Kusserow on Compliance: A reminder about email compliance

The HHS Office for Civil Rights (OCR) continues to report HIPAA Privacy Rule violations involving email transmissions. With the coming New Year, it may be advisable to review the security of email containing electronic protected health information (ePHI), which must adhere to a specific regulatory standard. The HIPAA Security Rule introduced several requirements that must be satisfied before email communications can be considered in compliance with HIPAA. HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

Additionally, HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to: (a) restrict access to PHI; (b) monitor how PHI is communicated; (c) ensure the integrity of PHI at rest; (d) ensure 100 percent message accountability; and (e) protect PHI from unauthorized access during transit. These standards extend to having a schedule for retaining, archiving, and destroying (after six years) emails containing ePHI. Furthermore, emails must be kept safe in transmission by using encryption: an email containing PHI, whether in an attachment or in the body text, should not be transmitted unless it is encrypted. The following email compliance issues should be verified:

  1. All email communications with PHI are being encrypted
  2. Emails are being monitored for compliance
  3. Data inside emails are being protected from cyberattacks
  4. Emails are being stored in an unalterable state
  5. Email retention schedules are being followed
  6. Email chain of custody standards are being followed
  7. Email access is being controlled with individual accounts and passwords
  8. Email accounts are only being used by registered users
  9. Email messages are complying with accepted professional and business practices
  10. Established log-on controlled access procedures and passwords are being followed


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Inova Health System another victim of ransomware attack

Inova Health System is the latest of a dozen health systems affected by a ransomware attack at a third-party software vendor. The Virginia-based health system issued a notice on September 9, 2020 notifying up to 1,045,270 patients and donors, according to a notification Inova submitted to the HHS Office for Civil Rights (OCR). The incident is traced back to Blackbaud Inc., a third-party service vendor used for fundraising and alumni or donor engagement efforts at non-profits and universities. Inova's notice stated that it was notified by Blackbaud of a ransomware attack that Blackbaud had discovered and stopped in May 2020.

The attack involved intermittently removing data from the Blackbaud system, which included certain information maintained for Inova. Investigation by Inova found that the data affected by the attack may have contained certain personal information of some patients and donors, including: full names, addresses, dates of birth, phone numbers, provider names, dates of service, hospital departments, and/or philanthropic giving history such as donation dates and amounts. The notice also stated there is no evidence that the data will be misused, disseminated or made publicly available, and that Inova was assured that all compromised data was destroyed and the vulnerability that allowed the incident was closed. The incident did not expose Social Security numbers, financial account information, payment card information, or electronic health records. Blackbaud reportedly prevented the cybercriminals from blocking its system access and fully encrypting its files; however, the criminals were able to remove a copy of a subset of data. Blackbaud also reported paying a ransom so that the attackers would destroy their copy of the stolen information, an assurance that neither Blackbaud nor its customers can independently verify.


Kusserow on Compliance: OIG response plan—four goals for the COVID-19 Crisis

The HHS Office of Inspector General (OIG) has identified four goals to respond to the COVID-19 Pandemic: protecting people, protecting funds, protecting infrastructure, and promoting effectiveness. The OIG set out its framework in the OIG Strategic Plan: Oversight of COVID-19 Response and Recovery.

PROTECT PEOPLE. The OIG's plans for this goal include: (1) issuing guidance on its administrative fraud enforcement authorities related to delivering needed patient care; (2) conducting rapid-cycle reviews of conditions affecting HHS beneficiaries or health care providers; (3) informing and supporting response efforts; (4) helping ensure continuity of HHS operations during the public health emergency; (5) identifying and investigating fraud and scams that endanger HHS beneficiaries and the public; (6) alerting the public to fraud schemes related to COVID-19; and (7) assessing the impacts of HHS programs on health and safety in the acquisition, management, and distribution of COVID-19 tests and in vaccine and treatment research and development.

PROTECT FUNDS. HHS was appropriated $251 billion for COVID-19 response and recovery, to prevent, prepare for, and respond to coronavirus, along with funds from other appropriations. The OIG's plans for this goal include: (1) reviewing oversight, management, and internal controls for the awarding, disbursement, and use of funds; (2) assessing whether recipients met requirements; (3) mitigating major risks that cut across program and agency boundaries; (4) ensuring that granted funds are used for their intended purposes; (5) identifying and investigating suspected fraud and exercising OIG's administrative enforcement authorities; (6) identifying program integrity vulnerabilities and recommending safeguards; and (7) providing alerts to potential fraud risks or schemes to steal funds.

PROTECT INFRASTRUCTURE. Objectives for this goal include: (1) protecting the security and integrity of IT systems and health technology; (2) identifying IT vulnerabilities and incidents, mitigating threats, and restoring IT services; and (3) focusing on identifying and investigating cybersecurity vulnerabilities related to COVID-19 response.

PROMOTE EFFECTIVENESS. The OIG's plans for this goal include: (1) focusing on COVID-19 efforts to identify successful practices and lessons learned from emergency preparedness and response; (2) reviewing pandemic preparedness planning to identify how preparedness funding was spent; and (3) assessing the impact of COVID-19 on HHS programs and beneficiaries, including expanded telehealth in Medicare.


Kusserow on Compliance: Arrest of the University of Pittsburgh Medical Center hacker

An individual was indicted by a federal grand jury in Pittsburgh and arrested on charges associated with the 2014 "hacking" theft of the University of Pittsburgh Medical Center (UPMC) human resources database, which included personally identifiable information (PII) of over 65,000 UPMC employees. He was charged with fraud, aggravated identity theft, and selling the information on the dark web to buyers around the world. The buyers, in turn, engaged in a massive campaign of further scams and theft, including the filing of thousands of false IRS tax returns, leading to $1.7 million in false tax refunds.

Additionally, the indictment alleges that the hacker, from 2014 through 2017, using the aliases "TDS" or "DS," regularly sold other PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud. According to the indictment, the hacker sold the stolen information on dark web forums for use by conspirators, who promptly filed hundreds of false Form 1040 tax returns using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars in false tax refunds, which the conspirators converted into Amazon.com gift cards, which were then used to purchase Amazon merchandise that was shipped to Venezuela. The case was investigated by the Secret Service, the IRS, and the Postal Inspection Service. As a side note, six years ago the breach resulted in a major legal battle after employees sued UPMC for negligence and breach of contract. The state high court ruled that UPMC may be liable for monetary damages if the plaintiffs can prove the health system acted negligently.
