CFO Gets Prison Time for HITECH Fraud

June 22, 2015

Hospital Executive Falsified ‘Meaningful Use’ Attestation

By , June 19, 2015.

A former Texas hospital CFO has been sentenced to 23 months in federal prison for submitting false documents so a medical center could receive payments under the HITECH Act electronic health records financial incentive program.

In addition to his prison sentence, Joe White, former CFO of the now-shuttered Shelby Regional Medical Center in East Texas, was ordered to pay restitution of nearly $4.5 million to the HITECH incentive payment program.

Court documents indicate that to help pay the restitution, White has been ordered to liquidate an IRA account and an annuity, which as of November 2014, had respective balances of about $115,000 and $2,500.

White, 68, of Cameron, Texas, pleaded guilty on Nov. 12, 2014, to making false statements in November 2012 to the Centers for Medicare and Medicaid Services that Shelby Regional Medical Center was a meaningful user of EHRs, when the hospital actually was primarily using paper records, according to the Department of Justice (see CFO Pleads Guilty to HITECH Act Fraud).

To obtain financial incentives from Medicare or Medicaid under the HITECH Act, hospitals and physicians must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

Case Details

In a statement issued by the FBI on June 18, U.S. attorney John Bales said, “The EHR incentive program was designed to enhance the delivery of excellent medical care to all Americans and especially for those citizens who live in underserved, rural areas like Shelby County. There is no doubt that Mr. White understood that purpose and yet, he intentionally decided to steal taxpayer monies and in the process, undermine and abuse this important program.”

According to information presented in court, White was CFO for Shelby Regional as well as other hospitals owned and operated by Tariq Mahmood, M.D., of Cedar Hill, Texas.

The 54-bed Shelby Regional closed last year amidst legal issues involving Mahmood, who was indicted by a federal grand jury on April 11, 2013. He was charged with conspiracy to commit healthcare fraud and seven counts of healthcare fraud.

Court documents indicate that Mahmood was sentenced on April 14 to 135 months in federal prison, and also ordered to pay restitution totaling nearly $100,000 to CMS, the Texas Department of Health and Human Services and Blue Cross Blue Shield.

White oversaw the implementation of EHRs for Shelby Regional and was responsible for attesting to the meaningful use of the EHRs to qualify to receive HITECH incentive payments from Medicare, according to the FBI.

As a result of White’s false attestation, Shelby Regional Medical Center received nearly $786,000 from Medicare, the FBI statement says. In total, hospitals owned by Mahmood were paid more than $16 million under the Medicare and Medicaid EHR incentive program, the FBI says.

A Justice Department spokeswoman tells Information Security Media Group that the $4.5 million restitution that White was ordered to pay represents the EHR incentive money Shelby Regional received from CMS under false attestation, as well as EHR incentive money that other hospitals owned by Mahmood, for which White was also CFO, received from CMS. While White did not personally receive the incentive money from CMS, “restitution is mandatory pursuant to the Mandatory Victim Restitution Act of 1996,” she explains, citing 18 USC 3663A(a)(1), which says, “Notwithstanding any other provision of law, when sentencing a defendant convicted of an offense described in subsection (c), the court shall order, in addition to…any other penalty authorized by law, that the defendant make restitution to the victim of the offense. …”

More Cases to Come?

Healthcare attorney Brad Rostolsky of the law firm Reed Smith says that although most healthcare professionals and organizations participating in the HITECH meaningful use incentive program are trying to play by the rules, federal regulators must be on the look-out for potential fraudsters, considering the billions of dollars in incentives being paid. “My sense is that the large majority of institutional and small/solo practice providers appreciate the context in which these meaningful use attestations are being made, and they focus on ensuring that the attestations are true and accurate,” he says. “That said, in situations where the facts are as they are [in the Joe White case], it would not surprise me if the government continues to be aggressive in its enforcement.”

Attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he expects federal authorities will file more HITECH criminal cases. “The sense we have gotten from public statements by OIG and others involved in prosecuting healthcare fraud violations is that there are a number of investigations ongoing to determine if there has been fraud in obtaining funds through the EHR incentive payment program,” he says.

Holtzman suggests that those organizations that have received HITECH incentives must keep thorough documentation to prove they met all the requirements.

“The key is to keep detailed documentation of the information that was used to support the representations in the attestation for seven years,” he says. “An individual or organization can avoid criminal culpability through showing that a reasonable effort was made to support a belief that the provider or hospital had met the meaningful use requirements and was therefore eligible for receiving EHR incentive payments.”

HITECH Audits

While criminal cases related to the HITECH Act EHR incentive program have been rare, federal regulators have been ratcheting up their audits of healthcare entities attesting to “meaningful use” of EHRs.

Among those selected was Temple University Health System in Philadelphia, which recently passed an audit for meaningful use compliance at one of its hospitals, says CISO Mitch Parker. The area of attestation most closely scrutinized by CMS auditors was Temple’s HIPAA security risk assessment, he says.

“You can’t skimp on the risk assessment. That’s the first and foremost item that they look for,” he says. “And it can’t be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours.”

Unencrypted Devices Still a Breach Headache

May 13, 2015

The Ongoing Risk Posed by Lost, Stolen Mobile Devices

By , May 12, 2015.

Unencrypted Devices Still a Breach Headache

While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit – the loss or theft of unencrypted computing devices – is still putting patient data at risk.

See Also: PHI Security: The Role of Encryption and Tokenization

Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services’ “wall of shame,” which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA’s IT administrator was transporting the hard drives to an offsite storage location as part of ISMA’s disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group’s request to comment on the breach, citing that there are “ongoing civil and criminal investigations under way.”

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year’s worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting less than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That’s why security experts express frustration that the loss and theft of unencypted devices remains a common breach cause.

“It is unfortunate that [encryption] is considered an ‘addressable’ requirement under HIPAA, as many people don’t realize that this does not mean optional,” says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

Read full article…

Pharmacy Fined $125,000 for Breach

April 28, 2015

By , April 27, 2015.

Paper Patient Records Not Properly Destroyed

A small Denver compounding pharmacy has been slammed with a $125,000 federal penalty for a 2012 breach involving improper disposal of paper patient records. It’s the second such HIPAA enforcement action within a year by federal regulators tied to an incident involving records dumping by a covered entity.

In an April 27 statement, the Department of Health and Human Services’ Office for Civil Rights says Cornell Prescription Pharmacy has agreed to a HIPAA settlement that includes the $125,000 penalty and calls for adopting a corrective action plan to correct deficiencies in its compliance program.

Cornell is a single-location pharmacy that specializes in compounded medications and related services for hospice care agencies in the region.

Proper PHI Disposal

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” says OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

OCR launched a compliance review and investigation in February 2012 after the agency received notification from a Denver news outlet regarding the disposal of unshredded documents containing the protected health information of 1,610 patients in an unlocked, open container on Cornell’s premises.

OCR’s investigation determined Cornell failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. The pharmacy also failed to provide training on policies and procedures to its workforce as required by HIPAA, OCR says.

Similar Cases

OCR last June approved an $800,000 HIPAA settlement with Parkview Health System, an Indiana-based community health system, tied to an incident involving paper records dumping. In that case, the organization was cited for leaving 71 cardboard boxes of medical records on thousands of patients unattended and accessible to unauthorized persons on the driveway of a retiring physician’s home (see $800,000 Penalty for Paper Records Breach).

An in addition to the Parkview case, OCR has issued hefty settlements for several other breaches involving improper disposal of PHI.

“The latest OCR settlement is almost identical to 2009 and 2010 settlements against CVS and Rite Aid over the pharmacies allegedly dumping protected health information in publicly-accessible waste containers,” says privacy attorney Adam Greene of law firm Davis Wright Tremaine.

“In both of those cases, as in the current case with Cornell Prescription Pharmacy, the OCR investigation was triggered by a local television news report identifying the issue at local pharmacies,” Greene notes. “In response to the CVS and Rite Aid cases, OCR issued specific guidance on properly disposing of protected health information. Apparently, when OCR learned of a news report indicating that a pharmacy was not heeding this guidance, OCR determined that an additional settlement was needed.”

Covered entities and business associates should closely track OCR settlement agreements “and ensure that any similar issues are addressed within your own organization,” Greene stresses.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s surprised there haven’t been even more such enforcement actions by OCR for these kinds of improper disposal cases.

There have been approximately 30 large breaches since April 2011 that have involved covered entities or business associates that failed to make paper or printed PHI unreadable or indecipherable, “such as by shredding into itty-bitty pieces,” says Holtzman, who was a senior adviser at OCR prior to joining CynergisTek in 2013. “This [latest] case represents a drop in the bucket.”

Corrective Action Plan

As part of its resolution agreement with OCR, Cornell has agreed to implement a corrective action plan that includes developing, maintaining and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule and submitting documentation of those policies and procedures to OCR for its review and approval.

The policies and procedures must include administrative and physical safeguards for the disposal of all non-electronic PHI, including those records being “shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”

The pharmacy also agreed to distribute those policies and procedures to all members of its workforce within 30 days of OCR approving them and to also issue those policies and procedures to new members of the workforce within 30 days of their beginning of service.

In addition, the pharmacy agreed to provide its workforce HIPAA privacy training and to report violations of its privacy policies and procedures by its workforce to OCR.

More Settlements Soon?

Some privacy and security experts believe the resolution agreement with Cornell could be the first of several additional enforcement actions in the works at OCR for 2015, including cases involving other examples of HIPAA non-compliance.

“This is likely the beginning of a more active phase of OCR enforcement that we have been anticipating,” Holtzman says. “I believe that OCR has been investigating a number significant investigations and compliance reviews, many resulting from breaches reported to HHS.”

Holtzman adds: “I do not believe that OCR limits itself to reserving its enforcement resources to a predetermined checklist or agenda prioritizing one type of incident over another.”

In a recent interview with Information Security Media Group, Greene also predicted that OCR will likely announce a number of eye-popping financial settlements for HIPAA violations later this year (see Could Big HIPAA Settlement be Coming?).

View original article…

HIPAA Compliance Audits Remain on Hold

April 16, 2015

OCR Official Describes New Guidance in the Works

By , April 15, 2015.

HIPAA Compliance Audits Remain on Hold

After a three-year delay, federal regulators remain tight-lipped about when the next round of HIPAA compliance audits will begin. But a variety of new HIPAA-related guidance is in the works, a government official says.

During an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from the Department of Health and Human Services’ Office for Civil Rights told attendees the next phase of the random HIPAA audit program “is under development.” Attorney Alessandra Swanson, an OCR team leader from the agency’s Chicago office, declined to say whether there’s a potential timeline for when OCR expects to kick off the next round of HIPAA audits, or what the program might look like.

OCR, which enforces HIPAA, had hoped to kick off phase two of its compliance audit program last fall, but officials last September revealed the program was being delayed. The culprit blamed at the time: technology that the agency said was still being rolled out at the agency that will allow OCR to collect audit-related documentation from covered entities and business associate via a Web portal (see HIPAA Compliance: What’s Next?).

OCR also had a change in leadership last year. In July, Jocelyn Samuels was named the office’s new director. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

Privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine, told Information Security Media Group in an interview at the HIMSS Conference that he believes the delay in various OCR enforcement activities, including the audit rollout, could be related to tight OCR resources, as well as the new leadership settling in.

But OCR appears to be staffing up for the audit program. In an announcement posted last week by HHS, the agency said it had open a “compliance specialist – auditing” position available within its Washington headquarters.

“This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules,” the job posting said.

OCR officials in recent months have said the agency also is working on updating its audit protocol for covered entities and creating a new audit protocol for business associates. BAs became directly liable for compliance under the HIPAA Omnibus Rule last year and are subject to OCR enforcement actions, including financial penalties that range up to $1.5 million per HIPAA violation.

Other Activities

In addition to preparing for resuming the random HIPAA compliance audit program, OCR is working on new guidance, including material relating to business associates; the breach notification rule as well as a breach assessment tool; the use of protected health information for marketing; the “minimum necessary” standard for data; and HIPAA Security Rule compliance updates, Swanson says.

In addition, OCR is continuing breach investigations and rule-making.

“Our goal is, and has always been to get entities into compliance,” Swanson says. “I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you’ll see that we always try to go the compliance route first. “We’re interested in getting everyone into compliance; we’re not out there trolling for enforcement cases.”

OCR is anticipating receiving 15,000 to 17,000 HIPAA complaints in 2015, she says. All health data breaches affecting more than 500 individuals are investigated by the agency, she says. Although there have been no enforcement actions involving monetary settlements with business associates, Swanson says the agency is current investigating a number of breaches involving BAs.

Read full article…

Former Therapist Charged in HIPAA Case

April 10, 2015

Faces Charges Tied to Inappropriate Access to Records

By , April 9, 2015.

A former respiratory therapist at an Ohio hospital has been indicted for HIPAA violations in connection with alleged inappropriate access to the records of nearly 600 patients.

The indictment of Jamie Knapp, who had formerly worked at ProMedica Bay Park Hospital in Oregon, Ohio, is one of only a handful of criminal prosecutions of individuals for HIPAA violations.

“Overall, criminal prosecutions under HIPAA have not been that common, although we have seen an increase in recent years,” says privacy attorney Scot Ganow of the law firm Faruki Ireland & Cox PLL. “I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching.”

According to indictment documents filed this month in a federal court in Ohio, a grand jury indicted Knapp for unlawfully obtaining identifiable health information of 596 patients in violation of HIPAA. The grand jury also charged Knapp with unauthorized access of a protected computer, in violation of federal laws.

“In her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information and protected health information of certain respiratory patients,” according to the indictment. “Knapp was not authorized to access the individually identifiable health information and protected health information of other hospital patients.”

Federal prosecutors involved in the case did not immediately respond to Information Security Media Group’s request for more details about the alleged HIPAA violations.

Accessing protected health information without authorization and the disclosure of this information to a third party carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain, Ganow says.

On May 28, 2014, ProMedica, the parent company of the 72-bed hospital where Knapp worked, began notifying the affected patients that their records were inappropriately accessed between April 1, 2013, and April 1, 2014 (see Police Investigating Insider Breach). The breach was also reported to the U.S. Department of Health and Human Services, which has listed the incident on its “wall of shame” website of major breaches as an unauthorized access/disclosure incident involving electronic medical records and a network server.

Other HIPAA Cases

There have been only a handful of other HIPAA-related indictments of individuals that have resulted in convictions and prison sentences.

“Most recently, we saw the criminal conviction of hospital employee Joshua Hippler in Texas for wrongful disclosure of individually identifiable health information for personal gain,” Ganow notes. In February, Hippler was sentenced to serve 18 months in prison after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case).

Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital, where he obtained protected health information with the intent to use it for personal gain.

In another case in October 2013, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.

Ganow predicts prosecutors will pursue more of these criminal HIPAA cases. “As long as the healthcare industry continues to actively use Social Security numbers and not take steps to redact them or commit to a minimum use policy, we will see increased criminal activity and related prosecutions,” he says. “Because healthcare records have names, dates of births and SSNs, they are a tempting target for one-stop shop identity thieves. ”

Still, there are steps that healthcare entities can take to minimize insider breaches.

“It’s not enough to have your policies, procedures and safeguards in place. You have to continually assess your security posture for new threats or new risks as a result of a new use of information,” he says.

Read full article…

It’s Time to Re-Examine Risk Management

March 30, 2015

Attacks Against Anthem, Others Are a Call to Action

By Bob Chaput, March 27, 2015

Bob Chaput

Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

“We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic.”

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Privacy Industry Notice and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.

Go to original article…

N.J. Law Requires Insurers to Encrypt

January 13, 2015

New Requirement Goes Beyond HIPAA

By , January 12, 2015.

N.J. Law Requires Insurers to Encrypt

A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers – a stronger requirement than what’s included in HIPAA .

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: “Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.

The law applies to “end user computer systems” and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes individual’s first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver’s license number or State identification card number; address; and identifiable health information.

Different than HIPAA

“The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption,” privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

“If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”

Greene points out that because the new state law is tougher than HIPAA, “A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law.”

– Healthcare Info Security

Go to original article…

 

Biggest Health Data Breaches in 2014

December 23, 2014

Federal Tally Reveals Latest Trends

By , December 22, 2014.

Biggest Health Data Breaches in 2014

The five biggest 2014 health data breaches listed on the federal tally so far demonstrate that security incidents are stemming from a variety of causes, from hacker attacks to missteps by business associates.

The top breaches offer important lessons that go beyond the usual message about the importance of encrypting laptops and other computing devices to prevent breaches involving lost or stolen devices, still the most common cause of incidents. They also highlight the need to bolster protection of networks and to carefully monitor the security practices of business associates.

The Department of Health and Human Services’ Office for Civil Rights adds breaches to its “wall of shame” tally of incidents affecting 500 or more individuals as it confirms the details. A snapshot of the federal tally on Dec. 22 shows that 1,186 major breaches impacting a total of nearly 41.3 million individuals have occurred since the HIPAA breach notification rule went into effect in September 2009.

According to the tally, the top five health data breaches in 2014 affected a combined total of nearly 7.4 million individuals.

The largest breach in 2014 was the hacking attack on Community Health System, which affected 4.5 million individuals. In that incident, forensic experts believe an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the hospital chain’s systems.

The Community Health Systems incident is also the second largest health data breach since the enactment of the HIPAA data breach notification rule in 2009. The largest breach is a 2011 incident involving TRICARE, the military health program, and its contractor, Science Applications International Corp., which affected 4.9 million individuals.

Business Associate Troubles

The second largest HIPAA incident in 2014 implicated a business associate. That breach, affecting 2 million individuals, involved an ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, which had provided administrative services for the Texas Medicaid program. The breach arose when the state ended its contract with Xerox. The vendor allegedly failed to turn over to the state computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals.

However, in September, following a court hearing, the state and Xerox reached an agreed order for the vendor to retain the disputed documents and data until a hearing in January. Texas HHSC in a statement tells Information Security Media Group that the state “believes there was a low risk that client information was compromised and that the information will be protected” by Xerox as the court case continues.

Another top five health data breach in 2014 involved both a business associate and a more familiar culprit – stolen unencrypted computing devices. That Feb. 5 incident involved a vendor that provided patient billing and collection services to the Los Angeles County departments of health services and public health. The theft of eight unencrypted desktop computers from an office of Sutherland Healthcare Services – L.A. County’s vendor – affected more than 342,000 individuals, the federal tally shows. Initially, that breach was believed to have impacted about 168,000 individuals, but the figure was subsequently revised.

Unsecure Files

The fourth largest 2014 breach on the federal tally involved Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services, which became aware in May “that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the Internet. The breach affected more than 307,000 patients.

Read full article…

Optical Care Chain Loses a Server, Again

December 5, 2014

Missing Computer Contained PHI for 48,000 Customers

By , December 2, 2014. Follow Marianne @HealthInfoSec

For the second time in recent weeks, Visionworks Inc., has revealed that one of its stores misplaced a database server, apparently due to improper disposal.

In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing “partially unencrypted protected health information” belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.

Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see Lost Server: What Went Wrong?). The lost Maryland computer, which contained data on 75,000 customers of that store location, is believed by Visionworks to have been discarded by mistake in a landfill.

Preventive Steps

The Highmark spokesman declined to comment on steps the company is taking to prevent the loss of more servers from its stores. “Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months,” he says.

While encrypting all data on the lost computer could have potentially prevented the breach at both store locations, “Server hard-drive encryption in an optometrist store is very rare,” notes Kerry McConnell, a senior consultant at security services firm, Tom Walsh Consulting.

Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.

“In our experience doing HIPAA risk assessments, we often see storerooms or locked ‘cages’ of older used equipment,” says Dan Berger, CEO of security services firm Redspin. “We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation,” he says. “That sets the stage for an inadvertent discarding of a device that contains lots of confidential data.”

Berger stresses that having policies safeguarding PHI even when it’s no longer needed is mandated under HIPAA.

“We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored,” he says.

Read full article…

November 7, 2014

Can healthcare consumers now enforce HIPAA privacy rules? Leveraging our judicial system, the answer may be yes. A recent state Supreme Court ruling gives patients the right to sue healthcare providers for negligence if they violate a “standard of care” when managing protected health information.

Court Allows HIPAA Negligence Claim

Experts Analyze Potential Impact of Decision

By , November 7, 2014.

Legal experts are analyzing the potential national impact of a Connecticut Supreme Court ruling that plaintiffs can sue for negligence if a healthcare provider violates HIPAA regulations for protecting patient privacy.

Read more….