November 28, 2016
It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.
The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.
In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.
To help alert our readers to the threat and defenses you can employ in preventing HIPAA violations, I will be hosting a no-charge seminar at Noon (Central) September 14, 2016, and you are invited to attend. We will be hosting this webinar on a new platform that is reputed to be less glitchy than many of the formats we have used in the past, so join us to give us your feedback.
Hospitals might be surprised to learn that HIPAA violations can not only result in federal fines, but also in fines from more than one state if the breach involves out-of-state residents. Under the HITECH Act, state Attorneys General also have enforcement and fine capabilities, but as states get more into privacy legislation, some states are enforcing their own state privacy regulations to protect their home state residents against out-of-state healthcare organizations and businesses as well.
In July 2014, the Massachusetts AG announced a consent judgment for $150,000 with a Rhode Island hospital over a breach of more than 12,000 Massachusetts residents’ health records under an action based on state privacy regulations and HIPAA. The action cited “deficient” employee training and internal policies that allegedly delayed discovery of the breach and reporting. The terms also reportedly required the hospital to hire an outside firm to audit compliance and to inventory all locations and custodians of all unencrypted electronic media and patient charts. No cost estimate was placed on the compliance program.
The alleged breach occurred in 2011 when 19 backup tapes containing records for the hospital’s two prenatal clinics — one located in Massachusetts — were misplaced. The breach was discovered in early 2012 but not reported until the fall of 2012.
The states of Massachusetts, California, Florida, and Texas have been leaders in aggressive privacy laws and enforcement. HIPAA covered entities should review their data breach response plans and update them specifically for these states, especially if they are in border areas. Many consultants recommend that covered entities and business associates anticipate being held to compliance standards in any out-of-state venue where their patients reside and be prepared to respond even in non-contiguous states.
COMMENT: Hospitals, clinics, providers, and business associates should review their insurance coverage for adequate “cyber” coverage for HIPAA, privacy, and confidentiality. The rapid explosion of privacy claims and HIPAA fines has moved this exposure into one of the most rapidly growing liability and compliance arenas today, and the source of almost as many questions as EMTALA on this site.
Lawyers, risk managers, and IT experts were struck this week by the seeming impossibility of complying with the law of privacy and security when the US government’s NSA and other countries are undermining or outright sabotaging their efforts at every turn.
In another disclosure that has left the highest levels of industry experts “gobsmacked”, ProPublica.com has reported on new Snowden disclosures that include:
- The NSA has secretly and successfully worked to break many types of encryption, the widely used technology that is supposed to make it impossible to read intercepted communications.
- Referring to the NSA’s efforts, a 2010 British document stated: “Vast amounts of encrypted Internet data are now exploitable.” Another British memo said: “Those not already briefed were gobsmacked!”
- The NSA has worked with American and foreign tech companies to introduce weaknesses into commercial encryption products, allowing backdoor access to data that users believe is secure.
- The NSA has deliberately weakened the international encryption standards adopted by developers around the globe.
For full details of the importance of these disclosures to your privacy and security efforts, go to www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption.