The U.S. Department of Health & Human Services (“HHS”) issued final regulations in January 2013 modifying the privacy, security and enforcement provisions under the Health Information Portability and Accountability Act of 1996 (“HIPAA”). Covered entities and business associates were generally required to comply with the final regulations by Sept. 23, 2013. To reduce administrative burden and costs of renegotiating existing business associate agreements, HHS provided a transition period. Business associate agreements in place as of Jan. 25, 2013, and not modified or renewed between March 26, 2013, and Sept. 23, 2013, were deemed to comply with the new regulations for up to 12 months. All relevant entities should note that the deemed compliance period ends Sept. 22, 2014.
Data Privacy & Security/HIPAA/HITECH
Update: The changing landscape of mobile medical app regulation, less than one year later
The Food and Drug Administration (FDA) released a new Draft Guidance on June 20, 2014, that would make significant changes to the way mobile medical apps are regulated, even though the FDA first asserted jurisdiction over them only in September 2013. In that original Guidance, the FDA defined a new industry that it intended to regulate: the creators and providers of mobile medical apps. Such apps originally included many different kinds of software, from blood glucose monitors to apps that display MRI or ECG visual data.
Low-tech errors account for most healthcare data security incidents
“End-users, sysadmins, and developers lead the pack when it comes to mucking things up, though pretty much all of us are guilty.” These are simple, yet telling, words from the 2014 Data Breach Investigations Report released this week by Verizon.
The report statistics indicate:
- 46 percent of all data security incidents in healthcare come from theft or simply losing a laptop or other device containing confidential information—triple that of almost all other industry sectors
Healthcare organizations can take steps to mitigate Heartbleed impact
Because the healthcare community relies upon encryption to safeguard electronic Protected Health Information (ePHI), a vulnerability in the underlying encryption code is potentially devastating.
The Heartbleed computer bug has been gaining substantial media coverage recently, and for good reason. Organizations, especially those in healthcare, should pay special attention to the risks it poses. Heartbleed is not a computer virus; it is a software defect. The defect went unnoticed for a long time, and the defective code was, unfortunately, deployed by many websites.
Discovered by Neel Mehta of Google Security, the Heartbleed bug stems from a fault in the widely used OpenSSL library. This library is used in security vendors’ products to secure web browsing and even mobile banking applications. For example, if you go to a site like Amazon, you may notice a little lock in the browser’s address bar with the letters “https”; that is a sign that the website encrypts its traffic, which many sites do using the OpenSSL library. When the Heartbleed bug is exploited, the attacker can retrieve up to 64KB of memory from the remote system. That memory may contain usernames, passwords, keys or other useful information that enables bigger attacks.
Business associates: First step in a breach ‘kill chain’
The Senate Committee on Commerce, Science, and Transportation today released its analysis of the 2013 Target Data Breach, using the “intrusion kill chain” framework from Lockheed Martin as its analytical tool. In short, the analysis shows that although Target likely failed at multiple steps along the chain to stop the breach, the opening salvo by the attackers was waged on a Target vendor, Fazio Mechanical Services.
Although the report does not give details, it does suggest that the attacker may “have sent malware-laden emails to Fazio at least two months before the Target data breach began.” Target’s supplier portal and facilities management pages were apparently viewable on the Internet, and files from those sites “allowed the attacker to map Target’s internal network prior to the breach.” Unfortunately, Fazio was also using a free version of an anti-malware product that did not provide real-time protection and was intended only for individual consumer use.
Brian Bewley Chairs HCCA Midwest Regional Conference
Last week, our own Brian Bewley chaired the HCCA Midwest Regional Conference in Overland Park, Kansas. The conference addressed current compliance issues such as the compliance officer’s evolving role, RAC audits and appeals, and HIPAA. The conference had a great turnout – in fact, the most attendees in the conference’s history.
Husch Blackwell’s Julianne Story…
Did you receive an EHR incentive? An audit may be next.
Adoption of EHR technologies has greatly increased as the result of the EHR Incentive Program. Touted as one of the necessary building blocks for creating integrated delivery systems, EHR is considered vital to improve health quality, efficiency and patient safety. The EHR Incentive Program has been very successful and CMS has awarded over $10…
HIPAA Update: Omnibus Rule Changes to Marketing and Sale of PHI
Marketing Involving PHI
The HIPAA Omnibus Rule made changes to the rules related to marketing involving PHI. A marketing communication, as defined by HIPAA, is a communication about a product or service that encourages the recipient to purchase that product or service. Previously, PHI could not be used or disclosed for a marketing communication without authorization unless…
HIPAA Update: Omnibus Rule Changes to Breach Notification and Business Associates
On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying the HIPAA privacy, security, enforcement, and breach notification rules. The final rule became effective on March 26, 2013, and providers have just over a month left to comply with the new rule. Compliance is required by September 23, 2013.
Changes to Breach Identification
Under the old standard, a reportable breach was an unauthorized use or disclosure of PHI that posed a significant risk of financial, reputational or other harm to the affected individual. Under the new standard, all unauthorized uses and disclosures of PHI are presumed to be reportable breaches unless, following a risk assessment, it is determined that there is a low probability that the PHI has been compromised.
Previously, we recommended including the following factors in breach risk assessments:
- the type and amount of PHI disclosed;
- to whom the PHI was disclosed; and
- the risk of further disclosure.
Our new HIPAA series: Are you up to date?
Welcome to our new series on HIPAA!
Whether you are feeling a little rusty on HIPAA issues or trying to figure out the new Omnibus rule, we hope you will find this information helpful. Each week, we will be discussing a new aspect of HIPAA including:
- HIPAA basics
- New Omnibus regulations
- Responding to subpoenas
- HIPAA disasters
- Enforcement
…