Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting guidance and events from the first quarter of 2018.

OCR Guidance on Cyber Extortion

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) January Cybersecurity newsletter focused on cyber extortion, emphasizing the steady historical increase in prevalence and expected continued increase. OCR reported that cyber extortion can come in many forms, but typically involves cybercriminals demanding money to stop (or delay) their malicious activities (e.g., stealing sensitive data or disrupting computer services).

The newsletter included a description of different kinds of cyber extortion, some of which OCR has highlighted in previous publications, including: ransomware and denial of service (DoS) and distributed denial of service (DDoS) attacks. OCR provided guidance on proactive steps to reduce the chances of being a cyber extortion victim (e.g., implementing a risk analysis and risk management program, training employees to better identify suspicious emails and other messaging technologies, patching systems to fix vulnerabilities, deploying proactive anti-malware solutions, encrypting and backing up sensitive data, testing contingency and disaster recovery plans, etc.) and how to respond to a cyberattack (e.g., using OCR’s previously published Cyber-Attack Quick Response checklist and infographic).

Liability for HIPAA Violations Remain Even When a Business Closes

In February, OCR reminded us that the consequences of HIPAA violations do not have an expiration date. A receiver appointed to liquidate a company’s assets agreed to pay $100,000 from the receivership estate in order to settle potential HIPAA Privacy Rule violations involving impermissible disclosure of PHI.

OCR received an anonymous complaint and, after an investigation, determined that over the course of a couple of weeks, the company had impermissibly disclosed PHI of 2,150 individuals by leaving the PHI in an unlocked truck in the company’s parking lot, or by granting permission to an unauthorized person to remove the PHI from the company, and leaving the PHI unsecured outside the company’s facility.

The company went out of business during the course of OCR’s investigation. In unrelated litigation, a receiver was appointed to liquidate the company’s assets for distribution to creditors and others. The receiver agreed to pay the $100,000 settlement and properly store and dispose of the remaining medical records in compliance with HIPAA. Regarding the settlement, OCR Director Roger Severino stated that, “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

 OCR Releases Phishing Guidance

Phishing is a type of cyberattack used to trick individuals into divulging sensitive information via electronic communication by impersonating a trustworthy source (e.g., an email that appears to come from IT requesting that the individual “click here to reset your password” or a message that includes a spreadsheet that appears to have organization financials but really contains malicious software that executes when the attachment is opened). According to OCR, phishing is one of the primary methods used to distribute malicious software, including ransomware.

In its February 2018 Cybersecurity newsletter, OCR addressed the importance of remaining vigilant against phishing attacks as these attacks are becoming increasingly sophisticated. Among other tips to avoid becoming a victim of a phishing attack, OCR noted that one of the primary methods to combat phishing attacks is through user awareness and cybersecurity training. While your workforce is the first line of defense, maintaining a current backup is also a key proactive step to keep your organization better positioned to respond to cyberattacks. OCR also recommends that entities use multifactor authentication to reduce the possibility that someone can hack into an account using only a password, and that entities keep anti-malware and system patches up to date to lessen the amount of damage in the event of a successful phishing attack.

Contingency Plan Drafting Tips from OCR

OCR’s March Cybersecurity newsletter provides a set of tips for drafting a contingency plan, i.e., a set of pre-determined actions that allow an organization to return to daily operations as quickly as possible after an unforeseen event. As a critical component to protect availability, integrity, and security of data, OCR emphasized that contingency plans should no longer be limited to natural disasters, but should also address how to respond to cyberattacks.

The newsletter specifies those contingency plan elements required by HIPAA (i.e., disaster recovery, emergency mode operation/continuity of operations, and data backup). OCR also noted that having a contingency plan is not enough; the plan should be tested and deficiencies should be revised. Overall, OCR emphasized the importance of conducting a risk analysis to identify potential threats, risks, and possible preventative controls but also being ready to respond, operationalize and maintain the contingency plan as part of normal business operations.

 MyHealthEData Initiative and Medicare’s Blue Button 2.0

The Trump administration announced the MyHealthEData initiative and launch of Medicare’s Blue Button 2.0 on March 6. The initiative’s purpose is to “empower patients by giving them control of their healthcare data, and allowing it to follow them through their healthcare journey.” The MyHealthEData initiative will “work to make clear” that patients deserve to electronically receive a copy of their entire health record and also be able to share their data with whomever they want and, with these tools, be able to choose the provider that best meets their needs leading to greater competition and reduction in costs.

With a goal of decreasing duplication and aiding in continuity of care, the launch of Medicare’s Blue Button 2.0 includes a new and secure way for Medicare beneficiaries to access and share their personal health data in a universal digital format, including allowing a patient to access and share their health care information, previous prescriptions, treatments, and procedures with other providers. The administration has asked all insurers to follow the government’s lead and give patients access to their claims data in digital format explaining that “. . . enabling patients to control their Medicare data so that they can quickly obtain and share it is critical to creating more patient empowerment.”

Consumer Engagement: HHS Patient Guide and ONC Brief Released

On April 4, HHS issued an online guide to getting and using health records in support of the MyHealthEData initiative, described above. The new guide includes advice to patients on how to get, check, and use their health care records in an effort to increase patient engagement through an easy-to-use tab format.

Also in April, the Office of the National Coordinator for Health Information Technology (ONC) published a new ONC data brief, which included statistics on access to and use of online medical records, including:

  • As of 2017, over half of individuals have been offered online access to medical records by either a provider or insurer.
  • Among individuals who accessed their records, 8 in 10 felt the online record was easy to understand and useful.
  • One-third of individuals used an electronic device (e.g., Fitbit, blood pressure monitor) to monitor health and 4 in 10 table/smartphone users have a health or wellness app.

While those working in the health IT industry may feel like health IT is omnipresent, it is clear that there are many Americans who have not been offered online access (48%) or have not viewed an online medical record in the past year (24%). As technology and interoperability continue to advance, we should expect to see continued use of health IT. The new guide to getting and using health records is an example of HHS getting in on this game, supporting the MyHealthEData initiative, and educating patients on their rights and benefits of accessing health IT. We will be watching for more to come from this initiative.

For questions about any of these updates, how to reasonably operationalize or respond to any of the guidance, or health IT privacy and security generally, please contact Meghan O’Connor at (414) 277-5423/meghan.oconnor@quarles.com, Rachel Weiss at (414) 277-5829/rachel.weiss@quarles.com, Sarah Erdmann at (414) 277-5512/sarah.erdmann@quarles.com, or your Quarles & Brady Health Information Technology, Privacy and Security attorney. Stay tuned to our Safe & Sound blog for future privacy and security updates and quarterly wrap-ups!