October 31, 2017


The Office for Civil Rights (OCR) issued, in its October Cybersecurity Newsletter, guidance on the use of mobile devices to create, store, and transmit ePHI. Among the helpful hints in the text is a firm reminder to be sure your IT security staff assigns the appropriate risk level to the use of mobile devices. The suggestions offered in the newsletter include:


· Implement policies and procedures regarding the use of mobile devices in the workplace, especially when used to create, receive, maintain, or transmit ePHI.

· Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.

· Install or enable automatic lock/logoff functionality.

· Require authentication to use or unlock mobile devices.

· Regularly install security patches and updates.

· Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.

· Use a privacy screen to prevent people close by from reading information on your screen.

· Use only secure Wi-Fi connections.

· Use a secure Virtual Private Network (VPN).

· Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.

· Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.

· Include training on how to securely use mobile devices in workforce training programs.

The full newsletter may be found here.
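The newsletter's controls lend themselves to a policy-as-code check: export the device inventory from whatever MDM is in use and flag devices that fall short, weighting the finding by whether the device touches ePHI. The script below is an added illustration, not a tool from OCR or from any MDM vendor. The `Device` record layout, the approved-app whitelist, the 30-day patch window and the 5-minute auto-lock limit are all assumed values chosen for the example; the inventory records are constructed.

```python
"""Audit an MDM inventory export against the mobile-device controls in the
OCR October 2017 newsletter. Added example: the record layout, thresholds and
sample devices below are constructed assumptions, not OCR or vendor data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy values for this example.
APPROVED_APPS = {"mail", "ehr-client", "vpn"}   # constructed app whitelist
MAX_PATCH_AGE_DAYS = 30                          # patches older than this are overdue
MAX_AUTO_LOCK_MINUTES = 5                        # longest acceptable auto-lock timeout


@dataclass
class Device:
    """One row of a (hypothetical) MDM inventory export."""
    device_id: str
    stores_ephi: bool                 # does this device create/store/transmit ePHI?
    auth_required: bool               # PIN/biometric required to unlock
    auto_lock_minutes: Optional[int]  # None means auto-lock is disabled
    encrypted: bool                   # storage encryption enabled
    antimalware: bool                 # anti-virus/anti-malware present
    remote_wipe: bool                 # remote wipe capability enrolled
    last_patched: date                # date of last security update
    installed_apps: Set[str] = field(default_factory=set)


def check_device(dev: Device, today: date,
                 approved: Set[str] = APPROVED_APPS) -> List[str]:
    """Return a list of control gaps for one device (empty list = compliant)."""
    findings = []
    if not dev.auth_required:
        findings.append("no authentication required to unlock")
    if dev.auto_lock_minutes is None or dev.auto_lock_minutes > MAX_AUTO_LOCK_MINUTES:
        findings.append("auto-lock disabled or timeout too long")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if not dev.antimalware:
        findings.append("no anti-malware software")
    if not dev.remote_wipe:
        findings.append("remote wipe not enabled")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("security patches overdue")
    unapproved = sorted(dev.installed_apps - approved)
    if unapproved:
        findings.append("unapproved apps installed: " + ", ".join(unapproved))
    return findings


def risk_level(dev: Device, findings: List[str]) -> str:
    """The newsletter's point: the same gap is riskier on a device that holds ePHI."""
    if not findings:
        return "low"
    return "high" if dev.stores_ephi else "medium"


def audit(devices: List[Device], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Map device id -> (risk level, findings) for every device in the export."""
    report = {}
    for dev in devices:
        findings = check_device(dev, today)
        report[dev.device_id] = (risk_level(dev, findings), findings)
    return report


# Constructed sample inventory: one compliant clinic tablet, one non-compliant phone.
SAMPLE_INVENTORY = [
    Device("tablet-01", stores_ephi=True, auth_required=True, auto_lock_minutes=2,
           encrypted=True, antimalware=True, remote_wipe=True,
           last_patched=date(2017, 10, 20), installed_apps={"mail", "ehr-client"}),
    Device("phone-07", stores_ephi=True, auth_required=False, auto_lock_minutes=None,
           encrypted=False, antimalware=True, remote_wipe=False,
           last_patched=date(2017, 8, 1), installed_apps={"mail", "game"}),
]

if __name__ == "__main__":
    for device_id, (level, findings) in audit(SAMPLE_INVENTORY, date(2017, 10, 31)).items():
        print(f"{device_id}: {level}")
        for item in findings:
            print(f"  - {item}")
```

In practice the `Device` rows would be parsed from the MDM's export (CSV or API JSON) rather than typed in, and the thresholds would come from the organisation's written mobile-device policy so that the check and the policy cannot drift apart.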

Released August 30, 2017 from HHS.GOV


HHS Secretary Waives Certain HIPAA Privacy Rule Provisions for Texas and Louisiana Hospitals; OCR Issues Bulletin for Medical Professionals Navigating HIPAA Rules in Emergency Situations

In response to Hurricane Harvey, U.S. Department of Health and Human Services (HHS) Secretary Tom Price, M.D., declared a public health emergency in Texas and Louisiana and has exercised the authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with the following provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule:

• The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care

• The requirement to honor a request to opt out of the facility directory

• The requirement to distribute a notice of privacy practices

• The patient's right to request privacy restrictions

• The patient's right to request confidential communications

Other provisions of the Privacy Rule continue to apply, even during the waiver period.

When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; (3) with respect to the provisions identified above; and (4) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. All other provisions of the HIPAA regulations, including the Security Rule and the Breach Notification Rule, remain in effect. For more information on the bulletin, click here.

April 20, 2017

Reinsurance carrier Summit Re suffered a ransomware attack in August 2016 that affected thousands of members covered by major insurance carriers, self-funded employer groups and small regional health plans. In multiple articles, Summit Re has stated there is no evidence that the data accessed has been used inappropriately; however, breach notification procedures and investigations have been put in place, as well as mitigation measures for the members identified. Business Associates were notified of the ransomware attack in October. A partial list of impacted entities and their covered members includes:

Highmark Blue Cross Blue Shield of Delaware, Louisiana Health Cooperative Inc., PrimeWest Health of Minnesota, Select Health Network of Indiana, Alliant Health Plans of Georgia, and Tufts Health Public Plans Inc.

Additionally, Alliant Health Plans was advised, some time after the initial notification, of an impermissible access of its member data which occurred in March 2016. It is unclear if additional carriers were impacted by that impermissible access of member data.

ThinkAdvisor.com: Subcontracting Complicates Summit Re Ransomware Outreach, March 16, 2017; retrieved April 20, 2017

HealthITSecurity.com: Another Healthcare Organization Affected by Summit Ransomware Attack, January 12, 2017; retrieved April 20, 2017

April 20, 2017

The Center for Children's Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of CCDH following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) dated prior to Oct. 12, 2015. For the full corrective action plan, click here.