
Published by the Health Care Compliance Association, Minneapolis, MN • 888.580.8373 • www.hcca-info.org

Contents

3 Patient Privacy Court Case
5 System to Pay Calif. $2 Million, ‘Upgrade’ Data Security
6 One-Size-Fits-All Training for HIPAA Security Rule Not a Workable Solution
9 What Not To Do When Training Employees on HIPAA
10 How the Abilify MyCite System Works
12 Privacy Briefs

OCR Breach ‘Wall of Shame’ Tells Tales Of Woe Mixed with Paths to Redemption

When a laptop is lost, patient data exposed online or emails sent in error, health care organizations might feel the wrath of the government agency that oversees HIPAA compliance through the hammer of hefty fines and the imposition of multiyear corrective action plans.

Or maybe not. In the vast majority of cases, the HHS Office for Civil Rights (OCR) closes breach inquiries when the covered entity (CE) or business associate (BA) undertakes efforts that, in many cases, it should have been doing all along, such as conducting a risk analysis.

A recent change in OCR’s breach reporting portal gives organizations experiencing what are termed “large” breaches an easy way of seeing what other CEs and BAs did to escape the imposition of sanctions by OCR. RPP reviewed the breaches resolved in the past 12 months (from December 2016 until this month) to glean how they were resolved (subsequent issues will examine older closed cases).

Similar information about corrective actions can be found in OCR’s formal agreements with sanctioned CEs, but these tend to be generic in nature. Compared to the number of breaches (and complaints), there just haven’t been that many settlements from which to learn.


Amid Privacy Concerns, Medication Ushers In Brave New World of ‘Digital Medicine’

The first drug with an embedded electronic sensor will become available next year, but the pharmaceutical firm behind it is moving slowly, aware of the “complexities” it brings, including questions about the security of patient data.

Approved in November by the Food and Drug Administration (FDA), Abilify MyCite is a twist on an already-approved medication (now available in generic form) for schizophrenia and bipolar disorder. The new version sends data to a patch worn by the patient, then to a phone app and ultimately to a portal (see diagram, p. 10). The idea is to track when a patient takes the medication (or doesn’t) to help improve compliance—a vexing societal issue that can have life-threatening consequences, particularly in those with psychiatric conditions.

“Given the intricacies and complexities of introducing a novel system like this into the marketplace, we are taking a focused approach to our rollout,” says Kimberly Whitefield, spokeswoman for Otsuka America Pharmaceutical, Inc. “We plan to engage a limited number of physicians, and their patients, who are affiliated with our selected health plans.” She could not disclose the names as contracts with partners have not yet been signed.

Whitefield adds that the firm “is purposefully and deliberately working to earn and keep the trust of individuals with serious mental illness and that of their health care

continued on p. 10

Volume 17, Number 12 • December 2017

Practical News and Strategies for Complying With HIPAA

Editor: Theresa Defino, theresa.defi[email protected]

Senior Writer: Jane Anderson

Copy Editor: Nancy Gordon, [email protected]

2 Report on Patient Privacy December 2017

A stroll through the portal also illustrates the many, and varied, ways of losing or exposing protected health information (PHI), a virtual gallery of what not to do. For those who have had such breaches, the listings may also make CEs and BAs feel superior or not so alone, depending on what their breach experiences have been.

All CEs and/or BAs (based on who bears notification responsibilities) that experience a breach affecting 500 or more individuals must inform patients, the media and OCR. The agency is required by law to investigate each large breach report and post data about them on the agency’s portal. To date, the portal—or website—lists 2,131 of these breaches. The portal is also known as the “wall of shame” in the health care compliance community. (See https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf).

In September, OCR Director Roger Severino said changes to the portal were in response to complaints from the health care industry that the website was outdated and may have led to a “misimpression of when things were relevant and occurring” (RPP 9/17, p. 1).

OCR divided the reports into two separate pages. The first, “Cases Currently Under Investigation,” lists all breaches reported within the last 24 months that are currently under investigation by OCR. The portal shows 383 such cases.

Labeled “Archive,” the other tab contains “all resolved breach reports and/or reports older than 24 months.” There are 1,752 such entries (not counting those that were technically closed but were actually just consolidated with another breach by the same entity).

A number of cases have been closed without any notation of actions taken by the CE or BA. A breach reported in September is the most recent listed as closed, but one reported in March by a Colorado health plan is the most recent for which details appear.

Telling details reveal that breaches occurred at drug stores big and small, doctors’ offices and an urgent care center. Boxes containing PHI have been found at a hotel, a home and a dumpster.

Sources of breaches run the gamut from paper to email to malware and former employees. In one case, a reinsurer was to blame. During this period, two CEs shut down after their breaches occurred, one of which involved a severe ransomware attack.

The portal entries show mitigation efforts by breached organizations, such as obtaining attestations of destruction, while the specific corrective actions range from creating a portal through which patients can access billing information to retraining workforce members.

The cases also identify when OCR provided “technical assistance,” and what type, to the organization.

In nearly all closures where changes were made by the errant organization, OCR states that the agency “received assurances” from the entity that it had “implemented the corrective actions” that are spelled out.

The closed cases include the following:

◆◆ Rocky Mountain HMO in Colorado mailed 1,320 “letters containing PHI to incorrect recipients” on Jan. 23. The HMO made the required notifications on March 17. “Following the breach, the CE investigated the cause of the breach and revised its related HIPAA policies and procedures.”

◆◆ Houston Methodist Hospital “sent an email disclosing the PHI of 1,417 patients to other patients listed on the email.” Notifications were made on March 17 (no breach date is listed). “In response to the incident, the CE implemented an additional technical safeguard to prevent similar situations and re-trained its workforce members on the proper use of email when communicating with patients.”

◆◆ Saliba’s Extended Care Pharmacy of Arizona emailed “an attachment containing patient invoices for December 2016 to six current patients or their personal representatives.” The email had information about 6,599 patients, some of it extensive. In addition to “names, billing addresses [and] account balances,” there were “names and dosage amounts of medications provided” by the pharmacy. Saliba’s discovered the error on Jan. 16; it was reported as required on March 3. In response, the pharmacy “recalled the email sent to all recipients and reached out to the three recipients who confirmed they opened the email message and requested that the recipients permanently delete the email.” In addition, Saliba’s “restricted workforce access to the folder containing patient invoices, retrained billing staff on proper methods for accessing and emailing patient invoices and on its HIPAA policies and procedures, and sanctioned the employee who sent the email. The CE also developed a secure online portal through which patients can directly retrieve their monthly invoices. The CE provided breach notification to HHS, affected individuals, and media, as well as substitute notification. OCR provided the CE with technical assistance regarding the risk analysis and risk management provisions of the HIPAA security rule.”

Report on Patient Privacy (ISSN: 1539-6487) is published 12 times a year by Health Care Compliance Association, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. 888.580.8373, www.hcca-info.org.

Copyright © 2017 by the Health Care Compliance Association. All rights reserved. On an occasional basis, it is okay to copy, fax or email an article or two from RPP. But unless you have HCCA’s permission, it violates federal law to make copies of, fax or email an entire issue; share your subscriber password; or post newsletter content on any website or network. To obtain our quick permission to transmit or make a few copies, or post a few stories of RPP at no charge, please contact customer service at 888.580.8373 or [email protected]. Contact Skyler Sanderson at 888.580.8373 x 6208 or [email protected] if you’d like to review our very reasonable rates for bulk or site licenses that will permit weekly redistributions of entire issues.

Report on Patient Privacy is published with the understanding that the publisher is not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

Editor: Theresa Defino

Subscriptions to RPP include free electronic delivery in addition to the print copy, e-Alerts when timely news breaks, and extensive subscriber-only services at www.hcca-info.org that include a searchable database of RPP content and archives of past issues.

To order an annual subscription to Report on Patient Privacy ($554 bill me; $524 prepaid), call 800-521-4323 (major credit cards accepted) or order online at www.hcca-info.org.

Subscribers to this newsletter can receive 12 non-live Continuing Education Units (CEUs) per year toward certification by the Compliance Certification Board (CCB)®. Contact CCB at 888-580-8373.

EDITORIAL ADVISORY BOARD: JEFFREY DRUMMOND, Esq., Partner, Jackson Walker LLP, Dallas; ADAM H. GREENE, Esq., Partner, Davis Wright Tremaine LLP, Wash., D.C; REECE HIRSCH, Esq., Morgan, Lewis and Bockius LLP, San Francisco., CA; DAVID HOLTZMAN, Esq., Vice President, Compliance, CynergistTek. Inc.; KIRK J. NAHRA, Esq., Partner, Wiley Rein LLP, Wash., D.C.; JAMES PASSEY, MPH, Director, Compliance & Risk Management, Valley Health System, Hemet, Calif.; ERIC S. TOWER, Esq., Associate General Counsel, Advocate Health Care, Oak Brook, Ill.

For other HCCA resources, visit www.hcca-info.org.

PATIENT PRIVACY COURT CASE

◆ Florida Justices Rule That Florida Citizens Have a Right to Privacy After Death. On November 9, 2017, the Florida Supreme Court struck down a 2013 medical malpractice law that—once a plaintiff provided mandatory notice of intent to file suit—allowed potential defense counsel to meet with a patient’s other treating doctors without the plaintiff’s attorneys present. The plaintiff in the lawsuit, Emma Weaver, argued that such ex parte communications lead to potential violations of patient privacy. In a 4-3 decision, the court agreed with Weaver, ruling that such potential violations of privacy block access to courts by forcing medical malpractice plaintiffs to choose between their privacy and their legal claims. The opinion went on to criticize the Florida legislature for “gash[ing] Florida’s constitutional right to privacy” and noted, emphatically, that such right to privacy extends even after death: “Death does not retroactively abolish the constitutional protections for privacy that existed at the moment of death.” Experts say that the ruling could have a significant impact beyond pre-filing requirements by making plaintiffs more likely to move forward with a suit and preventing behind-the-scenes collaboration between defendants and potential witnesses. Medical malpractice defense attorneys, on the other hand, argue that the ruling strips them of a valuable tool for learning about the potential strengths and weaknesses of a case. (Weaver v. Myers et al., SC15-1538 (Supreme Court of Florida Nov. 9, 2017)).

This monthly column is written by Ellie F. Chapman of Morgan, Lewis & Bockius LLP in San Francisco. It is designed to provide RPP readers with a sampling of the types of patient privacy cases that courts are now hearing. It is not intended to be a comprehensive monthly survey of all patient privacy court actions. Contact Ellie at [email protected].

◆◆ Hillsborough County Aging Services Department reported that a “former employee found and returned a box of paper records containing PHI that had been missing for over five years and that belonged” to the county. No date of the breach is listed, but it was reported on Feb. 16. The box had information about 647 individuals, including “names, addresses, Social Security numbers, enrollment numbers, financial information, and clinical notes.” In response, the Florida county “reviewed and updated its policies and procedures to prevent any similar occurrences in the future, formalizing its procedures for safeguarding PHI outside of the office using password protected locked cases, and required all employees to review and implement the new procedures.”

◆◆ Bloom Physical Therapy, LLC, doing business as Physicians Physical Therapy Service, wanted to announce a change in ownership, but it broke the news on Feb. 1 by sending an email without using a blind CC, “so that email addresses in the mailing were visible to all recipients. The email was sent to approximately 500 individuals and may have contained names as a portion of some email addresses.” This was considered a reportable breach; notification was made on Feb. 9. “The CE revised its policies and procedures and retrained staff. OCR provided substantial technical assistance to the CE,” based in Arizona.
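The Houston Methodist and Bloom Physical Therapy entries above are the same failure: every address written into the visible To: or Cc: header is delivered to every recipient, so a mass mailing becomes a disclosure. The block below is an added example written for this article, not code from the newsletter or from either organization. It builds an announcement so the recipient list travels only in the SMTP envelope (the RCPT TO commands) and no recipient header survives into the bytes that leave the server, and it can reproduce the mistake on request so the two wire formats can be compared. The sender and patient addresses are constructed sample data.

```python
# Added example for this article (not code from the newsletter or from any
# organization it names). Contrasts an announcement whose recipient list rides
# only in the SMTP envelope with one that writes every address into To:, the
# mistake behind the Houston Methodist and Bloom Physical Therapy breaches.
# All addresses below are constructed sample data.
from email.message import EmailMessage
from email.policy import SMTP


def build_announcement(sender, recipients, subject, body, leak_recipients=False):
    """Return (envelope_recipients, wire_bytes) for a mass mailing.

    Safe form (default): the visible To: header carries only the sender's own
    address, the real recipients are handed to the MTA as envelope RCPT TO
    addresses, and no Bcc: header remains in the bytes that go on the wire.

    leak_recipients=True reproduces the mistake: every address is written into
    To:, so each recipient can read the whole list.
    """
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["Subject"] = subject
    if leak_recipients:
        msg["To"] = ", ".join(recipients)
    else:
        msg["To"] = sender                   # visible header names only the sender
        msg["Bcc"] = ", ".join(recipients)   # convenient while composing ...
    msg.set_content(body)

    envelope = list(recipients)              # what RCPT TO will actually carry
    # ... but Bcc must never reach the wire. smtplib.SMTP.send_message() strips
    # it for you; a raw sendmail() call does not, so delete it here explicitly
    # (del on a missing header is a no-op, so the leaky branch is unaffected).
    del msg["Bcc"]
    return envelope, msg.as_bytes()


def leaked_addresses(wire_bytes, recipients):
    """Recipient addresses visible in the message as it would leave the server."""
    text = wire_bytes.decode("ascii", errors="replace").lower()
    return [r for r in recipients if r.lower() in text]


# Constructed sample data (hypothetical clinic sender and patient addresses).
SENDER = "announcements@clinic.example"
PATIENTS = ["pat1@mail.example", "pat2@mail.example", "pat3@mail.example"]

if __name__ == "__main__":
    env, safe = build_announcement(SENDER, PATIENTS, "Change of ownership", "Dear patient, ...")
    _, leaky = build_announcement(SENDER, PATIENTS, "Change of ownership", "Dear patient, ...",
                                  leak_recipients=True)
    print("envelope recipients:", env)
    print("addresses visible in safe message:", leaked_addresses(safe, PATIENTS))
    print("addresses visible in leaky message:", leaked_addresses(leaky, PATIENTS))
    # Delivery would be: smtplib.SMTP(host).sendmail(SENDER, env, safe)
```

The envelope list and the bytes are deliberately returned separately: the MTA gets the recipients through `sendmail(sender, envelope, wire)`, and nothing in `wire` names them. A quick check like `leaked_addresses` run against the outbound bytes before the send is the kind of technical safeguard the Houston Methodist entry refers to.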

◆◆ Walgreen Co. made an error involving snail mail. On Feb. 3, Walgreens reported to OCR that it had “sent an improperly formatted survey letter to individuals” in envelopes with clear windows in a way PHI was visible. “The visible PHI included recent prescription histories, clinical, and demographic data affecting 4,500 individuals in 49 states.” No date was given for when the letters were mailed, after which Walgreens “conducted an investigation to determine the root cause of the breach, revised quality control steps for mailings that contain PHI, and retrained department staff on its revised procedures.”

◆◆ Stephenville Medical & Surgical Clinic’s breach exposed the PHI of 61,701 former patients “whose charts had been purged and/or destroyed” when their names were part of a master list that was erroneously emailed “to an unauthorized recipient.” Following the exposure of names and demographic information, the Texas organization “sanctioned the employee responsible for the breach, implemented additional safeguards, and revised and updated its policies and procedures. OCR provided technical assistance regarding individual and media notification requirements and confirmed that the CE completed the required breach notifications. The CE also offered the affected individuals free credit monitoring services.” The breach was reported on Jan. 23; the portal doesn’t specify when the email was sent by the Texas clinic.

◆◆ Associated Catholic Charities Inc. suffered “a phishing attack and automatically forwarded [an] employee’s emails to an external account,” resulting in the exposure of 1,145 individuals’ “names, addresses, dates of birth, social security numbers, and clinical information.” After the breach, reported on Jan. 20, the organization “added additional protection software to its email system and provided employees with additional security awareness training.” The agency states that it also “reviewed the covered entity’s risk analysis to ensure compliance with the security rule.”

◆◆ TriHealth, Inc., of Ohio, “[d]ue to a technical error during a data conversion process…sent correspondence to 1,126 patients’ incorrect addresses.” Information was extensive, “and may have included the full names, former addresses, birthdates, claims information, diagnoses/conditions, lab results, medications, and other treatment information.” After the breach, reported on Jan. 19, “the CE retrained staff, corrected addresses, and developed a plan to implement additional safeguards for data conversions.”

◆◆ American Urgent Care Center of Kentucky learned that a former employee took an X-ray logbook on October 28, 2016, that “contained the names and treatment dates of 822 individuals.” Afterward, the center “revised its policies and re-trained staff, including providers and management. The CE also revised its procedures to eliminate the use of the paper X-ray logbook. As a result of technical assistance from OCR, the CE provided breach notification to HHS, to affected individuals, and in the local newspaper.”

◆◆ Desert Care Family and Sports Medicine of Arizona experienced a ransomware attack, which it reported to OCR on Dec. 20, that encrypted its server and all the data. Despite its efforts and those of a firm called Data Doctors, the practice “was unable to break one of the two encryption variants [and] unable to recover the patient data on the server.” Because it couldn’t access patient information, the organization “provided substitute and media breach notification.” It also notified the local police and the FBI and “added an off-site backup, retrained all of its employees, and obtained a new server.” OCR provided the organization with “technical assistance regarding the security rule risk analysis and risk management provisions.” Nevertheless, Desert Care “closed its business on Dec. 20, 2016 and as of Jan. 1, 2017, another business is operating the practice.”

◆◆ Oak Cliff Orthopaedic Associates learned on Oct. 17, 2016, from local law enforcement that two boxes containing the PHI of 1,057 individuals “were recovered from a hotel located in Texas. The boxes contained patients’ demographic, financial, and clinical information.” The practice “contracted with a third-party vendor to mail breach notification to the affected individuals” on Dec. 14. “The CE completed media notification and offered the affected individuals one year of free identity theft protection services” and “set up a call center to assist individuals with questions.” The practice “also improved physical security. OCR provided technical assistance regarding business associates.”

◆◆ Stamitoles Dental Center of Florida “unintentionally disposed of boxes of paper medical records in a publicly accessible dumpster, potentially exposing the names, dates of birth, social security numbers, addresses, telephone numbers, clinical information and health insurance information of 4,678 individuals.” This occurred on Oct. 12, 2016. “The paper medical records were retrieved by the CE the following morning. In response to the breach, the CE retrained its workforce and adopted a new written policy governing the proper destruction and disposal of paper records.” The incident was reported to OCR on Dec. 11, 2016.

◆◆ Black Hawk College of Illinois reported a breach to OCR on Dec. 8, 2016, “out of caution” that involved ransomware that attacked a server owned by its reinsurer. The attack exposed the PHI of approximately 1,000 individuals from March 12 to Aug. 8, 2016. “The reinsurer provided breach notification to the affected individuals and the CE sent notice to the media and posted a substitute notice on its website. The CE also retrained staff and reviewed its BA agreements and its HIPAA policies and procedures.”

◆◆ Preventice Services, LLC, of Texas experienced a breach affecting 6,800 individuals when one of its BAs “erroneously mailed notices that contained other patients’ names and dates of services due to a programming error by its sub-contractor.” Preventice Services “worked with the BA and its sub-contractor to correct the programming error and add an additional technical safeguard.” The breach was reported to OCR on Dec. 7, 2016. For its part, “OCR confirmed that appropriate BA agreements were in place prior to the breach, provided technical assistance regarding media notification requirements, and confirmed that the CE completed the required breach notifications, including the posting of [a] substitute notice on its website.”


◆◆ CVS Health’s breach of “completed prescriptions” for 626 individuals occurred amid a hurricane. “An individual broke into a CVS Pharmacy in Whiteville, N.C., during Hurricane Matthew” and stole prescriptions that “included names, partial birthdates, addresses, medication names and doses, providers’ names, and prescription numbers.” The pharmacy “reviewed the CE’s policies and procedures on uses and disclosure of PHI and safeguarding PHI, and determined that they were in compliance with the privacy rule.”


◆◆ Washington Health System Greene’s home care agency reported to OCR on Dec. 2, 2016, that on Sept. 27, 2016, “an employee emailed a patient census list to her personal home email account and provided that information to another home health agency, Harmony Home Care.” It is not clear why she did so. The former worker and the CEO of the second agency signed attestations of destruction. The system notified 530 patients. The home care agency “closed operations on Oct. 30, 2016.” ✧
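Two of the closed cases above are, from a detection standpoint, the same event: mail leaving the organization for a domain it does not control, whether through a mailbox rule an attacker created after a phishing compromise (Associated Catholic Charities) or through an employee mailing a census list to a personal account (Washington Health System Greene). The detector below is an added example written for this article to cover both entries; it is not code from the newsletter or from either organization. Its JSON-lines audit-event format, field names, domains and addresses are all constructed assumptions, and a real deployment maps the mail platform’s own rule-creation and message-sent events onto the same fields.

```python
# Added example for this article (not from the newsletter or from any
# organization it names). Flags two ways mail leaves the organization:
#   - a mailbox rule that forwards or redirects to an external address
#     (the post-phishing auto-forward in the Associated Catholic Charities case);
#   - a message with attachments sent to an external address
#     (the census list mailed to a personal account in the Washington Health
#     System Greene case).
# The event format, field names, domains and addresses are constructed
# assumptions; map your mail platform's audit events onto these fields.
import json
from email.utils import getaddresses

INTERNAL_DOMAINS = {"clinic.example", "mail.clinic.example"}   # assumed org domains

# Constructed sample audit log (hypothetical format and data, one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2016-09-27T14:02:11Z", "user": "nurse1@clinic.example", "event": "rule_created", "rule": {"name": "x", "forward_to": ["nurse1.home@webmail.example"]}}
{"ts": "2016-09-27T14:05:40Z", "user": "nurse1@clinic.example", "event": "message_sent", "to": ["supervisor@clinic.example"], "attachments": ["census.xlsx"]}
{"ts": "2016-09-27T14:09:02Z", "user": "nurse1@clinic.example", "event": "message_sent", "to": ["Me <nurse1.home@webmail.example>"], "attachments": ["census.xlsx"]}
{"ts": "2017-01-03T08:15:00Z", "user": "billing@clinic.example", "event": "rule_created", "rule": {"name": "archive", "forward_to": ["billing-archive@CLINIC.EXAMPLE"]}}
{"ts": "2017-01-04T09:30:00Z", "user": "intake@clinic.example", "event": "rule_created", "rule": {"name": "Inbox", "forward_to": ["intake@clinic.example.attacker.example"]}}
{"ts": "2017-01-05T10:00:00Z", "user": "intake@clinic.example", "event": "message_sent", "to": ["patient7@mail.example"], "attachments": []}
"""


def bare_address(addr):
    """'Name <user@host>' or 'user@host' -> 'user@host', lower-cased."""
    _, bare = getaddresses([addr])[0]
    return bare.lower()


def is_external(addr, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours. The comparison is an
    exact, case-insensitive match, so 'clinic.example.attacker.example' is
    external even though it begins with an internal domain name."""
    domain = bare_address(addr).rpartition("@")[2]
    return domain not in {d.lower() for d in internal_domains}


def find_external_destinations(log_text, internal_domains=INTERNAL_DOMAINS):
    """Return (ts, user, kind, external_addresses) tuples for:
      - any rule that forwards or redirects mail to an external address
        (legitimate cases are rare enough to alert on every one); and
      - any message with attachments sent to an external address
        (plain external mail is routine; records leave as attachments).
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "rule_created":
            kind = "auto_forward_rule"
            dests = ev["rule"].get("forward_to", []) + ev["rule"].get("redirect_to", [])
        elif ev["event"] == "message_sent" and ev.get("attachments"):
            kind = "attachment_to_external"
            dests = ev.get("to", []) + ev.get("cc", []) + ev.get("bcc", [])
        else:
            continue
        external = [bare_address(d) for d in dests if is_external(d, internal_domains)]
        if external:
            alerts.append((ev["ts"], ev["user"], kind, external))
    return alerts


if __name__ == "__main__":
    for ts, user, kind, addrs in find_external_destinations(SAMPLE_LOG):
        print(f"{ts} {user} {kind}: {', '.join(addrs)}")
```

Run against the constructed log, the detector raises three alerts: the nurse’s forwarding rule, the attachment she then mailed to the same webmail address, and the rule pointing at a lookalike domain; the archive rule whose target differs only in letter case is correctly treated as internal. Alerting on every external forwarding rule is the low-noise part; the attachment rule will need tuning to the organization’s normal outbound traffic.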

Citing a “lack of reasonable safeguards” that led to two data breaches affecting approximately 55,000 patients, the California attorney general has brokered a $2 million settlement with a Santa Barbara-based three-hospital system. Announced Nov. 22, the settlement resolves allegations that Cottage Health broke state privacy laws as well as HIPAA.

The settlement is another reminder that state at-torneys can—and will—flex their enforcement muscles. This California settlement, however, is larger than most arising from state actions. A year ago, for example, a home health agency in New York agreed to pay $25,000 amid allegations that a former worker stole data to help establish a rival firm (RPP 1/17, p. 1). In 2014, a Rhode Island hospital paid $150,000 to the Commonwealth of Massachusetts following the loss of ultrasound films (RPP 8/14, p. 1).

“From 2011 through 2013, over 50,000 of Cottage’s patients had their personally identifying informa-tion (PII) and electronic personal health information (ePHI)—including medical history, diagnosis, labora-tory test results, and medications—accessed and made searchable online so that anyone with an internet con-nection could download and view patient private medi-cal data,” Attorney General Xavier Becerra announced. “Cottage had failed to adequately secure this informa-tion, resulting in this data being indexed by Google and viewable in public search results.”

Further, last year “over 4,500 of Cottage’s patients had their PII and ePHI— including medical record number, account number, name, address, Social Security Number, employment information, admit and discharge dates, and other personal information—accessed and made searchable online,” the announcement continues.

These breaches, Becerra says, “were symptoms of its system-wide data security failures. Cottage failed to employ basic security safeguards, leaving vulnerable

software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter secu-rity, among many other problems.”

In addition to the $2 million payment, Cottage will “upgrade its data security practices,” according to Becerra.

In the settlement, Cottage agreed to “maintain an information security program that ensures that Cot-tage protects the security, integrity, and confidentiality of patients’ medical information that Cottage collects, processes, uses, maintains, and/or stores. The program shall meet reasonable security practices and procedures for the health care industry.”

The system is also required to share with the state the “names of the employee or employees” with over-sight of its privacy and security compliance programs.

The settlement also calls for two years of “annual privacy risk assessment addressing Cottage’s efforts to comply with applicable privacy laws governing Cottage’s patients’ medical information and evaluat-ing the effectiveness of Cottage’s information security program.” The final report is to be sent to the California state attorney as well as shared internally.

A spokeswoman for Cottage supplied RPP with the following statement in response to the settlement. She did not respond to any specific questions.

“This settlement involves unrelated data incidents that occurred in 2013 and 2015. Once we learned of the incidents, our information security team worked to pro-vide resolutions. There is no indication that data was used in any malicious way,” the system states. “At Cot-tage Health, we have used this learning to strengthen our system security layers for improved detection and mitigation of vulnerabilities. Upgrades include new system monitoring, firewalls, network intrusion detec-tion, and access management protocols to help protect private data. We value the trust of our community and

System to Pay Calif. $2 Million, ‘Upgrade’ Data Security

continued on p. 6

6 Report on Patient Privacy December 2017

One-Size-Fits-All Training for HIPAA Security Rule Not a Workable Solution

The premise of mandatory employee training on the HIPAA security rule is simple: untrained workers might inadvertently disclose protected health information (PHI) or make a mistake that enables bad actors to gain access to PHI, so they need to be trained to ward off these problems.

But experts warn that training programs require much more thought than simply instituting a perfunc-tory requirement that workers view a training video once per year. In fact, experts say, effective training requires more thought and effort than most organizations cur-rently provide.

There are dozens of off-the-shelf HIPAA training programs offered—some focused only on the security rule or the privacy rule, and some on all of HIPAA—and they vary widely in effectiveness. “Effective information security…training is absolutely necessary to prevent breaches. The less training that is provided to employees, the more breaches that organizations experience,” says Rebecca Herold, president of SIMBUS360.com and CEO, The Privacy Professor.

Herold tells RPP that humans—not technology—always are the weak link, especially in professions like health care. “Workers who deal with patients, customers, and those who are in a help desk type of job position have been taught to bend over backwards to be helpful,” she says, and “this makes the need to follow security practices, such as validating the identity of callers before giving them PHI, critically important.”

“Folks in these positions absolutely need to have tar-geted training for their specific job responsibilities to get this identity verification, as well as know how to identify social engineering attempts and other related specific situations unique to their job activities. Unique train-

Copyright © 2017 by the Health Care Compliance Association. All rights reserved. Please see the box on page 2 for permitted and prohibited uses of Report on Patient Privacy content.

ing must also be provided to other positions, with other types of responsibilities, as well,” Herold says.

At the same time, employees—not technology—are in a position to stop security breaches before PHI gets disclosed, notes Jim Venturella, vice president of infor-mation technology services and CIO at West Virginia United Health System (WVUHS).

“Employees play an essential role in the prevention and detection of the security incidents that lead to breaches,” Venturella tells RPP. “The majority of time, they understand what they should and should not do. However, during a busy shift, it may not always be top of mind. Ongoing communication to employees is key to ensuring they are constantly aware of threats.”

Security Training Can Avert Breaches

The HIPAA training requirements are laid out by HHS in 45 CFR § 164.530 and mandate instruction that is “necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” Training also must be documented.

According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as they implemented appropriate policies and adequately trained the employee. Herold notes that the fines and penalties applied under HIPAA for instances when no training was provided have increased dramatically.

But HIPAA security training can do more than just make your fines lower if you do get breached; it also can avert breaches (for example, by training workers what a suspect email looks like) and help detect breaches in progress so they can be stopped (for example, by training workers to alert IT staff when they suspect something is amiss).

continued from p. 5

are committed to continuous advances in technology that enable us to protect patient privacy while providing authorized care providers the timely and effective data needed for medical treatments.”

Under the settlement, the health system’s “information security program…shall include reasonable efforts to:”

◆ “Assess hardware and software used within Cottage’s computer network for potential risks and vulnerabilities to the confidentiality, integrity, and availability of patients’ medical information, and updating security settings and access controls where appropriate;
◆ Evaluate the response to and protections from external threats, including firewall security;
◆ Encrypt patients’ medical information in transit in accordance with health care industry best practices;
◆ Maintain reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plans;
◆ Conduct periodic vulnerability/penetration testing designed to identify, assess, and remediate vulnerabilities within Cottage’s computer network; and
◆ Train employees regarding the collection, use and storage of patients’ medical information.” ✧

December 2017 Report on Patient Privacy 7

Web addresses cited in this issue are live links in the PDF version, which is accessible at RPP’s subscriber-only page at http://www.hcca-info.org/Resources/HCCAPublications/ReportonPatientPrivacy.aspx.

A study from IT security consulting firm PhishMe, Inc., found that training employees to report suspected phishing emails can reduce the standard time for detection of a breach from 146 days to just 1.2 hours, reducing the potential fallout from a data breach or ransomware resulting from the attack (RPP 2/17, p. 5).

Of course, breaches can happen even at organizations with the best-trained people. But Herold notes that “many breaches are a result of accidents and…doing things that employees simply didn’t know they weren’t supposed to do. It is easier to make mistakes if you don’t have regular and effective training.”

Lack of knowledge and awareness—especially when those involved aren’t focusing on security issues—leads to far more breaches than malicious intent, Herold says. “Even when malicious intent was involved, it typically exploited human security unawareness in some way.”

Worse, mistakes lead to a misconception that training isn’t actually worth it, since the training that did take place failed to avert the mishap, Herold says. “When information security…incidents happen, too many organizations, and otherwise smart professionals, say that…training doesn’t work and isn’t worth the time, when in fact the problem is that the training they are providing is bad and ineffective,” Herold says.

That’s why more than just a minimum, once-per-year training program is important, Herold says. “It is important to provide, in addition to formal training, ongoing awareness and activities to help ensure you and your workers perform all your daily job activities in a way that effectively safeguards the information you are working with,” says Herold.

Boring Training Programs Won’t Work

Repetitive yearly employee HIPAA training programs, while common, are just not effective, says David Harlow, a health care attorney and consultant with a national practice focused on health data privacy and security (see related story, p. 9).

“Training is important, as is testing of employee knowledge, because the single biggest area of risk of security breaches can be summed up in two words: human factors,” Harlow tells RPP. “But the key to effective training is to move away from having employees watch the same online training video year after year and fake the same post-test. That is ultimately a recipe for disaster.”

Ideally, Harlow says, training should be role-based and experience-based. “In other words, employees should be faced with examples of threats, with the types of decisions they would have to make in real life, as part of their training. One classic example of this sort of training is sending fake phishing emails to staff, and seeing who falls for it—who clicks on the link. You can set these up so that the link takes the employee who was taken in by the phishing email to a web page that explains how he or she should have been able to tell [it was a phishing email], what hallmarks of a phishing email to be alert to, [and] what steps to take instead of falling for it and clicking on the link,” he says.

According to Venturella, the standards for mandatory security training are an essential component of best practices for preventing health information breaches. But how organizations implement them matters: “Standards become effective when they are prioritized and properly implemented at health care organizations. Mandatory training is an essential component of this, but it needs to be complemented with other activities on an ongoing basis,” he says.

Demonstrate Relevance to Real Life

If Venturella were newly in charge of HIPAA security compliance at a health care entity that hadn’t been meeting best practices for employee training, he says his first step would be to identify that organization’s particular shortcomings. “I would do a quick assessment to understand the gaps and develop a plan to address the most impactful items in the short term,” he says. “I would also engage leadership to ensure they understood and appreciated the importance, since it takes a commitment from the entire leadership team to be successful.”

WVUHS’s employees have played a role in averting breaches, he says. “Every organization is under constant attack, and we have many examples of employees identifying potential threats and reporting them to our technology team to address.”

Security training programs often fail to show how relevant HIPAA security compliance is to employees, even though this is an important factor in getting employee buy-in, Venturella says. WVUHS employees must participate in annual training programs, Venturella says, but “in addition, training is offered as needs are identified.” For instance, the emergence of new types of malware will require updates to the training curriculum.

Venturella adds: “Training should be tailored to meet individual [employee] needs. Many employees have become comfortable with online programs, and this is an essential tool when you have large groups of employees. However, at times direct social interaction can be a more effective venue, and this should be used in a more targeted fashion.”

Based on this, the health system uses a variety of different methodologies for training, depending on employee needs and course objectives, Venturella says. “Initial training during new employee orientation is classroom-based. Ongoing, the training is a combination of classroom, online, department presentations and pushed content—screen savers, emails, intranet.” Using different communication channels helps keep the topic “top-of-mind” for employees, he adds.

The core information security requirements of HIPAA are the same for all types and sizes of covered entities (CEs) and business associates (BAs), so training programs for those organizations will be similar, as well, Herold says. “What may vary are some of the more targeted, specific topics, such as for handling patients checking in at a small clinic versus at a large hospital system. Most small clinics will not have the same types of automated systems to use for check-in as most large hospital systems now use.”

In addition, Herold says there should be different types and topics of training for different groups of employees, based on their job responsibilities. For example, the executive team and legal counsel should have training on the legal requirements and obligations of HIPAA, plus the potential penalties, while IT staff should have training on the specific types of technology requirements under HIPAA, plus when, where and how to correctly implement them, she says. Medical practitioners, meanwhile, need to know specific ways to stay in compliance with aspects of security that arise in a clinical setting, such as how to communicate with patients digitally in safe ways, she says.

Regardless of the setting, “training and awareness communications must be relevant to those receiving them to be effective,” says Herold. “Participants in training and awareness must be able to see how the issues relate to them in order to pay attention, and really understand the…issues and then carry those lessons learned into their daily work activities.”

Specifically, Herold recommends:
◆ Providing training on a quarterly basis,
◆ Holding short, targeted training sessions,
◆ Keeping training topics narrow, and
◆ Covering just two to five topics per session.

“Then, as part of the education program, it is very important for hospitals to send out frequent—at least monthly, but bi-weekly is even better—reminders for security, along with communicating news that shows incidents, fines/penalties, etc., that demonstrates how others had security incidents and…breaches that could have been prevented with more awareness, which comes from more frequent and high-quality training,” Herold says.

Herold says she prefers to see organizations utilizing a variety of different training methods: “Step back and consider that everyone does not learn and understand in the exact same way. Organizations must think about the communications used within training and awareness efforts.” In addition to using 10- to 15-minute training modules, she employs quizzes to determine how well the students understood the concepts that were covered.

“I’ve also given training activities that involve interaction with role-playing and problem-solving activities for the associated activities.” All these engage and help the learners to understand the concepts more fully, she says.

Formal training should occur at least annually, but Herold has found that providing quarterly or even monthly short training sessions is more effective.

Training has to extend beyond the classroom door, as well, she says. “What is also critical—and required by HIPAA, although very few CEs or BAs realize this—is the need to provide ongoing awareness communications, reminders, tips, activities, etc. These will help to keep information… at top of mind for workers between their more formal training sessions,” Herold says.

Vary Training Techniques

There’s no one-size-fits-all solution to employee training, Harlow says. “Role-based training is important,” and in-person, online and experiential training—e.g., fake phishing attacks—all have benefits for organizations, he says.

According to Harlow, the most important factor: “Training needs to be concrete and relevant. The key is customization. Obviously, all hospitals have some common issues. All clinical labs have some common issues. All EHR companies have some common issues. But each is unique. Each has unique internal and external arrangements regarding the transmission and use of protected health information. Each has its own idiosyncrasies, its own workflows, [and] its own workarounds that have built up over the years.”

Depending on the organization, training can be done online or in person, he says. “Some educators will tell you that the way in which material is presented matters, depending on the type of the material and on the type of learner. From my perspective, I think it is important to offer training and reinforcement through different modalities in order to be confident that the message is getting through and that the entire workforce is internalizing norms that yield greater compliance,” Harlow adds.

Finally, organizations also need to consider other security guidelines in their training, he adds. For instance, the Federal Trade Commission has requirements for data security that need awareness. “Security doesn’t end with HIPAA compliance, so training needs to be broader as well,” he says.

Contact Herold at [email protected], Venturella via WVUHS spokesperson Leigh Limerick at [email protected] and Harlow at [email protected] or via his blog Health Blawg. ✧


Call Skyler Sanderson at 888.580.8373 x 6208 or email [email protected] to find out about our very reasonable rates for bulk subscriptions and site licenses for your entire campus.

What Not To Do When Training Employees on HIPAA

HIPAA security training programs are intended to engage participants and teach them how to maintain the security of protected health information. But many training programs in use today are so poorly designed and executed that they have the opposite effect, says Rebecca Herold, president of SIMBUS360.com and CEO, The Privacy Professor.

“Unfortunately, there are a lot of very poor, and downright horrible, training content packages and tools out there. I’ve reviewed well over 300 different organizational training and awareness programs, and it is sad to see the types of activities and content that is passed off as ‘training,’” Herold tells RPP.

In fact, she says, bad training hurts all educational efforts and “makes otherwise smart people say dumb things about the need for training and awareness.”

Herold is familiar with information security, privacy training and awareness programs for organizations that range in size from large multinational (300,000+ employees) organizations to small businesses, clinics and single physician practices, such as chiropractors and acupuncturists. As a result, she’s seen what she considers to be ineffective training in action.

Smaller organizations are most at risk for using inadequate training programs, Herold says, because “there are almost always insufficient training and awareness activities within smaller health care organizations, and within most of their business associates’ businesses.”

“For example, one organization simply copied and pasted the actual regulatory text of HIPAA into several hundred PowerPoint slides, put it in a shared folder for their organization, sent a message telling personnel to look at it, and called that training,” she says. “This is not training. Making people scroll through hundreds of screens of what many will find to be mind-numbing text does not provide any educational value. In many other organizations, I found absolutely no training and no awareness communications or events at all,” she says.

Other organizations purchase a training module and then try to reuse the same training module, without modification, year after year. “After the first time of doing the training, your personnel will simply zone out the next time they see it, and the training will not be considered to be effective, or sufficient,” Herold says.

Larger organizations aren’t immune from training-related problems, she says. “Organizations—particularly the mid-sized to large organizations—often choose subject matter experts (SMEs) to deliver the training,” Herold says. “However, just because someone is an expert on a topic does not mean that he or she will also be a good instructor. SMEs often do not see a topic with the same perspective as a person who has no knowledge on the subject…. Ensure that the trainers you use are not only knowledgeable about the topic but are also experienced in effective training methods.”

Not everyone learns in the same way, but many organizations fail to carefully tailor their training and awareness efforts to different groups of employees. “Organizations must think about the communications used within training and awareness efforts,” she says.

In addition, many organizations send awareness messages for anyone and everyone in the organization to read or notice, but “indiscriminate announcements such as these are bound to be ineffective with some types of passersby,” Herold says. This type of “consistent and unvarying type of communicating” doesn’t reach everyone in the organization, she says.

According to Herold, these are the most common mistakes that organizations make when planning and delivering their training and awareness activities:
◆ Not being motivated to provide education
◆ Throwing education together too quickly
◆ Delivering education that doesn’t fit the environment
◆ Not addressing legal and regulatory requirements
◆ Not receiving leadership support
◆ Planning inadequately
◆ Mismanaging or not specifying a budget
◆ Using unmodified education materials
◆ Risking information overload
◆ Not considering the learner
◆ Using poor trainers
◆ Using inappropriate/politically incorrect language
◆ Dumping information on learners
◆ Not evaluating the effectiveness of the program

The key to successful training is employee engagement, and trainers need to develop material that’s useful for the learners.

Contact Herold at [email protected]. ✧


Subscribers who have not yet signed up for Web access — with searchable newsletter archives and more — should click the blue “Login” button at http://www.hcca-info.org/Resources/HCCAPublications/ReportonPatientPrivacy.aspx,

then follow the “Forgot your password?” link to receive further instructions.

Medication Raises Privacy Questions continued from p. 1

Source: Otsuka America Pharmaceutical, Inc.

providers, family and care team, ensuring that patient confidentiality and data security is a top priority.”

Otsuka is not a covered entity (CE) under HIPAA, she says. “Otsuka follows industry standards and best practices for privacy and security, including HIPAA as appropriate,” she tells RPP.

The sensor, dubbed an ingestible event marker, and the patch were developed by Proteus Digital Health of Redwood City, Calif. Otsuka America is a subsidiary of Tokyo-based Otsuka Pharmaceutical Co., Ltd., which developed and owns Abilify. Otsuka and Proteus jointly announced the FDA’s Nov. 14th approval of what the companies call the first “digital medicine system.” The label on the medication will call it a “drug-device combination product,” according to Whitefield.

Whitefield describes a number of safeguards as well as Otsuka’s approach to developing and marketing Abilify MyCite.

Otsuka “is committed to ensuring that the data are safe, private and secure by leveraging the highest industry standard security protocols to protect access to the patient’s personal health information,” Whitefield says.

The firm “provides physical, administrative and technical safeguards to protect the information collected, processed, maintained and/or transferred,” Whitefield explains. “For example, access to this information is limited to authorized employees, vendors, and contractors who need to know that information in order to operate, develop or improve the app. Otsuka uses encryption and other methods in an effort to protect the data while in transit.”

It also took the unusual step of developing a six-point “Digital Medicine Ethics Statement,” and consulting bioethicists.

“To help inform our guiding principles and considerations, we have created a bioethics steering committee comprised of four recognized experts on the application of ethics to health care, law and medicine,” Whitefield says. “In collaboration with the committee, we established a framework to ensure that data is safeguarded to protect people’s privacy.”

The committee also addresses “a range of issues related to respecting individual autonomy, maximizing benefit, minimizing risk, and ensuring fairness in the availability of the Abilify MyCite System. Having insights and expertise from these experienced bioethicists has helped us continue to build trust with patient, caregiver, and provider communities,” she says.

Patients “decide who may access information related to the Abilify MyCite System and who may not,” Whitefield says. “At any time, an individual can grant or withdraw permission for [the] treatment team, family members, or others to access their information related to the Abilify MyCite System by going into the smartphone application.” Up to four people may access the portal, including family members approved by patients. They “can discontinue sharing some information from the system, or opt out of the program altogether, at any time.”

Otsuka: Info To Be Tightly Controlled

Beyond treatment purposes, Otsuka and “third-party collaborators” will use “de-identified and aggregated data for the purposes of quality control, data analytics, and research,” Whitefield says.

If the patient gives an okay, “designated Otsuka individuals, based on their roles, will be able to see patient data” that is not de-identified, Whitefield says. This will include customer service representatives “who administer the Abilify MyCite system.”

She adds that “under no circumstances will personal patient information be accessible and used for marketing purposes.”

The firm, “consistent with industry best practices employs data minimization, so sensitive data elements that are not needed—such as individuals’ Social Security Numbers, driver’s license numbers, passport numbers, and account numbers—are not collected through use of the Abilify MyCite System,” according to Whitefield. This concept, which sounds like minimum necessary standards that are required under HIPAA, “significantly reduc[es] the risk of identity theft resulting from use of this product.”

Safeguards are also in place to secure the protected health information (PHI) “collected through the app,” she adds. “Data from the smartphone application is stored on a remote secure cloud-based server.” The PHI on the web-based portal “display[s] patient-shared summary data and do[es] not allow for two-way communication back to the patient.”

PHI “is encrypted while it is stored in the HIPAA-compliant cloud environment, and the cloud service provider does not have a decryption key,” she adds.

Whitefield points out that while “Otsuka endeavors to secure the information, no system can prevent all potential security breaches.”

Health care providers “are responsible for their own compliance with privacy and data security laws,” Whitefield says, “but specific features have been built into this product and related processes to help ensure the confidentiality of patient information collected through use of the product.”

Everyone loses their phone at least once, and patients taking the new drug are unlikely to be any different. But Otsuka has taken precautions for this.

“If the individual loses the smartphone and an unauthorized person gains access to the phone, the unauthorized user would only be able to view information if it is within the 15-minute timeframe before the automatic timeout occurs from the previous log-in. After 15 minutes, the app would time out, and the unauthorized user would be required to enter the username and password to view any of the information in the app,” Whitefield tells RPP.

As these types of drug-device combos proliferate, CEs should approach them as they do “any type of telemetry solution, whether it’s an at-home heart monitor, blood sugar monitor, or anything else that involves sending data back to the provider from a patient’s remote location,” says Jeff Drummond, a partner with Jackson Walker LLP in Dallas.

“Abilify has a little higher creepiness factor since the data it’s sending isn’t some cold impersonal blood pressure number but rather evidence of whether the patient is compliant with his or her doctor’s orders,” he says. With “proper data security,” encryption, access and integrity protections, for example, there shouldn’t be what Drummond calls “a HIPAA problem.”

And when there is “proper patient approval,” says Drummond, “you get past the creepy part as well.”

Suggestions for ‘Due Diligence’

It must be noted that the Office for Civil Rights (OCR), which enforces compliance with the HIPAA privacy and security rules, has also made it clear that telemetry firms and the like aren’t going to get a pass.

In April, OCR settled with its first device company, inking a $2.5 million agreement with BioTelemetry, Inc., which suffered the loss of two unencrypted laptops in 2011 (it was then named CardioNet). Although the PHI of just 2,000 patients was involved, OCR also dinged the company for “an insufficient risk analysis and risk management processes,” and draft but not final “policies or procedures regarding the implementation of safeguards for ePHI [electronic PHI], including those for mobile devices.”

As part of a corrective action plan, OCR required detailed information about encryption of BioTelemetry’s devices and is seeking “certification that all laptops, flash drives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used” (RPP 5/17, p. 1).

Caution is also warranted, given this is a “first,” says Joseph Lazzarotti, principal in the Morristown, N.J., office of Jackson Lewis P.C.

According to Lazzarotti, among the issues to be considered: what information the pill collects, control over whether certain information is collected or not, ownership of the information; restrictions on data sharing, risks and safeguards for data in transmission and when stored, third-party uses and access controls, and destruction of data.

A CE may also want to address “a plan to communicate the use of this [medication] to plan participants and/or patients,” he says.

Currently “and certainly into the future, it is easy to see how the ‘digital pill’ could be continually improved to capture, communicate, and result in the storage of large amounts of sensitive information as it travels through its patients,” Lazzarotti adds. “Clearly there would be privacy and security concerns for patients…”

But given that the inability to “manage chronic diseases because of failures in medication adherence is a significant driver of cost,” Abilify MyCite may fill a need. Still, it requires careful scrutiny, he says.

“I would not want to throw a wet blanket on such an initiative, but…it would be prudent and consistent with HIPAA to ask some of these questions and perform some due diligence before implementing” it, he says.

Contact Whitefield at [email protected], Drummond at [email protected], and Lazzarotti at [email protected]. ✧

PRIVACY BRIEFS

◆ A top House lawmaker has asked HHS to work with health industry stakeholders on a plan to create and deploy “bills of materials,” or BOMs, for health care technologies. BOMs, recommended in the recent Health Care Industry Cybersecurity Task Force report (RPP 6/17, p. 4), would exist for each piece of medical technology and would describe the technology’s components and any known risks associated with those components. In a Nov. 16 letter, House Energy and Commerce Committee Chair Rep. Greg Walden (R-Ore.) asked HHS acting secretary Eric Hargan to “convene a sector-wide effort to develop a plan of action for creating, deploying, and leveraging BOMs for health care technologies.” The cybersecurity task force’s report, along with analysis of malware outbreaks WannaCry and NotPetya, show the need to consider BOMs, Walden said in the letter. Read more at http://bit.ly/2mQYC7z.

◆ Two security organizations are warning hospitals and other health care entities that they’re making a serious mistake by not investing appropriately in cybersecurity. The report from the Information Systems Security Association and Enterprise Strategy Group said organizations need to align cybersecurity and business goals, build repeatable processes, invest in training (see related story, p. 6), and assume there will be a perpetual skills shortage for IT security professionals. “We are not making progress, cyber security professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous. It is clear that the solution must be about more than filling jobs. It is about creating an environment from the top down of cyber security as a priority,” said Jon Oltsik, Senior Principal Analyst at the Enterprise Strategy Group (ESG) and the author of the report. Obtain the report at http://bit.ly/2AkgZov.

◆ Unintended disclosure remains the highest cause of data breaches in health care entities, accounting for 41% of incidents, according to insurance company Beazley. Hacking or malware accounted for 19%, Beazley says in a report. “Whether it’s an email containing PHI sent to the wrong recipient, discharge instructions given to the wrong patient, or a server containing PHI accidentally left open to the public, health care entities continue to struggle with human error on a regular basis,” the report says. See the report at http://bit.ly/2iq4mDB.

◆ Patients at the UAB (University of Alabama-Birmingham) Viral Hepatitis Clinic may have had their protected health information exposed during an Oct. 25 data breach after two USB memory sticks were lost, UAB Medicine said. Information on 652 patients was contained on the two USB memory sticks, which were used to transfer electronic information to a computer from a machine used to evaluate liver disease. The misplaced devices contained patients’ first and last names, birth date, gender, diagnosis, date and time of examination and numbers and images associated with test results. The data also may have included the name of the referring physician. Social Security numbers and financial information were not included. Read more at http://bit.ly/2iG2lnm.