Healthcare record breaches tripled in 2018

There was at least one health data breach a day and 503 health data breaches overall in 2018 according to analysis released this week.

The number of breached patient records tripled in 2018, to the tune of some 15 million patient records, according to research released this week.

Those numbers – 5,579,438 records in 2017 to 15,085,302 records in 2018 – come despite only a modest uptick in health data breaches, from 477 in 2017 to 503 in 2018.

The research, Protenus’ 2019 Annual Breach Barometer Report, looked at healthcare data breaches reported in 2018, including information taken from the Department of Health and Human Services’ Office for Civil Rights, letters to state attorneys general, and

The numbers are about in line with research the firm published throughout last year. In August it said there were 3.14 million patient records breached across 150 incidents in Q2 alone, a number which, extrapolated across a full year, comes close to 15 million records.

Looking at the cause of breaches, hacking-related incidents took the cake in 2018, accounting for 44 percent of breaches, a figure that corresponds to a jump in incidents from 178 in 2017 to 222 in 2018. Insider incidents, a category in which the researchers grouped both human error and insider wrongdoing, were still prevalent but less so than the previous year. In 2017 insiders carried out more than a third of breaches, 37 percent. In 2018 insiders committed 28 percent of breaches.

Nearly half, 49 percent, of incidents involved the disclosure of health data by a business associate or other third party. Family snooping remains a big issue and a cause of breaches too: 67 percent of insider breaches came as the result of family members, while snooping co-workers were responsible for 16 percent.

It should come as little surprise that healthcare providers were among the hardest hit in 2018, accounting for 353 breaches, roughly 70 percent of all breaches. 62 of the breaches were reported by health plans and 39 were reported by other entities.

Those statistics lend credence to research published last November suggesting that more protected health information (PHI) is leaked by healthcare providers themselves than by hackers. Research carried out by Michigan State University and Johns Hopkins University found that a quarter of the cases the researchers looked at were caused by internal unauthorized access or disclosure, more than twice the number caused by external hackers.

That’s just one research paper, one that looked at breaches between October 2009 and December 2017, it should be added.

The 44 percent figure in Protenus’ research accounts for 11.3 million patient records impacted by hacking in 2018, more than three times the 3.4 million compromised by hacking in 2017.

One of 2018’s biggest breaches came after AccuDoc, a third party billing vendor of Atrium Health, formerly Carolinas HealthCare System, experienced a breach in September. The North Carolina-based healthcare system indirectly had the billing information of 2.65 million people compromised as a result. Insurance policy information, medical record numbers, invoice numbers, account balances and dates of service may have also been accessed.

These days, it’s difficult for healthcare orgs to be completely immune from cyberattacks. A survey published (.PDF) by the Healthcare Information and Management Systems Society (HIMSS) earlier this month said that two-thirds of non-acute and vendor organizations experienced a security incident over the last 12 months. To that effect, only a small fraction of respondents, 22 percent, said they didn’t experience a significant security incident during the past 12 months.

Securing a modern healthcare organization can be a challenge but is essential in order to safeguard patient data. The Office for Civil Rights at the US Department of Health and Human Services encourages organizations to perform security risk assessments to identify vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Orgs should also ensure they perform security training, phishing simulation tests, and mitigate issues inherent with legacy systems.

Implementing a data protection platform that can secure PHI wherever it lives, whether in the cloud, on internal desktops and laptops, or on network servers, can ensure data security while satisfying the requirements of today’s regulatory environment.

“Breached Healthcare Records Tripled in 2018”. Digital Guardian, US. Retrieved February 15, 2019.

Verizon 2018 Data Breach Investigations Report

What went wrong? An exploration in trends and data.

Within the 53,000+ incidents and 2,200-odd breaches you’ll find real takeaways on what not to do, or at the very least, what to watch for.

At first glance, identifying 53K+ incidents in only 12 months suggests an information security dystopia, an uneven playing field where the bad guys consistently win out. And, the 2018 Data Breach Investigations Report (DBIR) is full of nefarious events by offenders both known and unknown.

However, that same catalog of unscrupulous activities offers security pros a first-hand view into current cybercrime trends, and a map towards developing a prosperous and mature security program.


Healthcare is the only industry where the threat from inside is greater than that from outside. Human error is a major contributor to those stats. Employees are also abusing their access to systems or data, although in 13% of cases, it’s driven by fun or curiosity—for example, where a celebrity has recently been a patient.

The Healthcare vertical is rife with Error and Misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry.

Not easy like Sunday morning

If we were to assess the overall wellness of the Healthcare vertical with regard to security, the prognosis would not be terrifying, but neither would it be encouraging. Something along the lines of “greatly improve your diet, stop smoking and increase your workout routine or else” would cover it. Before we judge them too harshly, however, we must keep in mind a few important facts about the Healthcare vertical:

  • They deal with a vast amount of highly sensitive data that they must retain and protect;
  • That data must be kept current and accurate and must be accessible in a very timely manner for the healthcare professionals who need it (as life or death decisions might be based on it);
  • It is subject to a much higher standard of scrutiny with regard to privacy and disclosure requirements than are most other verticals, due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Et tu, Brute?

As Caesar found out the hard way, often those who do you the most harm can be those closest to you. The Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat. This somewhat bleak finding is linked closely to the fact that there is a large amount of both errors and employee misuse in this vertical. With regard to incidents Healthcare is almost seven times more likely to feature a causal error than other verticals in our dataset, but you might not want to ponder that when you go in to get that appendix removed.

Errors most often appear in the form of misdelivery (62%)—which is the sending of something intended for one person to a different recipient—and is followed by a grouping of misplacing assets, misconfigurations, publishing errors and disposal errors.

Misuse, on the other hand, takes the form of privilege abuse (using logical access to assets, often databases, without having a legitimate medical or business need to do so) in 74% of cases. Interestingly, the motive (when known) is most often (47%) that of “fun or curiosity.” Examples of this are when an employee sees that their date from last weekend just came in for a checkup, or a celebrity visits the hospital and curiosity gets the better of common sense. Not to be forgotten, our faithful friend avarice is still alive and well, with financial gain being the motivation in 40% of internal misuse breaches.

Ransomware is everywhere

No doubt over Thanksgiving dinner you and your family fell into conversation about the possible reasons for the rise of the Crimeware pattern to the number two position in the Healthcare vertical. Of course you did. It’s only natural. It is due to the ransomware epidemic that continues to plague the Healthcare industry. Ransomware accounts for 85% of all malware in Healthcare. Due to Department of Health and Human Services regulations, ransomware outbreaks are treated as breaches (rather than data at risk) for reporting purposes. Consequently, it is difficult to know if Healthcare is more susceptible to ransomware than are organizations in other industries, or if the high percentages being recorded are simply a product of more stringent reporting requirements. Regardless of the reason, the wise security practitioner will take immediate steps to combat this ubiquitous attack type. Due to the ease of the attack, the low risk for the criminal, and the potential for high monetary yields, it is likely here for a lengthy stay in spite of the quality of the hospital food.

Please do not feed the phish

Social attacks (mostly phishing and pretexting) appear in approximately 14% of incidents in Healthcare and are a definite matter for concern. Phishing (70% of social attacks) occurs when an attacker sends a communication—usually an email—to an individual attempting to influence them to open an infected file or click on a malicious link. Once the victim clicks, the criminal can upload malware and engage in other insidious acts that will enable prolonged access to the system. Pretexting (20%) is a similar social attack but is somewhat more involved. In this scenario, the criminal emails, calls or even visits an employee in person and engages them in conversation to fool the victim into providing the attacker with credentials, or other sensitive data, with which they can launch an attack. Like a sort of Norman Vincent Peale gone wrong. Healthcare has a wide attack surface for social tactics due to the very nature of what they do. Relatives and friends calling in to check on patients, third-party providers of equipment and services and so on can provide a social engineering criminal with a great deal of both opportunities and cover.

Please report to lost and stolen

The theft of assets accounts for 90% of the physical action types in Healthcare. The number of stolen assets also went up this year, but that is likely caseload bias. Regardless, laptops and other portable devices, and paper documents consistently go missing from healthcare organizations each year. Victim work areas (offices) account for 36% of theft locations, and employees’ personal vehicles account for 32% of theft. The latter is particularly worrisome because in many instances, the asset in question residing in an employee’s personal vehicle was likely to be a policy violation. However, it must be admitted that we do not have the hard data to definitively prove that statement, but it is offered in the same spirit as “Do you know what the penalty for cruelty to laptops is in this state? No, sir, I don’t. Well, it’s probably pretty stiff.”

Things to consider

Dr., I can’t read this Rx

The theft or misplacement of unencrypted devices continues to feed our breach dataset. Full Disk Encryption (FDE) is both an effective and low-cost method of keeping sensitive data out of the hands of criminals. FDE mitigates the consequences of physical theft of assets by limiting exposure to fines and reporting requirements. Reduce your risk footprint where you can. Seriously, please do this as we are tired of repeating this same recommendation!

Institute a smackdown policy

Ensure that policies and procedures are in place which mandate monitoring of internal Protected Health Information (PHI) accesses. Make all employees aware via security training and warning banners that if they view any patient data without a legitimate business need there is potential for corrective actions.
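As an added illustration of the monitoring this policy calls for (example code written for this page, not tooling from the DBIR or from any product), the following Python runs three simple detections over an EHR audit trail: an access by a user with no assigned care-team relationship to the patient (the privilege-abuse pattern described above), a shared surname between employee and patient (a heuristic for family snooping that needs human review, not proof of misuse), and any access to a patient placed under heightened review, such as a public figure. The log rows, care-team table, watch list and user names are all constructed for the example; a real deployment would take them from the EHR's access log and its admissions, scheduling and billing assignments.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed EHR audit trail for the example (not real data). One row per
# record access; a real feed would come from the EHR export or a SIEM.
AUDIT_LOG = """\
timestamp,user,user_surname,role,patient_id,patient_surname,action
2018-06-01T08:02:10,jsmith,Smith,nurse,P1001,Jones,view
2018-06-01T08:05:44,dkhan,Khan,physician,P1001,Jones,view
2018-06-01T12:31:09,jsmith,Smith,nurse,P2002,Smith,view
2018-06-01T13:15:51,mlee,Lee,billing,P3003,Garcia,view
2018-06-01T13:16:40,mlee,Lee,billing,P3003,Garcia,export
2018-06-01T17:40:12,bwong,Wong,nurse,P4004,Okafor,view
"""

# Constructed treatment/business relationships: which users have a legitimate
# need to open which patient's record (hypothetical assignments).
CARE_TEAM = {
    "P1001": {"jsmith", "dkhan"},
    "P2002": {"dkhan"},
    "P3003": {"mlee"},
    "P4004": {"dkhan"},
}

# Patients under heightened review, e.g. a public figure admitted this week.
WATCHLIST = {"P4004"}


@dataclass(frozen=True)
class Alert:
    rule: str
    timestamp: str
    user: str
    patient_id: str
    detail: str


def detect_phi_misuse(log_text, care_team, watchlist):
    """Run three snooping detections over an audit trail and return the alerts.

    NO_RELATIONSHIP: user is not on the patient's care team (possible privilege abuse).
    SURNAME_MATCH:   user and patient share a surname (possible family snooping;
                     a heuristic for the privacy office to review, not a finding).
    WATCHLIST:       every access to a patient under heightened review is reported.
    """
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        base = (row["timestamp"], user, pid)
        # Unknown patient ids have no care team, so they are treated as no relationship.
        if user not in care_team.get(pid, set()):
            alerts.append(Alert("NO_RELATIONSHIP", *base,
                                f"{row['role']} {user} opened {pid} ({row['action']}) "
                                f"with no assigned relationship"))
        if row["user_surname"].casefold() == row["patient_surname"].casefold():
            alerts.append(Alert("SURNAME_MATCH", *base,
                                f"{user} and patient {pid} share surname {row['patient_surname']}"))
        if pid in watchlist:
            alerts.append(Alert("WATCHLIST", *base,
                                f"{user} accessed watch-listed patient {pid}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape of a daily report to the privacy office."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_phi_misuse(AUDIT_LOG, CARE_TEAM, WATCHLIST)
    for a in found:
        print(f"{a.timestamp} [{a.rule}] {a.detail}")
    print(summarize(found))
```

On the constructed log this raises four alerts: the nurse who opens a chart belonging to someone with her own surname trips both the relationship and surname rules, and the access to the watch-listed patient by a nurse outside that patient's care team trips the relationship and watch-list rules. The billing clerk's export of an account he is assigned to raises nothing, which is the point of keeping the relationship table current: the rule is only as good as the assignments behind it.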

Don’t spread the virus

Preventive controls regarding defending against malware installation are of utmost importance. Take steps to minimize the impact that ransomware can have on your network. Our data shows that the most common vectors of malware are via email and malicious websites, so focus your efforts around those factors.

“2018 Data Breach Investigations Report”. Verizon Enterprise, US. Retrieved February 18, 2019.

Four ways Aligned Risk Management makes HIPAA easier in 2019

Many health care organizations struggle to comply with required HIPAA regulations and many have forfeited important Merit-based Incentive Payment System (MIPS) incentive funds. Aligned Risk Management is here to ensure that every health care organization can affordably comply with HIPAA and MIPS. Below are four simple steps you can take today.

  1. Visit our HIPAA site.
  2. Call or email for a free HIPAA checkup.
  3. Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.
  4. Check out our free FAQ.

Visit our HIPAA site.

Here you will find many free educational opportunities, tools, policy and procedure templates, and other important materials to assist you with your HIPAA compliance efforts.

Call or email for a free HIPAA checkup.

505-908-9040 or

Have an easy conversation with our certified HIPAA professional and gain confidence about your current HIPAA and MIPS readiness, or find out what steps you can take to benefit your organization and patients.

Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.

505-908-9040 or

Federal HIPAA regulations and the advancing care information (ACI) category of MIPS require you to perform an audit-worthy security risk analysis and complete a risk management plan to become HIPAA and MIPS compliant. Aligned Risk Management will guide you through the process and provide you with the policy and procedure templates, tools, and materials necessary to comply with HIPAA, pass an audit, and receive the MIPS incentives you deserve.

Check out our free FAQ.

Whether you are new to HIPAA or just need a refresher, you will find our HIPAA webinars informative and helpful. Join us as we share our HIPAA knowledge and experience, and answer your HIPAA

Memo: Train your staff on the use of password management software

Aligned Risk Management recommends password management software for all staff and especially for staff who work with a large number of external web application accounts.

  • A password manager can help encourage the use of long, complex, and unique passwords.
  • A password manager can reduce the need for users to commit their passwords to memory, making it less likely that they could expose their passwords inadvertently to social engineering attackers.
  • Automated password managers will fail to populate password fields on look-alike phishing pages, which can alert users that they are not accessing the system they expected.
  • Best practices recommended by the National Institute of Standards and Technology (NIST) endorse the use of password managers.

“Verifiers SHOULD permit claimants to use ‘paste’ functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”

National Institute of Standards and Technology, NIST Special Publication 800-63-3: Digital Identity Guidelines.
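The third bullet above, that a password manager will not fill a look-alike phishing page, rests on one mechanism: the manager keys each saved credential to the exact origin it was saved on and does no fuzzy matching. The Python below is an added example written for this page (not the code of any password manager product) that demonstrates that matching, including the cases a phishing page relies on: a different scheme, a hyphen in place of a dot, the real name used as a subdomain of another domain, a non-default port, and a host spelled with a visually identical non-Latin letter. The vault contents and the hostnames ending in `.test` are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed vault for the example: credentials keyed by the exact origin
# (scheme, host, port) on which they were saved. Hostnames are hypothetical.
VAULT = {}

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_origin(url):
    """Reduce a page URL to the origin a password manager compares against.

    Lower-cases scheme and host, fills in the default port, and IDNA-encodes
    the host so that a look-alike built from non-ASCII letters compares as its
    'xn--' form rather than as the Latin string it resembles on screen.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or parts.hostname is None:
        raise ValueError(f"not a web origin: {url!r}")
    host = parts.hostname.encode("idna").decode("ascii")  # hostname is already lower-cased
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return f"{scheme}://{host}:{port}"


def save_credential(vault, url, username, password):
    """Store a credential under the canonical origin of the page it was saved on."""
    vault[canonical_origin(url)] = (username, password)


def autofill(vault, url):
    """Return the saved credential for this page's exact origin, or None.

    A different scheme, port or host, a look-alike domain, or a host that is
    not a web origin at all all yield None: the manager leaves the login form
    empty, which is the user's cue that this is not the site they expected.
    """
    try:
        return vault.get(canonical_origin(url))
    except ValueError:
        return None


# Constructed sample credential saved on the legitimate portal.
save_credential(VAULT, "https://portal.example-health.test/login",
                "nurse.smith", "constructed-example-password")

if __name__ == "__main__":
    for candidate in [
        "https://portal.example-health.test/login",
        "https://PORTAL.Example-Health.test:443/login?next=/home",
        "http://portal.example-health.test/login",
        "https://portal-example-health.test/login",
        "https://portal.example-health.test.attacker.test/login",
        "https://portal.example-health.test:8443/login",
        "https://p\u043ertal.example-health.test/login",  # Cyrillic 'о' in place of Latin 'o'
    ]:
        print(f"{candidate!r:60} -> {autofill(VAULT, candidate)}")
```

Only the first two candidates fill, since case and an explicit default port do not change the origin; every other variant comes back empty. The Cyrillic host is the instructive one: after IDNA encoding it becomes an `xn--` label, so it cannot collide with the saved ASCII origin even though it renders almost identically in the address bar.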

EHRs are killing medical innovation

“The purpose of humanity is not just to sit behind a counter and do things. More free time is not a terrible thing.”

Bill Gates, paraphrased

I have innovated. I developed a mutation assay. I discovered that vacuum ultraviolet light from excimer lasers is safe to use on human tissue. I invented an imaging device to detect burn wound depth and discovered the best laser to debride burn wounds. I invented a laser-based treatment for acne. I developed and patented an online gamified collective intelligence solution to identify dermatology images. I have participated and published as a clinician in numerous population health studies. I’ve got a few more things that I want to build and do based on my four years of medical school education, eight years of post-medical school residency and fellowship training in internal medicine, dermatology and cutaneous surgical oncology and two decades of clinical practice. Ideas for innovation arise from experience as a clinician-physician. We physician-clinicians care for patients, use all our senses, and our minds to recognize problems and apply solutions to improve the value (outcomes/costs) of preventive, medical, surgical or palliative outcomes. One needs to spend only a few hours in the basement stacks of Harvard’s Countway Medical Library to recognize the speed of physician-clinician led medical innovation which has in many ways dwarfed Moore’s Law.

For physician-clinician innovation to occur, doctors need extra hours to work on innovative projects. Clinician-physicians working alone or with others often sacrifice family and friends to accomplish meaningful innovation, but the pay-off, intrinsically for the physician and extrinsically for society and patients, has been worth it. Impediments to physician-clinician-led innovation have devolved during the last five years and are robbing continued progress against diseases and optimized preventive, medical, surgical and palliative care outcomes. The gift of giving clinicians time to gaze, dream and work together to apply the art and sciences of medicine towards the advancement of health care innovation has been stolen by the electronic health record (EHR) and insurance company prior authorization (PA) rationing industries.

When EHRs were first introduced, health information technology seemed like a sound idea. Patient personal medical health information, labs, photos as well as physicians’ assessments and plans would be inputted into interoperable EHRs by physicians around the nation. The EHR in return would tabulate and reveal individual and aggregated data from interoperable EHRs according to all medical chart variables resulting in optimized preventive, medical, surgical and palliative outcomes and costs as well as improved clinical safety for patients and clinical efficiency for their physicians. We now know, despite federal law forcing American physicians to lease EHRs plus an additional $35 billion in taxpayer subsidies poured into the EHR industry — none of the assumed clinical advantages of EHRs have reached fruition. Blockchain or FHIR type decentralized interoperable encoded population health benefiting patients and physicians isn’t happening because optimizing data value equals outcomes/cost solutions are proprietary to industry and may diminish the earnings of the health insurance, pharmaceutical, medical malpractice, hospital, and EHR industries.

Another major unintended consequence of the government forcing physicians to use EHRs has been the shift of physician-clinician work, financial resources and time away from direct patient care and innovation into manual data entry. A recent study published in the Annals of Internal Medicine revealed that for every hour a physician spends in direct patient care the physician must perform two hours of EHR data entry. A similar study by the AMA reveals that physicians’ EHR data entry tasks often follow the physician home into the late evening hours (“pajama time”), leaving little time for extra-clinical activities such as family, friends and continuing medical education or innovation. Yet not one EHR company in America will be transparent and reveal its physician time-motion EHR use data to refute the damning published research. Most patient personal health information, lab data and images entered by physicians (who pay the EHR companies for the privilege of entering data) are sold by the EHR companies to ancillary health care companies but not tabulated, aggregated and returned to physicians or patients to improve outcomes/costs.

With little or no extra time for extracurricular activities beyond their practices and inputting data for sale by the EHR companies, there can be little physician-clinician innovation on any kind of translatable scale.

In addition to the EHR industry, another time drain has devolved to interfere with the ability of the physician-clinicians to innovate. Until recently, physicians would use their clinical intelligence based on years of training, continuing medical education and clinical experience to optimize preventive, medical, surgical and palliative outcomes and costs for their patients and their families. Physicians perform histories and physical examinations often resulting in prescriptions for medications, diagnostic orders, specialist referrals or recommended treatments to optimize prevention, medical, surgical and palliative outcomes for patients and their families. This science of the physician-patient interaction combined with the art of empathy is the essence of what doctors do.

Today, most private health insurance corporations ration and interfere with physicians’ diagnostic and treatment decisions via a health insurance industry solution termed “prior authorization” (PA) to enhance insurance company profits. Prior authorization forces millions of patients and their physicians to spend hours daily manually completing multiple pages of paper or internet forms for re-submission to a non-physician insurance industry bureaucrat who — after days, weeks or months of delay — decides if the physician’s recommended diagnostics or treatments for his or her patient will be reimbursed or allowed by the health insurance company.

Most often, health insurance corporate PA decisions against the patients and against medical advice are not made by a board-certified physician who performs a history or physical exam or discussion with the targeted patient. There is not a patient or physician in America with private health insurance who hasn’t experienced the demeaning and potentially dangerous task of manual PA health care rationing of medications, diagnostics or treatments. What’s good for the patient based on the physician’s assessment may be harmful to the earnings of the insurance or pharmaceutical benefits company, and thus PA rationing was spawned.

Spending tens of hours each week on the clinically valueless and inefficient tasks of data entry into EHRs and attempting to override insurance company prior authorization rationing leaves no time for the physician-clinician to innovate or iterate advances in medicine. The future of health care and the value equals outcomes/costs of health care in America will continue to be damaged by the EHR and health insurance industries by inhibiting clinicians-physicians from participating in medical innovation and clinical translation in America.

“EHRs are killing medical innovation”. Kevin MD, US. Retrieved February 15, 2019.

Critical Parts of a Quality Risk Management Plan (Part 1)

A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks.

The premier HIPAA compliance consulting firm, Aligned Risk Management.

Parts of a Risk Management Plan

  1. Risk Planning
  2. Risk Identification
  3. Risk Analysis
  4. Risk Response Plans
  5. Risk Register

Risk Planning

Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Risk management is the process of identifying, analyzing, mitigating, and communicating risks.


All systems have vulnerabilities. The US Department of Health and Human Services defines a vulnerability as:

[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

The US Department of Health and Human Services defines a risk as:

The net mission impact considering the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.

Risks arise from legal liability or mission loss due to:

  • Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
  • Unintentional errors and omissions;
  • IT disruptions due to natural or man-made disasters;
  • Failure to exercise due care and diligence in the implementation and operation of the IT system.

When a risk event occurs, it is no longer uncertain. It becomes an issue.

Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization, mitigated by controls. The relationship among these five concepts forms the basis of our risk assessment approach, which can be thought of as a formula:

(Impact · Likelihood) × (Threat · Vulnerability)


The risk level is calculated using three underlying components:

  • Likelihood: The probability of the event happening. How likely is it that a threat acts on the vulnerability?
  • Impact: The consequences of the risk event. What happens if the threat acts on the vulnerability?
  • Effectiveness of Existing Controls: Existing controls and their effectiveness at mitigating risk. What is being actively done to mitigate the effects of a risk?

Likelihood × Impact − Controls ⇒ Risk Level

To illustrate, a plane crashing into your office has a high impact, but a low probability. In fact the probability is so low that the overall risk is probably insignificant. On the opposite end of the scale, a road construction project getting delayed due to rain is an event with a low impact but a high probability of occurrence. Thus, it is a significant risk.

A HIPAA Risk Management Plan should begin with an analysis of the risk tolerance of the organization, a Risk Assessment.

  • What projects have been completed in the past and what unexpected issues occurred?
  • What was the response of the organization?
  • What permanent changes were made? Were they justified?
  • Did the response cause a corresponding loss of business?
  • Did the response cause a corresponding loss of future projects?

Risk Levels

Another part of the risk planning portion of the Risk Management Plan is the definition of risk levels. Here is an example:

  • Very Low: The event is highly unlikely to occur under regular circumstances.
  • Low: The event is unlikely but should be noted by the project team.
  • Medium: The event has a normal chance of occurring and the project team should be aware of it.
  • High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
  • Very High: The occurrence of the event should be actively managed and mitigation actions taken.

Aligned Risk Management breaks down risk levels into four categories: Negligible, Marginal, Serious, and Critical.

Negligible Risk

Theoretical risk. Unlikely to be a serious concern.

  • Vulnerability is very unlikely to be exercised, OR
  • Existing controls are highly effective at mitigating the risk, OR
  • Potential impact on security, privacy and availability of ePHI is low

Marginal Risk

Unlikely to be an immediate concern, especially in light of other, more severe risks.

  • Some likelihood that vulnerability could be exercised
  • Existing controls provide some effective mitigation of risk

Serious Risk

Potential for significant impact on operations. Effective risk management, or a reasonable plan for achieving it, is recommended in the near future.

  • Vulnerability is likely to be exercised
  • Existing controls provide inadequate mitigation of risk
  • Potential for significant impact on security, privacy or availability of ePHI

Critical Risk

Failure to implement controls required by HIPAA. Potential liability and exposure to penalties. Potential for malicious exploitation. Exercise of vulnerability could cause mission-critical damage to business operations. Prompt intervention strongly recommended.

  • Vulnerability is very likely to be exercised or is currently being exercised
  • Existing controls provide little effective mitigation of risk
  • Potential for high or even catastrophic impact on security, privacy or availability of ePHI
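To make the relationship Likelihood × Impact − Controls ⇒ Risk Level concrete, and to show how the four categories above (Negligible, Marginal, Serious, Critical) fall out of it, here is an added Python example written for this page; it is not Aligned Risk Management's own scoring tool. The 1–5 likelihood and impact scales, the 0–4 control-effectiveness scale, the Serious/Marginal cut-off and the sample register entries are all assumptions of the example; the categorical rules for Critical and Negligible follow the bullet lists under each level, with the numeric score only separating Marginal from Serious and ordering entries within a level.

```python
from dataclasses import dataclass

# Assumed scales (the page gives the relationship, not the numbers):
#   likelihood: 1 very unlikely .. 5 currently being exercised
#   impact:     1 low .. 5 catastrophic (security, privacy or availability of ePHI)
#   controls:   0 none .. 4 highly effective
LEVEL_ORDER = ["Critical", "Serious", "Marginal", "Negligible"]
SERIOUS_THRESHOLD = 12  # assumed cut-off on the score for Serious vs Marginal


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: int
    hipaa_required_control_missing: bool = False  # a control HIPAA requires is absent


def risk_score(r):
    """The page's arithmetic: Likelihood x Impact - Controls."""
    return r.likelihood * r.impact - r.controls


def risk_level(r):
    """Map a risk to the four categories using the rules under each level."""
    # Critical: a HIPAA-required control is missing, or the vulnerability is
    # (very) likely / currently being exercised, existing controls provide
    # little mitigation, and the potential impact is high or catastrophic.
    if r.hipaa_required_control_missing:
        return "Critical"
    if r.likelihood >= 4 and r.controls <= 1 and r.impact >= 4:
        return "Critical"
    # Negligible: any one of the OR conditions is enough (very unlikely,
    # highly effective controls, or low impact).
    if r.likelihood <= 1 or r.controls >= 4 or r.impact <= 1:
        return "Negligible"
    # Everything else is Serious or Marginal according to the score.
    return "Serious" if risk_score(r) >= SERIOUS_THRESHOLD else "Marginal"


def build_register(risks):
    """Order risks for the register: by level, then by score within a level."""
    return sorted(risks, key=lambda r: (LEVEL_ORDER.index(risk_level(r)), -risk_score(r)))


# Constructed register entries; the ratings are illustrative, not measured.
SAMPLE_RISKS = [
    Risk("Unencrypted laptop with ePHI taken off-site", 4, 4, 1),
    Risk("Aircraft crashes into the office", 1, 5, 0),
    Risk("Phishing email leads to stolen staff credentials", 4, 4, 2),
    Risk("Curious employee views a co-worker's chart", 3, 2, 2),
    Risk("No security risk analysis has been performed", 3, 3, 0,
         hipaa_required_control_missing=True),
    Risk("Loss of backup tapes that are strongly encrypted", 2, 4, 4),
]

if __name__ == "__main__":
    print(f"{'Level':10} {'Score':>5}  Risk")
    for r in build_register(SAMPLE_RISKS):
        print(f"{risk_level(r):10} {risk_score(r):>5}  {r.name}")
```

Two things in the output are worth noticing. The aircraft example from the page lands in Negligible despite its catastrophic impact, because the very-low-likelihood rule short-circuits the score; and the missing risk analysis is Critical even though its raw score is middling, because the category is driven by a HIPAA requirement rather than by arithmetic. Changing one input moves an entry: give the phishing risk controls of 1 instead of 2 and it becomes Critical, which is how the register makes the value of a control visible.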


A good brainstorming tool is to consider the assumptions made by the project. Most projects have disclaimers in their underlying contracts absolving the performing party of various obvious risks, but what about the next most obvious ones?

  • What assumptions has the project budget made?
  • What assumptions has the project schedule made (completion date, milestones, etc.)?
  • What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
  • Which relationships are being assumed to be strong that are not necessarily (owner, sponsor, client, contractor, consultant)?
  • How many previous projects with similar components have been completed successfully? What were the project issues?

Stay tuned for Part 2 of Aligned Risk Management’s series, Critical Parts of a Quality Risk Management Plan.

Project Engineer, Building Better Project Managers.

HIPAA compliance consulting

HIPAA compliance consulting firm
The premier HIPAA compliance consulting firm, Aligned Risk Management.

Aligned Risk Management helps healthcare organizations streamline and simplify HIPAA compliance efforts so that you can get back to providing the critical services your patients need. Our expert consulting staff works with you to ensure the privacy, security, and integrity of your systems. This specialized knowledge makes us the leading consulting firm for HIPAA compliance and healthcare risk management.

We’ll play defense so you don’t have to…

Defense of protected health information and the security of your systems is important to the safety of your patients. But it is also critical to the success of your practice. Data privacy concerns make headlines every day, and healthcare companies are especially vulnerable to the effects of unaddressed risk. Patient concern is growing. Regulations are poised to become more demanding. You want to concentrate on better serving your patients, and we make that possible.

HIPAA compliance has to start somewhere…

Everything starts with a HIPAA risk assessment report, which our analysts will perform and interpret for you. They perform the assessment according to the standards outlined in NIST Special Publication 800-30 (Guide for Conducting Risk Assessments), the gold standard for assessing risk. The results of this report are used to define actionable steps informed by deep-dive interviews with your organization’s key staff, regular site visits, policy document analysis, and vendor contract reviews.

…but our process doesn’t stop with just a risk assessment.

It doesn’t stop there. Risk management is a process, so our program includes regular follow-ups to make sure that you are successful. We assist in implementing recommendations and in documenting your efforts to ensure your success in case of an audit. Together, we’ll find high-value solutions that really matter, instead of wasting resources on unnecessary tools or time-consuming procedures that do not fit the way your organization operates.

Compliance with HIPAA can feel overwhelming. The most frequent question we hear is “Where do I start?” Start right here with Aligned Risk Management, and put yourself ahead of the curve.

Ready to get started? Schedule a meeting with Patrick.

Does HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?

The Question:

Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and HITECH?

The Answer:

Classifying the entity

Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and the HITECH Act? Yes. In general, a provider that “transmits any health information in electronic form in connection with a transaction covered by this subchapter” is considered a covered entity. Moreover, according to 45 CFR §160.103(2)(ii)(3), “a covered entity may be a business associate of another covered entity.” In fact, CMS recognized that, as a government agency, it is subject to HIPAA, the HITECH Act and related rules in an October 2012 report issued by the Office of the Inspector General, “CMS Response to Breaches and Medical Identity Theft.”

In turn, a business associate, as defined by the HIPAA Rules, is “a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information” (emphasis added). A subcontractor is a person who contracts with a business associate and stores, handles or transmits PHI. Regardless, under Section 164.308(b) of the Security Rule and 164.502(e) of the Privacy Rule, a covered entity or business associate is required to enter into an arrangement known as a business associate agreement, which sets parameters and provides some legal protection when a contracted entity is handling PHI.

Effective Feb. 18, 2010, Section 13408 of the HITECH Act provides that health information organizations, e-prescribing gateways, vendors of personal health records and other persons that facilitate data transmission and require access to PHI, regardless of their status as a covered entity, business associate or subcontractor, are subject to business associate agreements in accordance with the HIPAA Rules.

Therefore, medical device and pharmaceutical companies can be classified as a qualifying entity subject to HIPAA and the HITECH Act. As such, they must handle, store and transmit PHI in accordance with the requisite laws and regulations. The consequences from civil and criminal monetary penalties alone are significant. Since the HITECH Act expressly expanded HIPAA’s requirements to business associates and subcontractors, the same standards for access to medical records, business associate agreements and other provisions apply equally to them.

Patient access rights

The article highlights the tension between patients who want access to the health data generated by a medical device implanted in them and the company that makes the device. According to a representative of a medical device maker quoted in the article, “Federal rules prohibit giving Ms. Hubbard’s data to anyone but her doctor and hospital. Our customers are physicians and hospitals.” In general, 45 C.F.R. §164.524, Access of Individuals to Protected Health Information, sets forth the parameters of the HIPAA Privacy Rule. Included in these standards are the circumstances for providing protected health information to a patient, and the exceptions. Nothing in the scenario of PHI being transmitted from a patient’s implant to a medical device company, which would be classified as a business associate in this instance, invokes an exception that would permit denying the patient’s request.

Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act authorizes penalties to be assessed for violations of the Privacy Rule. In February 2011, HHS issued a Final Notice of Determination and held Cignet Health, a business associate, liable for $4.3 million in civil monetary penalties when they denied 41 patients access to their medical records. As OCR Director Georgina Verdugo indicated, “covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements.” And, “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.” This area should be considered in drafting business associate agreements. Therefore, business associates such as Medtronic are required to release the PHI to the patient requesting the information, unless one of the exceptions is met, and the patient is informed.

“How Does HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?”. Becker Hospital Review, US. Retrieved December 20, 2018.

HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a Request for Information (RFI) seeking input from the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules, especially the HIPAA Privacy Rule, could be modified to further the HHS Secretary’s goal of promoting coordinated, value-based healthcare. This RFI is a part of the Regulatory Sprint to Coordinated Care, an initiative led by Deputy Secretary Eric Hargan.

HHS developed the HIPAA Rules to protect individuals’ health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients’ ability to exercise their rights with respect to their PHI.

“This RFI is another crucial step in our Regulatory Sprint to Coordinated Care, which is taking a close look at how regulations like HIPAA can be fine-tuned to incentivize care coordination and improve patient care, while ensuring that we fulfill HIPAA’s promise to protect privacy and security,” said Deputy Secretary Hargan. “In addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need. We’ve also heard how the Rule may impede other forms of care coordination that can drive value. I look forward to hearing from the public on potential improvements to HIPAA, while maintaining the important safeguards for patients’ health information.”

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, including:

  • Encouraging information-sharing for treatment and care coordination
  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

Public comments on the RFI will be due by February 11, 2019. The RFI may be downloaded from the Federal Register at:

“HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules”. United States Department of Health, US. Retrieved December 12, 2018.

Your medical record is worth more to hackers than your credit card