Our HIPAA compliance news section keeps you up to date with HIPAA breaches, OCR updates and HITECH and GDPR compliance issues. Make sure you remain up to date with the latest HIPAA compliance news by subscribing to our newsletter or follow us on Twitter @HIPAAJournal.

December 2021 Healthcare Data Breach Report
Jan18

December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – An 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – The second-highest total since OCR started publishing summaries of healthcare data breaches in 2009. Largest Healthcare Data Breaches in December 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause Oregon Anesthesiology Group, P.C. OR Healthcare Provider 750,500 Ransomware Texas ENT Specialists TX Healthcare Provider 535,489 Ransomware Monongalia Health System, Inc....

Read More
New HIPAA Regulations in 2022
Jan14

New HIPAA Regulations in 2022

It has been several years since new HIPAA regulations have been signed into law, but HIPAA changes in 2022 are expected. The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable. Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. There have been calls from many...

Read More
Possible HIPAA Updates and HIPAA Changes in 2022
Jan10

Possible HIPAA Updates and HIPAA Changes in 2022

The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Updates to HIPAA are long overdue but steps were finally made to update HIPAA in December 2020, when the HHS issued a notice of Proposed Rulemaking that detailed several proposed changes to the HIPAA Privacy Rule, and a Final Rule is now due which will likely see many HIPAA changes in 2022. Major HIPAA Updates in the Past 20 Years Since HIPAA was signed into law there have been a few major HIPAA updates. The HIPAA Privacy and Security Rules were introduced which limited uses and disclosures of protected health information, gave patients new rights over their healthcare data, and introduced a set of minimum security standards. Those HIPAA updates were followed by the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach...

Read More
2020-2021 HIPAA Violation Cases and Penalties
Jan04

2020-2021 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Jan02

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
What is Protected Health Information?
Jan02

What is Protected Health Information?

The latest article in our HIPAA basics series answers the question what is protected health information? The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information? First, it is worthwhile explaining two other important terms detailed in HIPAA regulations: A covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse which transmits health data electronically for transactions that the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual who performs services on behalf of a HIPAA-covered entity that requires access to, or the use of, protected health information. What is Protected Health Information? Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in...

Read More
HIPAA Enforcement by State Attorneys General
Dec28

HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases...

Read More
What is Considered PHI Under HIPAA?
Dec28

What is Considered PHI Under HIPAA?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA? What is Considered PHI Under HIPAA Rules? Under HIPAA PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual...

Read More
What are the Penalties for HIPAA Violations?
Dec23

What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.  The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations...

Read More
November 2021 Healthcare Data Breach Report
Dec21

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders
Dec21

OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published new guidance to explain how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) to support applications for extreme risk protection orders. In June 2021, the U.S. Department of Justice published model legislation to provide states with a framework for creating their own extreme risk protection order (ERPO) laws. Extreme risk protection orders temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths. ERPO legislation permits certain entities such as law enforcement officers, family members, and healthcare providers to apply to the courts for an ERPO. Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. If healthcare providers are involved in ERPOs, the HIPAA Privacy Rule applies and places restrictions on any disclosures of PHI. The HIPAA Privacy Rule permits...

Read More
New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations
Dec16

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC. Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details. In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the...

Read More
What is a HIPAA Violation?
Dec14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
HIPAA Social Media Rules
Dec12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks. There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media Healthcare organizations must implement a HIPAA social media policy to reduce the risk of...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access
Dec06

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act. New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties. The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to...

Read More
What is HIPAA Certification?
Dec03

What is HIPAA Certification?

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services. What is HIPAA Certification? Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors. Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services...

Read More
HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats
Dec03

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats. The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use. More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and...

Read More
What is Considered Protected Health Information Under HIPAA?
Dec02

What is Considered Protected Health Information Under HIPAA?

Protected health information – or PHI – is often mentioned in relation to HIPAA and healthcare, but what is considered protected health information under HIPAA? What is Considered Protected Health Information Under HIPAA Law? If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits the uses and disclosures of PHI. Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense. Protected Health Information Definition Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created,...

Read More
26th Annual Compliance Institute: March 28 – 31, 2022
Dec02

26th Annual Compliance Institute: March 28 – 31, 2022

Health Care Compliance Association (HCCA) will be hosting the 26th Annual Compliance Institute at the Phoenix Convention Center, Phoenix, AZ, March 28 – 31, 2022. HCCA is a member-based association for healthcare compliance professionals that is dedicated to enabling the lasting success and integrity of all professionals working for, with, or supporting healthcare organizations. Established in 1996, HCCA now has more than 12,000 members across the United States.  HCCA promotes the highest standards in compliance programs, creates high-quality educational training events, and provides a forum for interaction and information exchange within the healthcare compliance community. The Compliance Institute is HCCA’s primary educational and networking event. Running over 4 days, attendees will be able to attend 109 educational sessions, benefit from professional development opportunities, and will be able to network and improve their career prospects. The educational sessions highlight real-world compliance issues, emerging trends, and practical applications that attendees can use to...

Read More
HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations
Dec01

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records. The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified. The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the...

Read More
Who Does HIPAA Apply To?
Nov28

Who Does HIPAA Apply To?

Who Does HIPAA Apply To? Confusion sometimes exists over the question of who does HIPAA apply to because the requirement to protect individually identifiable health information is covered in only a small section of a very substantial Act. Even when this small section is extracted and analyzed, it is still not always clear who does HIPAA apply to and which organizations need to implement HIPAA compliance programs. Does HIPAA Apply to Everybody? The Health Insurance Portability and Accountability Act (PDF) is a substantial body of legislation passed by Congress in 1996. As the title of the Act suggests, it addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans. However, HIPAA consists of four further titles covering topics from medical liability reform to taxes on expatriates who give up U.S....

Read More
What is the Civil Penalty for Knowingly Violating HIPAA?
Nov26

What is the Civil Penalty for Knowingly Violating HIPAA?

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules What is HIPAA? The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data. HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties. As with other federal laws, there are...

Read More
October 2021 Healthcare Data Breach Report
Nov22

October 2021 Healthcare Data Breach Report

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021. The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021. Largest Healthcare Data Breaches in October 2021 There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below. Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Breach Cause Eskenazi Health IN...

Read More
HHS Increases HIPAA Penalties for 2021 per the Inflation Adjustment Act
Nov17

HHS Increases HIPAA Penalties for 2021 per the Inflation Adjustment Act

Under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015*, the Office of the Assistant Secretary for Financial Resources of the Department of Health and Human Services (HHS) has issued a final rule that implements adjustments to the maximum civil monetary penalties for HIPAA violations for 2021. According to the Department of Health and Human Services, the 2021 annual inflation adjustment “is determined using the percent increase in the Consumer Price Index for all Urban Consumers (CPI–U) for the month of October of the year in which the amount of each CMP was most recently established or modified.” The cost-of-living adjustment multiplier for 2021 is 1.01182. Previous cost-of-living multipliers are indicated below: 2017 – 1.01636 2018 – 1.02041 2019 – 1.02522 2020 – 1.01764 The final rule took effect on Monday, November 15, 2021, and applies to penalties assessed on or after November 15, 2021, if the violation occurred on or after November 2, 2015. These penalties will apply until the next inflation increase is applied. The annual...

Read More
Is it a HIPAA Violation to Email Patient Names?
Nov14

Is it a HIPAA Violation to Email Patient Names?

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information. Is it a HIPAA Violation to Email Patient Names? Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data. It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected...

Read More
New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations
Nov12

New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations

The New Jersey Attorney General has approved a $130,000 settlement with two printing firms to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) that resulted in a breach of the protected health information (PHI) of 55,715 New Jersey residents. Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients. When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include...

Read More
What is a Limited Data Set Under HIPAA?
Nov07

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. In contrast to de-identified protected health information, which is no longer classed as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected information. Therefore it is still subject to HIPAA Privacy Rule regulations. A HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity. The data use agreement allows the covered entity to obtain satisfactory assurances that the PHI will only be used for specific purposes, that the PHI will not be disclosed by the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be followed. The data use agreement, which must be accepted prior to the limited data set being shared, should outline the following:...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Nov06

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
OSHA and HIPAA Compliance
Nov05

OSHA and HIPAA Compliance

In healthcare, OSHA and HIPAA compliance are both essential. There are separate standards that must be adhered to for compliance, but there are broad similarities in terms of reporting, recordkeeping, and enforcement. The Occupational Safety and Health Act (OSH Act) The Occupational Safety and Health Act (OSH Act) was signed into law more than 50 years ago and remains as relevant today as it was when President Nixon added his signature to the bill on December 29, 1970. The OSH Act covers the private sector and the federal government and requires employers to create and maintain a safe and healthful working environment, and ensure employees are protected from hazards in the workplace. The OSH Act created the Occupational Safety and Health Administration (OHSA) within the Department of Labor, which is responsible for outreach, education, assistance, and is also the enforcer of compliance with the OSH Act. OHSA sets health and safety standards against which employers are measured. Those standards are published in Title 29 of the Code of Federal Regulations (29 U.S.C. §§ 651 to 678),...

Read More
What Happens if You Break HIPAA Rules?
Nov03

What Happens if You Break HIPAA Rules?

HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties, and what happens if you break HIPAA Rules? What Happens if You Break HIPAA Rules? If you break HIPAA Rules there are four potential outcomes: The violation could be dealt with internally by an employer You could be terminated You could face sanctions from professional boards You could face criminal charges which include fines and imprisonment What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors: The nature of the violation Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated Whether action was taken to correct the violation Whether there was malicious intent or HIPAA...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance
Nov02

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections they have implemented to secure their legacy IT systems and devices. A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks. Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices. Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI
Oct27

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk. The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats. The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to...

Read More
How to Report a HIPAA Violation
Oct26

How to Report a HIPAA Violation

It is important for all employees in the healthcare and healthcare insurance industries to understand what constitutes a HIPAA violation and how to report a HIPAA violation. Understanding what constitutes a HIPAA violation should be included in the Covered Entity´s HIPAA training, as should the correct person to direct the report to – who then has the responsibility to determine whether ot not the HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Potential HIPAA violations must be investigated internally by HIPAA Covered Entities and – where applicable – their Business Associates to determine the severity of the breach, the risk to individuals impacted by the incident, and to ensure action is taken promptly to correct the violation and mitigate risk. The sooner a potential HIPAA violation is reported, the easier it will be to limit the potential harm that may be caused and to prevent further violations of HIPAA Rules. Reporting HIPAA Violations Internally When healthcare or insurance professionals...

Read More
Who Enforces HIPAA?
Oct25

Who Enforces HIPAA?

Since the passing of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Rule in 2006, noncompliance with HIPAA can result in a significant financial penalty, but who enforces HIPAA? Which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates? Who Enforces HIPAA? The primary enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009, saw state attorneys general given the power to assist OCR in the enforcement of HIPAA. The Centers for Medicare and Medicaid Services (CMS) also has some enforcement powers and the U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) have participated in HIPAA enforcement to some degree. HIPAA Enforcement by the HHS’ Office for Civil Rights The HHS’ Office for Civil Rights investigates all data breaches reported by covered entities and business...

Read More
September 2021 Healthcare Data Breach Report
Oct20

September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months. Largest Healthcare Data Breaches Reported in September 2021 16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...

Read More
What are the HIPAA Administrative Simplification Regulations?
Oct20

What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations – detailed in 45 CFR Part 160, Part 162, and Part 164 – require healthcare organizations to adopt national standards, often referred to as electronic data interchange or EDI standards. The purpose of these regulations is to save time and costs by streamlining the paperwork required for processes such as billing, verifying patient eligibility, and sending and receiving payments. HIPAA Administrative Simplification Standards The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. By adopting these standards and switching from paperwork to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, obtain information more rapidly, and easily check the status of claims. The regulations require HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to adopt standards for transactions involving the electronic exchange of...

Read More
Is Zoom a HIPAA Compliant Video and Web Conferencing Platform?
Oct19

Is Zoom a HIPAA Compliant Video and Web Conferencing Platform?

Zoom is a popular video and web conferencing platform that has been adopted by more than 750,000 businesses, but is the service suitable for use by healthcare organizations for sharing PHI. Is Zoom HIPAA compliant? What is Zoom? Zoom is a cloud-based video and web conferencing platform that allows workers across multiple locations to take part in meetings, share files, and collaborate. The platform supports webinars and includes a business IM service. Zoom has already been adopted by many healthcare organizations around the globe who use the platform to consult with other providers and communicate with patients. However, in the United States, healthcare providers, health plans, and healthcare clearinghouses (collectively “HIPAA covered entities”) using the platform must comply with HIPAA Rules. Any software solution use to share patient information must incorporate a host of security protections to ensure protected health information (PHI) is safeguarded. Further, cloud-based platform providers (i.e. in this case Zoom) are classed as a business associates and are also...

Read More
De-identification of Protected Health Information: How to Anonymize PHI
Oct18

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, but de-identification of protected health information means HIPAA Privacy Rule restrictions no longer apply. HIPAA Privacy Rule restrictions only covers individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, PHI can be freely shared. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed. HIPAA-Compliant De-identification of Protected Health Information HIPAA-compliant de-identification of protected health information is possible...

Read More
What Are Covered Entities Under HIPAA?
Oct18

What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates? Covered Entities Under HIPAA Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs. Healthcare clearinghouses are organizations that...

Read More
What is the Purpose of HIPAA?
Oct18

What is the Purpose of HIPAA?

The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – is an important legislative Act affecting the U.S. healthcare industry, but what is the purpose of HIPAA? Healthcare professionals often complain about the restrictions of HIPAA – Are the benefits of the legislation worth the extra workload? What is the Purpose of HIPAA? HIPAA was first introduced in 1996. In its earliest form, the legislation helped to ensure that employees would continue to receive health insurance coverage when they were between jobs. The legislation also required healthcare organizations to implement controls to secure patient data to prevent healthcare fraud, although it took several years for the rules for doing so to be penned. HIPAA also introduced several new standards that were intended to improve efficiency in the healthcare industry, requiring healthcare organizations to adopt the standards to reduce the paperwork burden. Code sets had to be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between...

Read More
New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty
Oct14

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty. Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI). Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents. As a HIPAA-covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access. Diamond Investigated for...

Read More
Is Skype HIPAA Compliant?
Oct13

Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules? There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules? This article will attempt to answer the question, Is Skype HIPAA compliant? Is Skype a Business Associate? Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary. However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits ePHI on behalf of a HIPAA-covered entity or one of its business associates....

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
What is HIPAA Authorization?
Oct09

What is HIPAA Authorization?

We are often asked to clarify certain elements of HIPAA Rules. One recent question relates to disclosures of protected health information (PHI) and medical records – ‘What is HIPAA authorization?’ What is HIPAA Authorization? The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared. The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations. HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual/entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule....

Read More
How to Report a HIPAA Violation Anonymously
Oct06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated of if HIPAA Rules are not being followed in your organization. When Can an Alleged HIPAA Violation be Reported? Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
Is WhatsApp HIPAA Compliant?
Oct06

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform. Why Isn’t WhatsApp HIPAA Compliant? First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users. HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is...

Read More
OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures
Oct05

OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures

The Department of Health and Human Services’ Office for Civil Rights has issued guidance to educate the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status information and requests from individuals about whether a person has been vaccinated against COVID-19. In the guidance, OCR confirmed that HIPAA only applies to HIPAA-regulated entities. HIPAA regulated entities are healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions, and business associates of those entities that require access to or encounter protected health information (PHI). OCR reminded the public that the HIPAA Privacy Rule does not apply to employers or employment records. That includes information collected or stored by HIPAA-regulated entities in their capacity as an employer. OCR explained how HIPAA applies to COVID-19 vaccination information in certain situations through a website Q&A and states: The HIPAA Privacy Rule does not prohibit businesses or individuals from...

Read More
How Employees Can Help Prevent HIPAA Violations
Oct03

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations.  Employers can help employees by providing regular HIPAA training. Employees Can Help to Prevent HIPAA Violations Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be...

Read More
What to Do if You Discover a HIPAA Violation in the Workplace
Oct02

What to Do if You Discover a HIPAA Violation in the Workplace

You suspect there has been a HIPAA violation in the workplace, should you report the violation? If so, how should you report the potential violation and who needs to be told? Is it Necessary to Report a HIPAA Violation in the Workplace? If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with HIPAA Rules, the potential violation(s) should be reported. Since the passing of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach or HIPAA audit, the HHS’ Office for Civil Rights may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence. If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar...

Read More
What Does HIPAA Cover?
Oct01

What Does HIPAA Cover?

It has been 22 years since the Health Insurance Portability and Accountability Act (HIPAA) was Introduced, but there is still some confusion about HIPAA, what the legislation does for patients, who is required to comply with HIPAA Rules, and what does HIPAA cover. Who Does HIPAA Cover? HIPAA is a federal law that introduced standards in healthcare relating to patient privacy and the protection of medical data. HIPAA covers healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. HIPAA applies to most entities that fall into the above categories, except those that do not conduct transactions electronically. Healthcare providers include hospitals, clinics, physicians, nursing homes, pharmacies, chiropractors, dentists, and psychologists. Health plans include health insurers, company health plans, HMOs, and government programs that pay for healthcare such as Medicaid and Medicare. Healthcare clearinghouses are organizations that transform nonstandard health data into a standard format. A business associate is an individual or...

Read More
Is OneDrive HIPAA Compliant?
Sep30

Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files. Microsoft Supports HIPAA-Compliance There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules. That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA). Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well...

Read More
What is a HIPAA Subpoena?
Sep28

What is a HIPAA Subpoena?

The U.S. Department of Justice has recently been cracking down on healthcare offenses, with investigations often involving a HIPAA subpoena being issued. The subpoena compels HIPAA-regulated entities to release information such as patient medical records that they would otherwise not be permitted to disclose due to Privacy Rule restrictions on uses and disclosures. The HIPAA Privacy Rule permits disclosures of protected health information (PHI) if compelled to do so by a valid subpoena. What is a HIPAA Subpoena? A HIPAA subpoena is an administrative subpoena which requires a HIPAA-regulated entity to release documents to support investigations of federal criminal healthcare offenses pursuant to 18 U.S.C. § 3486, and the use of these subpoenas is becoming more common. A HIPAA subpoena is similar to a federal grand jury subpoena, in that they both compel a HIPAA regulated entity to release specific information to assist with investigations into healthcare offenses. A HIPAA subpoena is an administrative subpoena, but they are not generally issued for investigations that are purely...

Read More
Lisa J. Pino Named New Director of HHS’ Office for Civil Rights
Sep27

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since President Trump-appointed Roger Severino resigned from the post in mid-January. OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and Patient Safety Rule, as well as enforcing federal civil rights, conscience and religious freedom laws. Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow. Pino has served as legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where...

Read More
Is it a HIPAA Violation to Ask for Proof of Vaccine Status?
Sep25

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?

According to several media sources, there appears to be a degree of confusion about the purpose of HIPAA, who it applies to, and whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation. The confusion was highlighted recently when, on May 18, 2021, Rep. Marjorie Taylor Greene, (R-Ga) was asked whether she had been vaccinated, as she had refused to wear a mask on the House floor in breach of House rules. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct as HIPAA does not apply in such situations. It is not only Rep. Greene who is unsure about the purpose of HIPAA and who it applies to. Several organizations have also raised concerns that asking employees to provide proof of being vaccinated against COVID-19 in order to avoid wearing a facemask, maintain social distancing, or self-isolate after exposure to an infected person may also be a violation of HIPAA. HIPAA and Its Purpose The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of...

Read More
Is FaceTime HIPAA Compliant?
Sep19

Is FaceTime HIPAA Compliant?

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate electronic protected health information (ePHI) without violating HIPAA Rules? In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary. Will Apple Sign A BAA for FaceTime? An extensive search of the Apple website has revealed no indication that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI. Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate? The HIPAA Conduit...

Read More
OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
Sep13

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019. Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year. The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making...

Read More
When Was HIPAA Enacted?
Sep09

When Was HIPAA Enacted?

How long has compliance with the Health Insurance Portability and Accountability Act (HIPAA) been necessary? When was HIPAA enacted and what were the compliance dates for the original act and its subsequent amendments? When was HIPAA Enacted? HIPAA was enacted on August 21, 1996 when President Bill Clinton added his signature and signed the legislation into law. One of the key aims of the legislation was to improve the portability health insurance coverage – Ensuring employees retained health insurance coverage when between jobs. HIPAA also made healthcare organizations accountable for health data and helped to ensure health information remains private and confidential. HIPAA also combated wastage in healthcare and helped to prevent fraud and abuse in healthcare delivery and health insurance, while also simplifying the administration of healthcare. HIPAA was enacted and signed into law in 1996, but there have been major updates to HIPAA legislation over the years, notably the introduction of the HIPAA Privacy Rule, The HIPAA Security Rule, the incorporation of HITECH Act...

Read More
California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents
Aug25

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches and healthcare organizations are also required to comply with state data breach notification laws. Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified. Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health...

Read More
July 2021 Healthcare Data Breach Report
Aug23

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Read More
Future of HIPAA: Reflections at the 25th Anniversary of HIPAA
Aug21

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA? It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today. It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially due to the considerable administrative burden it initially placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives. The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes...

Read More
Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul23

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s’...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
Is Dropbox HIPAA Compliant?
Jul14

Is Dropbox HIPAA Compliant?

Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information? Is Dropbox HIPAA Compliant? Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant? Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform can be HIPAA compliant as it depends on how the software or platform is used. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules. The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required. Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA...

Read More
Is Google Voice HIPAA Compliant?
Jun30

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing, and email, Google Voice is not...

Read More
No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation
Jun28

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th amendment when an individual’s privacy is violated. The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor. In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the...

Read More
Former Mayo Clinic Doctor Charged Over Improper Medical Record Access
Jun28

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail. The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered. A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no...

Read More
Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation
Jun25

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend. Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties. Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records from October 2013 to September 2017 on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so. Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed. Bacor...

Read More
May 2021 Healthcare Data Breach Report
Jun18

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67. May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months. Largest Healthcare Data Breaches Reported in April 2021 As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by...

Read More
Webinar 06/16/21: Social Media and HIPAA Compliance
Jun10

Webinar 06/16/21: Social Media and HIPAA Compliance

Social media platforms such as Facebook, Twitter, Snapchat, and Instagram make it easy for healthcare organizations to advertise their services and win new business. Healthcare providers can use social media sites to communicate with patients, provide updates on their services, and engage patients and get them to take a more active role in their healthcare. While there are many benefits that can come from social media in healthcare, many healthcare organizations rightly see social media networks as minefield of HIPAA violations. This is not only true for the corporate accounts of healthcare providers, but also the personal social media accounts of their employees. An employee communicating on social media after a particularly difficult day could easily divulge information that could violate patient privacy. There have been many cases of healthcare employees communicating on social media networks, including private Facebook groups, and sharing sensitive information about patients in violation of the HIPAA Rules. Virtually all healthcare employees have smartphones, and it is common...

Read More
What Information is Protected Under HIPAA Law?
Jun08

What Information is Protected Under HIPAA Law?

What Information is Protected Under HIPAA Law The Healthcare Insurance Portability and Accountability Act (HIPAA) consist of five Titles, each with their own set of HIPAA laws. Four of the five sets of HIPAA laws are straightforward and cover topics such as the portability of healthcare insurance between jobs, the coverage of persons with pre-existing conditions, and tax provisions for medical savings accounts. However, Title II – the section relating to administrative simplification, preventing healthcare fraud and abuse, and medical liability reform – is far more complicated. It contains subsets of HIPAA laws which sometimes overlap with each other and several of the provisions in Title II have been modified, updated, or impacted by subsequent acts of legislation. Furthermore, since HIPAA was enacted, the U.S. Department for Health and Human Services (HHS) has promulgated six sets of “Rules”; which, as they are codified in 45 CFR Parts 160, 162, and 164, are strictly speaking HIPAA laws within HIPAA laws. These are most commonly referred to as the Administrative Simplification...

Read More
Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case
Jun02

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019. DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received. In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into...

Read More
Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000
May25

Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Peachstate Health Management, LLC, dba AEON Clinical Laboratories to resolve multiple violations of the HIPAA Security Rule. Peachstate is a CLIA-certified laboratory that provides a range of services including clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC). OCR launched a compliance investigation on August 31, 2016 following a breach of unsecured protected health information reported by the U.S. Department of Veterans Affairs (VA) on January 7, 2015 involving its business associates, Authentidate Holding Corporation (AHC). The VA had contracted with AHC to manage the VA’s Telehealth Services Program. The aim of the OCR investigation was to assess whether the breach was the result of the failure to comply with the HIPAA Privacy and Security Rules. During the course of the investigation, OCR learned that AHC had entered into a reverse merger with Peachstate on January 27, 2016 and had...

Read More
Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes
May13

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule. There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks. Another area...

Read More
NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance
May05

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed. NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. During the past 13 years, cybersecurity has evolved and the threat landscape has changed considerably. NIST’s cybersecurity resources have also evolved during that time and an update to the guidance is now long overdue. NIST will be updating the guidance to reference its new cybersecurity resources, will amplify awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will update its implementation guidance for HIPAA-covered entities and business associates. Specifically, NIST has requested comment from stakeholders on their experiences applying and using the resource guide, including the...

Read More
Can E-Signatures Be Used Under HIPAA Rules?
May03

Can E-Signatures Be Used Under HIPAA Rules?

The use of digital signatures in the healthcare industry has helped to improve the efficiency of many processes, yet the question still remains can e-signatures be used under HIPAA rules. Effectively the answer is “yes”, provided that mechanisms are put in place to ensure the legality and security of the contract, document, agreement or authorization, and there is no risk to the integrity of PHI. What Does HIPAA Say About E-Signatures? Proposals for the use of e-signatures under HIPAA rules were included in the first draft of the 2003 Security Rule, but then removed before the legislation was enacted. Subsequent guidance relating to Business Associate Agreements and the exchange of electronic health information has been published on the U.S: Department of Health and Human Resources website that states: “No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.” Generally, a signature is not required for many...

Read More
March 2021 Healthcare Data Breach Report
Apr19

March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates. The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February. Largest Healthcare Data Breaches Reported in March 2021 The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates. Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server Health Net of California Health Plan 523,709 Hacking/IT...

Read More
HHS Information Blocking and Interoperability Regulations Now in Effect
Apr09

HHS Information Blocking and Interoperability Regulations Now in Effect

The new information blocking and interoperability regulations developed by the Department of Health and Human Services as part of the 21st Century Cures Act took effect on Monday this week. It has been over a year since the final rule was released, and now the benefits of the information blocking and interoperability provisions can now be realized. The final rule defines information blocking and stipulates the penalties for providers that engage in activities that interfere with access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request it be sent to the application of their choosing. The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision only applies to a subset of EHI detailed in the US Core Data for Interoperability (v1). Core EHI includes clinical notes,...

Read More
Survey Reveals Sharing EHR Passwords is Commonplace
Apr06

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password or alternate – but equally effective – authentication method. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for...

Read More
HIPAA Compliance for Pharmacies
Apr06

HIPAA Compliance for Pharmacies

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe. Key Elements of HIPAA Compliance for Pharmacies The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below. Conduct risk analyses – A comprehensive, organization wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a onetime checkbox item. Risk analyses must be conducted regularly, such as when there is a change...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives...

Read More
New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case
Mar29

New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years. OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records. OCR investigators determined that the delay in providing the records, which exceeded the 30 allowed days for acting...

Read More
Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000
Mar25

Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Action investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty. OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months. When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay. OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right...

Read More
How Often is HIPAA Training Required?
Mar20

How Often is HIPAA Training Required?

HIPAA-covered entities and their business associates must ensure that all members of the workforce that encounter protected health information (PHI) in any of its forms need to be provided with training, but how often is HIPAA training required and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training? What Does HIPAA Say About Employee Training? Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The HIPAA Security Rule training standard states: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).” The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to...

Read More
How Often Do You Need HIPAA Training?
Mar19

How Often Do You Need HIPAA Training?

The question of how often do you need HIPAA training does not have a definitive answer because the HIPAA training requirements are deliberately flexible in order to adapt to different types of Covered Entities and Business Associates, and the functions they perform. However, the failure to provide adequate HIPAA training can have serious consequences. OCR is Cracking Down on Noncompliance! It can be difficult to fit training into busy workflows; but, if adequate training is not provided, it is possible for Covered Entities and Business Associates to be fined for non-compliance with HIPAA – even if there is no unauthorized use or disclosure of Protected Health Information. This is because HIPAA training is a requirement of both the HIPAA Privacy and Security Rules. The HHS’ Office for Civil Rights has stepped up enforcement of HIPAA compliance. In 2020, the number of investigations conducted by OCR increased by 18%, nineteen financial penalties were imposed, and 1,357 organizations were required to take corrective action to resolve non-compliance issues following patient complaints,...

Read More
When Did HIPAA Take Effect?
Mar16

When Did HIPAA Take Effect?

The Health Insurance Portability and Accountability Act was a landmark piece of legislation that was originally intended to simplify the administration of healthcare, eliminate wastage and prevent healthcare fraud, and to ensure insurance coverage was not lost when employees were between jobs. When Did HIPAA Take Effect? HIPAA was signed into law by President Clinton on August 21, 1996, although HIPAA has been updated several times over the past 20 years and many new provisions have been incorporated to improve privacy protections and security to ensure health information remains confidential. The main updates to HIPAA are summarized below. The HIPAA Privacy Rule The HIPAA Privacy Rule was a major update to HIPAA and introduced many of the aspects for which HIPAA is known today. The HIPAA Privacy Rule defined ‘Protected Health Information (PHI), patients were given the right to obtain copies of their protected health information from HIPAA covered entities, and strict rules were introduced on the allowable uses and disclosures of PHI. When did the Privacy Rule of HIPAA Take...

Read More
Is Microsoft Teams HIPAA Compliant?
Mar15

Is Microsoft Teams HIPAA Compliant?

Microsoft Teams is a popular communications platform used by many businesses to communicate more effectively, but can the solution be used in healthcare? Is Microsoft Teams HIPAA compliant? Microsoft Teams is a unified communication platform that includes workplace chat, video meetings, and file sharing and can be integrated into a range of different applications. The platform can be used to improve communication and collaboration in the workplace and with business associates. The platform is based on Office 365 (click here for information on Office 365 and HIPAA). Office 365 can be used in a HIPAA compliant manner, but in order for Microsoft Teams to be HIPAA compliant it must include a range of security features to keep any electronic protected health information secure. In the security compliance section of the Microsoft website, Microsoft explains that Microsoft Teams delivers advanced security and compliance and is included in its Tier-D compliance category. Tier D services have safeguards active by default and are compliant with ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2,...

Read More
Is Office 365 HIPAA Compliant?
Mar12

Is Office 365 HIPAA Compliant?

Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules? What is Office 365? Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access. Office 365 for Healthcare Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform. Microsoft does not demand that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to use of Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact. In the event of a security breach, the administrative contact...

Read More
Is HIPAA Training Required Annually?
Mar12

Is HIPAA Training Required Annually?

The frequency of HIPAA training sessions needed to comply with the HIPAA Privacy Rule is a source of confusion, with many healthcare providers interpreting the HIPAA text to mean HIPAA training is required annually, even though annual training sessions are not explicitly stated as a requirement anywhere in the HIPAA text. Similarly, the frequency of security awareness training is not stated, other than HIPAA requiring ‘periodic’ retraining. To help ensure you get your HIPAA training right, we have listed some of the best practices below which will ensure you do not fall afoul of regulators and attract a fine for noncompliance. Is HIPAA Training Required Annually? The HIPAA text does not provide a deadline for providing training and incorporates flexibility to make it easier for healthcare organizations to fit training into busy workflows. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the...

Read More
Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

Read More
Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days
Mar10

Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days

Changes to the HIPAA Rules are infrequent, so when updates are proposed they tend to include a slew of new requirements and updates to existing provisions. Before any updates are made, a request for information (RFI) is issued to allow the HHS to obtain feedback on aspects of the HIPAA Rules that are causing problems, and areas where improvements could be made. Following the RFI, a notice of proposed rulemaking is issued by the HHS followed by a comment period. The comment period is the last chance for industry stakeholder, including patients and their families, to voice their opinions about the proposed changes before they are signed into law. After issuing an RFI, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking on December 10, 2020, along with the standard 60-day comment period from the date of publication in the Federal Register (January 21, 2021). The comment period was due to expire on March 22, 2021. Since the proposed changes include updates to the HIPAA Privacy Rule that will impact virtually everyone in the healthcare industry, the HHS has taken...

Read More
Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure
Mar09

Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure

This week, the Arizona Supreme Court revived a HIPAA violation lawsuit filed by a Phoenix man over a privacy violation by a pharmacy employee related to an erectile dysfunction medication prescription. Greg Shepherd, 50, had visited his doctor for a routine medical appointment in January 2016 and his doctor provided him with a erectile dysfunction medication sample. He received a call from the Costco pharmacy later and was told that the full prescription for the ED medication was available to collect. Shepherd explained that he did not want the medication and cancelled the prescription. Shepherd called the pharmacy a month later to check whether an unrelated prescription was ready to collect, and the pharmacy informed again him that his ED prescription was still waiting to be collected. Shepherd declined the medication a second time and told the pharmacy to cancel the prescription for the second time. Shepherd, who had been trying to reconcile with his ex-wife, authorized her to collect an unrelated, regular prescription refill from the pharmacy. When she visited the pharmacy, the...

Read More
Two Employees Fired for Impermissible PHI Disclosures to Third Parties
Mar08

Two Employees Fired for Impermissible PHI Disclosures to Third Parties

Humana has discovered an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of 62,950 of its members to a third-party for training purposes. Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA. The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor. The types of data disclosed includes member names’, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security Numbers, insurance identification numbers, provider names, dates of...

Read More
Is a HIPAA Violation Grounds for Termination?
Mar07

Is a HIPAA Violation Grounds for Termination?

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules? Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy? Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination? Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations. When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for...

Read More
What Happens if You Violate HIPAA?
Mar07

What Happens if You Violate HIPAA?

If you work in healthcare you should have a good working knowledge of HIPAA rules, exercise diligence, and ensure that HIPAA Rules are always followed, but what happens if you violate HIPAA? What are the likely repercussions for accidentally or knowingly violating HIPAA Rules? What happens if you violate HIPAA will depend on the type of violation, its severity, the harm caused to others, and the extent to which you knew that HIPAA Rules were being violated. Disciplinary Action and Termination If at the time of the violation you were unaware that you make a mistake, the violation was minor, and no harm has been caused, the violation may be dealt with internally. Verbal or written warnings may be issued and further training on HIPAA compliance would be appropriate. For more serious violations, especially in cases where HIPAA Rules have been knowingly violated, termination is likely. The violation may be reported to licensing boards who can place restrictions on licenses. Suspension and loss of license is a possibility. Civil Penalties The Department of Health and Human Services’...

Read More
What Happens if a Nurse Violates HIPAA?
Mar03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?   The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules? What are the Penalties if a Nurse Violates HIPAA? Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches
Feb25

March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit breach reports to the Department of Health and Human Services’ Office for Civil Rights (OCR)that were discovered between January 1, 2020 and December 31, 2020. HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised, that must include the nature and extent of PHI involved, the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized...

Read More
Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months
Feb24

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been sentenced to 6 months in jail and fined $1,200. In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally. According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ). Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his...

Read More
January 2021 Healthcare Data Breach Report
Feb19

January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day. There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records. Largest Healthcare Data Breaches Reported in January 2021 The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply...

Read More
HHS Secretary Announces Limited HIPAA Waiver in Texas Due to the Winter Storm
Feb19

HHS Secretary Announces Limited HIPAA Waiver in Texas Due to the Winter Storm

Following President Joseph R. Biden’s declaration of an emergency in the State of Texas, Norris Cochran, Acting Secretary of the Department of Health and Human Services, declared a public health emergency due to the consequences of the winter storm in the state of Texas. Pursuant to Section 1135(b)(7) of the Social Security Act, the HHS Secretary announced a limited waiver of sanctions and penalties arising from noncompliance with certain provisions of the HIPAA Privacy Rule. For the period of the waiver, sanctions and penalties will not be imposed for noncompliance with the following HIPAA Privacy Rule requirements: The requirement to obtain a patient’s agreement to speak with family members of friends – 45 C.F.R. § 164.510(a); The requirement to honor a patient’s request to opt out of the facility directory – 45 C.F.R. § 164.510(b); The requirement to distribute a notice of privacy practices – 45 C.F.R. § 164.520; The patient’s right to request privacy restrictions – 45 C.F.R. § 164.522(a); The patient’s right to request confidential communications –...

Read More
Is WebEx HIPAA Compliant?
Feb18

Is WebEx HIPAA Compliant?

Is Webex HIPAA compliant? Is the online meeting and web conferencing platform suitable for use by healthcare organizations or should the service be avoided? In this post we assess the security controls and features of the platform and determine whether use of Webex could be considered a HIPAA violation. What is Webex? Webex by Cisco is a web and video conferencing and collaboration platform that helps businesses connect with remote workers and partners as if they are in the same room. With tools such as Webex, healthcare organizations can communicate quickly and easily with the workforce, no matter where employees are located. Regional operational meetings can be conducted, medical education can take place online, and healthcare employees can be trained on new processes and procedures. These platforms can also potentially be used for communicating with patients. However, before any collaboration tools can be used in connection with protected health information (PHI), healthcare organizations must be certain that the tools support HIPAA compliance. So how does Webex fare in this...

Read More
Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation
Feb15

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019. OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule. The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019. The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been...

Read More
Renown Health Pays $75,000 to Settle HIPAA Right of Access Case
Feb11

Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crackdown on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action. Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000. OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made. The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical...

Read More
Is Slack HIPAA Compliant?
Feb06

Is Slack HIPAA Compliant?

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation? Is Slack HIPAA Compliant? There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant. For a long time since the launch, Slack was not a HIPAA compliant communication solution, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid. In 2017, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.” Slack Enterprise Grid was announced at the start of 2017. It should be noted that Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees. Slack...

Read More
Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS
Jan22

Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services’ Office. Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking. Tripathi has a wealth of experience in secure health information exchange and is aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced IT technology. Tripathi has also served as manager of the strategy and management...

Read More
HHS Increases HIPAA Penalties for 2020 to Account for Inflation
Jan20

HHS Increases HIPAA Penalties for 2020 to Account for Inflation

The Department of Health and Human Services has adopted new minimum and maximum penalties for HIPAA violations for 2020 to account for changes to the cost of living. The HHS’ Office of the Assistant Secretary for Financial Resources has now implemented a final rule on the new federal civil monetary penalties under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The changes to penalty amounts are intended to maintain the deterrent effect of federal civil monetary penalties. The adjustments to the penalties are calculated based on the Consumer Price Index for all Urban Consumers (CPI–U) from the previous month, which are applied as a multiplier to the existing minimum and maximum civil monetary penalty amounts. The cost-of-living multiplier for 2020 is 1.01764. Previous cost-of-living multipliers were 1.01636 (2017), 1.02041 (2018), and 1.02522 (2019). The final rule took effect on Sunday, January 17, 2020, and applies to penalties assessed on or after January 17, 2020, if the violation occurred on or after November 2, 2015. These penalties will apply...

Read More
OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments
Jan20

OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations. The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency. A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations....

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
The HIPAA Conduit Exception Rule and Transmission of PHI
Jan19

The HIPAA Conduit Exception Rule and Transmission of PHI

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance. The HIPAA Omnibus Final Rule and Business Associates On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty
Jan18

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals. The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties. Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015. The hackers installed malware on its systems,...

Read More
M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal
Jan15

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights. The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen. The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI. HIPAA penalties are tiered and are based on the level of culpability, with the Office...

Read More
OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine
Jan13

OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine

The HHS’ Office for Civil Rights (OCR) is continuing to crackdown on healthcare providers that are not providing patients with timely access to their medical records. Yesterday, OCR announced a settlement had been agreed with Banner Health to resolve a HIPAA Right of Access investigation. Banner Health agreed to pay $200,000 to settle the case. The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their own protected health information. When a request is received, HIPAA-covered entities are required to provide a copy of the requested records within 30 days. In late 2019, OCR announced it was cracking down on noncompliance with this important provision of HIPAA. Since then, 14 financial penalties have been imposed on covered entities that have failed to provide patients with timely access to their medical records. Phoenix, AZ-based Banner Health is one of the largest health care systems in the United States. The non-profit health system operates 30 hospitals and many primary care, urgent care, and specialty care facilities. OCR received two...

Read More
HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law
Jan12

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law

On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach. While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach. The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions. The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches...

Read More
What is Individually Identifiable Health Information?
Jan11

What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule? What is Individually Identifiable Health Information? Before answering the question, what is individually identifiable health information, it is necessary to define health information. HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity. Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual. Individually identifiable health information is a subset of health information, and as the name suggests, is health information...

Read More
Jail Terms for HIPAA Violations by Employees
Jan10

Jail Terms for HIPAA Violations by Employees

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft. Jail terms for HIPAA violations are relatively rare, but there have been several cases where HIPAA violations by employees have been referred to the Department of Justice and have resulted in financial penalties and jail time. Some cases that have resulted in jail terms for HIPAA violations by employees are listed below, along with cases where jail terms have only narrowly been avoided. Jail Term for Former Transformations Autism Treatment Center Employee In February 2017, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination. Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and...

Read More
OCR Announces its 19th HIPAA Penalty of 2020
Dec23

OCR Announces its 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care. Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation following receipt of a complaint from an Elite Primary Care patient on April 22, 2019 who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule. The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records. Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and...

Read More
November 2020 Healthcare Data Breach Report
Dec22

November 2020 Healthcare Data Breach Report

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud. November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).   The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records. Largest Healthcare Data Breaches Reported in November 2020 Name of Covered Entity State Covered...

Read More
OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA
Dec21

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA). An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis. HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in...

Read More
OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules
Dec18

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their...

Read More
FTC Settles 2019 Consumer Data Breach Case with SkyMed
Dec18

FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information. SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted. The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused....

Read More
House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices
Dec16

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices

A new bill (HR 7898) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes. The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations. The bill defines ‘Recognized Security Practices’ as “standards,...

Read More
What is Considered PHI?
Dec13

What is Considered PHI?

In response to questions sent to HIPAA Journal, we have written a series of posts answering some of the most basic elements of HIPAA, the latest being what is considered PHI? What is PHI, PII, and IIHA? Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Read More
HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights
Dec10

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI). OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data. “Our proposed...

Read More
October 2020 Healthcare Data Breach Report
Nov23

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud. The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months. Largest Healthcare Data Breaches Reported in October 2020 Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware Presbyterian Healthcare Services...

Read More
HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center
Nov20

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative. In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records. The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer. The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that...

Read More
Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure
Nov13

Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation. OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provider her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later and the records had still not been provided. OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually...

Read More
Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative
Nov06

Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 10th financial penalty under its HIPAA Right of Access enforcement initiative. California-based Riverside Psychiatric Medical Group has agreed to pay a financial penalty of $25,000 to resolve a potential HIPAA Right of Access violation and will adopt a corrective action plan to ensure compliance with this important provision of the HIPAA Privacy Rule. The HHS will monitor Riverside Psychiatric Medical Group for 2 years to ensure continued compliance. OCR launched an investigation following receipt of a complaint from a patient in March 2019 alleging Riverside Psychiatric Medical Group failed to provide a copy of her medical records after she had made several requests, with the first request made in February 2019. OCR contacted Riverside Psychiatric Medical Group and provided technical assistance on how the practice could comply with the HIPAA Right of Access and the case was closed. A month later, in April 2019, a second complaint was received from the patient saying she had still not been...

Read More
Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000
Nov04

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices. Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY. In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes,...

Read More
ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule
Nov03

ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule

The deadline for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act have been extended due to the ongoing COVID-19 pandemic. On October 29, 2020, the US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) announced the release of an interim final rule with comment period that extended the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements. The ONC’s Cures Act Final Rule, released on March 9, 2020, defined exceptions to the information blocking provision of the 21st Century Cures Act and adopted new Health IT certification requirements which, through the use of application programming interfaces (APIs), would enhance patients’ access to their own health data through their smartphones at no cost. Compliance deadlines were set for 2020, but health IT stakeholders expressed concern about meeting the deadlines due to the COVID-19 pandemic. On April 21, 2020, ONC announced that it would...

Read More
Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT
Nov02

Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case. An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules. During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative. While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health...

Read More
Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches
Oct29

Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017. The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials. The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service. The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in...

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative
Oct12

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost. HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received. By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost. Under the OCR HIPAA...

Read More
Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation
Oct09

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million. A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information. The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during...

Read More
OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure
Oct08

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records. On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights. OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018. SJHMC did respond to the requests and provided some, but not all, of the...

Read More
Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules
Oct06

Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing, following an investigation by federal law enforcement. A former acquaintance of the healthcare worker was discovered to have concocted a scheme to frame his former acquaintance for fictitious HIPAA violations and is now facing a prison sentence for making false statements. Jeffrey Parker, 43, of Richmond Hill, GA, concocted an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U. S. District Court in the Southern District of Georgia, Parker pled guilty to one count of false statements and admitted creating fake email addresses and concocting information in an effort to harm a former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI) and the hospital where the healthcare worker was employed to make false allegations of...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered.  The HIPAA training for staff must include procedures for reporting breaches. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and...

Read More
Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct01

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million.  The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed...

Read More
OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross
Sep28

OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals. Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic...

Read More
Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Read More
Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic
Sep21

Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a $1.5 million settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016.  Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2016 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which are required to prevent the publication/sale of data. Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security...

Read More
HHS Releases Updated Security Risk Assessment Tool
Sep16

HHS Releases Updated Security Risk Assessment Tool

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a new version of its Security Risk Assessment (SRA) Tool has now been released. The SRA tool was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with OCR to help small- to medium-sized healthcare providers comply with the security risk assessment requirements of the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program. A security risk assessment is conducted to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). The risk assessment should identify any unaddressed risks, which can then be addressed by implementing appropriate physical, technical, and organizational safeguards. HIPAA compliance audits and investigations of data breaches have revealed healthcare providers often struggle with the risk assessment. Risk assessment failures are one of the most common reasons why HIPAA penalties are issued....

Read More
HIPAA Right of Access Failures Result in Five OCR HIPAA Fines
Sep16

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records. The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request. After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities. Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial...

Read More
OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers
Sep04

OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers

The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal. The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs). The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and if an app developer will be classed as a business associate. “Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.” The portal provides access to...

Read More
Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations
Aug28

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations. Healthcare professionals often create presentations that include medical images for educational purposes; however, care must be taken to ensure that protected health information is not accidentally exposed or disclosed. Medical images contain embedded patient identifiers to ensure the images can be easily matched with the right patient but advances in web crawling technology is now allowing that information to be extracted, which places patient privacy at risk. The web crawling technology used by search engines such as Google and Bing have enabled the large-scale extraction of information from previously stored files. Advances in the technology now allow information in slide presentations that was previously considered to be de-identified to be indexed, which can include patient identifiers. Source images can be extracted...

Read More
HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires
Aug28

HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires

The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires. During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule. The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)....

Read More