Released August 30, 2017 from HHS.GOV


HHS Secretary Waives Certain HIPAA Privacy Rule Provisions for Texas and Louisiana Hospitals; OCR Issues Bulletin for Medical Professionals Navigating HIPAA Rules in Emergency Situations

In response to Hurricane Harvey, U.S. Department of Health and Human Services (HHS) Secretary Tom Price, M.D., declared a public health emergency in Texas and Louisiana and has exercised the authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with the following provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule:

• The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care

• The requirement to honor a request to opt out of the facility directory

• The requirement to distribute a notice of privacy practices

• The patient's right to request privacy restrictions

• The patient's right to request confidential communications

Other provisions of the Privacy Rule continue to apply, even during the waiver period.

When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; (3) with respect to the provisions identified above; and (4) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. All other provisions of the HIPAA regulations, including the Security Rule and the Breach Notification Rule, remain in effect. Further details are in the OCR bulletin for medical professionals navigating HIPAA rules in emergency situations.

April 20, 2017

Reinsurance carrier Summit Re suffered a ransomware attack in August 2016 that affected thousands of members covered by major insurance carriers, self-funded employer groups and small regional health plans. In multiple articles, Summit Re has stated there is no evidence that the data accessed has been used inappropriately; however, breach notification procedures and investigations have been put in place, along with mitigation measures for the members identified. Business associates were notified of the ransomware attack in October. A partial list of impacted entities and their covered members includes:

Highmark Blue Cross Blue Shield of Delaware, Louisiana Health Cooperative Inc., PrimeWest Health of Minnesota, Select Health Network of Indiana, Alliant Health Plans of Georgia, and Tufts Health Public Plans Inc.

Additionally, Alliant Health Plans was advised some time after the initial notification of an impermissible access of its member data which occurred in March 2016. It is unclear if additional carriers were impacted by that impermissible access of member data.

Sources:

Subcontracting Complicates Summit Re Ransomware Outreach, March 16, 2017; retrieved April 20, 2017

Another Healthcare Organization Affected by Summit Ransomware Attack, January 12, 2017; retrieved April 20, 2017

April 20, 2017

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois. 

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of CCDH following the initiation of an investigation into a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) dated prior to Oct. 12, 2015. CCDH thus disclosed PHI to a business associate for over a decade without the written assurances the Privacy Rule requires.

March 2, 2017

Nearly 80,000 patients were potentially impacted by a recent data breach at Georgia-based Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic.

On January 3, 2017, EHC became aware of an incident of unauthorized access involving a third party database called Waits & Delays. The database was used to update patients on appointment information.

The database, which contained appointment information, patient demographic information, contact information, medical record numbers, dates of service, and physician names, was deleted by an unauthorized individual who then requested a ransom to have the data restored.

Potentially impacted patients include any individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2017. EHC maintained that no patient Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident and said it has no indication any patient information has been misused in any way.

EHC also identified a second instance of unauthorized access, this one by an independent security research center that had been probing the database for application security gaps in order to alert companies to areas needing improvement.

After learning of the data breach, EHC launched an internal investigation and notified law enforcement. The health organization is presently in the process of informing potentially impacted patients and reassessing its security measures to make any necessary changes to internal and external systems containing patient information.