HIPAA Journal – contacting COVID-19 patients

OCR explained that the HIPAA Privacy Rule does not prohibit healthcare providers from contacting COVID-19 patients to request blood and plasma donations, and that prior authorization from the patient is not required.

  • Healthcare providers can contact patients to advise them about opportunities to donate blood and plasma in support of the COVID-19 response, improving other patients’ chances of beating the disease.

The Senate Health, Education, Labor, and Pensions (HELP) Committee is working through the 31 policies that were implemented in relation to Telehealth within the last few months.

  • The University of Virginia (UVA) illustrates the success of telehealth: it experienced a 9,000% increase in virtual visits between February and May, according to Karen Rheuban, M.D., director of the UVA Center for Telehealth. Sen. Alexander explained that Ascension Saint Thomas had gone from providing around 50 telehealth visits a year to more than 30,000 per month between April and May. Between April and May, telehealth accounted for around 45% of all visits.

Ransomware groups are finding vulnerabilities in remote desktop protocol (RDP) and virtual private networks (VPN) across the U.S.

  • Weak multi-factor authentication and unpatched vulnerabilities in VPN software have been key contributors to these attacks.

Recent cyber/ransomware attacks related to the Healthcare industry

  • Rangely District Hospital in Colorado experienced a ransomware attack in April 2020. Some of its files, including files containing PHI, could not be encrypted. 6,339 patients were likely affected by this attack.
  • Electronic Waveform Lab, a Huntington Beach, CA-based manufacturer of medical, surgical, ophthalmic, and veterinary instruments, experienced an attack in which its servers were hacked. A minimal amount of PHI was on the servers, and the company was able to recover from the attack, saving its servers and data.
  • At Sunrise Treatment Center in Cincinnati, OH, an unauthorized user obtained the credentials of an employee’s email account; over 3,660 patients were likely affected by this attack. The unauthorized user also attempted to have employees wire money to a foreign bank account, but the attempt was shut down immediately.
  • Gateway Health, a managed care organization serving members in Pennsylvania, had its imaging servers accessed without authorization by an individual outside the organization. The PHI of Gateway Health patients was likely compromised.
  • Cano Health (FL) had the email accounts of three employees accessed by individuals outside the organization for over two years. The breach was discovered in April 2020, but records showed that access had begun earlier. The attack affected over 28,268 patients.

Are you 100% sure you are HIPAA compliant?