
Breach Equals Class Action Lawsuits – Ep 435 

 December 1, 2023

By Donna Grindle

A data breach can have significant and far-reaching consequences for both patients and businesses in the healthcare industry. Today, we delve into the impacts of a recent breach and discuss the evolving challenges of managing healthcare vendors with access to sensitive patient information. Plus, we weigh in on patient privacy concerns when it comes to the media.


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!



HIPAA Briefs

[05:35] May HIPAA-covered health care providers allow media or film crews to film patients in their facilities where patients’ protected health information will be accessible without the patients’ authorization if the patients’ faces are blurred or their identities are otherwise masked in the video?

Can a covered health care provider ever allow the media to film patients in areas of their facilities where patients’ PHI will be accessible?

2023-Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization | HHS.gov

Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in

Take the time to realize that patient privacy should come first, before an interview, a discussion with a reporter, or filming anything. You cannot assume it is okay, period.

HIPAA Say What!?!

[14:48] St. Joseph’s Medical Center provided a national media outlet access to COVID-19 patients’ protected health information. The moral of the story is don’t talk to reporters and allow video to be taken of your patients while you are talking to the reporter.

St. Joseph’s Medical Center is a non-profit academic medical center in New York.

St. Joseph’s Medical Center Resolution Agreement and Corrective Action Plan | HHS.gov

The resolution agreement means SJMC has paid OCR $80,000 and agreed to a 2 year corrective action plan (CAP).

When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization. Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first.

OCR Director Melanie Fontes Rainer

OCR investigated St. Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognosis, vital signs, and treatment plans.

OCR determined that St. Joseph’s Medical Center disclosed three patients’ PHI to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a health care provider), may not use or disclose protected health information, except either:

  • As the HIPAA Privacy Rule permits or requires; or
  • The individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

Therefore, regulated entities cannot disclose a patient’s protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when health care providers have print or television reporters on the premises.

405(d) Tip of the Week

[19:05] Everyone in a healthcare organization has a role to play in cybersecurity. These two new posters highlight the importance of everyone in an organization understanding their part in keeping patients safe from cyber threats. We encourage everyone to share these posters with the medical and IT staff and always remember that Cyber Safety is Patient Safety!

Medical Practitioners – Cyber Care is Patient Care

Practice Administrators & IT Professionals – Cyber Care is TOTAL Care

Breach Equals Class Action Lawsuits

[20:31]

Cyber Incident Notice – PJ&A

Nevada-based Perry Johnson & Associates is a transcription service. They have announced a major breach of the data they hold on file from all of their clients.

Medical Transcriber’s Hack Breach Affects at Least 9 Million

On Nov. 3, PJ&A filed a breach report with OCR saying 8.95 million patients were involved. Now that number appears to be closer to 9 million. What does another 50K patients on the list matter, huh?

Not a lot of specific details out just yet, but they did say the security incident occurred as follows:

An unauthorized party gained access to the PJ&A network between March 27, 2023, and May 2, 2023, and, during that time, acquired copies of certain files from PJ&A systems. We retained a cybersecurity vendor to assist with the investigation, contain the threat, and further secure our systems. We also directed the vendor to review the affected files and determine their precise contents. Importantly, this incident did not involve access to any systems or networks of PJ&A’s healthcare customers.

There are questions we may never get answered. But, they do say:

Beginning on or about September 29, 2023, PJ&A provided the results of its review to its affected customers and began working with them to notify individuals whose information was identified during the review.

[34:01] Northwell Health, the largest healthcare system in New York State, has stated that 3.9 million of their patients were included. Chicago’s Cook County Health says 1.2 million of the affected patients are theirs. Even with so many people involved in this one, it still isn’t the largest breach this year. HCA says their breach included 11.3 million patients.

This article in Data Breach Today had a section titled “Race to the Courthouse” pointing out that, when the article was written, there were already 6 proposed federal class action lawsuits filed. They added that at least 4 included Northwell. They added an excerpt from the filing:

Northwell’s and PJ&A’s negligent conduct is ongoing, in that they – and their third-party vendors – still hold the personally identifiable information of the plaintiff and class members in an unsafe and unsecure manner.

lawsuit complaint filed Tuesday in New York

This is a reminder of so many points. Between last week’s notice about the attacks becoming more intense and this one, we should also point out that the attack may not happen at the CE, but the CE will get blamed along with the BA. At least you hope the BA takes some of the negative press about it!

Yes, legally, signing a BAA is all you must do under HIPAA. However, that is just not enough to protect your business from taking the hit. Between lawsuits that are filed immediately and hearing your patients’ thoughts about it on social media, in phone calls, in emails, and even through reporters, that is not the way you want to spend a month or two. Look, we brought it back around to the reporters being the source of your pain.

[43:59] It isn’t so easy to just stop using that vendor. As Mike Hamilton, CISO and co-founder of security firm Critical Insight, was quoted in another article about Cook County Health, titled Medical Transcription Hack Affects 1.2 Million Chicagoans:

“It would also depend on having an alternative for the provision of the service – in this case, medical transcription.”

Hamilton said business associates that process PHI should be contractually managed in accordance with the risk of unauthorized disclosure.

“This should include terms that specify that a records breach or network compromise originating with that business associate constitutes grounds for contract termination, including language regarding the return or destruction of records in scope.”

Severing ties with a vendor after a security incident involving healthcare data entails a structured process, Moore said. “It starts with notifying the vendor, ensuring continued access to patient records, and deciding whether data should be returned or securely deleted. Data migration and continuity of care planning are crucial to minimizing disruptions in patient services.”

Contractual obligations and regulatory compliance also must be closely followed, and documentation of all actions is essential for legal and regulatory purposes, Moore said.

[50:28] We agree! Review those BAAs and start vetting using HIC-SCRiM or one of the plethora of third-party management vendors that are popping up everywhere.

Vetting vendors is an integral part of healthcare data security. Healthcare organizations must exercise due diligence when selecting and monitoring vendors to safeguard patient data, maintain compliance with regulations like HIPAA, protect their reputation, and fulfill their legal obligations. Preventing such breaches through robust data security measures is crucial for the well-being of all parties involved, and a proactive approach is vital in an era of increasing cybersecurity threats and the growing importance of data privacy in healthcare.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
