Archive for HIPAA News
A new healthcare bill aimed at accelerating the development of new clinical drugs and innovative treatments would allow federal regulators to relax portions of HIPAA privacy laws in the name of research, as well as penalize electronic health record vendors that fail to comply with standards for interoperability and safe information exchange. The proposed bill also allows penalties for vendors who engage in information blocking.
The 21st Century Cures Act was co-authored by U.S. Reps. Fred Upton (R-Mich.) and Diana DeGette (D-Colo.), who began work on the bill more than a year ago. They, along with three other co-sponsors, unveiled a draft of the bill April 30, which was then amended and presented to the House Committee on Energy and Commerce’s Subcommittee on Health. It passed by voice vote.
Among other things, the bill would allow HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.
The Privacy Rule currently allows hospitals and other healthcare providers to use PHI without patient authorization only for treatment, billing, and internal healthcare operations. Under the proposed law, those covered entities and their business associates would also have unfettered access to those records for use in researching new drugs and treatments.
Proponents of the bill argue these changes, along with streamlining the regulatory process, will remove barriers to life-saving medical advancements. They also point to language in the bill that says PHI used in research would be fully protected under HIPAA Privacy, Security, and Breach Notification Rules.
There’s also consideration of seeking one-time authorization from patients to use their PHI in future medical research.
“The history of health innovation is remarkable,” Upton told colleagues during the subcommittee session. He chairs the House Committee on Energy and Commerce. “But the future is where I’ve set my sights. I’ve got my eye on 21st Century Cures. And I want to ensure that the laws, regulations, and resources governing the quest for better and faster treatments keep pace with scientific advances.”
“There is no cause more worthy, no challenge more urgent. We need 21st Century Cures, and we need them now,” he said. Upton also noted that of roughly 10,000 known diseases – most of them rare maladies – only 500 currently have treatments available.
“This bipartisan effort will take a broad look at the full arc of the process – from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment level,” said DeGette in a statement.
Subcommittee sessions were scheduled for May 19 and 20 for further deliberation on the bill.
In the wake of the cyberattack that exposed the PHI of nearly 80 million current and former Anthem, Inc., subscribers, the health insurer is refusing to comply with requests for a security audit by the Office of Personnel Management’s (OPM) Inspector General, according to HealthData Management.
Anthem participates in the Federal Employees Health Benefits Program, which provides health benefits to civilian government employees and annuitants in the U.S. The OPM oversees this program and conducts vulnerability scans and configuration compliance audits of participants’ computer servers. Anthem refused the audit on the grounds that it is against its corporate policy, HealthData Management reported.
In 2013, the OPM Office of the Inspector General attempted to audit Anthem but the insurer implemented restrictions that prevented auditors from adequately testing the security of Anthem systems. The final 2013 report on Anthem (known as Wellpoint, Inc., at the time) states that the agency was unable to attest that the insurer’s servers were secure.
Kate Borten, CISSP, CISM, founder of The Marblehead Group in Marblehead, Massachusetts, notes that the breach appears to be related to multiple security vulnerabilities. Successful spear phishing attacks permitted unauthorized access, and network protocols were likely outdated, says Borten.
Much can be learned by simply looking at the way Anthem reacted to the breach and began its breach notification process.
“They had a plan, they reacted quickly, they were on top of it,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon. “That’s something that I can’t say for many healthcare organizations.”
Having an incident response plan in place proves valuable regardless of the size of an organization or a breach, he says. The plan must be regularly tested and retested to ensure employees are aware of it and understand how it works, so that updates can be made if necessary.
Although it is important to have an incident response plan in place, the Anthem breach highlights the fact that organizations need more to ensure PHI is secure, says Mac McMillan, FHIMSS, CISSM, co-founder and chief executive officer of CynergisTek, Inc., in Austin, Texas.
“Healthcare organizations have to invest in technology and services that enhance their detection capabilities,” McMillan says. “The bottom line is we need to spend more attention on making it harder for hackers to exploit our enterprises and exfiltrate data.”
Stay tuned for the April issue of Briefings on HIPAA for more reactions to the breach.
Anthem subscribers are rallying together to file lawsuits in response to the cyberattack on the insurer that exposed the PHI of 80 million current and former Anthem subscribers, according to the Times Union.
Subscribers filed class-action lawsuits against Anthem in Alabama, California, Georgia, and Indiana. Each lawsuit seeks more than $5 million in damages.
The Indiana Court of Appeals recently upheld a $1.4 million verdict against Walgreens following a HIPAA violation, according to www.indystar.com. Walgreens had requested that the appeals court overturn a July 2013 verdict that awarded damages to pharmacy customer Abigail Hinchy after a pharmacist inappropriately accessed her records.
Hinchy filed a lawsuit in Marion Superior Court after learning that pharmacist Audra Withers accessed her prescription information without authorization. Withers shared the confidential information with her husband, who is Hinchy’s ex-boyfriend and the father of her child. Withers’ husband shared Hinchy’s private information with at least three other people and planned to use it in a paternity lawsuit, according to www.indystar.com.
Walgreens argued that it should not be liable for Withers’ actions. However, the court of appeals unanimously decided that Withers violated her duties by viewing and sharing information found in Hinchy’s records and that the trial court ruling allowed jurors to consider Walgreens’ liability, according to www.indystar.com.