2019 predictions recap

We have made it most of the way through another year.  Now is the time to see how we did when we released our 2019 predictions in episode 186 way back on Jan 11.  So many things transpired this year, just thinking about the threat landscape, much less all of our HIPAA discussions, that January feels long ago in a galaxy far, far away.  Let’s get to the 2019 predictions recap.

A 5 star review is all we ask from our listeners.
In this episode:

2019 Predictions Recap – Ep 234

The HIPAA Boot Camp

2020 Sessions Dates Coming Soon

March 24, 25, 26

Tucker, GA

For info go to TheHIPAABootCamp.com

Registration Form


Share Help Me With HIPAA with one person this week!

We have been remiss in acknowledging our Patreon sponsors.

SHOUT OUT TO OUR PATREON SUPPORTERS

John Dubinski

George Fenton – Kenneth Sims

Data Privacy Day Jan 28, 2020.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

2019 Predictions Recap

No one likes to admit they screw up, but we don’t care.  We went out on a limb in January making predictions, so we have to see how strong that limb is in December.  Let’s see how all 5 of our predictions turned out.  Some turned out much better than others, that is for sure.

1. More Federal Data Privacy & Security Legislation coming.

At the beginning of the year it was looking really promising.  Both Republicans and Democrats in Congress plus the White House all said they wanted to see federal action to protect our online privacy.  The tech companies all testified for it in late 2018, GDPR was working in the EU, and CCPA was coming in 2020, so the momentum was there.  There is virtually no voice out there for NOT having a federal privacy law.

Was there a lot of activity relating to privacy laws this year?  Yes.  Did they get anywhere?  Not really.  However, the pressure continues to build on this topic.  If you search for federal privacy law and 2019 there will likely be a few articles for every single month about something happening.  It just isn’t getting any closer to a real law any time soon.

The major factor that we had hoped would push the legislation is the fact that the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020.  The impact that law has on businesses operating not only in CA but nationwide will add to the pressure for a federal law.  When you look at just the 72-hour breach reporting and the impressive fines for failure to comply, and how it is enforced, you can assume it will have an impact on the whole country.

There are so many issues that must be addressed to get to a true federal law, however, that it turns out it will be tricky at best.  All kinds of issues must be worked out, such as what takes precedence if a state law is more stringent than the federal law.  Do private citizens have a right of action, or is it limited to just the governing authorities like HIPAA?  What data is covered?

Even more challenging may be how companies define data protections and get consent from individuals.  Do you really know what data and rights you have signed away in those license and privacy agreements?  You may be surprised.

Needless to say, this topic will continue to rear its ugly head until it is resolved; it won’t just go away.  Our federal government is so dysfunctional they can’t even agree on a law that both sides say they agree on every time they are asked.  If it didn’t get done in 2019, it will take a miracle for it to get done before 2021.

We were hopeful, just like many others, going into this year.  Unfortunately, all we have to show for it is hope.  This week another one was proposed, so the saga continues.

2. More civil suits relating to data privacy and security from patients, government, and class actions will be coming.

We know there are plenty of cases out there, but looking back it is hard to decide how to quantify whether there are really more than there were before.  As the public becomes more educated, they will take action when they feel their rights are violated.  Just like with all other things, some people take things too far, but most folks are just looking for you to do the right thing.  When you fail them, they get upset and want to take action.

Patients are becoming more aware of their rights or at least that there is more to HIPAA than “that paper you sign”.  This is prompting them to ask more questions and pursue action when they feel their rights are violated.

While most think of the big class action suits when we talk about these things, I believe there is a much higher likelihood that these privacy lawsuits are filed by a single patient who feels their rights have been violated.  Sometimes it is the result of insider access privacy issues, and sometimes it may have to do with procedural things like access to their medical records.  Either way, they are becoming more commonplace.

The good news is that if you are doing what you are supposed to be doing under HIPAA, it is pretty easy to defend in those cases.  If you are just checking the box for compliance, it will be a lot harder to do.  The training of staff and their attitudes towards their own privacy responsibilities reflect the culture in the company.  If they think they can do what they want as long as they don’t get caught, I would have a hard time defending that program in court.  There clearly isn’t a company culture of privacy and security in place.  I also can’t defend a group that doesn’t have the policies, procedures, and training in place because they are too busy or don’t want to spend the money and resources to get it done.

Montana’s new law lets patients sue in these cases.

Information Sharing Cases

Other cases relate to sharing information, like University of Chicago Medicine and Google, which we will get into more in a minute.  This part of the data sharing discussion with Google involves sharing de-identified data between the hospital and Google under a data use agreement that let Google use its processing tools to glean treatment information and much more by analyzing outcomes, etc.  UCM has a suit against it for sharing even the de-identified information with Google.  There is much more to the Google story to come when we talk about third parties.

If I have to pick, doing anything with de-identified data is better than complete records.  The problem is that Google has access to so much data that they could try to re-identify it and, my guess is, have a good bit of success.  However, a contract that locks down their ability to use the data only in certain ways, if done properly, could protect you.

They did make a public announcement that they were doing this, which is what prompted the discussions and actions that have been brought.  The class action suits are by those who disagree with that idea and don’t want Google to ever get their data, period, at least not without their consent.  That really comes into play in the other case.

Improper Terminations Case

Before we are done, there is another HIPAA related case happening from a different angle that should not be missed.  When employers terminate employees for violating HIPAA, the employees are suing their employer for firing them.  I just read an article reviewing a case in PA that dealt with that issue.  An employee was fired for violating HIPAA and sued, claiming that the actions involved did not warrant termination.  We always stress having a clear-cut sanction policy for exactly this reason.  They had one that was very vague.  That approach leaves it possible for both sides to argue what constitutes a violation at the level of termination.  In this review a very specific point was made based on the court ruling in favor of the employee.

An employee handbook that merely provides a statement that violating HIPAA or FERPA laws will result in disciplinary action does not provide employees with sufficient information as to the expected conduct to protect the privacy and confidentiality of . It is a stinging realization that a covered entity must accept that an employee terminated for violating a HIPAA policy would be eligible to receive unemployment compensation and worse for a covered entity to face OCR or the Department of Education enforcement action because of the lack of or inadequate policies and procedures.

3. States are becoming very active in prosecuting and adding new laws to give them more enforcement tools.

The 12 state settlement with Medical Informatics Engineering told us a lot.  Check out the details in Vendor Pays $1M + 5 Yr Action Plan – Ep 208 to see just how much the states’ involvement matters.

States have added more privacy and data breach notification laws; see Nevada, NY, California, etc.  It will not stop until there is a resolution at the federal level.

We know most of this has been covered in the predictions above at this point.  So, let’s get to the two big stories that our last two predictions hit and missed.

4. Supply Chain becomes a priority.

OMG!  Did this one become a huge issue in 2019!  There are many stories about these issues that we have covered in episodes this year.  Wow, just wow, is what we have said in many of them.

This list of episodes makes it clear we hit the nail on the head with this one.

Ep 196 2 Third Party Breach Stories

Ep 203 3 Supply Chain Security Stories

Ep 209 BA Guidance On Liabilities From OCR

Ep 216 Who Is A BA?

Ep 218 Questions To Ask IT

Ep 233 What’s in your BAA?

Third party issues continue to make the news and have consistently been becoming a larger issue for everyone involved.  Just look at the two cases we are still following from 2019 that probably won’t clear up any time soon.

American Medical Collections Agency

The AMCA data breach has left a trail of breach reports announced by lab companies.  As of this writing, 7 of the top 15 breaches on the OCR Breach Portal (aka Wall of Shame) reported in 2019 come from that one breach.  This one is huge with a long list of implications, especially since the company is basically out of business after immediately losing 4 of its largest clients.  Where this goes remains to be seen.  Do not be surprised if there is one person who fell for phishing or an insider who was involved in exfiltrating data to criminals.  It may be years before we know it all, but it will come out.  It needs to anyway, because this one is way too big.

Google and Ascension

And then we get to the Google and Ascension deal.  There are big issues with this one for sure.  My first problem is how sneaky it looks just in the way it came out.  There wasn’t a public announcement about Ascension’s agreement to send complete medical records to Google’s Project Nightingale.  In July, Google just mentioned the project in an earnings call.  The Wall Street Journal looked into it and started asking about it, and before long everyone was asking about it.  Prior to that moment, not a word about the deal seems to have been announced by the companies.  The best way to make people feel comfortable about your intentions is to do the deal in secret, right?  Yeah, about that, they said in later discussions.  I, for one, have very big concerns.

This is very different from the Chicago deal, because in this one they defined Google as a Business Associate who would take the entire record set and use it to find information with the AI they are calling Project Nightingale.  In this situation

The NY Times report included this statement:

At least a few Ascension employees in the project have raised concerns that Google employees downloaded patient data, according to the internal documents. They have also raised concerns about whether all of the Google software involved in processing Ascension patient data complies with a federal privacy law.

NY Times: Google to Store and Analyze Millions of Health Records

When organizations as big and data hungry as Google start to have full access to medical records, we all have to think twice.  I just don’t see them having regular conversations about making sure PHI remains confidential when they are sitting in planning meetings.  Google is a data company.  They sell a huge number of services that are possible due to the vast amount of data they hold.  Individual privacy is not something they are known for when it comes to what they do with vast amounts of your data.

If insiders at Ascension are worried that PHI isn’t being handled properly, then we should all be concerned.  It sounds like those are the folks who take HIPAA seriously, not the ones making all these deals between the two companies.

5. Crypto-mining will become a bigger threat than ransomware.

Wow, did this one blow up!  Ransomware fell out of favor with the criminals in 2018 because they switched to attacks related directly to the cryptocurrency market.  That seemed to be more lucrative.  Unfortunately, for several reasons, they returned to ransomware attacks in 2019.

Ransomware Is Getting Scarier – Ep 194

We Are Shutting It Down – Ep 200

Consider ransom payments BEFORE attacks – Ep 211

Tales From The Dark Side Of HIPAA – Ep 227

The really bad news about the switch back to ransomware is that they have found renewed success by attacking businesses directly.  They are making big money attacking IT vendors and using them as a gateway to hit all of an MSP’s clients at one time.  We even talked about that in our Halloween episode.

Well, we may not have been perfect, but we certainly made a good stab at it.  In a few weeks we will review our predictions for the coming year.  There are a lot of things up in the air, but plenty of places for us to make an educated guess as to where we will be a year from now.

Remember to follow us and share us on your favorite social media site.  Rate us on your podcasting apps; we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.