HHS Clarifies HIPAA Liability Around Third-Party Health Apps

Interesting article that tries to summarize some of the latest HHS guidance. It includes this passage: “If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,” officials explained.


HHS and HIPAA – Caveats on HHS web site content!

On the HHS web site, HHS links to NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations.

But https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es

links to an OUTDATED (locally hosted) copy of NIST SP 800-52 from 2005. The effective version (from 2014) is at https://csrc.nist.gov/publications/detail/sp/800-52/rev-1/final

The changes are briefly explained here: https://www.nist.gov/news-events/news/2014/04/nist-revises-guide-use-transport-layer-security-tls-networks

However, there is also a new draft version – with IMPORTANT COMMENTS at


HHS (HIPAA): Man-in-the-Middle Attacks and “HTTPS Inspection Products” (April 2017)


“Covered entities and business associates using HTTPS interception products or considering their use should consider the risks presented to their electronic PHI transmitted over HTTPS, and intercepted with an HTTPS interception product, as part of their risk analysis, particularly considering the pros and cons discussed by the US-CERT alerts, and the increased vulnerability to malicious third-party MITM attacks.

In addition to reviewing recommendations from US-CERT, covered entities and business associates should also review recommendations from the National Institute of Standards and Technology (NIST) for securing end-to-end communications, especially regarding the configuration, use and updating of TLS/SSL implementations. OCR’s Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals references NIST SP-800 series publications to describe the valid encryption processes to use to ensure that electronically transmitted PHI is not unsecured.”
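As an added example (not code from the HHS page, US-CERT or NIST), the Python script below turns the two recommendations above into something checkable: it encodes the protocol-version floor of NIST SP 800-52 Rev. 1 (SSL 2.0/3.0 prohibited, TLS 1.1 required, TLS 1.2 recommended) as a configuration check with a weak and a hardened configuration side by side, builds a hardened client-side `ssl.SSLContext` for transmitting ePHI, and shows the client-side issuer check that reveals when an HTTPS interception product has re-signed a server certificate. The configuration dict shape, the certificate samples and all issuer and host names are constructed for illustration; cipher-suite and certificate-profile requirements of the NIST guidance are not modelled.

```python
import ssl

# Protocol versions in order of strength; the list index is used to compare
# a configured floor against the guidance (constructed for this example).
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def assess_tls_config(config):
    """Check the protocol-version floor of a TLS configuration against the
    version rules of NIST SP 800-52 Rev. 1: SSL 2.0/3.0 must not be used,
    TLS 1.1 is the required minimum and TLS 1.2 should be supported.
    `config` is a constructed dict with 'min_version' and 'max_version'
    keys (hypothetical shape, not any product's real format). Returns a
    list of finding strings; an empty list means the floor is acceptable."""
    lo = PROTOCOL_ORDER.index(config["min_version"])
    hi = PROTOCOL_ORDER.index(config["max_version"])
    findings = []
    if lo <= PROTOCOL_ORDER.index("SSLv3"):
        findings.append("SSL 2.0/3.0 enabled (prohibited)")
    if lo < PROTOCOL_ORDER.index("TLSv1.1"):
        findings.append("minimum version below TLS 1.1")
    if hi < PROTOCOL_ORDER.index("TLSv1.2"):
        findings.append("TLS 1.2 not supported")
    return findings


def hardened_client_context():
    """Client-side ssl.SSLContext for transmitting ePHI: chain and hostname
    verification stay on (create_default_context) and the floor is raised
    to TLS 1.2, which is stricter than the Rev. 1 minimum of TLS 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def issuer_fields(peercert):
    """Flatten the issuer of a getpeercert()-style dict into {attribute: value}."""
    fields = {}
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            fields[attr] = value
    return fields


def interception_suspected(peercert, expected_issuer_orgs):
    """True when the certificate the client received was issued by an
    organisation outside the set the client expects for that host. An HTTPS
    interception product terminates TLS and re-signs the server certificate
    with its own CA, so the issuer seen by the client changes even though
    chain validation succeeds once that CA is in the local trust store."""
    org = issuer_fields(peercert).get("organizationName")
    return org not in expected_issuer_orgs


# Constructed sample inputs (names are placeholders, not real CAs or hosts).
WEAK_CONFIG = {"min_version": "SSLv3", "max_version": "TLSv1"}
HARDENED_CONFIG = {"min_version": "TLSv1.2", "max_version": "TLSv1.3"}

DIRECT_PEERCERT = {
    "subject": ((("commonName", "ehr.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
INTERCEPTED_PEERCERT = {
    "subject": ((("commonName", "ehr.example.org"),),),
    "issuer": ((("organizationName", "Example Corp HTTPS Inspection"),),
               (("commonName", "Example Corp Inspection Root"),)),
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, assess_tls_config(cfg) or "OK")
    expected = {"Example Public CA"}
    print("direct path intercepted?", interception_suspected(DIRECT_PEERCERT, expected))
    print("inspected path intercepted?", interception_suspected(INTERCEPTED_PEERCERT, expected))
    print("client floor:", hardened_client_context().minimum_version.name)
```

The issuer check only works if the client knows which CA it expects for a given host; in practice that is a short allow-list maintained per endpoint, and a mismatch is a signal to include in the risk analysis the HHS text calls for rather than a reason to disable chain validation.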

HIPAA violations: $2.5 million settlement for US Diagnostics company

This is the first settlement involving a wireless health services provider: CardioNet provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.

Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.


HIPAA settlement – Fresenius pays $3.5 million USD

Quotes from the linked page below:

OCR’s investigation revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.

The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.

FMC Ak-Chin failed to implement policies and procedures to address security incidents.

FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility.

FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.

FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.

In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.