Recent HIPAA, ransomware & data privacy issues to put at the top of your list

The Holidays are always a hectic time of year. Here are some timely events that healthcare industry participants should appreciate.

First, a significant number of people at one point in their lives, have “peaked” at presents before the actual holiday. When it comes to medical records “peaking” out of curiosity, self-gain, and/or financial remuneration is prohibited under HIPAA and may lead to either a civil and/or criminal action, as well as adverse action from a state licensure board. A recent example occurred at a health system in Kentucky, where software detected a physician’s illegal access of patient records, including mental health records. Specifically, the physician accessed “the patient records of women he wanted to pursue romantically.” The health system’s Chief Medical Officer filed a related grievance with the Kentucky Board of Medical Licensure and the physician was terminated as a member of the medical staff. The Kentucky Board investigated, the physician underwent additional training, his attorney was involved in the communications, and the physician’s medical license is on probation for five years.

Second, most people have “regifted” an item at some point. Many forms of ransomware are “opened” by one person, only to be “reopened” again by another individual. On November 21, 2022, the Office of Information Security (HHS) and the Health Sector Cybersecurity Coordination Center issued a report about Lorenz Ransomware. This particular ransomware has been around for approximately two years and engages in “big-game hunting” or whale phishing – that is targeting larger organizations in the extortion process. “Lorenz is known to target organizations globally using customized code, and can demand hundreds of thousands of dollars in ransoms.” One of the key take-aways from the report follows:

Lorenz is human-operated ransomware, run by operators known to be customize their executable code, tailoring it for their targets. This implies that they may maintain persistent access for reconaissance purposes for some extended period of time prior to ransomware deployment. They often follow the pattern of initial access, followed by reconaissance and lateral movement, ultimately seeking a Windows domain controller in search of administrator credentials.

As articulated in my recent Physicians Practice article, cybercriminals use holidays and weekends to strike. Be sure to have appropriate safeguards and remain vigilant in both personal and professional transactions.

Finally, for those who celebrate Christmas, an alignment of incentives often occurs between children and adults - improved behavior because Santa is watching. On November 28th, HHS issued a Notice of Proposed Rule Making (NPRM) that “would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that, among other things, require HHS to bring [42 CFR] Part 2 into greater alignment with certain aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.” Part 2 and HIPAA currently diverge in relation to substance use disorder (SUD) records – posing different requirements and creating barriers and compliance challenges. Public comments are due 60 days after November 28, 2022. HHS is encouraging all stakeholders, including patients and their families, as well as facilities and medical professionals, to submit comments. The key areas follow:

Today’s proposed rule outlines several important changes that can help safeguard the health and outcomes of individuals with SUD and create greater flexibility for information sharing envisioned by Congress in its passage of Section 3221 of the CARES Act. Proposed changes include:

• Permitted use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations.

• Permitted redisclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions.

• New patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.

• Expanded prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.

• New HHS enforcement authority, including the imposition of civil money penalties for violations of Part 2.

• Updated breach notification requirements to HHS and affected patients.

• Updated HIPAA Privacy Rule Notice of Privacy Practices requirements to address uses and disclosures of Part 2 records and individual rights with respect to those records.

In sum, maintaining a culture of compliance is critical for any person. The Holiday Season can be particularly challenging; however, the stakes are high.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.