HIPAA Qs Portal Notes
July 5, 2017: HHS ASPR/CIP HPH Cyber Notice: Current International Ransomware Campaign
HHS Office for Civil Rights
OCR provides cybersecurity guidance materials including a cybersecurity checklist, ransomware guidance and cyber awareness newsletters at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html.
For more information on breach reporting, visit https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.
If you are the victim of a ransomware attack
If your organization is the victim of a ransomware attack, HHS recommends the following steps:
- Please contact your FBI Field Office Cyber Task Force (www.fbi.gov/contact-us/field/field-offices) or US Secret Service Electronic Crimes Task Force (www.secretservice.gov/investigation/#field) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
- Please report cyber incidents to the US-CERT (www.us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (www.ic3.gov).
- **NEW** If your facility experiences a suspected cyberattack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1-866-300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.
- For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC@hhs.gov
Mitigating this threat
- Educate users on the phishing tactics commonly used to entice them into opening malicious attachments or clicking links to malicious sites.
- Patch vulnerable systems with the latest Microsoft security patches: https://technet.microsoft.com/en-us/security/bulletins.aspx
- Verify that perimeter tools are blocking Tor .onion sites.
- Use a reputable anti-virus (AV) product with up-to-date definitions to scan all devices in your environment for malware that has not yet been identified. Many AV products automatically clean up or quarantine infections or potential infections when they are identified.
- Monitor US-CERT for the latest updates from the U.S. government. See below for current reporting.
- Utilize HPH Sector ISAC and ISAO resources. See below for further information.
Original release date: June 27, 2017
US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users' access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.
Petya ransomware overwrites the master boot record and encrypts the master file table of infected Windows computers, leaving affected machines unable to boot. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. For general advice on how to best protect against ransomware infections, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).
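The two host-level checks an administrator would run before trusting a Windows machine against the SMB vector described above (is MS17-010 installed, and is SMBv1 still switched on), as an added example that is not part of the HHS or US-CERT text. It assumes an elevated PowerShell 5.x session on the host being checked. The KB numbers listed are my understanding of the packages MS17-010 shipped as for each OS family and should be confirmed against the bulletin; on Windows 10 later cumulative updates supersede them, so a missing KB is a prompt to check update history, not proof of exposure.

```powershell
# Added example (not from the HHS/US-CERT bulletin): verify the MS17-010 mitigations
# on one Windows host. Run from an elevated PowerShell session (assumed: PowerShell 5.x).

# KBs I understand MS17-010 shipped as; confirm against the bulletin before relying on them.
# On Windows 10 later cumulative updates supersede these, so "none found" is not proof of
# vulnerability on its own.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Installed {
    # Returns the MS17-010 KB IDs present in the installed hotfix list (empty array if none).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    @($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Get-Smb1State {
    # Reads every place SMBv1 can be switched on, because the cmdlets differ by OS version.
    $state = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # SMB server setting (Windows 8 / Server 2012 and later)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.ServerEnableSMB1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Optional feature (Windows 8.1 / Windows 10 client)
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature) { $state.SMB1FeatureState = [string]$feature.State }
    }

    # Registry switch honored by the LanmanServer service (all versions; absent means enabled)
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    $state.RegistrySMB1 = if ($null -eq $reg) { 'not set (SMB1 enabled)' } else { $reg.SMB1 }

    [pscustomobject]$state
}

function Disable-Smb1 {
    # Turns SMBv1 off through whichever mechanisms the host supports. Reboot afterwards.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# Report first; remediate only when an operator decides to (call Disable-Smb1 explicitly).
$patch = Test-Ms17010Installed
$smb   = Get-Smb1State
$smb | Format-List

if ($patch.Count -eq 0) {
    Write-Warning "No MS17-010 KB found on $($smb.ComputerName); check Windows Update history for a superseding cumulative update."
} else {
    Write-Output "MS17-010 present: $($patch -join ', ')"
}

if ($smb.ServerEnableSMB1 -eq $true -or $smb.SMB1FeatureState -eq 'Enabled' -or $smb.RegistrySMB1 -ne 0) {
    Write-Warning 'SMBv1 is enabled on this host; run Disable-Smb1 and reboot to close the vector.'
}
```

Disabling SMBv1 is the durable fix regardless of patch state, since the patch only closes the known flaws in a protocol Microsoft has deprecated; check for legacy devices (older printers, imaging systems) that still depend on it before disabling it fleet-wide.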
Sector ISAO and ISAC resources
HITRUST has shared the following Threat Bulletin for distribution.
June 15, 2017: OCR Quick Response Cyber Attack Checklist and Graphic
The U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has developed a checklist and a corresponding infographic that explains the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident.
A Quick-Response Checklist from the HHS, Office for Civil Rights (OCR)
In the event of a cyber-attack or similar emergency an entity:
Must execute its response and mitigation procedures and contingency plans.[i] For example, the entity should immediately fix any technical or other problems to stop the incident. The entity should also take steps to mitigate any impermissible disclosure of protected health information,[ii] which may be done by the entity’s own information technology staff, or by an outside entity brought in to help (which would be a business associate,[iii] if it has access to protected health information for that purpose).
Should report the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. Any such reports should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule.[iv] If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach (see below) for the time the law enforcement official requests in writing, or for 30 days, if the request is made orally.[v]
Should report all cyber threat indicators[vi] to the appropriate federal agencies and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Any such reports should not include protected health information. OCR does not receive such reports from its federal or HHS partners.[vii]
Must report the breach[viii] to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify: individuals without unreasonable delay, but no later than 60 days after discovery; and OCR within 60 days after the end of the calendar year in which the breach was discovered.
OCR considers all mitigation efforts taken by the entity during any particular breach investigation.[ix] Such efforts include voluntary sharing of non-protected breach-related information with law enforcement agencies and other federal agencies and information-sharing and analysis organizations as described above.[x]
For more information regarding ransomware, visit https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
[i] The HIPAA Security Rule requires HIPAA covered entities and business associates to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. See 45 C.F.R. § 164.308(a)(6). The HIPAA Security Rule also requires HIPAA covered entities and business associates to establish and implement contingency plans, including data backup plans, disaster recovery plans, and emergency mode operation plans. See 45 C.F.R. § 164.308(a)(7). See also https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es.
[ii] Protected health information or PHI includes all individually identifiable health information held by HIPAA covered entities and business associates, except for employment records, records covered by FERPA, or information about individuals deceased more than 50 years. PHI includes any health information that relates to the care or payment for care for an individual, and includes, for example, treatment information, billing information, insurance information, contact information, and social security numbers. See also https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[iii] A business associate includes any vendor that creates, receives, maintains, or transmits protected health information (PHI) for or on behalf of a HIPAA covered entity. This includes vendors that have access to PHI to provide IT-related services to the covered entity. See 45 C.F.R. § 164.103, § 164.308, and § 164.502. See also https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
[iv] The HIPAA Privacy Rule permits the disclosure to law enforcement agencies under certain circumstances. See 45 C.F.R. § 164.512(f). See also https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html.
[v] See the HIPAA Breach Notification Rule at 45 C.F.R. § 164.412.
[vi] The Cybersecurity Information Sharing Act of 2015 (CISA) describes cyber threat indicators as information that is necessary to describe or identify: malicious reconnaissance; methods of defeating a security control or exploitation of a security vulnerability; a security vulnerability; methods of causing a user with legitimate access to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; malicious cyber command and control; a description of actual or potential harm caused by an incident; any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or any combination thereof. See also https://www.hhs.gov/hipaa/for-professionals/faq/2072/covered-entity-disclose-protected-health-information-purposes-cybersecurity-information-sharing/index.html.
[vii] The Cybersecurity Information Sharing Act of 2015 (CISA) in Sec. 106 provides that “Liability protections are provided to entities acting in accordance with this title that: (1) monitor information systems; or (2) share or receive indicators or defensive measures, provided that the manner in which an entity shares such indicators or measures with the federal government is consistent with specified procedures and exceptions set forth under the DHS sharing process.”
[viii] Breaches affecting fewer than 500 individuals should be reported to affected individuals as soon as possible, but no later than 60 days after discovery, and reported to OCR within 60 days of the end of the calendar year in which the breach was discovered. See the HIPAA Breach Notification Rule at 45 C.F.R. § 164.404 and § 164.408, and more generally 45 C.F.R. § 164.402-414.
[ix] The HIPAA Enforcement Rule provides that in determining the amount of any applicable civil money penalty, OCR may consider mitigating factors, including matters that justice may require. See 45 C.F.R. § 160.408(e). See also https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html.
[x] The HIPAA Privacy Rule permits the disclosure to law enforcement agencies under certain circumstances. See 45 C.F.R. § 164.512(f). See also https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html.
May 18, 2017: HHS Update #4: International Cyber Threat to Healthcare Organizations
Developer portal users: Are you concerned about WannaCry and other ransomware threats? OCR is putting out regular bulletins to help health sector entities protect health information. Below is the latest update.
HHS Update #4: International Cyber Threat to Healthcare Organizations
If you are the victim of ransomware or have cyber threat indicators to share
If your organization is the victim of a ransomware attack, HHS recommends the following steps:
- Please contact your FBI Field Office Cyber Task Force (fbi.gov/contact-us/field/field-offices) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
- Please report cyber incidents to the US-CERT (us-cert.gov/ncas) and FBI's Internet Crime Complaint Center (www.ic3.gov).
- For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov
HHS Office of Civil Rights Guidance on HIPAA specific to WannaCry
- As outlined in its guidance available on its website, OCR presumes a breach in the case of a ransomware attack. The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach. A request by law enforcement to hold reports tolls the 60-day reporting deadline. For a copy of the ransomware guidance, please see: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es.
- The ransomware guidance also includes important information about ransomware and how compliance with the HIPAA Security Rule helps entities prepare for ransomware attacks, including with regard to contingency planning. For more guidance on the Rule’s requirements, please see https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
- OCR has shared its FAQ on sharing of cyber threat indicators under CISA with federal partners, and it is available on the OCR website. Please see: https://www.hhs.gov/hipaa/for-professionals/faq/2072/covered-entity-disclose-protected-health-information-purposes-cybersecurity-information-sharing/index.html.
- Reporting information to law enforcement, DHS, or other HHS divisions does not constitute inadvertent or intentional reporting to OCR. All reporting of breaches to OCR should be made as required by the HIPAA Breach Notification Rule. Important Note: If the data is not encrypted by the entity to at least NIST specifications when the ransomware attack is deployed, then OCR presumes a breach occurred, due to the ransomware attack. As such, the entity would need to prove, through forensic or other evidence, that the ePHI was encrypted when the attack occurred, and the ransomware containerized (or encrypted again) already-encrypted ePHI. Please see https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
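One way to have the "forensic or other evidence" the note above asks for on hand before an incident rather than reconstructing it afterwards, as an added example that is not part of OCR's guidance: a PowerShell script that snapshots the BitLocker state of every volume on a host with a timestamp, writes it to a record, and hashes the record. It assumes Windows 8 / Server 2012 or later (the BitLocker module) and an elevated session; the output directory is a placeholder.

```powershell
# Added example (not from OCR's guidance): capture a timestamped record of whole-disk
# encryption state that can later support a breach risk assessment. Assumes Windows 8 /
# Server 2012 or later (BitLocker module) and an elevated session.
$OutDir = 'C:\Evidence'   # assumed location; in practice write to a share the host cannot alter

function Get-EncryptionEvidence {
    # One object per BitLocker volume, with the fields an assessor will ask about.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            CapturedUtc       = (Get-Date).ToUniversalTime().ToString('o')
            MountPoint        = $_.MountPoint
            VolumeType        = [string]$_.VolumeType         # OperatingSystem or Data
            VolumeStatus      = [string]$_.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus  = [string]$_.ProtectionStatus   # On means the key protectors are active
            EncryptionMethod  = [string]$_.EncryptionMethod   # e.g. XtsAes256
            EncryptionPercent = $_.EncryptionPercentage
            KeyProtectors     = ($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ','
        }
    }
}

function Test-AllVolumesProtected {
    # True only if every volume is fully encrypted and protection is on.
    param([object[]]$Evidence)
    $unprotected = $Evidence | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
    }
    -not $unprotected
}

$evidence = @(Get-EncryptionEvidence)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
$file  = Join-Path $OutDir ("bitlocker-{0}-{1}.json" -f $env:COMPUTERNAME, $stamp)
$evidence | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8

# Hash the record so later tampering is detectable; keep the hash with the incident log.
$hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
Write-Output "Wrote $file  SHA256=$hash"

if (-not (Test-AllVolumesProtected $evidence)) {
    Write-Warning 'At least one volume is not fully encrypted with protection on; it would not count as secured at rest.'
}
```

The record only speaks to data at rest. Ransomware running on a booted, unlocked host reads files in the clear through the same transparent decryption the user gets, so this snapshot supports the risk assessment for devices that were powered off or locked at the time of the attack; it does not by itself show that ePHI reached by the ransomware was encrypted.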
CISA Protections for private sector information sharing
DHS has provided guidance to non-federal entities sharing threat indicators and defensive measures with federal entities. This document may be useful to private sector legal counsel for interpreting CISA protections. Please visit the below link for details: https://www.us-cert.gov/sites/default/files/ais_files/Non-Federal_Entity_Sharing_Guidance_%28Sec%20105%28a%29%29.pdf
Where can I find the most up-to-date information from the U.S. government?
- For overall Cyber Situational Awareness visit the US-CERT National Cyber Awareness System webpage at: https://www.us-cert.gov/ncas
- NCCIC portal for those who have access: dhs.gov
- Indicators Associated With WannaCry Ransomware:
- US-CERT - Alert - TA17-132A - https://www.us-cert.gov/ncas/alerts/TA17-132A
- ICS-CERT - Alert - 17-135-01 - https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01
Healthcare and Public Health-directed Resources:
- ASPR TRACIE: Healthcare Cybersecurity Best Practices: https://asprtracie.hhs.gov/documents/newsfiles/NEWS_05_13_2017_08_17_11.pdf
- Fact Sheet on the FDA's Role in Medical Device Security: https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf
Why connect with your local fusion center?
The federal government leverages the unique skills and capabilities of the National Network of Fusion Centers. With timely, accurate information on potential threats, fusion centers directly contribute to and inform investigations initiated and conducted by federal entities. This National Network is a "force multiplier" in preventing, protecting against, and responding to criminal and terrorist threats.
Find your local fusion center by visiting: https://nfcausa.org/default.aspx/MenuItemID/117/MenuGroup/Public+Home.htm
FDA's Public Workshop - Cybersecurity of Medical Devices
The Food and Drug Administration (FDA), in association with the National Science Foundation (NSF) and the Department of Homeland Security, Science and Technology Directorate (DHS S&T), is announcing the following public workshop entitled "Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis." The purpose of this workshop is to examine opportunities for FDA engagement with new and ongoing research, catalyze collaboration among Health Care and Public Health (HPH) stakeholders to identify regulatory science challenges, discuss innovative strategies to address those challenges, and encourage proactive development of analytical tools, processes, and best practices by the stakeholder community to strengthen medical device cybersecurity.
This meeting will be held May 18-19, 2017, from 8:00 am to 5:00 pm at the following location:
FDA White Oak Campus
10903 New Hampshire Avenue
Bldg. 31, Room 1503
Silver Spring, MD, 20993
For further details go to: https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm549732.htm
How to request an unauthenticated scan of your public IP addresses from DHS
US-CERT's National Cybersecurity Assessment & Technical Services (NCATS) provides integrated threat intelligence and an objective third-party perspective on the current cybersecurity posture of the stakeholder's unclassified operational/business networks.
- NCATS focuses on increasing the general health and wellness of the cyber perimeter by broadly assessing for all known external vulnerabilities and configuration errors on a persistent basis, enabling proactive mitigation prior to exploitation by malicious third parties to reduce risk.
- Attributable data is not shared or disseminated outside of DHS or beyond the stakeholder; non-attributable data is used to enhance situational awareness.
- NCATS security services are available at no-cost to stakeholders. For more information please contact NCATS_INFO@hq.dhs.gov
May 10, 2017: Thinking About Cybersecurity?
HIPAA Developer Portal Users. Thinking about cybersecurity? OCR offers a helpful crosswalk between the HIPAA Security Rule and NIST’s Cybersecurity Framework that you can find on our website at: https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html
We also wanted to let you know about this upcoming cybersecurity workshop.
The National Institute for Standards and Technology (NIST) is hosting the 2017 Cybersecurity Framework workshop on May 16-17, 2017. This workshop will offer participants the opportunity to:
- Share and learn about Cybersecurity Framework users’ experiences that will help others in making effective use of the Framework,
- Discuss and share their views about proposed updates to the Framework to assist NIST in finalizing Version 1.1 later in 2017, and
- Learn about new Framework-related policy issues and the progress of others' technical work.
The workshop will include multiple plenary sessions as well as concurrent breakout sessions. Registration for the webcast of this event may be found at: https://www.nist.gov/news-events/events/2017/05/cybersecurity-framework-workshop-2017
April 11, 2017: Five More Questions Answered
This week OCR published responses to five questions posted by users on the OCR HIPAA health IT developer portal. They address topics including protection of information, when a business associate relationship exists and identifying what information is protected health information. Find them at http://hipaaqsportal.hhs.gov/.
April 4, 2017: OCR April 2017 Newsletter: Man-in-the-Middle Attacks and HTTPS Inspection Products
The HHS Office for Civil Rights publishes monthly newsletters on cybersecurity and HIPAA Security Rule compliance. The OCR April 2017 cybersecurity newsletter, #14, "Man-in-the-Middle Attacks and HTTPS Inspection Products," can be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
March 28, 2017: From OCR: New Resources Available to Health App Developers
Working on a health app? You can reach guidance on HIPAA from our health app developer portal. I want to tell you about another resource, the ONC Tech Lab Innovation space. They are focusing on Connecting and Accelerating a FHIR App Ecosystem, to support technology that can pull information from different sources and present it in a user-friendly way. Take a look at https://www.healthit.gov/techlab/innovation/connecting-accelerating-fhir-app-ecosystem. The Tech Lab is https://www.healthit.gov/techlab/index.html.
Last Monday the Tech Lab hosted a webinar to present the results of several challenges, including the Consumer Health Data Aggregator Challenge. See https://www.healthit.gov/InteropActionDay for more.
On February 1, 2017, OCR announced a civil money penalty against Children’s Medical Center of Dallas based on its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. The organization has paid the full civil money penalty of $3.2 million. OCR offers helpful guidance on getting started with HIPAA Security Rule compliance on our website.
Feb. 2, 2017: From OCR: A new workshop and HHS announces a civil money penalty against a hospital
Next week in San Diego, OCR will present at a workshop on privacy and security for health tech entrepreneurs, sponsored by the California Health Care Foundation. Registration is open. Also, HHS has announced a civil money penalty against a hospital for, among other failures, not properly encrypting the patient information on mobile devices and multiple breaches. The announcement is below.
First, the workshop: http://bit.ly/2jDDa2y
Health Data Innovator Privacy and Security Workshop
Wednesday, February 08 2017
11:30 AM - 3:00 PM
10996 Torreyana Road, Suite 200
San Diego, CA 92121
Tuesday, February 07 2017
Have you heard of HIPAA, but are not sure how it applies to your work? Are you interested in reducing your data security and privacy risks? On Wednesday, February 8th, in the Biocom Boardroom, Biocom will host a data privacy and security workshop for Bio and Health Tech entrepreneurs and their collaborators. The workshop is supported by the California Health Care Foundation and facilitated by AcademyHealth.
What to Expect
With a focus on use cases, guidance, and practical takeaways, the workshop will outline your responsibilities and help you navigate the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA), including other federal and California privacy and security laws.
In addition, the workshop will review core principles and the key steps required to build a privacy and cybersecurity program for your product(s).
Workshop presenters include:
- Jodi Daniel, Partner, Crowell & Moring, LLP, and the former Director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC)
The workshop begins with a networking lunch, where you can connect with other colleagues interested in risk assessment and compliance issues. Space is limited.
Who Will You Meet at the Workshop?
Attendees of the workshop include new market entrants and application developers, investors, and others seeking to learn more about health data privacy and security.
February 1, 2017: Lack of timely action risks security and costs money
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty against Children's Medical Center of Dallas (Children's) based on its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. OCR issued a Notice of Proposed Determination in accordance with 45 CFR 160.420, which included instructions for how Children's could file a request for a hearing. Children's did not request a hearing. Accordingly, OCR issued a Notice of Final Determination and Children's has paid the full civil money penalty of $3.2 million. Children's is a pediatric hospital in Dallas, Texas, and is part of Children's Health, the seventh largest pediatric health care provider in the nation.
On January 18, 2010, Children’s filed a breach report with OCR indicating the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals. On July 5, 2013, Children's filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. Children's reported the device contained the ePHI of 2,462 individuals. Although Children's implemented some physical safeguards to the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also provided access to the area to workforce not authorized to access ePHI.
OCR's investigation revealed Children's noncompliance with the HIPAA Rules, specifically a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 9, 2013. Despite Children's knowledge of the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.
The Notice of Proposed Determination and Notice of Final Determination may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Childrens
To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html
Follow OCR on Twitter at http://twitter.com/HHSOCR
Jan. 24, 2017: Linda Sanches of OCR to speak at the first Digital Diabetes Congress in San Francisco in March
Linda Sanches of OCR will be speaking about HIPAA privacy & integration of patient information collected through mobile tools and applications into EHRs at the first Digital Diabetes Congress, to be held March 7-8, 2017 in San Francisco (https://www.diabetestechnology.org/ddc/).
From the website: “The meeting will cover areas for mobile communication tools and applications used for diabetes. We will emphasize ways to overcome regulatory, design, clinical, research, and financial barriers, so that useful applications can be created for improved outcomes.”
Jan. 17, 2017: January 2017 Cyber Awareness Newsletter Posted
OCR has posted its January 2017 cyber awareness newsletter about HIPAA Security Rule requirements for audit controls. You can find it posted here: https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf.
Webinar Date & Time: Thursday, January 12, 2017 at 2:00pm – 3:00pm ET
Oct. 18, 2016: From OCR - New Helpful Links, Notes and Answered Questions Page
This week, we'd like to announce a few more updates:
- We've added some more Helpful Links on the Helpful Links page, and we've also reorganized them.
- We've added a Notes page. It's a one-stop shop for all the messages we've sent from this community. If you missed one or misplaced one, don't worry; you can always get the info from the Notes page.
- We've also added an Answered Qs page where you can easily find the answers to archived questions.
As always, keep coming back to the community to share new questions and comment on existing questions. Thanks!
Oct. 11, 2016: From OCR - New Cloud Computing Guidance Up!
We are excited to announce an important new resource for the health tech industry--Guidance on HIPAA and Cloud Computing. Developers and other users of this portal have raised many questions about how HIPAA applies to business relationships in the rapidly evolving health IT community. With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with the HIPAA Rules. In response, OCR has issued this new guidance to assist organizations, including cloud service providers (CSPs), in understanding their HIPAA obligations. The guidance presents key questions and answers to assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit electronic protected health information using cloud products and services. The questions addressed should look familiar to portal users, as the guidance drew upon your questions and comments. You can find the guidance on the OCR developer portal landing page as well as on OCR’s website.
Safeguarding Health Information: Building Assurance through HIPAA Security
The National Institute for Standards and Technology (NIST) and OCR are pleased to co-host the 9th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, on October 19-20, 2016 at the Capital Hilton, Washington, D.C. Registration for this event is now open: https://www2.nist.gov/news-events/events/2016/10/safeguarding-health-information-building-assurance-through-hipaa-security. The conference will highlight the present state of healthcare cybersecurity, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.
Malicious cyber-attacks on electronic health information systems, such as through ransomware, compromise the integrity and availability of data, and are one of the biggest current threats to health information privacy. OCR has issued HIPAA guidance to help health care entities better understand and respond to the threat of ransomware.
In February 2016, OCR issued a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework, which NIST developed in 2014. This tool helps HIPAA covered entities and business associates manage and reduce cyber risks.
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to develop a Framework for Improving Critical Infrastructure Cybersecurity and to help organizations in various industries understand, communicate, and manage cybersecurity risks. We worked with the National Institute of Standards and Technology (NIST) and the HHS Office of the National Coordinator for Health Information Technology (ONC) to map the Security Rule to the Framework.
In the health care space, HIPAA covered entities and business associates must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they create, receive, maintain, or transmit. This includes efforts to understand, and address cybersecurity.
The crosswalk is a voluntary tool to assist organizations in assessing and managing security risks, while also assuring critical operations and service delivery.
This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.
The Crosswalk and links to additional resources may be found on OCR’s website at: www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf.
Oct. 5, 2016: From OCR – Health 2.0; new FAQ about Health IT Business Associates; Upcoming Security Conference
Last week I had the opportunity to attend the 10th Health 2.0 fall conference in Santa Clara, CA. When I was not learning about innovative technology collaborations and considering their potential contributions to individual and community health, I was meeting with technology start-ups, patient advocates and policy makers. I also presented on two panels for the Health Data Innovator Privacy and Security Workshop, offered by AcademyHealth and the California Health Care Foundation. The workshop was designed to help health care entrepreneurs and app developers understand HIPAA regulations and other privacy and security laws and consider strategies for navigating them. AcademyHealth and HHS previously collaborated on the Health Datapalooza 2016 workshop, Privacy and Security 2.0: From Challenge to Enabler—the materials are still posted on their site.
Also last week, OCR posted an FAQ about the obligations of Health IT business associates to make health information available to their health plan and health care provider customers. You may find the new FAQ on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/faq/.
Finally, register for a new event: the National Institute of Standards and Technology (NIST) and OCR are pleased to co-host the 9th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, on October 19-20, 2016 at the Capital Hilton, Washington, D.C. Registration for this event is now open: https://www2.nist.gov/news-events/events/2016/10/safeguarding-health-information-building-assurance-through-hipaa-security. The conference will highlight the present state of healthcare cybersecurity, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.
Follow us on Twitter @HHSOCR.
Office for Civil Rights, HHS
July 20, 2016: HIPAA Developers and Friends: HHS released several items over the last week that may interest you.
Ransomware: To help health care entities and business associates better understand and respond to the threat of ransomware, OCR has released new HIPAA guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats. See http://www.hhs.gov/blog/2016/07/11/your-money-or-your-phi.html and http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA: Our colleagues at the Office of the National Coordinator for Health IT released a new report that takes a look at the challenges of protecting privacy and security of identifiable health information in some new health IT technologies. As more and more health information is digitized with tools like wearables, fitness trackers and even health social media, the need to make sure identifiable health information is private and secure increases. However, many of these tools didn’t exist when HIPAA was first enacted in 1996. OCR and the FTC worked with ONC to produce the report. See https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/examining-oversight-privacy-security-health-data-collected-entities-not-regulated-hipaa/.
HIPAA Audits: Last week, Phase 2 of the audit program kicked into high gear when OCR issued notice to 167 covered entities that they will be undergoing desk audits. Business associates will be selected and audited later this year. See http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.
$2.7 million settlement for potential HIPAA violations: And, in the category of learn-from-the-experiences-of-others: http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html. In this case, OCR’s investigation uncovered evidence of widespread vulnerabilities within the entity’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement. In addition, the entity did not act in a timely manner to reduce documented risks and vulnerabilities to a reasonable and appropriate level, lacked policies and procedures to prevent, detect, contain, and correct security violations, and failed to implement a mechanism to encrypt and decrypt ePHI (or an equivalent alternative measure) for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk. To learn more about how to protect individual health information, take a look at the helpful links page and https://www.healthit.gov/providers-professionals/ehr-privacy-security.
June 21, 2016: HIPAA Qs Portal Update
Good afternoon to our HIPAA Qs followers.
Take a look at this blog post by the HHS Chief Privacy Officer, about the new web tool we created in collaboration with our colleagues there and in FDA and FTC. https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/educating-health-app-developers-regulatory-requirements/
When does information received by a covered entity become subject to HIPAA? What about when a physician hears about a celebrity’s health condition from a TV talk show? This was a comment on the question of HIPAA and patient-generated data. OCR responded to this query today.
Last week we answered a question about selling data collected by a consumer-targeted health app. This is the second portal question about de-identification — you can find the other one by searching on the term from the Questions page.
What about text messaging? This topic is the top vote-getter, and we assure you, we noticed. These questions are feeding into the guidance that we are developing on the topic. Meanwhile, please vote on questions so we understand your priorities.
June 14, 2016: A Pro Tip from HIPAA Qs Portal
A few things to share this week: an interesting article about the Portal and a pro tip for users.
We found this article about the guidance on the HIPAA Qs Portal interesting: It calls the OCR health app guidance “the beginning of an evolution” of mobile in health care. Read it here: http://searchhealthit.techtarget.com/feature/Experts-weigh-in-on-HHS-healthcare-app-development-guidance.
Also, a pro tip: With all the new questions coming in, it's hard to keep track of what you've seen and what you haven't. Did you know that you can see a random assortment of them each time you enter the community?
All you have to do is click on the "Random" tab to see a random assortment of questions. This way, you're not always seeing the most recent or most popular questions, enabling you to potentially catch ones you might have missed. http://hipaaqsportal.hhs.gov/.
June 7, 2016: HIPAA Qs Portal Update
Last week we posted answers to five more questions; take a look at the “Answered Questions” section. We also have added new links we think you might want to explore if you are developing tools for consumers and their health information. You can find them on the helpful links page, and below.
- In January and February 2016, OCR issued comprehensive guidance on the right of consumers, under the HIPAA Privacy Rule, to access and obtain a copy of their health information, and to have it sent to a third party. The guidance explains how that right applies to electronic health information. With the increasing use of and continued advances in health IT, individuals have ever-expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand. Health app technology companies can build on this guidance to develop consumer-facing products that enable consumers to take charge of their health. Health app developers also may offer products to covered providers and health plans that incorporate the required functionality. http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
- Last Thursday, OCR and the Office of the National Coordinator for Health IT released Your Health Information, Your Rights!, a series of three short, educational videos to help consumers understand their right under HIPAA to access and receive a copy of their health information. The videos cover patient health apps. http://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
- Finally, please come back into the community and take our poll on where we should post our guidance.
May 23, 2016: An Update and a Pro Tip From the HIPAA Qs Portal
Thanks again for all your great input to the HIPAA Questions Portal! We've had quite an uptick in participation over the last couple weeks, with several new questions, comments and responses from OCR. So be sure to log back in and check it out!
On that note, if you'd like to keep up to date with everything going on in this community, click "Subscribe to Campaign" here in the navigation bar. (You'll have to be logged in for it to appear.) This will send you an email notification anytime there's a new question or answer posted.
Keep those great questions coming!
May 16, 2016
Greetings! Many of you have let us know that you are having trouble accessing the Health App Use Scenarios and HIPAA guidance and we apologize for the broken links and confusion. We have applied new security settings in the community, and these security actions mean that you can no longer access the document directly from your browser. Instead, from your browser navigate to the community URL: http://hipaaqsportal.hhs.gov/. From there or the helpful links page you can click on the button to open the document. You may need to clear your cache so your browser does not automatically redirect to the no-longer-functioning address.
May 9, 2016
First, thanks again for taking the time to join the discussion at hipaaqsportal.hhs.gov. We appreciate your questions and your feedback and are working to respond in a variety of ways. We have commented directly to some questions. Others we used to develop the health app developer use scenarios—which you can read from our home page. Some questions helped us design the new FTC mobile health app tool, which you can reach on the “which federal laws apply to you” button on the links page.
Secondly, we want to announce a few additions to the community that we hope will make your experience more intuitive and rewarding.
1) Based on your requests, we've added some new content to the helpful links page. Check it out!
2) Speaking of helpful links, we'll be running a poll over the next month to get your feedback on where you'd like us to house additional information developed on the topic of health apps and health privacy and security. Check back in to give us your opinion!
3) Finally, we've debuted a new section where we'll move all questions that have been answered, titled "Answered Questions." You'll now be able to see the question and OCR's response. You'll then have the opportunity to continue commenting on the question to get further clarification.
Thanks again for your participation, and don't forget to log back in to see, vote and comment on the latest questions and answers, and to add your own!