In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether payment or ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom doesn’t necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.

MedStar, a Washington, D.C.-area hospital chain, became the latest healthcare industry victim of a cyber-attack when hackers breached its systems with a crippling virus. MedStar operates 10 hospitals in the D.C./Baltimore region, employs 30,000 staff, has 6,000 affiliated physicians, and serviced more than 4.5 million patient visits in 2015.

After being paralyzed by the virus, MedStar’s entire IT system for its 10 hospitals was forced to shut down and revert to paper records. The chain’s approximately 35,000 employees do not have access to emails and cannot look up digital patient records in the attack’s wake. The FBI is assisting the chain by investigating the incident. It’s unclear at the moment whether or not the hackers are demanding ransom from MedStar in exchange for removing the virus.

Monday’s cyber-attack at MedStar comes weeks after Hollywood Presbyterian Medical Center in Los Angeles paid hackers 40 bitcoins, or about $17,000, to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hackers increasingly target healthcare entities as security protections in healthcare often lag behind those in banking and financial sectors. Healthcare information contains a treasure trove of patients’ personal information, and a complete healthcare record is worth at least ten times more on the black market than credit card information. Also, hospitals are considered critical infrastructure that cannot reasonably be closed or incapacitated for any great length of time, and so may be more inclined to bowing to hackers’ demands for ransom.

This latest attack just goes to show the importance of cybersecurity at hospitals and other healthcare entities. In addition to the recent Hollywood Presbyterian Medical Center attack, data breaches and cyber-attacks have also recently occurred at Excellus Blue Cross Blue Shield, UCLA Health System, Premera Blue Cross, and Anthem Inc.

For more information, please contact Dana Petrillo, or another member of Cozen O’Connor’s Health Law team.

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily be comprised of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, cover entities’ and business associates’ contact information. The OCR is requesting timely responses, so that it can send pre-audit questionnaires out in order to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016 OCR followed by announcing that Feinstein Institute for Medical research, a New York biomedical research institute, agreed to pay to OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches resulting from stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multiple year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

In the wake of recent gun violence and in a concerted effort to protect public safety, the Department of Health and Human Services (HHS) released a final rule published in the Federal Register January 6, 2016, that modifies the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of persons who are subject to a Federal “mental health prohibitor” that would prevent such individuals from possessing a firearm (“Final Rule”). The covered entities are those that have “lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of NICS reporting purposes.”

The Final Rule, which will appear at 42 C.F.R § 164.512(k)(7), adopted what HHS had initially proposed in April 2013 in its proposed rule. The purpose of the Final Rule is to afford the NICS with the ability to identify individuals subject to this prohibitor for the purpose of disqualifying them from shipping, transporting, possessing or receiving a firearm. Individuals subject to the Federal mental health prohibitor include those who have been involuntarily committed to a mental health institution, found incompetent to stand trial or not guilty by reason of insanity, or have been determined by a court or other lawful authority to be a danger to themselves or others or being unable to manage their own affairs. The disclosures to the NICS will be restricted to limited demographic and other information required by the NICS. Further, the Final Rule specifically prohibits the disclosure of any diagnostic or clinical information and “any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor.”

Importantly, the Final Rule’s express permission to disclose/report is narrowly tailored. Specifically, it does not extend to covered entities permission to report to the NICS the protected health information of individuals who are subject to the State-only mental health prohibitors. Additionally, the permission is not extended to “most treating providers”, which emphasizes HHS’ intention to protect the privacy of the patient-provider relationship.

A key tension at the heart of the gun control issue for years has been how to adequately protect individual privacy, in particular, mental health information, and maintain public safety. Not surprisingly, the Final Rule’s publication comes at a time of heightened tension between these issues, and President Obama announced yesterday that under his executive actions on guns, the administration will, among other actions, seek to expand mandatory background checks for certain private gun sales.

The Final Rule is effective February 5, 2016, 30 days from its publication in the Federal Register. To learn more about reporting under the Final Rule and the amended HIPAA regulation, please contact Greg Fliszar, J. Nicole Martin or any member of Cozen O’Connor’s Health Care team.

In August 2012, a Physician Group—comprising of nearly 20 physicians—reported its HIPAA breach to HHS, which resulted from a laptop bag containing the employee’s laptop and a computer server backup being stolen from an employee’s car in July 2012. According to the Resolution Agreement between HHS and the Physician Group, the laptop did not contain ePHI, but the portable, unencrypted server backup in the employee’s bag did. The backup contained ePHI for 55,000 individuals. To settle this matter, the Physician Group has agreed to pay $750,000.

Although stolen laptops and lack of encryption is nothing new in the world of HIPAA breaches, this situation stands out for a few reasons:

•  The Physician Group did not conduct “an accurate and thorough” risk assessment;
•  The significance of encryption extends not only to desktop computers and laptops, but also to portable devices, including but not limited to computer server backups; and
• This is a notable fine for a Physician Group of less than 20 physicians.

For more information regarding this incident and HIPAA compliance, including the importance of encryption and risk assessments, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients.   After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures.   Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well.   As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17^th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members.  Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska.  Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015.   According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach.  The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity.  The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack.  Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates.  Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation.  To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

This month, Governor Chris Christie signed into law a New Jersey bill requiring health insurance carriers (e.g., insurance companies, health service corporations, hospital service corporations, medical service corporations, HMOs that issue health benefits plans in New Jersey) to encrypt or otherwise secure  computerized records of personal information (e.g., SSN, address, identifiable health information, driver’s license number) (“Bill”). The Bill provides an alternative to encryption if the carrier uses, a “method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” However, password protection for computer programs, which is commonly used in the industry, is inadequate under the Bill if “the program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.”

The Bill does not address the ramifications for insurance carriers that fail to adhere to its requirements. However, in a statement by the Bill’s sponsors, the lawmakers explained that health insurance carriers that violate the Bill would be subject to penalties under the New Jersey consumer fraud statute, such as a monetary penalty up to $10,000 for an initial offense, and no more than $20,000 for each subsequent offense(s). Lawmakers further explained that “a violation can result in cease and desist orders issued by the Attorney General and the awarding of treble damages and costs to the injured party.”

Interestingly, this Bill only applies to health insurance carriers and not to healthcare providers, such as hospitals or physician group practices. However, it is anticipated that New Jersey will follow the industry enforcement trend that although encryption is not technically required under HIPAA it is considered a “reasonable” technical safeguard and therefore becoming an industry standard best practice. The timing of the Bill is also interesting as President Obama and the Federal Government discuss potential Federal legislation on cybersecurity, student privacy, and a national breach standard.  Tune back in to the Health Law Informer for future blogs on these issues.

Recently, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) released its Work Plan for Fiscal Year 2015 (“Work Plan”).  The OIG protects the integrity of HHS programs by identifying fraud and abuse and by suggesting improvements to HHS programs.  The Work Plan informs the public of new and ongoing reviews that OIG plans to pursue during the current fiscal year.

For Fiscal Year 2015 and beyond, OIG intends to focus on emerging payment, eligibility, management, and IT systems security vulnerabilities in the ACA programs, such as the health insurance marketplace.  OIG stated that it would also focus on the efficiency and effectiveness of payment policies in inpatient and outpatient settings, for prescription drugs, and in managed care.

Some specific new items of note include: (1) identifying clinical laboratories that routinely submit improper Medicare claims, (2) reviewing the rate of and reasons for transfers from group homes or nursing facilities to emergency departments as a potential indicator of poor quality, (3) identifying Medicaid MCO payments made on behalf of deceased or ineligible beneficiaries, and (4) assessing the extent to which hospitals comply with the contingency planning requirements of HIPAA.

The Work Plan is a valuable resource annually published by the OIG for providers to identify potential compliance risk areas.

Cozen O’Connor recently published another blog of the Work Plan with the Work Plan’s specific focus on HIPAA and/or information technology that the OIG will examine and address during Fiscal Year 2015.