
HIPAA Privacy & Security Updates—From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer, January 2019

I have three new privacy & security cases to report in this issue.

ALLERGY PRACTICE PAYS $125,000 TO SETTLE DOCTOR’S DISCLOSURE OF PATIENT INFORMATION TO A REPORTER

On November 26, 2018, the HHS Office for Civil Rights (OCR) announced that Allergy Associates of Hartford, P.C. (Allergy Associates) has agreed to pay $125,000 to OCR, part of the U.S. Department of Health & Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule.

Allergy Associates is a health care practice that specializes in treating individuals with allergies, and comprises three doctors at four locations across Connecticut.

In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates doctor. The reporter subsequently contacted the doctor for comment, and the doctor impermissibly disclosed the patient’s PHI to the reporter.

OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights, and that the disclosure, according to OCR, occurred after the doctor had been instructed by Allergy Associates’ Privacy Officer either not to respond to the media or to respond with “no comment.” Additionally, OCR’s investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or any corrective action following the impermissible disclosure to the media.

In addition to the monetary settlement, Allergy Associates will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules. 

The resolution agreement can be found on the OCR website.

FLORIDA CONTRACTOR PHYSICIANS’ GROUP SHARES PHI WITH UNKNOWN VENDOR WITHOUT A BUSINESS ASSOCIATE AGREEMENT

Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy & Security Rules. ACH provides, according to OCR, contracted internal medicine physicians to hospitals and nursing homes in west central Florida. ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant timeframe.

Between November 2011 and June 2012, ACH engaged the services of an individual who represented himself to be a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.

On February 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including name, DOB, and social security number. In response, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the PHI from its website. ACH filed a breach report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected. OCR’s investigation revealed that ACH never entered into a Business Associate Agreement with the individual providing medical billing services to ACH, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic PHI.

In addition to the monetary settlement, ACH will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA rules. 

MARRIOTT/STARWOOD ANNOUNCES MAJOR GUEST RESERVATION DATA BREACH

In a major non-HIPAA breach, Marriott Hotels/Starwood Hotels announced a data breach in their guest reservation services. An internal investigation showed that unauthorized access had been ongoing since 2014.

In a number of online and TV news reports, the company has confirmed that the personal information of up to 500 million guests who made a reservation on or before September 10, 2018 was exposed. I was unfortunately (as I’m sure many of you were as well) notified of this event on December 7th.

For approximately 327 million of these 500 million guests, the exposed information includes some combination of name, mailing address, phone number, email address, passport number, DOB, gender, arrival and departure information, and possibly encrypted credit card numbers and expiration dates.

Marriott recently discovered that an unauthorized party had copied and encrypted information, and had taken steps toward removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott states that the payment card information was encrypted using AES-128, and that two components are needed to decrypt the payment card numbers; at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address and other information.

Marriott is in the process of notifying its customers and has taken many steps to help you monitor and protect your information, including a dedicated call center, email notification to affected guests and free WebWatcher enrollment.

They are advising guests to monitor their Marriott and SPG accounts for suspicious activity, change passwords regularly, not use the same password on multiple accounts, review payment card account statements for unauthorized activity, and immediately report any unauthorized activity to the bank that issued the card.

Marriott/SPG also advises that you be vigilant against third parties attempting to gather information through deception (“phishing”), such as links to fake websites. Marriott says it will NOT ask you to provide your password by phone or email. They also ask you to immediately contact your national data protection authority or local law enforcement if you believe you are a victim of identity theft or your personal data has been misused.

Basically, they are advising you to do much of the same as I have been doing in a number of articles and columns in the COIN!  ##