HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Our HIPAA compliance news section keeps you up to date with HIPAA breaches, OCR updates, and HITECH and GDPR compliance issues. Make sure you remain up to date with the latest HIPAA compliance news by subscribing to our newsletter or following us on Twitter @HIPAAJournal.

NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers
Oct 5

The Health Sector Coordinating Council (HSCC) has urged the National Institute of Standards and Technology (NIST) to provide tailored guidance for smaller and lesser-resourced healthcare organizations on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and has made several other recommendations to improve the utility of NIST's new HIPAA Security Rule implementation guidance.

Background

Recently, NIST issued a draft update (SP 800-66r2) to its 2008 publication, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and sought feedback from industry stakeholders ahead of the publication of the final version of the guidance. SP 800-66r2 provides guidance for HIPAA-regulated entities on assessing and managing risks to ePHI, suggests activities that should be considered as part of an information security program, and provides several useful resources that HIPAA-regulated entities can use to help them implement the requirements of the HIPAA Security Rule. HSCC is a private sector-led...

Is Google Meet HIPAA Compliant?
Sep 26

Google Meet is an advanced VoIP and videoconferencing service that can be used by healthcare providers to provide telehealth services, remote consultations, and virtual patient visits. But is Google Meet HIPAA compliant? Google Meet is rapidly becoming the go-to videoconferencing service for organizations in all industries due to its integrations with other productivity tools in the Google Workspace suite. However, if the service is used by healthcare providers to communicate Protected Health Information, certain measures must be put in place to make Google Meet HIPAA compliant. First of all, before Google Meet is used to collect, share, or transmit Protected Health Information, a healthcare provider must subscribe to a Business Google Workspace or Cloud Identity account and sign Google's Business Associate Addendum. The Addendum provides information about which of Google's services can be used in compliance with HIPAA and what the customers' obligations are.

The BAA Alone Does Not Make Google Meet HIPAA Compliant

However, signing the Business Associate Addendum does not – by...

3 Dental Practices Fined for HIPAA Right of Access Violations
Sep 23

The HHS’ Office for Civil Rights (OCR) has agreed to settle three HIPAA investigations of potential HIPAA Right of Access violations by dental practices. All three of the investigations were initiated after complaints from patients about the failure of their dental practices to provide them with timely access to their medical records, with one of the cases also involving an allegation of overcharging for a copy of medical records. A patient of the Georgia-based dental and orthodontics provider, Great Expressions Dental Center of Georgia, P.C. (GEDC-GA), filed a complaint with OCR in November 2020 after being told that she could not be provided with a copy of her medical records unless she paid a $170 copying fee. The HIPAA Right of Access does permit healthcare organizations to charge patients for providing a copy of their medical records, but the costs must be reasonable and cost-based. OCR’s investigation confirmed that the patient was not provided with a copy of her records until February 2021, 15 months after the initial request. OCR also determined that GEDC-GA’s...

Can Medical Records be Subpoenaed?
Sep 22

In answer to the question “can medical records be subpoenaed?”, the answer is yes, because every type of record can be subpoenaed. Possibly a more relevant question would be “how should healthcare providers respond to a subpoena for medical records?” In most states, there are three types of subpoenas – a “witness subpoena” that requires an entity to appear in court to give evidence, a “deposition subpoena” that requires an entity to provide copies of records and/or attend a deposition hearing, and a “subpoena duces tecum” that requires an entity to provide copies of records and/or attend a court hearing. All three types of subpoenas can be used to subpoena medical records or to require a healthcare provider to answer questions/testify about a medical record. Although they are not exclusive to any particular type of case, a witness subpoena will most likely be used in a legal action where both a patient and a healthcare provider are the parties in a case (i.e., a medical negligence claim). The other two types of subpoenas will most commonly involve cases in which the healthcare provider is not...

Is it Okay to Share ePHI via a Business Password Manager?
Sep 21

One of the capabilities of many business password managers is the ability to send encrypted messages to any recipient. Often this capability is used to securely share login credentials or other confidential data. But is it okay to share ePHI via a business password manager? Over the past few years, the capabilities of business password managers – particularly vault-based password managers – have grown significantly. For example, whereas SSO integration was once big news, these days we are talking more about password-less logins, and it has been estimated that biometric facial recognition hardware will be present in 90% of smartphones by 2024. With regards to the ability to send encrypted messages, this first started as a means of sending passwords to users in the same business subscription. It evolved into sending notes, files, and other data to users in the same business subscription, and then further evolved to sending encrypted messages of any kind to any recipient, regardless of whether they are using a password manager.

Why Share ePHI via a Business Password Manager?

There...

What Happens after a HIPAA Complaint is Filed?
Sep 21

What happens after a HIPAA complaint is filed can vary according to who it is filed with, whether or not the complaint is justified, and the nature of the complaint. When you register with a healthcare provider or become a member of a group health plan, you are given a Notice of Privacy Practices. The Notice of Privacy Practices explains how the healthcare provider or health plan can use or disclose your health information, and also what rights you have to restrict specific uses and disclosures and to request a copy of any health information held about you. The Notice of Privacy Practices should also provide details of who you can complain to if you think a healthcare provider or health plan has used or disclosed your health information impermissibly, or if your rights have been violated. Usually, the contact details are those of the organization's Privacy Office and the Department of Health & Human Services' Office for Civil Rights. It is also possible to file a complaint with your State Attorney General. However, the majority of states require that you complain to the...

Understanding the HIPAA Medical Records Destruction Rules
Sep 20

Some of the biggest fines for HIPAA violations have been for failing to comply with the medical records destruction rules. Consequently, it is vital that Covered Entities and Business Associates are aware of how to destroy medical records compliantly. Each state has its own requirements for retaining medical records and, in some cases, certain types of medical records have to be retained for longer periods than others. Federal laws can also dictate how long specific records have to be retained (e.g., OSHA 1910.1200(g)), and if these records are maintained in a designated record set, they are considered to be PHI and Covered Entities are required to keep them until the retention period expires. Although HIPAA has document retention requirements, there are no minimum retention periods for medical records. However, the Privacy Rule does require that Covered Entities implement appropriate administrative, technical, and physical safeguards to protect the privacy of medical records for whatever period the records are maintained by the Covered Entity. This requirement also applies to the...

30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy
Sep 16

A group of 30 senators is urging the Department of Health and Human Services to update the Health Insurance Portability and Accountability Act (HIPAA) to better protect the privacy of patients’ reproductive health information in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v. Wade, which removed the federal right to an abortion that had existed for almost 50 years. Following the decision, several states have either banned abortion for state residents or implemented restrictions, with some already seeking to investigate and punish women for seeking abortion care. The senators, led by Senate Committee on Health, Education, Labor and Pensions (HELP) Chair Patty Murray (D-WA), wrote to HHS Secretary Xavier Becerra calling for further rulemaking to update the HIPAA Privacy Rule to broadly restrict HIPAA-regulated entities from sharing individuals’ reproductive health information without explicit consent, specifically the sharing of that information with law enforcement, or related to civil or criminal proceedings...

Melanie Fontes-Rainer Appointed Director of the HHS’ Office for Civil Rights
Sep 15

U.S. Department of Health and Human Services Director Xavier Becerra has formally sworn in Melanie Fontes Rainer as the new Director of the HHS’ Office for Civil Rights (OCR). Fontes Rainer will lead the department’s enforcement of federal civil rights and HIPAA compliance and will direct the department’s policy and strategic initiatives. Fontes Rainer previously served as Acting Director, replacing Lisa J. Pino, who left the post in July 2022 after 11 months as Director. Prior to joining OCR, Fontes Rainer served as Counselor to Secretary Becerra and provided strategic guidance on issues pertaining to civil rights, patient privacy, reproductive health, the Affordable Care Act (ACA), competition in healthcare, equity, and the private insurance market. In that role, she led the implementation of the No Surprises Act, which has helped to improve the transparency of medical billing and save consumers money. Fontes Rainer sits on the White House Task Force on Reproductive Healthcare Access, and recently advised the Secretary and the Administration on how best to respond to the...

Improper Disposal of PHI Results in $300,640 HIPAA Penalty
Aug 24

Massachusetts-based New England Dermatology P.C., dba New England Dermatology and Laser Center (NDELC), has agreed to settle a HIPAA violation case with the HHS’ Office for Civil Rights (OCR) and has paid a $300,640 penalty to resolve alleged violations of the HIPAA Privacy Rule. On May 11, 2021, NDELC notified OCR about a privacy breach involving the protected health information of 58,106 patients. On March 31, 2021, NDELC disposed of empty specimen containers in a regular dumpster in the NDELC parking lot. The containers had labels that included patients’ names, dates of birth, sample collection dates, and the names of the providers who took the specimens. OCR investigated the incident, and NDELC revealed that it had been standard practice to dispose of empty specimen containers with regular waste, and that the practice had been in effect from February 4, 2011, until March 31, 2021. The administrative safeguards of the HIPAA Privacy Rule – 45 C.F.R. § 164.530(c) – require appropriate administrative, technical, and physical safeguards to be implemented to protect the privacy of...

Are Phone Calls HIPAA Compliant?
Aug 23

The answer to the question “are phone calls HIPAA compliant?” can depend on who is making the call, what the call concerns, and who the call is to. Before discussing whether phone calls are HIPAA compliant, it is important to establish who HIPAA applies to. This is because almost two-thirds of complaints about HIPAA violations are rejected because they allege a violation has been committed by a business that is not subject to the HIPAA Rules. In such cases, HHS' Office for Civil Rights has no jurisdiction to investigate the complaints and so rejects them. HIPAA applies to most health plans, health care clearinghouses, and healthcare providers (“Covered Entities”), and to Business Associates and subcontractors providing a service for or on behalf of a Covered Entity. Healthcare-related calls from these sources to individuals are permissible provided the recipient has given their implied consent to receive a call and the call follows FTC guidelines. Additionally, to make phone calls HIPAA compliant, Covered Entities and Business Associates are required to comply with the General Rules for Uses...

What is the Maximum Penalty for Violating HIPAA?
Aug 22

The maximum penalty for violating HIPAA is currently $1,919,173 (September 2022). However, this figure represents the maximum penalty per violation type, and Covered Entities and Business Associates found guilty of multiple violations can expect to pay much more. When Congress passed HIPAA in 1996, it set the maximum penalty for violating HIPAA at $100 per violation with an annual cap of $25,000. These limits were applied when the Department of Health & Human Services (HHS) published the Enforcement Rule in 2006, and they stayed in force until the publication of the Final Omnibus Rule in 2013. Among other changes to HIPAA, the Final Omnibus Rule introduced amendments to the Enforcement Rule attributable to the passage of the HITECH Act in 2009. The HITECH Act mandated a four-tier penalty structure for HIPAA violations and new minimum and maximum penalties for violating HIPAA. The four tiers were based on the level of culpability associated with the violation:

Tier 1 – Lack of Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the...

Is Cloud Computing HIPAA Compliant?
Aug 15

Cloud computing has revolutionized the way healthcare organizations operate, but ensuring cloud computing is HIPAA compliant can be a challenge. Many healthcare organizations have already embraced cloud technologies, but as with any technology, care must be taken, as there is considerable potential for HIPAA violations in the cloud. Here we consider how healthcare organizations can use cloud computing in a HIPAA-compliant manner. There is an extensive range of Cloud Service Providers (CSPs), and their products differ in terms of storage limits, accessibility, and security configurations, so Covered Entities are advised to research CSPs and ensure that a product supports HIPAA compliance. They should establish how they will use the cloud computing technologies, conduct a risk assessment, and ensure all staff members are trained on how to use a CSP’s products and services. All CEs are required to obtain a signed business associate agreement (BAA) from their chosen CSP prior to using that service in connection with any protected health information (PHI). BAAs outline the responsibilities...

Is Square HIPAA Compliant?
Aug 15

Answering the question “is Square HIPAA compliant?” is a little complicated because, although Square is HIPAA compliant for some services offered by the company, it is not necessary for Square to be HIPAA compliant for others. Square is a multi-tool business solution that started life as a point-of-sale payment processing system (hence the URL www.squareup.com). In recent years, it has extended its services to include an ecommerce platform, team management software, payroll services, and much more. In December 2021, the company changed its name to Block, but it still provides services under the Square brand. For HIPAA Covered Entities wishing to use Square's services, the question of whether Square is HIPAA compliant is a little complicated because, when a Covered Entity only uses Square for its payment processing services, compliance with HIPAA is not required. This is because financial institutions are exempted from Privacy Rule standards when processing payments for health plan premiums or health care. This exemption appears in the original 1996 text of HIPAA (§ 1179) and was confirmed by the...

1H 2022 Healthcare Data Breach Report
Aug 11

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022 shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021. Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H 2021. In 1H 2021, 368 healthcare data breaches were reported to OCR, 21 more than in the corresponding period this year. That represents a 5.71% reduction in reported breaches. The number of healthcare records breached has continued to fall. In 1H 2021, 27.6 million healthcare records were breached. In 2H 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H 2022, when 20.2 million records were breached. That is a...

Is Signal HIPAA Compliant?
Aug 1

Signal is a popular open-source messaging application that is free to use, which has made it popular with businesses and consumers, but can the platform be used for communication in healthcare? Is Signal HIPAA compliant?

HIPAA Compliance and Instant Messaging Platforms

Instant messaging platforms are convenient and make it easy to communicate with patients; however, if the platforms are used to transmit electronic protected health information, they must be HIPAA compliant. That means appropriate technical, administrative, and physical safeguards must be implemented to ensure the confidentiality, integrity, and availability of any transmitted or stored ePHI. The provider of an instant messaging platform would be classed as a HIPAA business associate, which means they must enter into a business associate agreement with a HIPAA-covered entity. Signal, like several other instant messaging apps, has a strong focus on privacy and offers end-to-end encryption of messages. Signal will also encrypt phone calls and video calls to prevent interception and eavesdropping. While this may seem...

Is Ivy Pay HIPAA Compliant?
Jul 29

Is Ivy Pay HIPAA compliant? It is possibly the most HIPAA compliant payment processing service for Covered Entities. However, at the present time, it is only available to qualified, licensed therapists and is not a service every Covered Entity can take advantage of. Ivy Pay is a payment processing service that evolved from what was effectively a search engine through which clients could reach therapists and “try before you buy”. The service works in a slightly different way from most payment processing services, inasmuch as it has been designed to save therapists time and not distract clients from the benefits of therapy at the end of each session. The payment process consists of a client registering their credit card with Ivy Pay. Then, when a session is finished, rather than the client having to initiate a payment transaction, their therapist enters the charge into an app which connects with Ivy Pay's servers. Ivy Pay charges the credit card, deducts a small commission, sends the payment to the therapist’s bank account, and advises the client by SMS text that a charge against...

Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations
Jul 27

Cyber actors are increasingly targeting business associates of HIPAA-covered entities because they provide an easy way to gain access to the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group, includes examples and use cases, and provides information on some of the risk management program tools available to HDOs. Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputational, compliance, privacy, operational, strategic, and financial risks that need to be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with the use of third-party vendors in order to prevent security incidents and data breaches and to limit their severity....

NIST Updates Guidance on HIPAA Security Rule Compliance
Jul 22

The National Institute of Standards and Technology (NIST) has updated its guidance for HIPAA-regulated entities on implementing the HIPAA Security Rule to help them better protect patients’ personal and protected health information. The Security Rule of the Health Insurance Portability and Accountability Act established national standards for protecting the electronic protected health information (ePHI) that HIPAA-regulated entities create, receive, maintain, or transmit. Ensuring compliance with the HIPAA Security Rule is more important than ever due to the increasing number of cyberattacks on HIPAA-regulated entities. NIST published the first revision of its HIPAA Security Rule guidance in 2008, six years before the release of the NIST Cybersecurity Framework. Over the past 14 years, NIST has released other cybersecurity guidance and has regularly updated its Security and Privacy Controls (NIST SP 800-53). One of the main reasons for updating the HIPAA Security Rule guidance was to integrate it with NIST guidance that did not exist when Revision 1 was published in 2008. “One of our...

June 2022 Healthcare Data Breach Report
Jul 20

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month. The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 1H 2022). For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months. While huge numbers of...

OCR Announces 11 Further Financial Penalties for HIPAA Right of Access Failures
Jul 18

The Department of Health and Human Services’ Office for Civil Rights has sent a warning to healthcare providers about the importance of compliance with the HIPAA Right of Access with the announcement of a further 11 financial penalties for HIPAA-covered entities that failed to provide patients with timely access to their medical records. The latest batch of enforcement actions brings the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38. The HIPAA Right of Access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors are corrected. People can also request a copy of their protected health information from healthcare providers and health plans. When such a request is made, the requested information must be provided in full within 30 days of the request being received. In very limited circumstances, an extension of 30 days is allowed. Requests can be submitted by patients or their nominated representatives,...

Is PayPal HIPAA Compliant?
Jul 15

A number of sources tackling the question “is PayPal HIPAA compliant?” conclude it is not, because the company shares customers' details with partners and refuses to sign a Business Associate Agreement. However, the fact that PayPal is not HIPAA compliant for some services does not mean it cannot be used by Covered Entities to accept patient-initiated payments. In the text of the 1996 HIPAA Act, there is an administrative simplification provision relating to payment processing (§1179). This section states that the HIPAA Rules do not apply to banks and financial institutions when they are “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums”. To eliminate questions about whether financial institutions qualify as Business Associates, the Department of Health and Human Services (HHS) later commented in the preamble to the Final Omnibus Rule that “the HIPAA Rules, including the business associate provisions, do not apply to financial institutions with respect to the payment processing activities...

Oklahoma State University Settles HIPAA Case with OCR for $875,000
Jul 15

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server, which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals. The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach...

Senators Call for HIPAA Privacy Rule Change to Prohibit Disclosures of Reproductive Health Care Information to Law Enforcement
Jul 8

The HHS’ Office for Civil Rights has recently issued guidance to healthcare organizations following the overturning of Roe v. Wade in the SCOTUS Dobbs v. Jackson Women’s Health Organization ruling, which removed the right to abortion at the federal level and allowed states to set their own laws. The guidance explained how the HIPAA Privacy Rule permits disclosures of protected health information – including reproductive health care information – to law enforcement but does not require such disclosures. OCR explained in the guidance when such disclosures of reproductive health care information would be considered HIPAA violations under the HIPAA Privacy Rule. Two U.S. senators – Michael F. Bennet (D-CO) and Catherine Cortez Masto (D-NV) – recently wrote to the Secretary of the Department of Health and Human Services, Xavier Becerra, calling for the HHS to go further and make an update to the HIPAA Privacy Rule to ensure that the private and confidential health information of patients seeking reproductive healthcare is better protected. “The [SCOTUS] decision has...

Is Venmo HIPAA compliant?
Jul 8

It may be one of the most popular payment apps in the United States, but is Venmo HIPAA compliant? Surprisingly, for payment processing services, Venmo doesn't need to be HIPAA compliant. However, there are reasons why Covered Entities might want to avoid offering this payment option to patients. There is a common misconception among some sources that Venmo should not be used by Covered Entities to accept payments from patients because Venmo will not sign a Business Associate Agreement. However, there is nothing in HIPAA that prevents Covered Entities from using any service to receive patient-originated payments, and – under section 1179 of the Act – financial institutions are exempted from complying with the Privacy Rule when facilitating a financial transaction. Due to the misconception about payment processors, the Department of Health and Human Services (HHS) clarified the position in the preamble to the 2013 Final Omnibus Rule. HHS stated: “The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment...

Is Trello HIPAA compliant?
Jul 1

Is the project management software Trello HIPAA compliant? Owned by Atlassian, Trello offers a range of tools that help to coordinate workflows, facilitate collaboration between co-workers, and automate specific tasks. Such project management platforms are increasingly popular solutions across a variety of organizations, and they have great potential for use in the healthcare sector. But before Trello is used to manage a project which includes the disclosure of PHI, Covered Entities must ensure Trello can be used in a HIPAA-compliant manner. This means the service must implement minimum security standards that ensure the safety, confidentiality, and accessibility of protected health information (PHI). This requirement is stipulated by the HIPAA Security Rule. Without these minimum safeguards, PHI is vulnerable to access by unauthorized individuals, threatening the privacy of patients. Trello does implement some security measures, such as end-to-end encryption of data in transit. It regularly checks its product to assess how vulnerable it is to cyber-attacks and backs up data...

OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade
Jun30

President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra recently called on HHS agencies to take action to protect access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care, following the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization. The Supreme Court’s decision overruled Roe v. Wade and Planned Parenthood v. Casey and took away the right of women to have a safe and legal abortion; instead, the decision will be made by individual states. 13 states have trigger laws based on Roe v. Wade that outlaw abortions, and other states are expected to make similar changes. Yesterday, the HHS Office for Civil Rights (OCR) issued new guidance for healthcare providers and patients seeking access to reproductive health care services to ensure patient privacy is protected. The guidance explains that the federal Health Insurance Portability and Accountability Act (HIPAA) requires individuals’ private medical information, which includes information about...

GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process
Jun28

The Government Accountability Office (GAO) has recommended that the Department of Health and Human Services (HHS) establish a feedback mechanism to improve the effectiveness of its data breach reporting process. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, called for the Secretary of the HHS to create and maintain a list of data breaches involving the unsecured protected health information of 500 or more individuals on its website. The HHS’ Office for Civil Rights (OCR) Breach Portal includes breaches of the personally identifiable protected health information (PHI), such as unauthorized access and disclosures, exposures, and the loss and theft of PHI. The number of reported data breaches has been increasing each year, with 2021 seeing 714 data breaches of 500 or more records reported to OCR. GAO explained in its report that between 2015 and 2021, the number of individuals affected by healthcare data breaches at healthcare providers, health plans, healthcare clearinghouses, and business...

Reader Offer: Free Annual HIPAA Risk Assessment
Jun28

Free Expert HIPAA Risk Assessment

Book a session with our sponsor Compliancy Group, who will take you through all aspects of the mandatory annual HIPAA risk assessment process. The deliverable at the end of the process is a detailed document identifying gaps and deficiencies in your HIPAA safeguards and a mandatory remediation plan to address any risks and vulnerabilities that were uncovered. There is no charge or obligation for this service, which is provided by Compliancy Group. Please use the booking form to arrange a convenient time for your session.

Video: Why HIPAA Compliance is Important for Healthcare Professionals
Jun28

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals' lives. This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional's perspective. It explains why healthcare professionals cannot avoid HIPAA; and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This in turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation. Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional's fault. Sometimes it can be due to insufficient training or...

Is HubSpot HIPAA compliant?
Jun24

Several articles exist suggesting ways to make HubSpot HIPAA compliant. However, prior to using any of these suggestions, or integrating an extension into the HubSpot platform, Covered Entities and Business Associates must understand the flow of Protected Health Information to ensure it does not pass through the HubSpot platform. The question of whether HubSpot is HIPAA compliant is easy to answer by reviewing HubSpot's Terms of Service. Clause 2.9 stipulates “You will not use the subscription service in any way that violates the terms […] or for any purpose […] prohibited by this agreement”. The clause then lists several industry-specific regulations (including HIPAA) and states “you may not use the subscription service where your communications would be subject to such laws”. The transmission of Protected Health Information (PHI) between Covered Entities or between Covered Entities and Business Associates is “subject to such laws”; as is any communication between a patient (even a prospective patient) and a Covered Entity if the nature of the communication relates to the “past, present,...

May 2022 Healthcare Data Breach Report
Jun21

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021. Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but...

Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant
Jun20

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities that come into contact with protected health information (PHI) are required to ensure policies, processes, and people are compliant with the Rules of the Health Insurance Portability and Accountability Act (HIPAA). Ensuring you have a good security posture is an important part of HIPAA compliance. The HIPAA Security Rule requires HIPAA-regulated entities to have appropriate safeguards in place to ensure the confidentiality, integrity, and availability of ePHI, and to manage risks to protected health information and reduce them to a low and acceptable level. Ensuring you have a good security posture has never been more important. Cyber threat actors have stepped up their attacks on the healthcare industry and data breaches are occurring at record levels. Further, following the ‘Safe Harbor’ update to the HITECH Act, if you are able to demonstrate you have implemented recognized security practices, you will be protected against fines, sanctions, and extensive audits and...

Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook
Jun17

An analysis of hospitals’ websites has revealed one-third of the top 100 hospitals in the United States are sending patient data to Facebook via a tracker called Meta Pixel, without apparently obtaining consent from patients. Meta Pixel is a snippet of JavaScript code that is used to track visitor activity on a website. According to Meta, “It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze [the] effectiveness of your website’s conversion funnels.” Meta Pixel can collect a variety of data, including information about the buttons clicked and the pages visited by clicking those buttons, and the data collected is linked to the individual by their IP address, which identifies the device that the visitor is using. That information is then automatically sent to Facebook....

ONC and OCR Release Updated Security Risk Assessment Tool
Jun16

The Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) have released a new version of the HHS Security Risk Assessment (SRA) Tool. The HIPAA Security Rule requires HIPAA-regulated entities to conduct a comprehensive, organization-wide risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All risks identified must then be subject to risk management processes to reduce the identified risks and vulnerabilities to a low and acceptable level. Risk analyses/assessments are vital for HIPAA compliance. They help HIPAA-covered entities determine if they are compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule and help to identify the most effective and appropriate administrative, physical, and technical safeguards to protect ePHI. Investigations and audits of HIPAA-regulated entities have shown that the risk assessment/analysis is an...

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends
Jun14

Start preparing now and get your telehealth services HIPAA compliant, because when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19. OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the...

OCR to Produce Video Presentation on HITECH Act Recognized Security Practices
Jun13

The HHS’ Office for Civil Rights (OCR) is producing a video presentation to help HIPAA-regulated entities implement “Recognized Security Practices.” The Health Information Technology for Economic and Clinical Health (HITECH) Act was recently amended (Public Law 116-321) to require OCR to consider recognized security practices that have been in place for at least 12 months prior to certain Security Rule enforcement and audit activities. OCR previously issued a Request for Information regarding the HITECH Act recognized security practices, the comment period for which ended last week. There has been confusion about what constitutes recognized security practices and how it is possible to demonstrate to OCR that recognized security practices have been adopted and have been continuous for the 12 months prior to a data breach or OCR investigation. In the video presentation, Nicholas Heesters, Senior Advisor for Cybersecurity at OCR, will explain the 2021 HITECH Act amendment regarding recognized security practices, provide guidance on demonstrating security practices have been in place,...

Healthcare Groups Provide Feedback on HITECH Recognized Security Practices
Jun10

Earlier this year, the HHS’ Office for Civil Rights issued a request for information (RFI) on how the financial penalties for HIPAA violations should be distributed to individuals who have been harmed by those HIPAA violations, and the “recognized security practices” under the amended Health Information Technology for Economic and Clinical Health (HITECH) Act. The comment period has now closed, and OCR is considering the feedback received.

Background

It has long been OCR’s intention to distribute a proportion of the funds raised through its HIPAA enforcement actions to victims of those HIPAA violations; however, to date, OCR has not developed a methodology for doing so and requested feedback on a method for distributing the funds to ensure they are directed to victims effectively. In January 2021, the HITECH Act was amended by Congress to encourage healthcare organizations to adopt recognized security practices. The amendment called for the Secretary of the Department of Health and Human Services to consider whether recognized security practices had been adopted by a...

What are the HIPAA Photography Rules?
Jun10

The HIPAA photography rules are some of the most complex rules in HIPAA. They vary according to the nature of the photograph, its purpose, and whether it is part of a designated record set. Furthermore, the HIPAA rules for photos may or may not apply depending on who is taking the photos, while the environment in which photos are taken can also influence hospital policies. Photos are only mentioned twice in HIPAA – once in the Safe Harbor method of de-identifying PHI, and once in the list of individually identifiable health information that has to be removed from a designated record set to make it a limited data set. Because these are the only mentions of photographs in HIPAA, many Covered Entities assume that every photograph should be classified as Protected Health Information (PHI) and subject to Privacy and Security Rule standards. But that is not the case. Individually identifiable information such as photos and videos only become individually identifiable health information when they are created or received by a Covered Entity and relate to “the past, present, or future...

Is Salesforce HIPAA Compliant?
Jun03

Are cloud-based companies such as Salesforce HIPAA compliant? The answer will, of course, depend on what measures are put in place to ensure products and services comply with the HIPAA Privacy and Security Rules, how the products and services are used, and whether a Business Associate Agreement is in place before any ePHI is transmitted to remote servers. Salesforce is a well-known Customer Relationship Management (CRM) service that facilitates communications between businesses and customers. Through the “marketing cloud”, Salesforce offers products for customer service, data analytics, and marketing, and developers can also build apps on the Salesforce platform. By default, there are a number of features in Salesforce that support its use in a HIPAA-compliant manner. Salesforce has a minimum standard security protocol with a 128-bit encryption key and requires an HTTPS connection – both of which are steps towards protecting data in accordance with the HIPAA Security Rule. However, there are some compliance issues with certain products and services. For example, the basic Event...

The Benefits of HIPAA Compliance for Medical Practices
Jun01

One of the challenges when discussing the benefits of HIPAA compliance for medical practices is proving the benefits are directly attributable to HIPAA. For example, one frequently claimed benefit of HIPAA compliance is improved efficiency. But, has efficiency improved due to complying with HIPAA or would it have improved anyway because of other measures? Similarly, how do you prove HIPAA compliance protects PHI against data breaches if you don't experience a data breach? Alternatively, what if you do implement every HIPAA safeguard, but a breach still occurs because an individual with authorization to access PHI misused the authorization? Although in the latter case, the medical practice may not be liable, a data breach has still occurred. Furthermore, while there is evidence to show that the increased adoption and use of EHRs has resulted in the more efficient delivery of healthcare and a reduction in medical errors, the increased adoption and use of EHRs is more attributable to the HITECH Act than HIPAA – the HIPAA Security Rule stipulating how data should be protected, rather...

April 2022 Healthcare Data Breach Report
May20

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million healthcare individuals were affected. The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its...

What are the HIPAA Administrative Simplification Regulations?
May20

The HIPAA Administrative Simplification Regulations – detailed in 45 CFR Part 160, Part 162, and Part 164 – require healthcare organizations to adopt national standards, often referred to as electronic data interchange or EDI standards. The purpose of these regulations is to save time and costs by streamlining the paperwork required for processes such as billing, verifying patient eligibility, and sending and receiving payments.

HIPAA Administrative Simplification Standards

The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. By adopting these standards and switching from paperwork to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, obtain information more rapidly, and easily check the status of claims. The regulations require HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to adopt standards for transactions involving the electronic exchange of...

OIG Exceptions to the Anti-Kickback Statute
May16

Since 1991, the Office of the Inspector General (OIG) at the Department of Health and Human Services has promulgated more than twenty OIG exceptions to the Anti-Kickback Statute that prohibits the payment or solicitation of remuneration to induce or reward patient referrals or the generation of business payable by federal health care programs. Although in many industries it is a normal practice to pay a fee or commission for business referrals, it is prohibited in federal health care programs under 42 CFR § 1320a-7b – known as the Anti-Kickback Statute. This is because healthcare professionals decide what health care services patients use and what drugs they are prescribed; and medical decisions that are influenced by the promise of remuneration could negatively impact patient outcomes and increase program costs. Therefore, the Anti-Kickback Statute made it a criminal offense to knowingly and willfully offer, pay, solicit, or receive anything of value (not just money) for patient referrals, healthcare services, or healthcare products paid for by the federal government (i.e.,...

How to File a HIPAA Complaint
May13

HIPAA gives individuals the right to file a HIPAA complaint against Covered Entities and Business Associates if they believe a violation of HIPAA has occurred. However, despite being provided with information explaining this right, some individuals remain unsure what a HIPAA violation is, who to file a HIPAA complaint with, and how to do it. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers and health plans to make reasonable and appropriate efforts to ensure the confidentiality, integrity, and availability of individually identifiable health information. The Act also gives patients and plan members the right to see what information is maintained about them, request corrections if any information is inaccurate or incomplete, and know who their information has been shared with. To ensure patients and plan members are aware of how their information is used and what their rights are, healthcare providers and health plans are required to give each new patient or enrollee a Notice of Privacy Practices. The Notice of Privacy Practices...

OSHA and HIPAA Compliance
May05

In healthcare, OSHA and HIPAA compliance are both essential despite being separate standards. However, although separate, there are broad similarities in terms of reporting, recordkeeping, and enforcement.

The Occupational Safety and Health Act (OSH Act)

The Occupational Safety and Health Act (OSH Act) was signed into law more than 50 years ago and remains as relevant today as it was when President Nixon added his signature to the bill on December 29, 1970. The OSH Act covers the private sector and the federal government, and requires employers to create and maintain a safe and healthful working environment, and ensure employees are protected from hazards in the workplace. The OSH Act created the Occupational Safety and Health Administration (OSHA) within the Department of Labor, which is responsible for outreach, education, and assistance, and is also the enforcer of compliance with the OSH Act. OSHA sets workplace health and safety standards which are published in Title 29 of the Code of Federal Regulations (29 U.S.C. §§ 651 to 678). The construction, maritime, and agriculture...

Can E-Signatures Be Used Under HIPAA Rules?
May03

The use of digital signatures in the healthcare industry has helped to improve the efficiency of many processes, yet the question remains whether e-signatures can be used under HIPAA rules. Effectively the answer is “yes”, provided that mechanisms are put in place to ensure the legality and security of the contract, document, agreement or authorization, and there is no risk to the integrity of PHI.

What Does HIPAA Say About E-Signatures?

Proposals for the use of e-signatures under HIPAA rules were included in the first draft of the 2003 Security Rule, but then removed before the legislation was enacted. Subsequent guidance relating to Business Associate Agreements and the exchange of electronic health information has been published on the U.S. Department of Health and Human Resources website that states: “No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.” Generally, a signature is not required for many...

HIPAA Enforcement Rule
Apr26

The HIPAA Enforcement Rule of 2006 – and subsequent amendments attributable to the passage of HITECH – details the procedures for investigating violations of HIPAA and the penalties that the HHS Office for Civil Rights can impose on Covered Entities and Business Associates for failing to comply with the Privacy, Security, and Breach Notification Rules. In 1996, the passage of HIPAA gave the Secretary of Health and Human Services (HHS) the authority to impose financial penalties for violations of the Administrative Simplification provisions (see Sections 1176 and 1177). The Administrative Simplification provisions led to the publication of the HIPAA Privacy and Security Rules which were enacted in 2002 and 2003 respectively. The authorization to enforce the HIPAA Privacy and Security Rules (and later, the Breach Notification Rule) was delegated to the HHS' Office for Civil Rights. However, despite receiving more than 13,000 complaints in the first two years, the Office for Civil Rights failed to bring a single enforcement action – giving Covered Entities the impression...

March 2022 Healthcare Data Breach Report
Apr19

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month. However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals...

On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%
Apr19

Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network. Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access. While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients. All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several HIPAA...

What is a HIPAA Violation?
Apr18

To best answer the question what is a HIPAA violation, it is necessary to explain what HIPAA is, who it applies to, and what constitutes a violation; for although most people believe they know what a HIPAA violation is, evidence suggests otherwise. The evidence that there may be a misunderstanding about what a HIPAA violation is comes from the Department of Health and Human Services (HHS) Enforcement Highlights web page. The web page is regularly updated with statistics relating to complaints about HIPAA violations, compliance reviews, and enforcement action. According to the most recent update, the HHS has received almost 300,000 complaints since the compliance date of the Privacy Rule (April 2003). On its behalf, the Office for Civil Rights (OCR) has conducted tens of thousands of compliance reviews or intervened with technical assistance before a review was necessary. However, in more than 200,000 cases, complaints received by HHS have not been reviewed by OCR for reasons such as the entity alleged to have violated HIPAA was not a HIPAA Covered Entity, or the alleged activity...

What Are Covered Entities Under HIPAA?
Apr16

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates?

Covered Entities Under HIPAA

Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs. Healthcare clearinghouses are organizations that...

What are HIPAA Covered Entities?
Apr13

The term HIPAA Covered Entities is most often defined as health plans, healthcare clearinghouses, and healthcare providers that are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. However, not all health plans and healthcare providers are Covered Entities, and – in some circumstances – entities beyond the definition of Covered Entities are required to comply with the HIPAA Rules. Most health plans, healthcare clearinghouses, and healthcare providers that transmit Protected Health Information (PHI) electronically to carry out financial or administrative activities related to healthcare are required to comply with HIPAA. These are known as HIPAA Covered Entities, but there are exceptions to this definition. Exceptions to the definition of HIPAA Covered Entities exist because some health plans are exempt from the HIPAA requirements (i.e., self-funded and self-administered employer health plans with fewer than 50 participants), and some healthcare providers do not transmit PHI electronically (i.e., rural ambulance services). There are also times...

Read More
HIPAA Social Media Rules
Apr12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks. There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?

HIPAA and Social Media

Healthcare organizations must implement a HIPAA social media policy to reduce the risk of...

Read More
OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals
Apr07

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires that HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits. The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to implement cybersecurity best practices. The reward for organizations that have followed industry-standard security best practices for the 12 months prior to a data breach occurring is lower financial penalties for data breaches and less scrutiny by HHS. Another outstanding requirement, which dates back to when the HITECH Act was signed into law, is for HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments...

Read More
How to Report a HIPAA Violation Anonymously
Apr06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated or if HIPAA Rules are not being followed in your organization.

When Can an Alleged HIPAA Violation be Reported?

Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
HIPAA Compliance for Pharmacies
Apr06

HIPAA Compliance for Pharmacies

HIPAA compliance for pharmacies is a complex subject to tackle because, not only do most pharmacies have to comply with the provisions of the Administrative Simplification Regulations, but many may be subject to more stringent laws than HIPAA – in which case they will have to implement measures beyond those required by the HIPAA Privacy and Security Rules. Although it is widely accepted that pharmacies qualify as HIPAA Covered Entities, it is not immediately apparent how they qualify as HIPAA Covered Entities. This is because the Administrative Simplification Regulations define HIPAA Covered Entities as “a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter”. Most pharmacies, but not all, transmit health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards, and this would qualify them as HIPAA Covered Entities – if they meet the definition of a health care provider. This is where...

Read More
What is Considered a Breach of HIPAA?
Apr03

What is Considered a Breach of HIPAA?

It is important to know what is considered a breach of HIPAA because Covered Entities are required to report breaches of HIPAA to affected individuals and the Department of Health and Human Services under the Breach Notification Rule. Covered Entities that fail to comply with the Breach Notification Rule – or fail to do so in a timely manner – can be issued substantial penalties. The text of HIPAA is very clear about what is considered a breach of HIPAA – § 164.402 of the Breach Notification Rule defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.” When a breach of HIPAA is identified, Covered Entities must notify affected individuals without unreasonable delay, and in no case later than sixty days after the breach is discovered. The notification must include a description of the breach, the nature of information that was acquired, accessed, used, or disclosed, and advice about what steps individuals should take to protect themselves from potential...

Read More
HIPAA Permitted Disclosures
Apr02

HIPAA Permitted Disclosures

One of the biggest compliance challenges for Covered Entities and Business Associates is understanding HIPAA permitted disclosures. This is because there are a number of scenarios in which exceptions exist to the general guidance about when it is permitted to disclose Protected Health Information (PHI) without patient authorization. According to the Privacy Rule, Covered Entities must disclose PHI in only two scenarios – 1) when a patient requests access to their PHI or an accounting of disclosures, and 2) when the Department of Health and Human Services (HHS) conducts a review or a compliance investigation, or undertakes enforcement action. In neither scenario is patient authorization necessary.

Other Disclosures Permitted by the HIPAA Privacy Rule

Thereafter, Covered Entities are permitted, but not required, to disclose PHI without patient authorization for the following purposes or situations:

To the Individual

The Privacy Rule states that, except for the required HIPAA permitted disclosures for patient access or accounting of disclosures, Covered Entities may disclose PHI to...

Read More
What to Do if You Discover a HIPAA Violation in the Workplace
Apr02

What to Do if You Discover a HIPAA Violation in the Workplace

If you suspect there has been a HIPAA violation in the workplace, should you report the violation? If so, how should you report the potential violation and who needs to be told?

Is it Necessary to Report a HIPAA Violation in the Workplace?

If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with HIPAA Rules, the potential violation(s) should be reported. Since the publication of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach or HIPAA audit, the HHS’ Office for Civil Rights may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence. If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records?

What is the Relationship Between HITECH and HIPAA and Medical Records?

There is a strong relationship between HITECH and HIPAA as Title II of HIPAA includes the administrative simplification provisions that led to the development of the Privacy and Security Rules, while one of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for making the transition from paper to digital records. In order to enable the increased adoption of electronic health and medical records and keep the data maintained in these systems secure, the HITECH Act strengthened the HIPAA Privacy and Security Rules, required Business...

Read More
What Does HIPAA Cover?
Apr01

What Does HIPAA Cover?

It has been 22 years since the Health Insurance Portability and Accountability Act (HIPAA) was introduced, but there is still some confusion about HIPAA, what the legislation does for patients, who is required to comply with HIPAA Rules, and what HIPAA covers.

Who Does HIPAA Cover?

HIPAA is a federal law that introduced standards in healthcare relating to patient privacy and the protection of medical data. HIPAA covers healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. HIPAA applies to most entities that fall into the above categories, except those that do not conduct transactions electronically. Healthcare providers include hospitals, clinics, physicians, nursing homes, pharmacies, chiropractors, dentists, and psychologists. Health plans include health insurers, company health plans, HMOs, and government programs that pay for healthcare such as Medicaid and Medicare. Healthcare clearinghouses are organizations that transform nonstandard health data into a standard format. A business associate is an individual or...

Read More
OCR Announces 4 Financial Penalties to Resolve HIPAA Violations
Mar29

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed. OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was imposed, in part, for overcharging a patient who requested a copy of their medical records – the first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients. “Between the rising pace of breaches of unsecured protected health information and continued cyber...

Read More
How to Report a HIPAA Violation
Mar26

How to Report a HIPAA Violation

It is important for all employees in the healthcare and healthcare insurance industries to understand what constitutes a HIPAA violation and how to report a HIPAA violation. Understanding what constitutes a HIPAA violation should be included in the Covered Entity’s HIPAA training, as should the correct person to direct the report to – who then has the responsibility to determine whether or not the HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Potential HIPAA violations must be investigated internally by HIPAA Covered Entities and – where applicable – their Business Associates to determine the severity of the breach, the risk to individuals impacted by the incident, and to ensure action is taken promptly to correct the violation and mitigate risk. The sooner a potential HIPAA violation is reported, the easier it will be to limit the potential harm that may be caused and to prevent further violations of HIPAA Rules.

Reporting HIPAA Violations Internally

When healthcare or insurance professionals...

Read More
What is the Civil Penalty for Knowingly Violating HIPAA?
Mar26

What is the Civil Penalty for Knowingly Violating HIPAA?

It is understandable when misunderstandings exist about the civil penalty for knowingly violating HIPAA due to the scope of the Health Insurance Portability and Accountability Act (HIPAA), the frequent references to other statutes, and the subsequent changes to the Administrative Simplification provisions of the Act. If you search for the term “knowingly” in the text of HIPAA, you will find multiple references relating to defrauding health plans and embezzling money from healthcare benefit programs (i.e. Medicare), but only one relating to the wrongful disclosure of individually identifiable health information – and this section relates to criminal penalties for knowingly violating HIPAA rather than civil penalties. However, just before this section, the Act gives the Secretary of Health & Human Services (HHS) the authority to impose financial penalties for the failure to comply with the requirements and standards of the Administrative Simplification provisions unless the person liable for the penalty “did not know and by exercising reasonable diligence would not have known”...

Read More
February 2022 Healthcare Data Breach Report
Mar22

February 2022 Healthcare Data Breach Report

For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen. 46 healthcare data breaches of 500 or more records were reported to OCR in February – an 8% fall from January. February saw the lowest number of data breaches in the past 5 months. Even with the reduction in breaches, on average, more than 2 healthcare data breaches have been reported each day over the past 12 months. From March 1, 2021, to February 28, 2022, there have been 723 reported data breaches of 500 or more records. Across February’s 46 incidents, the records of 2,525,023 individuals were exposed or compromised – a 2.28% fall from the previous month – which is considerably lower than the 3,506,400 records that have been breached each month, on average, from March 1, 2021, to February 28, 2022. At least 42,076,805 healthcare records were exposed over that period. In February, the average breach size was 48,957 records and the median breach size was 7,014 records.

Largest Healthcare Data Breaches Reported in February 2022

22 HIPAA-regulated entities...

Read More
How to Become HIPAA Compliant
Mar21

How to Become HIPAA Compliant

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to.

How to Become HIPAA Compliant

There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013). To become HIPAA compliant, you will need to study the full text of the Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164) – which the Department of Health and Human Services’...

Read More
De-identification of Protected Health Information: How to Anonymize PHI
Mar18

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, but de-identification of protected health information means HIPAA Privacy Rule restrictions no longer apply. HIPAA Privacy Rule restrictions only cover individually identifiable health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not reasonably possible, the data is no longer PHI and can be freely shared. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed.

HIPAA-Compliant De-identification of Protected Health Information

HIPAA-compliant de-identification of protected health information is possible...

Read More
OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks
Mar18

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule. The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities. Prevention of...

Read More
How to Secure Patient Information (PHI)
Mar13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer?

How Can You Secure Patient Information?

HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace at which technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
What Information is Protected Under HIPAA Law?
Mar08

What Information is Protected Under HIPAA Law?

The Health Insurance Portability and Accountability Act (HIPAA) consists of five Titles, each with their own set of HIPAA laws. Four of the five sets of HIPAA laws are straightforward and cover topics such as the portability of healthcare insurance between jobs, the coverage of persons with pre-existing conditions, and tax provisions for medical savings accounts. However, Title II – the section relating to administrative simplification, preventing healthcare fraud and abuse, and medical liability reform – is far more complicated. It contains subsets of HIPAA laws which sometimes overlap with each other, and several of the provisions in Title II have been modified, updated, or impacted by subsequent acts of legislation. Furthermore, since HIPAA was enacted, the U.S. Department of Health and Human Services (HHS) has promulgated six sets of “Rules”, which, as they are codified in 45 CFR Parts 160, 162, and 164, are strictly speaking HIPAA laws within HIPAA laws. These are most commonly referred to as the Administrative Simplification...

Read More
Is a HIPAA Violation Grounds for Termination?
Mar07

Is a HIPAA Violation Grounds for Termination?

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules? Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy?

Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination?

Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations. When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for...

Read More
What Happens if You Violate HIPAA?
Mar07

What Happens if You Violate HIPAA?

If you work in healthcare you should have a good working knowledge of HIPAA rules, exercise diligence, and ensure that HIPAA Rules are always followed, but what happens if you violate HIPAA? What are the likely repercussions for accidentally or knowingly violating HIPAA Rules? What happens if you violate HIPAA will depend on the type of violation, its severity, the harm caused to others, and the extent to which you knew that HIPAA Rules were being violated.

Disciplinary Action and Termination

If at the time of the violation you were unaware that you had made a mistake, the violation was minor, and no harm has been caused, the violation may be dealt with internally. Verbal or written warnings may be issued and further training on HIPAA compliance would be appropriate. For more serious violations, especially in cases where HIPAA Rules have been knowingly violated, termination is likely. The violation may be reported to licensing boards who can place restrictions on licenses. Suspension and loss of license is a possibility.

Civil Penalties

The Department of Health and Human Services’...

Read More
What is a Limited Data Set Under HIPAA?
Mar07

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. In contrast to de-identified protected health information, which is no longer classed as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected health information. Therefore it is still subject to HIPAA Privacy Rule regulations. A HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity. The data use agreement allows the covered entity to obtain satisfactory assurances that the PHI will only be used for specific purposes, that the PHI will not be disclosed by the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be followed. The data use agreement, which must be accepted prior to the limited data set being shared, should outline the following:...

Read More
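The two transformations described in the de-identification entry (Mar18) and the limited data set entry (Mar07) above differ in exactly which fields must go. As an added example, not code from HIPAA Journal, the Python below applies both to one constructed patient record: Safe Harbor de-identification under 45 CFR 164.514(b)(2) (the 18 identifier categories, including generalizing dates to the year, ZIP codes to three digits, and ages over 89 to "90+"), and limited data set preparation under 45 CFR 164.514(e)(2) (16 direct identifiers removed, dates and city/state/ZIP retained). The field names, the sample record, and the list of low-population ZIP3 prefixes are assumptions for illustration; the ZIP3 list must be refreshed from current census data before any real use.

```python
"""Added example (not from the HIPAA Journal article): Safe Harbor
de-identification vs. limited data set preparation for one patient record.

Field names, the sample record and the ZIP3 list are assumptions for
illustration. Safe Harbor output is no longer PHI; a limited data set is still
PHI and may only leave the organization under a data use agreement.
"""
import re

# 45 CFR 164.514(e)(2): direct identifiers a limited data set must NOT contain.
# (keys are the example's own field names)
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Safe Harbor additionally removes geography below state level and all date
# elements except year; a limited data set may keep these.
DATE_FIELDS = ("dob", "admit_date", "discharge_date")

# ZIP3 areas with 20,000 or fewer people must be reported as "000".
# Assumed list (HHS guidance based on the 2000 census); refresh before use.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example Street",
    "city": "Springfield",
    "state": "MA",
    "zip": "01109",
    "dob": "1930-06-15",
    "age": 91,
    "phone": "555-0100",
    "email": "jane@example.org",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "admit_date": "2022-02-03",
    "discharge_date": "2022-02-07",
    "diagnosis_code": "E11.9",
    "notes": "Patient follow-up; call 555-0100 if symptoms return.",
}


def limited_data_set(record: dict) -> dict:
    """Drop the 16 direct identifiers; keep dates, age, city/state/ZIP."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize_zip(zip_code: str) -> str:
    """Safe Harbor: first three digits only, or 000 for small ZIP3 areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def safe_harbor(record: dict) -> dict:
    """Safe Harbor de-identification of a record (new dict, input untouched)."""
    out = limited_data_set(record)       # start from the direct identifiers
    out.pop("city", None)                # geography below state level
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    for field in DATE_FIELDS:            # keep the year only
        if field in out:
            m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(out[field]))
            out[field] = m.group(1) if m else None
    if "age" in out and out["age"] > 89:
        out["age"] = "90+"               # ages over 89 are aggregated
        out.pop("dob", None)             # and the birth year is dropped too
    return out


# Patterns for identifier-like strings left in free text (item 18, "any other
# unique identifying number, characteristic, or code"). Regexes are heuristics.
_RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\d{3}[-.\s])?\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def residual_identifier_scan(record: dict) -> list:
    """Return (field, kind, match) for identifier-like text in string fields."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in _RESIDUAL_PATTERNS.items():
            for match in pattern.findall(value):
                hits.append((field, kind, match))
    return hits


if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    deid = safe_harbor(SAMPLE_RECORD)
    print("safe harbor:", deid)
    # The structured fields are clean, but the free-text note still carries a
    # phone number, so this record is NOT yet de-identified.
    print("residual identifiers:", residual_identifier_scan(deid))
```

The point of the final scan is the one practitioners most often miss: stripping structured columns satisfies items 1 to 17 of Safe Harbor, but a note field that still contains a phone number leaves the record identifiable, so free text has to be reviewed or redacted separately before the data is treated as no longer PHI.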
Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk
Mar07

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised. Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering. The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a...

Read More
How Employees Can Help Prevent HIPAA Violations?
Mar03

How Employees Can Help Prevent HIPAA Violations?

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notification Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations. Employers can help employees by providing regular HIPAA training.

Employees Can Help to Prevent HIPAA Violations

Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and how to secure ePHI at all times. Refresher training sessions should also be...

Read More
What Happens if a Nurse Violates HIPAA?
Mar03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization? The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
HIPAA Violation Reporting
Mar02

HIPAA Violation Reporting

There is no one-size-fits-all HIPAA violation reporting process because different organizations have different policies and procedures for reporting HIPAA violations, while the process for reporting violations to HHS’ Office for Civil Rights varies according to the nature of the violation and who is making the report. There are many different types of HIPAA violations, but some are not as serious as others. For example, the failure to send periodic security reminders (an implementation specification of 45 CFR § 164.308) is a HIPAA violation, but it is unlikely to have as serious consequences as the theft of an unencrypted laptop containing the unsecured ePHI of twenty thousand patients. Consequently, a single Covered Entity or Business Associate may have several HIPAA violation reporting processes depending on the nature and potential severity of the event. Similarly, the HHS’ Office for Civil Rights – the HIPAA enforcement agency – has three reporting processes through which organizations, members of the workforce, and patients can report a HIPAA violation. HIPAA Violation...

Read More
OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture
Mar01

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry. 2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached. The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled. Pino also drew attention to the critical vulnerability...

Read More
Is Zoom HIPAA Compliant?
Mar01

Is Zoom HIPAA Compliant?

Zoom is a popular video and web conferencing platform that has been adopted by more than 750,000 businesses, but is the service suitable for use by healthcare organizations for sharing PHI? Is Zoom HIPAA compliant?

What is Zoom?

Zoom is a cloud-based video and web conferencing platform that allows workers across multiple locations to take part in meetings, share files, and collaborate. The platform supports webinars and includes a business IM service. Zoom has already been adopted by many healthcare organizations around the globe who use the platform to consult with other providers and communicate with patients. However, in the United States, healthcare providers, health plans, and healthcare clearinghouses (collectively “HIPAA covered entities”) using the platform must comply with HIPAA Rules. Any software solution used to share patient information must incorporate a host of security protections to ensure protected health information (PHI) is safeguarded. Further, cloud-based platform providers (in this case Zoom) are classed as business associates and are also...

Who Does HIPAA Apply To?
Feb28


Confusion sometimes exists over the question of who HIPAA applies to because the requirement to protect individually identifiable health information is covered in only a small section of a very substantial Act. Even when this small section is extracted and analyzed, it is still not always clear who HIPAA applies to and which organizations need to implement HIPAA compliance programs.

Does HIPAA Apply to Everybody?

The Health Insurance Portability and Accountability Act (PDF) is a substantial body of legislation passed by Congress in 1996. As the title of the Act suggests, it addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans. However, HIPAA consists of four further titles covering topics from medical liability reform to taxes on expatriates who give up U.S....

January 2022 Healthcare Data Breach Report
Feb22


50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020. The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.

Largest Healthcare Data Breaches in January 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Breach...

What is the Purpose of HIPAA?
Feb18


The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – is an important legislative Act affecting the U.S. healthcare industry, but what is the purpose of HIPAA? Healthcare professionals often complain about the restrictions of HIPAA – are the benefits of the legislation worth the extra workload?

What is the Purpose of HIPAA?

HIPAA was first introduced in 1996. In its earliest form, the legislation helped to ensure that employees would continue to receive health insurance coverage when they were between jobs. The legislation also required healthcare organizations to implement controls to secure patient data to prevent healthcare fraud, although it took several years for the rules for doing so to be penned. HIPAA also introduced several new standards that were intended to improve efficiency in the healthcare industry, requiring healthcare organizations to adopt the standards to reduce the paperwork burden. Code sets had to be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between...

Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws
Feb14


Healthcare privacy laws in the United States are due an update to bring them into the modern age to ensure individually identifiable health information is protected no matter how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 2 decades old, and while the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year, even if the proposed HIPAA Privacy Rule changes are signed into law, there will still be regulatory gaps that place health data at risk. The use of technology for healthcare and health information has grown in a way that could not be envisaged when the Privacy Rule was signed into law. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. The HIPAA Privacy and Security Rules introduced requirements to ensure the privacy and security of health data, but HIPAA only applies to HIPAA-covered entities –...

What is Considered PHI?
Feb13


In response to questions sent to HIPAA Journal, we have written a series of posts explaining some of the basic elements of HIPAA, the latest being what is considered PHI?

What is PHI, PII, and IIHA?

Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Why is HIPAA Important?
Feb12


The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals.

Why is HIPAA Important for Healthcare Organizations?

HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements
Feb08


The Government Accountability Office (GAO) has launched a rapid response survey of healthcare organizations and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) seeking feedback on their experiences reporting data breaches to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was initially due to remain open until 4 p.m. EST on Friday, February 4, 2022, but the deadline has now been extended by a week to February 11, 2022. The survey is being conducted through Survey Monkey and can be accessed here. Congress requested the GAO review the number of data breaches reported to the HHS since 2015, and the survey seeks to identify some of the challenges, if any, faced by covered entities and business associates in meeting the data breach reporting requirements of the HHS. The GAO will also determine what efforts the HHS has made to address any breach reporting issues and improve the data breach reporting process. The survey is being distributed by the Health-ISAC, Health Sector Coordinating Council (HSCC)...

How to Make Your Email HIPAA Compliant
Feb07


Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations?

How to Make Your Email HIPAA Compliant

Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails. Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Can A Patient Sue for A HIPAA Violation?
Feb07


Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information....

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach
Feb04


The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals. The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA. RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals....

Concerning Healthcare Data Breach Reporting Trend
Feb01


The HIPAA Breach Notification Rule calls for data breach notifications to be issued to the Secretary of the HHS “without unnecessary delay” and no later than 60 days after the date of discovery of a data breach. The same time frame applies to issuing notification letters to affected individuals. There has been a trend in recent years for HIPAA-regulated entities to wait the full 60 days from the date of discovery of the breach to issue notifications to affected individuals and the HHS, but recently growing numbers have taken the date of discovery as the date when the breach investigation has been completed, or even the date when the full review of impacted documents is finished. In some cases, notifications have been issued many months after the initial system breach was detected. There may be valid reasons for a delay in reporting, such as a request from law enforcement to delay making a cyberattack or data theft incident public to avoid interfering with the law enforcement investigation; however, it is rare for individual notifications to mention these law enforcement requests....

What is Considered PHI Under HIPAA?
Jan28


In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA?

What is Considered PHI Under HIPAA Rules?

Under HIPAA, PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual HIPAA...

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach
Jan25


The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents. The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers,...

What are the Penalties for HIPAA Violations?
Jan23


Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom. Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to HIPAA-covered entities that fail to comply with HIPAA Rules. Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013. Since the introduction of the Omnibus Rule, the new penalties for HIPAA...

The HIPAA Conduit Exception Rule and Transmission of PHI
Jan19


The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including updates attributable to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus Rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also...

December 2021 Healthcare Data Breach Report
Jan18


56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – a 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – the second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause
Oregon Anesthesiology Group, P.C. | OR | Healthcare Provider | 750,500 | Ransomware
Texas ENT Specialists | TX | Healthcare Provider | 535,489 | Ransomware
Monongalia Health System, Inc....

When is a HIPAA Consent Form Required?
Jan16


A signed HIPAA consent form must be obtained by HIPAA-covered entities prior to any use or disclosure of an individual’s identifiable protected health information that is not expressly permitted by the HIPAA Privacy Rule. A HIPAA consent form is a legal document authorizing specific uses and disclosures, but there is no requirement to notarize the forms. The forms must be retained as they may need to be provided to regulators during audits and compliance investigations as they serve as proof that authorization has been obtained in writing to waive certain Privacy Rule restrictions.

When is a HIPAA Consent Form Required?

The HIPAA Privacy Rule created national standards covering the privacy of individually identifiable health information, defined protected health information, and introduced strict requirements covering uses and disclosures of healthcare data. The HIPAA Privacy Rule does not prohibit any use or disclosure of individually identifiable health information, but certain uses and disclosures are only permitted if individual consent is obtained. Under the HIPAA Privacy...

New HIPAA Regulations in 2022
Jan14


It has been several years since new HIPAA regulations have been signed into law, but HIPAA changes in 2022 are expected. The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable. Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. There have been calls from many...

Is it a HIPAA Violation to Email Patient Names?
Jan14


We have been asked whether it is a HIPAA violation to email patient names and other protected health information. In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information.

Is it a HIPAA Violation to Email Patient Names?

Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data. It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected...

What is Individually Identifiable Health Information?
Jan11


What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?

What is Individually Identifiable Health Information?

Before answering the question, what is individually identifiable health information, it is necessary to define health information. HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity. Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual. Individually identifiable health information is a subset of health information, and as the name suggests, is health information...

HIPAA Updates and HIPAA Changes in 2022
Jan10


The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Updates to HIPAA are long overdue but steps were finally made to update HIPAA in December 2020, when the HHS issued a Notice of Proposed Rulemaking that detailed several proposed changes to the HIPAA Privacy Rule, and a Final Rule is now due which will likely see many HIPAA changes in 2022.

Major HIPAA Updates in the Past 20 Years

Since HIPAA was signed into law there have been a few major HIPAA updates. The HIPAA Privacy and Security Rules were introduced which limited uses and disclosures of protected health information, gave patients new rights over their healthcare data, and introduced a set of minimum security standards. Those HIPAA updates were followed by the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach...

Does HIPAA Apply to Schools?
Jan09


HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, but how does HIPAA apply to schools? In this post we explore when HIPAA applies to schools and how the Health Insurance Portability and Accountability Act intersects with the Family Educational Rights and Privacy Act (FERPA).

Does HIPAA Apply to Schools?

Generally, HIPAA does not apply to schools because they are not HIPAA covered entities, but in some situations a school can be a covered entity if healthcare services are provided to students. In such cases, HIPAA may still not apply because any student health information collected would be included in the students’ education records and education records are exempt from the HIPAA Privacy Rule as they are covered by FERPA. More and more schools are offering healthcare services to their students. Medical professionals are employed by some schools, some have on-site health clinics, and they often dispense medications and administer vaccines. When healthcare services are provided, health information will be...

How Should You Respond to an Accidental HIPAA Violation?
Jan06


The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is an accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond?

How Should Employees Report an Accidental HIPAA Violation?

Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

What are the HIPAA Breach Notification Requirements?
Jan04


All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information (PHI) is discovered. HIPAA training for staff must also include the procedures for reporting breaches of unsecured PHI. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started providing a service to Covered Entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in addition to that imposed for the data breach itself. With this in mind, we have compiled a summary of...

2020-2021 HIPAA Violation Cases and Penalties
Jan04


The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

What Happens if You Break HIPAA Rules?
Jan03


HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties, and what happens if you break HIPAA Rules?

What Happens if You Break HIPAA Rules?

If you break HIPAA Rules there are four potential outcomes:

- The violation could be dealt with internally by an employer
- You could be terminated
- You could face sanctions from professional boards
- You could face criminal charges which include fines and imprisonment

What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:

- The nature of the violation
- Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated
- Whether action was taken to correct the violation
- Whether there was malicious intent or HIPAA...

What is HIPAA Certification?
Jan03


HIPAA certification has two meanings. It can either be a point in time accreditation demonstrating an organization has passed a HIPAA compliance audit, or a recognition that members of the organization’s workforce have achieved the level of HIPAA knowledge required to comply with the organization’s policies and procedures. Both are useful accreditations to have. There are two things organizations and their workforces should be aware of before undertaking a HIPAA certification program. There are no requirements in HIPAA for organizations and/or their workforces to certify compliance, and certification is not a “get out of jail free card” that will absolve negligent parties from HIPAA violations. So why get certified?

Why Get Certified as being HIPAA Compliant?

The first reason for getting certified is that, in order to achieve an accreditation, organizations will have to adopt best privacy practices and implement the administrative, technical, and physical safeguards of the HIPAA Security Rule. This in itself will reduce the likelihood of HIPAA violations and data breaches – leading...

What is Considered Protected Health Information Under HIPAA?
Jan02

Protected health information – or PHI – is often mentioned in relation to HIPAA and healthcare, but what is considered protected health information under HIPAA?

What is Considered Protected Health Information Under HIPAA Law?

If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits on the uses and disclosures of PHI. Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense.

Protected Health Information Definition

Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created,...

The Most Common HIPAA Violations You Should Avoid
Jan02

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

What is Protected Health Information?
Jan02

The latest article in our HIPAA basics series answers the question: what is protected health information? The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information? First, it is worthwhile explaining two other important terms detailed in HIPAA regulations: a covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse which transmits health data electronically for transactions for which the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual who performs services on behalf of a HIPAA-covered entity that require access to, or the use of, protected health information.

What is Protected Health Information?

Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in...

HIPAA Enforcement by State Attorneys General
Dec28

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules, and they can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases...

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?
Dec25

According to several media sources, there appears to be a degree of confusion about the purpose of HIPAA, who it applies to, and whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation. The confusion was highlighted recently when, on May 18, 2021, Rep. Marjorie Taylor Greene (R-Ga) was asked whether she had been vaccinated, as she had refused to wear a mask on the House floor in breach of House rules. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct, as HIPAA does not apply in such situations. It is not only Rep. Greene who is unsure about the purpose of HIPAA and who it applies to. Several organizations have also raised concerns that asking employees to provide proof of being vaccinated against COVID-19 in order to avoid wearing a facemask, maintaining social distancing, or self-isolating after exposure to an infected person may also be a violation of HIPAA.

HIPAA and Its Purpose

The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of...

November 2021 Healthcare Data Breach Report
Dec21

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders
Dec21

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published new guidance to explain how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) to support applications for extreme risk protection orders. In June 2021, the U.S. Department of Justice published model legislation to provide states with a framework for creating their own extreme risk protection order (ERPO) laws. Extreme risk protection orders temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths. ERPO legislation permits certain entities such as law enforcement officers, family members, and healthcare providers to apply to the courts for an ERPO. Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. If healthcare providers are involved in ERPOs, the HIPAA Privacy Rule applies and places restrictions on any disclosures of PHI. The HIPAA Privacy Rule permits...

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations
Dec16

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA). Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC. Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details. In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the...

What is a HIPAA Waiver Form?
Dec15

A HIPAA waiver form is a form given to an individual by a HIPAA-covered entity that authorizes the use of the individual’s protected health information (PHI) or disclosure of the information to a third party for a reason not expressly permitted by the HIPAA Privacy Rule. The HIPAA Privacy Rule – 45 CFR §164.500-534 – places restrictions on uses and disclosures of individually identifiable protected health information. HIPAA-covered entities are permitted under the HIPAA Privacy Rule to use or disclose an individual’s protected health information without obtaining consent for reasons related to treatment, payment for healthcare services, and healthcare operations. Consent is also not required for disclosures of an individual’s PHI to the Department of Health and Human Services in relation to a compliance investigation, review, or enforcement action, and for any of the 12 national priority purposes, which include public interest and benefit activities, judicial and administrative proceedings, law enforcement purposes, tissue donation, workers’ compensation, to prevent a...

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access
Dec06

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act. New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties. The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability Resources (FHIR) standard. Healthcare providers and insurers are required to...

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats
Dec03

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats. The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use. More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and...

26th Annual Compliance Institute: March 28 – 31, 2022
Dec02

Health Care Compliance Association (HCCA) will be hosting the 26th Annual Compliance Institute at the Phoenix Convention Center, Phoenix, AZ, March 28 – 31, 2022. HCCA is a member-based association for healthcare compliance professionals that is dedicated to enabling the lasting success and integrity of all professionals working for, with, or supporting healthcare organizations. Established in 1996, HCCA now has more than 12,000 members across the United States.  HCCA promotes the highest standards in compliance programs, creates high-quality educational training events, and provides a forum for interaction and information exchange within the healthcare compliance community. The Compliance Institute is HCCA’s primary educational and networking event. Running over 4 days, attendees will be able to attend 109 educational sessions, benefit from professional development opportunities, and will be able to network and improve their career prospects. The educational sessions highlight real-world compliance issues, emerging trends, and practical applications that attendees can use to...

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations
Dec01

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records. The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified. The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the...

October 2021 Healthcare Data Breach Report
Nov22

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021. The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021.

Largest Healthcare Data Breaches in October 2021

There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause
Eskenazi Health | IN | ...

HIPAA Authorization Form for Parents
Nov17

Healthcare providers need to have a HIPAA authorization form for parents to sign to authorize the use or disclosure of their minor children’s medical records for reasons not permitted by the HIPAA Privacy Rule. Adult children must also sign a HIPAA authorization form for parents to be permitted to have access to their healthcare data. Privacy Rule Right of Access and Restrictions on Uses and Disclosures of PHI Under the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) individuals have the right to obtain a copy of their protected health information from a HIPAA-covered entity. This right allows individuals to check their medical records for errors, and individuals are permitted to request that any errors be corrected. The right of access also allows patients to obtain a copy of their medical records to provide to another healthcare provider or to an organization conducting medical research. Parents and legal guardians are permitted by the HIPAA Privacy Rule to obtain a copy of the medical records of their minor children. The HIPAA Privacy Rule places...

HHS Increases HIPAA Penalties for 2021 per the Inflation Adjustment Act
Nov17

Under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015*, the Office of the Assistant Secretary for Financial Resources of the Department of Health and Human Services (HHS) has issued a final rule that implements adjustments to the maximum civil monetary penalties for HIPAA violations for 2021. According to the Department of Health and Human Services, the 2021 annual inflation adjustment “is determined using the percent increase in the Consumer Price Index for all Urban Consumers (CPI–U) for the month of October of the year in which the amount of each CMP was most recently established or modified.” The cost-of-living adjustment multiplier for 2021 is 1.01182. Previous cost-of-living multipliers are indicated below:
2017 – 1.01636
2018 – 1.02041
2019 – 1.02522
2020 – 1.01764

The final rule took effect on Monday, November 15, 2021, and applies to penalties assessed on or after November 15, 2021, if the violation occurred on or after November 2, 2015. These penalties will apply until the next inflation increase is applied. The annual...

New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations
Nov12

The New Jersey Attorney General has approved a $130,000 settlement with two printing firms to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) that resulted in a breach of the protected health information (PHI) of 55,715 New Jersey residents. Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients. When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include...

Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance
Nov02

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections they have implemented to secure their legacy IT systems and devices. A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks. Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices. Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy...

Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule, and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And no. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules.

Amazon Will Sign a Business Associate Agreement for AWS

Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previously, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI
Oct27

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk. The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats. The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to...

Who Enforces HIPAA?
Oct25

Since the passing of the Health Insurance Portability and Accountability Act (HIPAA) Enforcement Rule in 2006, noncompliance with HIPAA can result in a significant financial penalty, but who enforces HIPAA? Which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates?

Who Enforces HIPAA?

The primary enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009 saw state attorneys general given the power to assist OCR in the enforcement of HIPAA. The Centers for Medicare and Medicaid Services (CMS) also has some enforcement powers, and the U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) have participated in HIPAA enforcement to some degree.

HIPAA Enforcement by the HHS’ Office for Civil Rights

The HHS’ Office for Civil Rights investigates all data breaches reported by covered entities and business...

September 2021 Healthcare Data Breach Report
Oct20

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months. Largest Healthcare Data Breaches Reported in September 2021 16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty
Oct14

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty. Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI). Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents. As a HIPAA-covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access. Diamond Investigated for...

Is Skype HIPAA Compliant?
Oct13

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules? There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access to information transmitted via the platform, and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules? This article will attempt to answer the question: is Skype HIPAA compliant?

Is Skype a Business Associate?

Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary. However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits ePHI on behalf of a HIPAA-covered entity or one of its business associates....

What is HIPAA Authorization?
Oct09

We are often asked to clarify certain elements of HIPAA Rules. One recent question relates to disclosures of protected health information (PHI) and medical records – ‘What is HIPAA authorization?’ What is HIPAA Authorization? The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared. The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations, and reporting issues such as domestic abuse to public health agencies. HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual/entity for a...

Is WhatsApp HIPAA Compliant?
Oct06

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform. Why Isn’t WhatsApp HIPAA Compliant? First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users. HIPAA does not demand that encryption be used. Provided an alternate, equivalent measure is...

OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures
Oct05

The Department of Health and Human Services’ Office for Civil Rights has issued guidance to educate the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status information and requests from individuals about whether a person has been vaccinated against COVID-19. In the guidance, OCR confirmed that HIPAA only applies to HIPAA-regulated entities. HIPAA-regulated entities are healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions, and business associates of those entities that require access to or encounter protected health information (PHI). OCR reminded the public that the HIPAA Privacy Rule does not apply to employers or employment records. That includes information collected or stored by HIPAA-regulated entities in their capacity as an employer. OCR explained how HIPAA applies to COVID-19 vaccination information in certain situations through a website Q&A and states: The HIPAA Privacy Rule does not prohibit businesses or individuals from...

Is OneDrive HIPAA Compliant?
Sep30

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including Exchange Online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files. Microsoft Supports HIPAA Compliance There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA compliance, and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules. That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA). Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well...

What is a HIPAA Subpoena?
Sep28

The U.S. Department of Justice has recently been cracking down on healthcare offenses, with investigations often involving a HIPAA subpoena being issued. The subpoena compels HIPAA-regulated entities to release information such as patient medical records that they would otherwise not be permitted to disclose due to Privacy Rule restrictions on uses and disclosures. The HIPAA Privacy Rule permits disclosures of protected health information (PHI) if compelled to do so by a valid subpoena. What is a HIPAA Subpoena? A HIPAA subpoena is an administrative subpoena which requires a HIPAA-regulated entity to release documents to support investigations of federal criminal healthcare offenses pursuant to 18 U.S.C. § 3486, and the use of these subpoenas is becoming more common. A HIPAA subpoena is similar to a federal grand jury subpoena, in that they both compel a HIPAA-regulated entity to release specific information to assist with investigations into healthcare offenses. A HIPAA subpoena is an administrative subpoena, but such subpoenas are not generally issued for investigations that are purely...

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights
Sep27

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since Trump appointee Roger Severino resigned from the post in mid-January. OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and the Patient Safety Rule, as well as enforcing federal civil rights, conscience, and religious freedom laws. Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and a Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow. Pino has served as a legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where...

Is FaceTime HIPAA Compliant?
Sep19

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate electronic protected health information (ePHI) without violating HIPAA Rules? In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary. Will Apple Sign A BAA for FaceTime? An extensive search of the Apple website has revealed no indication that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI. Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate? The HIPAA Conduit...

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
Sep13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019. Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year. The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making...

When Was HIPAA Enacted?
Sep09

The answer to the question ‘When was HIPAA enacted?’ is not straightforward. This is because, although the Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, different parts of the Act had different enactment dates. There are several reasons for there being different dates when HIPAA was enacted. The first is that HIPAA covered more than just the privacy and security of individually identifiable health information. It introduced measures to make health insurance more accessible, portable, and renewable, and enforced changes on the healthcare and health insurance industries to reduce fraud and abuse. Additionally, HIPAA was not an entirely new law. In order to (for example) make health insurance more accessible, portable, and renewable, it was necessary to amend existing laws such as the Employee Retirement Income Security Act (ERISA) and the Social Security Act. Some amendments to these laws were enacted immediately, while others took effect sixty or ninety days later. Most of the new provisions in HIPAA were enacted within a year; but,...

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents
Aug25

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches, and healthcare organizations are also required to comply with state data breach notification laws. Many states have introduced their own data privacy laws, which typically require notifications to be sent to the appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified. Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health...

July 2021 Healthcare Data Breach Report
Aug23

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA
Aug21

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA? It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today. It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially due to the considerable administrative burden it initially placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives. The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes...

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul23

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s...

Is Google Drive HIPAA Compliant?
Jul21

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Is Dropbox HIPAA Compliant?
Jul14

Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information? Is Dropbox HIPAA Compliant? Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant? Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform can be HIPAA compliant as it depends on how the software or platform is used. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules. The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required. Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA...

Is Google Voice HIPAA Compliant?
Jun30

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing, and email, Google Voice is not...

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation
Jun28

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th Amendment when an individual’s privacy is violated. The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor. In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the...

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access
Jun28

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail. The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered. A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no...
