◆ HHS changed its tone on care coordination and case management in the final Confidentiality of Substance Use Disorder Patient Records regulation (42 C.F.R. § 2), known as Part 2. In the regulation, which was published in the Federal Register on July 15, care coordination and case management were added to a list of 17 activities, including billing and fraud, waste and abuse activities, that now will be treated as payment and health care operations. When combined with other provisions, this means a patient can consent to share substance use disorder information with a Part 2 entity, and that entity can further disclose the information to its contractors for payment and health care operations. The reversal from HHS will be welcomed by Part 2 providers, said Los Angeles attorney Adam Hepworth, with Foley & Lardner. “Before, it would have been hard to get substance use disorder information from a Part 2 entity to a care coordination entity because there wasn’t really a direct pathway for an individual to consent to it, but in the final rule, there is more than one way,” Hepworth said. “This is a simple and straightforward way.” The Part 2 rule applies to organizations that provide drug and alcohol diagnosis and treatment and receive federal assistance, potentially including providers participating in Medicare and/or Medicaid. HHS’s Substance Abuse and Mental Health Services Administration (SAMHSA) enforces the rule, which dates back to 1975. Part 2 was revised in 2017 and 2018, when regulators modernized it and pushed it somewhat closer to HIPAA in light of the opioid crisis. In the new final rule, SAMHSA also worked to better align Part 2 with HIPAA. Physicians and other clinicians now will have slightly more freedom to share substance use treatment information with non-Part 2 providers. Under the rule, if the substance use disorder patient records from Part 2 providers are “segregated” in the medical records, then providers who do not fall under Part 2 will not be required to apply stringent Part 2 requirements to other parts of the medical records. Instead, providers can use the information as long as they comply with HIPAA. Also, SAMHSA modified the written consent requirements so that patients aren’t required to specify the individual to whom a disclosure will be made; instead, the name of the entity is good enough. “If you want to link someone up with social services or food safety, there was no way to operationalize that,” Hepworth noted. “That was a huge barrier. SAMHSA is incrementally easing the barrier, because in today’s times, people are trying to follow a model of whole-person care and address the social determinants of health.” The final rule goes into effect Aug. 14.
◆ About 10,000 patients saw their protected health information breached as part of an incident at the University of Utah Health. The health system said that there was unauthorized access to some of its employees’ email accounts between April 7 and May 22. The health system said it secured each affected account shortly after identifying the unauthorized access, which occurred as a result of a phishing scheme. Investigations revealed that some patient information was contained in the email accounts. Information disclosed could have included patient names, dates of birth, medical record numbers and limited clinical information related to the care patients received at the health system’s facilities. The health system notified patients earlier this year of similar attacks, and since that time, it said it has been working to implement enterprise-wide security enhancements, including expanded use of multifactor authentication. There’s no indication that patient information was misused, the health system said.
◆ Nearly 6,000 people may have had their data exposed in a breach at Detroit’s Beaumont Health System in January. Beaumont said that an unauthorized third party accessed patient data after an email breach among employee accounts. The breach occurred between Jan. 3 and Jan. 29 and included patient names, procedures and personal information. According to the health system’s statement:
Upon learning of this issue, Beaumont promptly disabled the accessed email accounts and required mandatory password resets to prevent further misuse … After an extensive forensic investigation and comprehensive manual document review, we discovered on June 5, 2020 that one or more of the email accounts accessed between January 3, 2020 and January 29, 2020 contained identifiable personal and/or protected health information. Our investigation was unable to determine definitively if any information was viewed or acquired by the unauthorized third party.
Beaumont said it “has no knowledge of any misuse of data by any unauthorized individuals.” Information in the email accounts included names, dates of birth, diagnosis and procedure information, treatment locations and types, prescription information and medical record numbers.
◆ IBM Security’s annual study looking at the worldwide financial impact of data breaches found that breaches cost companies $3.86 million per breach on average, and that compromised employee accounts were the most expensive root cause. The study, based on in-depth analysis of data breaches experienced by more than 500 organizations worldwide, found that 80% of incidents resulted in the exposure of customers’ personally identifiable information. Companies in the United States continued to experience the highest data breach costs in the world—$8.64 million on average. Responding health care companies worldwide continued to incur the highest average breach costs at $7.13 million—more than a 10% increase compared to the 2019 IBM study.
◆ The Louisiana Department of Health is pushing back against local health departments that it says are misusing lists of people who have tested positive for COVID-19. Early in the pandemic, the state-level health department began sending to local emergency officials lists of patients who had tested positive in an effort to help first responders know when to prepare for interacting with someone who has the virus. But now, the state health department said local health officials are violating patient privacy laws by sharing some HIPAA-protected information unnecessarily and are misinterpreting the data to reach erroneous conclusions. Local health officials must sign a data-sharing agreement in order to continue getting access to the information, state health officials said.
◆ Police in Wilmington, North Carolina, said they would not file charges after finding discarded medical materials, including medical records, in a dumpster behind the former facility of Southcare Minute Clinic. Investigating officers found medical files, needles and other hazardous materials in the dumpster. The officers determined that no crime had been committed, but noted that “the facility did violate HIPAA rules.” The North Carolina Department of Health and Human Services is considering the case, and will determine if the facility should be fined, the police said. The dumpster was removed within 48 hours of being reported to the police.
◆ A data breach at a Maryland long-term care provider potentially exposed the personal information of nearly 50,000 residents. Lorien Health Services, which offers assisted living, skilled nursing and rehabilitation at nine locations in Maryland, suffered a ransomware attack from the hacker group NetWalker. According to the publication McKnight’s Senior Living, after Lorien refused to pay the ransom demand, NetWalker posted screenshots of the stolen information. According to Lorien, the ransomware incident occurred on June 6, and by June 10, the investigation had determined that personal information had been accessed. Information that was accessed may have included residents’ names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information. Lorien is offering complementary credit monitoring and identity protection services to those who were affected by the incident.
◆ Personal information of more than 1,500 veterans in Montana may have been accessed during a data breach involving files from the Montana Veterans Administration Health Care System earlier this year. The Veterans Health Administration (VHA) announced the breach on July 23, after being notified on June 4 by the former contractor that experienced the breach. The company, which had been contracted to maintain VHA data, said VHA files may have been among those accessed and/or acquired between April 20 and April 30 by an unauthorized actor. Full names, Social Security numbers and facility information were included in the information that may have been accessed. The health care system said it would offer free annual credit reports and free credit monitoring.