Federal Government Report Summarizes Health Care Privacy Compliance Efforts

July 29, 2014July 31, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law breach, compliance report, data breach, OCR, Office for Civil Rights, Privacy & Security, report to Congress, U.S. Department of Health and Human Services

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading →

Federal Government Report on Data Breaches in Health Care

July 21, 2014July 22, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law data breach, healthcare breach reports, Privacy and security of electronic data, privacy and security of personal health information, U.S. Department of Health & Human Services Office for Civil Rights

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report), and
• “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both reports (as well as previous annual reports) may be accessed here. This post discusses the Breach Report, and a separate article will be posted later addressing the Compliance Report.

The Breach Report offers valuable insight into OCR’s priorities with respect to healthcare data breaches and gives an excellent summary of many recent settlements. OCR (the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) has prepared this Breach Report describing the numbers and types of healthcare data breaches occurring for calendar years 2011 and 2012. The Breach Report is compiled from breach reports that HIPAA requires be provided to OCR by covered healthcare providers, health plans, healthcare clearinghouses and their business associates. The raw data upon which these reports is based is available here. OCR also provides some cumulative data on breaches reported since the breach notification law went into effect on September 23, 2009. OCR then slices and dices this data in a variety of different and useful ways, sorting it by: cause, location of affected protected health information (PHI), types of entities involved, number of individuals affected, remediation steps taken, etc. Continue reading →

New Kentucky Data Breach Rules Go into Effect

July 15, 2014July 18, 2014 Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security definition of personally identifiable information, encryption standards, Privacy & Security, privacy and security of protected health information, state data breach law

Kentucky imposes new security and data breach notification requirements.

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them. However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency. Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.

Continue reading →

KHIE issues June Newsletter

June 17, 2014 Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives linkedin, meaningful use of certified EHR, Medicare reimbursement reductions

The Kentucky Health Information Exchange (KHIE) has issued its June 2014 Newsletter, The KHIE Connection. This month’s issue includes a summary of the Centers for Medicare and Medicaid Services (CMS) Notice of Proposed Rule Making (NPRM) that, if finalized, would allow providers to meet Stage 1 or Stage 2 Meaningful Use with electronic health records (EHRs) that are certified to HHS ONC’s 2011 or 2014 Edition criteria or a combination of both Editions. Comments to the NPRM must be received by July 21, 2014. The newsletter also addresses Medicare’s scheduled payment adjustments for 2015 that will impact eligible hospitals and providers who do not timelyattest to Meaningful Use of certified EHRs. Guidance on attesting to Meaningful Use also is included.

Healthcare CIOs Face Cyber Risk: Internet Explorer Gives Hackers Total Access (Microsoft Issues Patch)

April 29, 2014May 1, 2014 Kathie McDonald-McClure Electronic Health Records, Federal Law Resources, Health Information Technology HIPAA Security Rule, IE's zero-day threat, Internet Explorer Cyber Security Vulnerability, Microsoft Security Advisory for IE patch

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security. While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here). As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat to Internet Explorer (IE), first announced by FireEye Research Labs. Microsoft quickly confirmed the flaw on its Security TechCenter webpage. Today, May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft IE, including XP, which have the vulnerable flaw. This patch, which fixes the vulnerability discussed further in this article, should be immediately installed.

IE’s Vulnerability Dubbed “Operation Clandestine Fox.” FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons. One is that hackers are already exploiting the vulnerability in an active “campaign.” Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.

With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user to click on malicious HTML code. This allows the hacker to download the malicious software to the user’s computer. Once downloaded, the hacker gains access to the user’s computer and can then gather the information needed to access other programs and networks accessed by the user. Such access can include otherwise secure servers, databases and networks. The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory to its CERT Vulnerability Alerts Database webpage. Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) in developing a responsive action plan.

HIPAA Security Rule Compliance: Develop An Action Plan. CIOs should immediately assess newly identified cyber security vulnerabilities posed to its networks and develop an action plan to address them. The risk assessment should include an evaluation of how confidential electronic data is accessed by others such as employees, medical staff, patients, and third-party vendors. Ensuring security is especially critical for those who can remotely access your organization’s electronic health record system. Continue reading →