U.S. Healthcare System Faces Mounting Cybersecurity Risks

The heightened use of technology in healthcare is coupled with mounting cyberattacks. Recently, the healthcare industry experienced a global cyberattack when malicious software targeted the industry. The attack hit Britain’s National Health Service the hardest, affecting sixty-five of its hospitals. Cyberattackers stole healthcare information after using phishing emails to take control of the organizations’ computers, encrypting the computers’ information, and threatening to release the patient information contained on the systems if the organizations failed to satisfy payment demands.

According to the U.S. Department of Health and Human Services’ Office for Civil Rights, over 100 million Americans’ health records were divulged in 2015. In early 2017, Experian predicted the healthcare industry would be the biggest target for an attack. Moreover, an Identity Theft Resource Center report revealed that more than 25% of all data breaches occurred in the healthcare industry, costing an estimated $5.6 billion each year.

Congress created the Health Care Industry Cybersecurity Task Force through the Cybersecurity Act of 2015 to examine the healthcare industry’s vulnerabilities and create solutions to the cyber threats that place millions of patients’ information at risk each year. In light of the recent attack, the task force investigated the state of health information systems security in the U.S. and found a desperate need to increase health IT security.

In its report to Congress, the task force made a series of recommendations that suggested how to fend off the increasing threats. Among others, the recommendations include creating programs to cleanse healthcare organizations of vulnerable hardware and software and inserting more people with security skills into the healthcare field. The report emphasizes that failure to intervene could lead to catastrophic losses for organizations and patients.

The task force notes that the successful implementation of its recommendations will require significant time and resources, but it hopes the government will promptly respond to its report with efforts to improve cybersecurity in healthcare organizations.

© 2017 Vandenack Weaver LLC
For more information, Contact Us

Changes Coming to Meaningful Use

The government program providing incentives to health providers for meaningful use of electronic health records continues to be troubled as the final rule for stage 3 has been delayed until 2018. Coupled with recent comments by the Centers for Medicare and Medicaid Services (CMS), it appears that the entire program will undergo substantive changes in the year ahead. However, CMS notes, it is important to continue under the old program until the changes start being unveiled in the spring of 2016.

When meaningful use started in 2009, the intent was to induce medical providers to use the new technology purchased with the help of the federal government. By providing incentive payments to the physicians that showed they were using the new technology in a meaningful way, the government believed it would improve quality, safety, and efficiency of care through electronic health records. However, CMS has found that the program did not operate as envisioned, resulting in the forthcoming changes to the program, expected to start in the spring of 2016.

While the new program has guiding themes that were issued by CMS, it is unclear what the new program will ultimately look like. However, many of the themes focus on the outcome of patient care, with less focus on the use of the new technology, in hopes that complaints by all stakeholders about the meaningful use program will be alleviated. For health providers, the pending changes will take time to implement, and until then the meaningful use program remains the operative requirement. To read more about the changes, please visit the official blog of CMS at: http://blog.cms.gov/2016/01/19/ehr-incentive-programs-where-we-go-next/

© 2015 Vandenack Williams LLC

Who Owns Medical Records in the Digital Age?

Determining who owns medical records in the age of electronic health records remains somewhat ambiguous. In fact, recent issues at the University of Rochester Medical Center highlight the confusion: the health provider recently reached a settlement over a violation of protected health information because a nurse practitioner took patient information to a new practice. Thus, the relevant question is whether the provider, the physician, the electronic health record vendor, or the patient owns the information.

Many patients assume the Health Insurance Portability and Accountability Act (HIPAA) provides ownership of health information to the patient, but the law, in fact, fails to specify. Largely, this issue is left to state legislatures to determine, but the majority of states have failed to address the issue. According to a recent survey by the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation, only New Hampshire provides ownership of medical records to the patient, while in 20 other states, the healthcare provider owns them.

In the age of electronic health records, patient data is quickly shareable between physicians, patients, and other individuals. This poses new legal challenges for healthcare providers and physicians, especially as the laws and regulations on protected health information continue to evolve and state attorneys general start to enforce the privacy laws under the Health Information Technology for Economic and Clinical Health Act. This means that physicians and healthcare providers of all types should ensure that their internal policies on health records fully comply with the evolving legal landscape.

© 2015 Houghton Vandenack Williams

Potential Employer Requirements Due to Anthem, Inc. Data Breach

On February 4, 2015, Anthem Inc., one of the largest U.S. health insurers, notified the public that its data systems were breached. This breach potentially left customer names, social security numbers, and other personal information vulnerable. Subsequently, Anthem Inc. has already seen a customer lawsuit filed in California over the breach, with many more expected.

Health plan participants that have been affected will be notified in compliance with federal law. However, as this investigation continues, it may place additional burdens on employers. Depending upon the nature of the breach, of which further details are expected soon, employers may have to issue breach notifications under the Health Insurance Portability and Accountability Act (HIPAA). Until it becomes clear what information was taken, specific notification requirements are unclear. For example, a key question is whether protected health information was taken.

The type of health plan an employer offers will determine the obligations each company faces. The requirements will become clearer once further information is released. Beyond the federal HIPAA requirements, 47 states have unique breach notification laws that may impose obligations.

If you have questions pertaining to how this may impact your requirements under the law, please contact Houghton Vandenack Williams for further information.

© 2015 Houghton Vandenack Williams

HHS Releases Bulletin: HIPAA Privacy in Emergency Situations

Generally, when you visit a healthcare facility or receive any health treatments, you expect a certain level of privacy. Patient privacy is protected by HIPAA, or the Health Insurance Portability and Accountability Act. However, the Department of Health and Human Services released a bulletin this month outlining situations when the privacy rules are not applicable.

Private health information is not protected when public health is at risk, when treatment of the individual patient so requires, and in other situations where disclosure may be necessary. As an example, in the middle of a public health crisis, a healthcare provider may disclose critical information “to prevent or control the disease, injury, or disability.”

Although a provider must still be extremely careful not to over-disclose private information, the release will generally be protected if the provider complies with requests from federal entities, such as the Centers for Disease Control. The provider can also disclose to other health providers for coordination of care efforts, to family and friends who are involved in the treatment, to relief organizations such as the Red Cross, and potentially to media outlets.

© 2014 Parsonage Vandenack Williams LLC

Weak Passwords Put Patients’ EHR at Risk

By M. Thomas Langan II.

A recent government report criticized the current electronic health record certification process for failing to require strong passwords. These vulnerabilities make it easier for hackers to penetrate electronic health record (“EHR”) systems and access patient records. The report comes amid a study finding that many patients are reluctant to divulge their information when their physician uses EHR, out of fear for their data’s security. Despite the current lax requirements, it is recommended that all passwords be at least 8 characters long, contain at least 3 of the following four character types (capital letters, lowercase letters, numbers, and special characters), and be changed at least monthly.

The government’s report can be found here: http://oig.hhs.gov/oas/reports/region6/61100063.asp

The study can be found here: http://jamia.bmj.com/content/early/2014/07/24/amiajnl-2014-002804.abstract
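The following is an added example, not code from the post, the OIG report, or the study it cites. It turns the password recommendation stated above (at least 8 characters, at least 3 of the 4 character classes, changed at least monthly) into a check that a practice could run over an export of EHR user accounts. "Monthly" is read here as a 30-day maximum age; that reading, the account data, and the function names are all assumptions of this example.

```python
"""Check EHR account passwords against the policy recommended in the post above.

Rules implemented:
  * at least 8 characters
  * at least 3 of 4 character classes: uppercase, lowercase, digit, special
  * rotated at least monthly (assumed here to mean no older than 30 days)
"""
from __future__ import annotations

import string
from datetime import date

MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE_DAYS = 30  # assumed interpretation of "changed at least monthly"


def character_classes(password: str) -> set[str]:
    """Return the set of character classes present in the password."""
    classes: set[str] = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
        # anything else (spaces, other symbols) counts toward length only
    return classes


def check_password(password: str, last_changed: date, today: date | None = None) -> list[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    today = today or date.today()
    problems: list[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        names = ", ".join(sorted(found)) or "none"
        problems.append(f"only {len(found)} of 4 character classes ({names})")

    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        problems.append(f"last changed {age_days} days ago (limit {MAX_AGE_DAYS})")

    return problems


def audit_accounts(accounts: dict[str, tuple[str, date]], today: date) -> dict[str, list[str]]:
    """Map each username to its violations for a (username -> (password, last_changed)) export."""
    return {user: check_password(pw, changed, today) for user, (pw, changed) in accounts.items()}


# Constructed sample account export (hypothetical users and passwords).
SAMPLE_ACCOUNTS = {
    "nurse01": ("Ward7-Rounds!", date(2014, 8, 1)),   # compliant
    "admin": ("password", date(2014, 1, 1)),          # one class, stale
}

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, date(2014, 8, 15)).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{user}: {status}")
```

In practice the audit would be run against the password hashes' metadata (length and class information captured at change time, plus the last-changed timestamp), since plaintext passwords should never be exported; the plaintext input here is only to keep the example self-contained.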

© 2014 Parsonage Vandenack Williams LLC

Nebraska Passes Bill Expanding Telehealth Coverage

The Unicameral has passed a bill that expands the definition of telehealth, which will presumably expand Medicaid coverage for these services. Under the new law, telehealth includes all usage of medical information electronically exchanged between sites to aid providers in diagnosing or treating patients. The bill explicitly includes telemonitoring and “store-and-forward” technology in the definition of telehealth. It also removes language from the prior statute that excluded telephone conversations, e-mails, and faxes from the definition of telehealth consultations.

The bill makes a number of other minor changes to the state’s telehealth laws. Specifically, it prohibits changes in reimbursement rates that depend on the distance between a patient and her healthcare provider. Thus, as a result of this bill, Nebraska providers may be able to claim reimbursement for new services, and are protected from changing reimbursement rates based on distance.

© 2014 Parsonage Vandenack Williams LLC

FDA Releases New Report on Health IT Oversight

The FDA, in conjunction with other administrative agencies, has released a new report that describes its strategic plan for regulating health IT devices. The report suggests three different categories of health IT, based on the risks associated with each type. The lowest-risk category is administrative health IT functions. This includes software for admissions, scheduling, and practice management. The FDA has indicated that health management health IT functions pose a slightly higher risk. These include clinical decision support and medication management tools. Finally, the FDA identified medical device health IT functions, such as robotic surgical control and computer-aided detection software, as high-risk areas.

The FDA has indicated that it will focus its attention on medical device health IT functions, and does not see a need for further regulatory oversight over the other two areas at this time.

© 2014 Parsonage Vandenack Williams LLC

Medical Providers Should Use Caution on Continued Use of Windows XP

Microsoft’s recent announcement that it will stop providing support for its Windows XP operating system could cause an increased HIPAA risk to certain medical providers. HIPAA generally requires medical providers to adequately safeguard their protected health information. One effect of Microsoft’s decision is that it will no longer be helping to ensure that users of XP are secure from new forms of hacking and malware. Therefore, medical providers using XP are at an increased risk of being attacked and possibly violating HIPAA. To help prevent this, medical providers using Windows XP should ensure that their anti-virus software and firewalls are current while beginning to look into upgrading their operating systems.

© 2014 Parsonage Vandenack Williams LLC

How Does HIPAA Affect My Business?

HIPAA was enacted to protect the privacy of an individual’s health information. The vast majority of HIPAA requirements apply to covered entities and business associates. A covered entity is an organization that transmits or produces protected health information. A business associate is an organization that carries out the functions of covered entities or otherwise receives health information from covered entities, for example, a billing company.

If you are a covered entity or business associate then you are subject to the HIPAA Privacy Rule which governs the use and disclosure of protected health information. You are also subject to the HIPAA Security Rule which governs how health information should be safeguarded.

Even if your company is not a covered entity or business associate there are certain aspects of HIPAA that you should be aware of. If your company offers employment benefit plans or health plans or otherwise has health information on your employees, then you should make sure that this information is not disclosed without the express permission of the employee. You should also make sure that this information is safeguarded and not allowed to be accessed by unauthorized personnel.

Finally, you should check state law as states are allowed to supersede certain parts of HIPAA and apply them towards your business.

© 2014 Parsonage Vandenack Williams LLC