenthal says an investigation by Health Net concluded the disk was most likely stolen. "These missing medical records included some of the most personal, intimate patient information -- exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft," Blumenthal said.

The settlement involves Health Net of the Northeast Inc., Health Net of Connecticut Inc. and parent companies UnitedHealth Group Inc. and Oxford Health Plans.

Blumenthal calls the settlement historic, with the state's unprecedented enforcement of the federal Health Insurance Portability and Accountability Act (HIPAA). The 1996 act helps protect patients' medical records.

Under the settlement, Health Net agreed to implement measures to protect health information and other private data. The company will also pay the state a $250,000 fine, and agreed to an additional $500,000 payment if the missing disk drive was accessed and the information on it was used improperly.

Failing to Train Business Associates on HIPAA Can be Described as Willful Neglect, Amy Leopard , Walter & Haverfield LLP

Tue, 06 Jul 2010 17:27:33 GMT

We did a webinar with Amy Leopard awhile back and I very much enjoyed her insight. She recently was a co-presenter with David Mayer, the OCR's acting senior adviser for the health information privacy, compliance and enforcement group, the complete text of which may be found at the following place.

http://searchhealthit.techtarget.com/news/2240019850/Office-for-Civil-Rights-offers-HIPAA-enforcement-update

Once again there was a prediction that the "final regulations" pertaining to business associates could be published "as early as July 9th". I won't comment again on these predictions but sooner or later someone has to get the right date.

The significant quote for me was from Amy, stating "Willful neglect generally can be described as knowing HIPAA rules but not properly training employees -- and now, business associates -- in them." When we last talked Amy was focused on the business associate agreement, which is an important first step for the covered entity, but making sure that the business associate is compliant is the next step.

The covered entity has a responsibility to get "suitable assurance" that their business associates are compliant and may request a risk assessment from them if "reasonable and appropriate". It is within the power of covered entities to have a great influence on protecting the PHI that they entrust to their BA. They need to start using that power.

Siemens to FedEx to Lincoln: Oops 130,495 Patient Records Breached by Two Business Associates.

Fri, 02 Jul 2010 16:26:21 GMT

Sending unencrypted PHI through a carrier is a violation of any good privacy and security policies and procedures, and a CE should be managing their BAs better. Periodic risk assessments can lead to an evaluation of your policies and procedures that would reveal these gaps in your security and privacy program.

What is interesting to me is that the hospital says that they are not using FedEx to ship patient records anymore. So does this mean that they are trusting USPS or UPS or have they realized that encryption might be a good idea?

Here is the article from Computerworld:

New York hospital loses data on 130,000 via FedEx

Breach affects 130,495 patients

Robert McMillan (IDG News Service/San Francisco Bureau)
30 June, 2010 15:46

New York's Lincoln Medical and Mental Health Center is notifying patients that their personal information may have been compromised after seven CDs full of unencrypted data were FedExed by a hospital contractor and then lost in transit.

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

The breach affects 130,495 patients, according to a notification posted Tuesday by the U.S. Department of Health and Human Services.

"FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed," the hospital said in a letter sent to victims, dated June 4.

The CD was password-protected but unencrypted, the letter states.

Companies have begun taking better care of their customers' data in recent years, as they've had to foot multimillion-dollar bills following similar incidents. According to the Ponemon Institute, a security research firm, the average U.S. data breach costs companies more than US$200 per record .

Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.

Data Breach in October 2009 Caused by Third Party Vendor States Anthem Blue Cross on June 25, 2010

Tue, 29 Jun 2010 17:37:23 GMT

This story gets curiouser and curiouser. According to Anthem the breach actually was created in October of 2009 by an as yet unnamed "third parth vendor". We may have to wait for the Wall of Shame posting to find out who they are, but what will be even more interesting is why nearly nine months has gone by without a peep from Anthem.

Then of course the class action lawsuit rears it's ugly head. Apparently a patient discovered the breach of her data. First question is did she report this to Anthem and if so what did Anthem do about it? I would guess that if they knew they did not do enough since she hired an attorney. Next we hear that the attorney accesses the site and downloads patient records. Did they only download her records or were other records downloaded? Did they meet any other data miners while they were looking around? Enquiring minds want to know. Not until the attorney files a class action lawsuit does Anthem become aware that they have a hole in their ship, a gaping hole.

I now know two people who have gotten the letters from Anthem, one of whom is in the privacy and security business. It will be interesting to see what they plan to do about the class action suit.

I hope this is the wake up call that covered entities need to get serious about managing their business associates.

Business Associate (BA) Causes HIPAA HITECH Breach of Over 200,000 at Anthem Blue Cross

Mon, 28 Jun 2010 15:02:08 GMT

A third party vendor (BA) left a hole in Anthem Blue Cross's security that you could drive a truck through and left it open for five months. From Anthem's press release "The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again" Not until a lawsuit was filed by affected patients did Anthem discover the breach. That is a very loud and painful wake up call. This will cost Anthem millions in fines and penalties not to mention the lost business which Ponemon Institute suggests will be 66% of the cost.

Anthem Blue Cross glitch exposed personal data

By SHAYA TAYEFE MOHAJER (AP) – 3 days ago

LOS ANGELES — About 230,000 Anthem Blue Cross customers have been warned that their personal data, including medical records and Social Security numbers, may have been wrongly accessed following a faulty upgrade of the company's website.

A site user was able to manipulate Web addresses to access confidential information after security measures weren't reinstated properly following an October 2009 upgrade, said Anthem spokeswoman Cynthia Sanders.

"We were told by a third party vendor that all security measures were in place," said Sanders. "As soon as we heard about the attorneys, we went in, discovered the problem and fixed it immediately."

Covered entities (CE) need to take an active role in helping their BA protect their PHI because they are going to be the ones paying the bills and taking the losses. HIPAA states that the CE must have "satisfactory assurance" that their BA are compliant and that they may request a risk assessment if "reasonable and appropriate". I am sure that Anthem now thinks that a risk assessment would have been "reasonable and appropriate" in this case.

Does this qualify as "willful neglect"? Only time and the OCR audit will tell but there are some very suspicious acts, including failure to notify in the required time frame.

I once blogged that BAs were the "blind side" for CE security and I am sure that Anthem feels blindsided at this time.

Get compliant, stay compliant, and require proof that your BA are compliant.

HIPAA HITECH Breach Prevention on Hold, Breach Notification in Force, Does this Make Sense?

Fri, 25 Jun 2010 18:44:02 GMT

In a personal record third blog of the day I want to point out that apparently OCR is more interested in breach notification than breach prevention. When told that enforcement will be delayed most business associate and many covered entities stopped or slowed down the efforts that could prevent breaches. Putting in place good policies, procedures, and forms. Appointing a privacy and securty officer, training their staff. These are pretty much on hold in many organizations yet if they have a breach of more than 500 records they are put in the equivalent of a pillory on the OCR website.

I think the priorities should be reversed. Give a signal today that everyone needs to start, today, working on breach prevention. With modern tools getting compliant is within reach for even the smallest company at prices they can afford, but most will resist until they get clear signals from the government and their business partners.

Let's get started.

HIPAA-related HITECH regulations on July 8, "Lucy" and the football redux.

Fri, 25 Jun 2010 18:29:58 GMT

I won't go into details since these rumors have all been proven false so far and this one was denied almost immediately. As Charlie Brown learned, or actually never learned, you can't trust "Lucy". This time "Lucy" says July 8th but her May and June predictions proved false so why should we believe now? Ironically I just blogged about another breach of 200,000 patient records by Anthem Blue Cross. Lucy does not see any cause and effect here but others of us do. Added to the 2.5 million breached records already reported and we are approaching a significant number.

The BAs are waiting for a signal from their CEs or HHS/OCR to get started on HIPAA HITECH compliance, but since they are not hearing it from either they are delaying and denying.

Data Breach of 200,000 by Anthem Blue Cross

Fri, 25 Jun 2010 17:14:43 GMT

Things are getting closer and closer to home for me. I was having lunch with two data security consultants when one of them said that he had just gotten a breach notification letter from Anthem Blue Cross. Sure enough when i checked the Internet the following story was there.

Published: June 23, 2010
> Updated: June 24, 2010 7:24 a.m.
> Personal data accessed on Blue Cross website
> By COURTNEY PERKES
> THE ORANGE COUNTY REGISTER
>
> More than 200,000 Anthem Blue Cross customers this week received letters
> informing them that their personal information might have been accessed
> during a security breach of the company's website.

It is really time for the healthcare industry to get serious about compliance. A good start would be getting the published rules for business associates as promised from OCR. People have heard that there is a delay in enforcement and they are delaying getting started on the path to compliance. Over 2.5 million breached records this year should tell us that current efforts are not working.

Overlooked “Business Associates” Under the HITECH Act

Wed, 23 Jun 2010 14:02:58 GMT

As I meandered around the Internet this morning I came across the post below. I also saw a post from a IT security company stating that they were coming across many business associates that were ignoring the requirements of the HITECH Act because they were not getting any pressure from their covered entities. I have seen this also and think that the CE is doing themselves and their BAs a huge disservice by not making it clear that they must comply. I also lay some blame at the feet of HHS and OCR as with their delays in enforecement they have fueled this widespread denial. As Ms Roberts states any entity that comes into contact with PHI must comply.

Overlooked “Business Associates” Under the HITECH Act

By Sharon Roberts, Rph, PharmD, JD

"Any entity that comes into possession of PHI, even indirectly or temporarily, for example, in the course of conducting due diligence in connection with a proposed acquisition, financing or underwriting, could have legal responsibilities under HIPAA and the HITECH Act."

Get compliant, stay compliant and prove compliance with the Compliance Meter^tm.