A data breach can have significant and far-reaching consequences for both patients and businesses in the healthcare industry. Today, we delve into the impacts of a recent breach and discuss the evolving challenges of managing healthcare vendors with access to sensitive patient information. Plus, we weigh in on patient privacy concerns when it comes to the media.
In this episode:
Breach Equals Class Action Lawsuits – Ep 435
Today’s episode is brought to you by: Kardon and HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Briefs
[05:35] May HIPAA-covered health care providers allow media or film crews to film patients in their facilities where patients’ protected health information will be accessible without the patients’ authorization if the patients’ faces are blurred or their identities are otherwise masked in the video?
Can a covered health care provider ever allow the media to film patients in areas of their facilities where patients’ PHI will be accessible?
Take the time to realize that patient privacy comes first, before an interview, a discussion with a reporter, or filming anything. You cannot assume it is okay, period.
HIPAA Say What!?!
[14:48] St. Joseph’s Medical Center provided a national media outlet access to COVID-19 patients’ protected health information. The moral of the story is don’t talk to reporters and allow video to be taken of your patients while you are talking to the reporter.
St. Joseph’s Medical Center is a non-profit academic medical center in New York.
St. Joseph’s Medical Center Resolution Agreement and Corrective Action Plan | HHS.gov
The resolution agreement means SJMC has paid OCR $80,000 and agreed to a 2-year corrective action plan (CAP).
OCR investigated St. Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognosis, vital signs, and treatment plans.
OCR determined that St. Joseph’s Medical Center disclosed three patients’ PHI to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a health care provider) may not use or disclose protected health information, except either:
- As the HIPAA Privacy Rule permits or requires; or
- The individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Therefore, regulated entities cannot disclose a patient’s protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when health care providers have print or television reporters on the premises.
405(d) Tip of the Week
[19:05] Everyone in a healthcare organization has a role to play in cybersecurity. These two new posters highlight the importance of everyone in an organization understanding their part in keeping patients safe from cyber threats. We encourage everyone to share these posters with the medical and IT staff and always remember that Cyber Safety is Patient Safety!
Medical Practitioners – Cyber Care is Patient Care
Practice Administrators & IT Professionals – Cyber Care is TOTAL Care
Breach Equals Class Action Lawsuits
[20:31] Nevada-based Perry Johnson & Associates (PJ&A) is a medical transcription service. They have announced a major breach of the data they have on file from all of their clients.
Medical Transcriber’s Hack Breach Affects at Least 9 Million
On Nov. 3, PJ&A filed a breach report with OCR saying 8.95 million patients were involved. Now that number appears to be closer to 9 million. What do another 50K patients on the list matter, huh?
Not a lot of specific details out just yet, but they did say the security incident occurred as follows:
An unauthorized party gained access to the PJ&A network between March 27, 2023, and May 2, 2023, and, during that time, acquired copies of certain files from PJ&A systems. We retained a cybersecurity vendor to assist with the investigation, contain the threat, and further secure our systems. We also directed its vendor to review the affected files and determine their precise contents. Importantly, this incident did not involve access to any systems or networks of PJ&A’s healthcare customers.
There are questions we may never get answered. But, they do say:
Beginning on or about September 29, 2023, PJ&A provided the results of its review to its affected customers and began working with them to notify individuals whose information was identified during the review.
[34:01] Northwell Health, the largest healthcare system in New York State, has stated that 3.9 million of their patients were included. Chicago’s Cook County Health says 1.2 million are their patients. Even with so many in this one, it still isn’t the largest one this year. HCA says their breach included 11.3 million patients.
This article in Data Breach Today had a section titled “Race to the Courthouse” pointing out that when the article was written there were already 6 proposed federal class action lawsuits filed. They added that at least 4 included Northwell. They added an excerpt from the filing:
This is a reminder of so many points. Between this and last week’s notice about the attacks becoming more intense, we should also point out that the attack may not happen at the CE, but the CE will get blamed along with the BA. At least you hope the BA takes some of the negative press about it!
Yes, legally, signing a BAA is all you must do under HIPAA. However, that is just not enough to protect your business from taking the hit. Everything from lawsuits that are filed immediately to hearing your patients’ thoughts about it on social media, in phone calls, in emails, and even from reporters is not the way you want to spend a month or two. Look, we brought it back around to the reporters being the source of your pain.
[43:59] It isn’t so easy to just stop using that vendor. As Mike Hamilton, CISO and co-founder of security firm Critical Insight, was quoted in another article about Cook County Health, Medical Transcription Hack Affects 1.2 Million Chicagoans:
“It would also depend on having an alternative for the provision of the service – in this case, medical transcription.”
Hamilton said business associates that process PHI should be contractually managed in accordance with the risk of unauthorized disclosure.
“This should include terms that specify that a records breach or network compromise originating with that business associate constitutes grounds for contract termination, including language regarding the return or destruction of records in scope.”
Severing ties with a vendor after a security incident involving healthcare data entails a structured process, Moore said. “It starts with notifying the vendor, ensuring continued access to patient records, and deciding whether data should be returned or securely deleted. Data migration and continuity of care planning are crucial to minimizing disruptions in patient services.”
Contractual obligations and regulatory compliance also must be closely followed, with documentation of all actions being essential for legal and regulatory purposes, Moore said.
[50:28] We agree! Review those BAAs and start vetting using HIC-SCRiM or one of the plethora of third-party management vendors that are popping up everywhere.
Vetting vendors is an integral part of healthcare data security. Healthcare organizations must exercise due diligence when selecting and monitoring vendors to safeguard patient data, maintain compliance with regulations like HIPAA, protect their reputation, and fulfill their legal obligations. Preventing such breaches through robust data security measures is crucial for the well-being of all parties involved, and a proactive approach is vital in an era of increasing cybersecurity threats and the growing importance of data privacy in healthcare.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.