Dedicated to providing the latest
HIPAA compliance news

Our HIPAA compliance news section keeps you up to date with HIPAA breaches, OCR updates and HITECH and GDPR compliance issues. Make sure you remain up to date with the latest HIPAA compliance news by subscribing to our newsletter or follow us on Twitter @HIPAAJournal.

Healthcare Compliance Programs Not In Line With Expectations of Regulators
Apr23

Healthcare Compliance Programs Not In Line With Expectations of Regulators

Healthcare compliance officers are prioritizing compliance with HIPAA Privacy and Security Rules, even though the majority of Department of Justice and the HHS Office of Inspector General enforcement actions are not for violations of HIPAA or security breaches, but corrupt arrangements with referral sources and false claims. There are more penalties issued by regulators for these two compliance failures than penalties for HIPAA violations. HIPAA enforcement by the HHS’ Office for Civil Rights has increased, yet the liabilities to healthcare organizations from corrupt arrangements with referral sources and false claims are far higher. Even so, these aspects of compliance are relatively low down the list of priorities, according to a recent survey of 388 healthcare professionals conducted by SAI Global and Strategic Management Services. The survey was conducted on compliance officers from healthcare organizations of all sizes, from small physician practices to large integrated hospital systems. The aim of the study was to identify the key issues faced by compliance officers and...

Read More
Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft
Apr17

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution. Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014. Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information. Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents. On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016. She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were...

Read More
Analysis of March 2018 Healthcare Data Breaches
Apr16

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February. Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February. Causes of March 2018 Healthcare Data Breaches March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March. The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause...

Read More
2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office
Apr11

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients. Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items. Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office. The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email. Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per...

Read More
HHS Files Motion to Dismiss Ciox Health Lawsuit
Apr10

HHS Files Motion to Dismiss Ciox Health Lawsuit

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing. Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access. Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations. In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS...

Read More
Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks
Apr09

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve their security posture. Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware. Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of...

Read More
HIPAA Compliance for Pharmacies
Apr06

HIPAA Compliance for Pharmacies

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe. Key Elements of HIPAA Compliance for Pharmacies The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below. Conduct risk analyses – A comprehensive, organization wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a onetime checkbox item. Risk analyses must be conducted regularly, such as when there is a change...

Read More
Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law
Apr05

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – A network of physicians affiliated to over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication. The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes. Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport. The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient...

Read More
What Happens if You Break HIPAA Rules?
Apr03

What Happens if You Break HIPAA Rules?

HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood Healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties and what happens if you break HIPAA Rules? What Happens if You Break HIPAA Rules? If you break HIPAA Rules there are four potential outcomes: The violation could be dealt with internally by an employer You could be terminated You could face sanctions from professional boards You could face criminal charges which include fines and imprisonment What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors: The nature of the violation Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated Whether action was taken to correct the violation Whether there was malicious intent or HIPAA Rules were violated for...

Read More
What is Considered Protected Health Information Under HIPAA?
Apr02

What is Considered Protected Health Information Under HIPAA?

Protected health information – or PHI – is often mentioned in relation to HIPAA and healthcare, but what is considered protected health information under HIPAA? What is Considered Protected Health Information Under HIPAA Law? If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits the uses and disclosures of PHI. Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense. Under HIPAA, protected health information is considered to be individually identifiable information relating to the health status of an individual, the provision of healthcare, or individually identifiable information that is created,...

Read More
What to Do if You Discover a HIPAA Violation in the Workplace
Apr02

What to Do if You Discover a HIPAA Violation in the Workplace

You suspect there has been a HIPAA violation in the workplace, should you report the violation? If so, how should you report the potential violation and who needs to be told? Is it Necessary to Report a HIPAA Violation in the Workplace? If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with HIPAA Rules, the potential violation(s) should be reported. Since the passing of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach or HIPAA audit, the HHS’ Office for Civil Rights may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence. If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996, and was updated by the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for...

Read More
What is Protected by HIPAA?
Mar31

What is Protected by HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an important legislative Act that requires healthcare organizations that conduct transactions electronically to develop and implement controls to ensure the privacy of patients and security of healthcare data is safeguarded, but specifically, what is protected by HIPAA? What is Protected by HIPAA and How Must PHI be Safeguarded? All HIPAA covered entities should be well aware of the types of data that must be safeguarded in order to comply with HIPAA Rules, but many patients are unsure exactly what is protected by HIPAA. The HIPAA Privacy Rule requires HIPAA covered entities and their business associates to protect virtually all individually identifiable health information that is created, stored, maintained, or transmitted by HIPAA covered entities – typically healthcare providers, health plans and healthcare clearinghouses – and their business associates. The HIPAA Privacy Rule refers to individually identifiable health information as ‘Protected Health Information’ which includes past, present, and future...

Read More
Security Breaches in Healthcare in the Last Three Years
Mar30

Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years. There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017. More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years. In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were...

Read More
Is Uber Health HIPAA Compliant?
Mar29

Is Uber Health HIPAA Compliant?

This March, Uber officially launched Uber Health – A platform that makes arranging transport for patients more straightforward and cost effective. The service should benefit patients and providers alike, although questions have been raised about HIPAA and whether Uber Health is HIPAA compliant. What is Uber Health? Uber Health consists of an online dashboard that healthcare providers can use to schedule transport for their patients in advance. Provided the patient has a mobile phone, he/she will receive a notification about the collection and drop off location via text message. In contrast to the standard Uber service, Uber Health does not require the use of a smartphone app. By using Uber Health, healthcare providers can potentially reduce the number of no shows and ensure more patients turn up on time for their appointments. Rides can be scheduled when the patient is in a facility, ensuring they have transport arranged for follow up appointments. The service could also be used for caregivers and staff. The official launch of the platform comes after a trial on around 100...

Read More
Legislation Changes and New HIPAA Regulations in 2018
Mar29

Legislation Changes and New HIPAA Regulations in 2018

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration. OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders. As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made. The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia. Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR. Since...

Read More
Study Suggests Improper Disposal of PHI is Commonplace
Mar29

Study Suggests Improper Disposal of PHI is Commonplace

A recent study (published in JAMA) has highlighted just how frequently hospitals are disposing of PHI in an insecure manner. While the study was conducted in Canada, which is not covered by HIPAA, the results highlight an important area of PHI security that is often overlooked. Improper Disposal of PHI is More Common than Previously Thought Researchers at St. Michael’s Hospital in Toronto checked recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI and separate recycling bins were provided for general paperwork and documents containing sensitive information. The latter were shredded before disposal. Despite the document disposal policies, paperwork containing personally identifiable information (PII) and personal health information (PHI) were often incorrectly placed in the bins. The researchers identified 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. 1,042 documents contained high sensitivity...

Read More
HIPAA Rules on Contingency Planning
Mar27

HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame. A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order. Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters. Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and...

Read More
Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach
Mar26

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv. The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients. In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions. In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications. In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates....

Read More
What Does HIPAA Protect?
Mar26

What Does HIPAA Protect?

The Health Insurance Portability and Accountability Act of 1996 is a set of standards that healthcare organizations must comply with, but what does HIPAA protect? What Does HIPAA Protect? HIPAA introduced rules that govern the uses and disclosures of health information (the HIPAA Privacy Rule) and physical, technical, and administrative safeguards that must be implemented to ensure the confidentiality, integrity, and availability of health information (the HIPA Security Rule). Essentially, these two aspects of HIPAA protect the privacy of patients and health plan members. HIPAA also helps protect patients from harm. In the event that health information is exposed, stolen, or impermissibly disclosed, patients and health plan members must be informed of the breach to allow them to take action to protect themselves from harm, such as identity theft and fraud. What is Protected Under HIPAA Law? The types of information protected under HIPAA includes all health information created, used, maintained or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered...

Read More
What is the Civil Penalty for Knowingly Violating HIPAA?
Mar26

What is the Civil Penalty for Knowingly Violating HIPAA?

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules What is HIPAA? The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data. HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties. As with other federal laws, there are...

Read More
Can You Make WordPress HIPAA Compliant?
Mar23

Can You Make WordPress HIPAA Compliant?

WordPress is a convenient content management system that allows websites to be quickly and easily constructed. The platform is popular with businesses, but is it suitable for use in healthcare? Can you make WordPress HIPAA compliant? Before assessing whether it is possible to make WordPress HIPAA compliant, it is worthwhile covering how HIPAA applies to websites. HIPAA and Websites HIPAA does not specifically cover compliance with respect to websites, HIPAA requirements for websites are therefore a little vague. As with any other forms of electronic capture or transmission of ePHI, safeguards must be implemented in line with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Those requirements apply to all websites, including those developed from scratch or created using an off-the-shelf platform such as WordPress. Websites must incorporate administrative, physical, and technical controls to ensure the confidentiality of any protected health information uploaded to the website or made available through the site. HIPAA-covered entities must...

Read More
Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack
Mar22

Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack

According to a financial report issued by Banner Health, OCR is investigating the colossal 2016 Banner Health data breach which saw the protected health information of 3.7 million patients exposed. The breach involved Banner Health facilities at 27 locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming and resulted in the exposure of highly sensitive protected health information including names, dates of birth, Social Security numbers, and health insurance information. The attackers gained access to the payment processing system used in its food and beverage outlets with a view to obtaining credit card numbers. However, once access to the network was gained, they also accessed servers containing PHI. Banner Health reports that it has cooperated with OCR’s investigation into the breach and has supplied information as requested. However, OCR was not satisfied with its response and the evidence supplied on its HIPAA compliance efforts. Specifically, OCR was not satisfied with the documentation supplied to demonstrate “past security assessment activities”...

Read More
Jail Terms for HIPAA Violations by Employees
Mar22

Jail Terms for HIPAA Violations by Employees

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft. This month there have been two notable cases of HIPAA violations by employees, one of which has resulted in a fine and imprisonment, with the other likely to result in a longer spell in prison when sentencing takes place in June. Jail Term for Former Transformations Autism Treatment Center Employee In February, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination. Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his personal computer. Approximately one month after Luke was terminated, TACT discovered patient information had...

Read More
How to Become HIPAA Compliant
Mar21

How to Become HIPAA Compliant

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to. How to Become HIPAA Compliant There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the Healthcare Insurance Portability and Accountability Act (1996), the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013). To become HIPAA compliant, you will need to study the full text of HIPAA (45 CFR Parts 160, 162, and 164) – which the Department...

Read More
Is Liquid Web HIPAA Compliant?
Mar20

Is Liquid Web HIPAA Compliant?

Healthcare organizations searching for a hosting solution may identify Liquid Web as a potential vendor, but is Liquid Web HIPAA compliant? Can its cloud services be used by HIPAA-covered entities for hosting applications and projects that include electronic protected health information? Any healthcare organization that wants to use the cloud to host applications that use the protected health information (PHI) of patients must select a vendor whose service includes safeguards to ensure the confidentiality, integrity, and availability of ePHI that meet the requirements of the HIPAA Security Rule. Cloud service providers, including hosting companies, are classed as business associates since they potentially have access to their clients’ data. While many cloud service providers claim they do not access customers’ data, they are still classed as business associates. HIPAA-covered entities and their business associates must therefore enter into a business associate agreement with the service provider before any ePHI is uploaded to the cloud. Liquid Web Business Associate Agreements...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
Is Zendesk HIPAA Compliant?
Mar16

Is Zendesk HIPAA Compliant?

Is Zendesk HIPAA compliant? Can Zendesk products be used by healthcare organizations in the United States for communicating with patients? In this post we explore the Zendesk platform and assess whether it has the necessary privacy and security controls to comply with HIPAA and if the company’s products can be used in connection with electronic protected health information. What is Zendesk? Zendesk is a San Francisco based customer service software and support ticketing system provider used by more than 200,000 companies for managing customer queries, providing support, and building customer relationships. The platform incudes Zendesk Support – a call center and ticketing system; Zendesk Chat – a web and mobile messaging system, and the customer service analytics solution Zendesk Insights. Zendesk Privacy and Security Controls Zendesk has implemented physical security controls at its facilities to prevent unauthorized data access and has round the clock surveillance and uses multi-factor authentication. Its network is protected by firewalls, with DoS and DDoS prevention solutions...

Read More
When Did HIPAA Take Effect?
Mar16

When Did HIPAA Take Effect?

The Health Insurance Portability and Accountability Act was a landmark piece of legislation that was originally intended to simplify the administration of healthcare, eliminate wastage and prevent healthcare fraud, and to ensure insurance coverage was not lost when employees were between jobs. When Did HIPAA Take Effect? HIPAA was signed into law by President Clinton on August 21, 1996, although HIPAA has been updated several times over the past 20 years and many new provisions have been incorporated to improve privacy protections and security to ensure health information remains confidential. The main updates to HIPAA are summarized below. The HIPAA Privacy Rule The HIPAA Privacy Rule was a major update to HIPAA and introduced many of the aspects for which HIPAA is known today. The HIPAA Privacy Rule defined ‘Protected Health Information (PHI), patients were given the right to obtain copies of their protected health information from HIPAA covered entities, and strict rules were introduced on the allowable uses and disclosures of PHI. When did the Privacy Rule of HIPAA Take...

Read More
What Information is Protected Under HIPAA Law?
Mar15

What Information is Protected Under HIPAA Law?

One of the main aims of HIPAA is to protect the privacy of patients by ensuring certain types of information are safeguarded and not disclosed to unauthorized individuals, but what information is protected under HIPAA law? What Information is Protected Under HIPAA Law? HIPAA laws protect all individually identifiable health information that is held by or transmitted by a HIPAA covered entity or business associate. According to the Department of Health and Human Services’ Office for Civil Rights there are 18 identifiers that make health information personally identifiable. When these data elements are included in a data set, the information is considered protected health information and subject to the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The following information is protected under HIPAA law: Names Addresses (including subdivisions smaller than state such as street, city, county, and zip code) Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older...

Read More
Is Intercom HIPAA Compliant?
Mar15

Is Intercom HIPAA Compliant?

Intercom’s messaging software-as-a-service solutions are popular with businesses for chatting with potential customers. The solutions have potential for use in the healthcare industry for chatting with patients, but is Intercom HIPAA compliant? Can the company’s solutions be used in connection with electronic protected health information or would that constitute a violation of HIPAA Rules? Is Intercom Prepared to Sign a Business Associate Agreement? HIPAA covered entities and their businesses are only permitted to use software products and services in connection with electronic protected health information if there are safeguards in place to protect the confidentiality, integrity, and availability of ePHI. Any software platform must incorporate audit and access controls and data must be appropriately secured in transit and at rest. Before software-as-a-service can be used to send or store ePHI, a HIPAA covered entity must enter into a business associate agreement with the service provider in which the company’s responsibilities under HIPAA are explained. There are exceptions for...

Read More
What is a HIPAA Violation?
Mar14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
Is it a HIPAA Violation to Email Patient Names?
Mar14

Is it a HIPAA Violation to Email Patient Names?

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information. Is it a HIPAA Violation to Email Patient Names? Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data. It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected...

Read More
2018 HIPAA Changes and Enforcement Outlook
Mar13

2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown. Are Major 2018 HIPAA Changes Likely? The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.” While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced. Therefore, there are...

Read More
Is Zoho HIPAA Compliant?
Mar13

Is Zoho HIPAA Compliant?

Many healthcare organizations would like to use Zoho tools and applications, but is Zoho HIPAA compliant? Can its tools and applications be used by U.S. healthcare organizations in conjunction with protected health information? In this post we explore whether Zoho supports HIPAA compliance for any of its cloud-based services. What is Zoho? Zoho is a Pleasanton, CA-based developer of cloud applications and web-based tools that includes email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management platform (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho projects), live chat software (Zoho Chat), a bookkeeping service (Zoho Books), app integration platform (Zoho Flow), and an IoT management platform (WebNMS). The company is focused on providing innovative cloud-based solutions for businesses and has been developing applications since 1996. Many of its solutions are broadly comparable to those provided by Google (G Suite) and Microsoft (Office 365)....

Read More
Is Office 365 HIPAA Compliant?
Mar12

Is Office 365 HIPAA Compliant?

Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules? What is Office 365? Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access. Office 365 for Healthcare Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform. Microsoft does not demand that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to use of Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact. In the event of a security breach, the administrative contact...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
When Was HIPAA Enacted?
Mar09

When Was HIPAA Enacted?

How long has compliance with the Health Insurance Portability and Accountability Act (HIPAA) been necessary? When was HIPAA enacted and what were the compliance dates for the original act and its subsequent amendments? When was HIPAA Enacted? HIPAA was enacted on August 21, 1996 when President Bill Clinton added his signature and signed the legislation into law. One of the key aims of the legislation was to improve the portability and accountability of health insurance coverage – Ensuring employees retained health insurance coverage when between jobs. HIPAA combatted wastage in healthcare and helped to prevent fraud and abuse in healthcare delivery and health insurance. HIPAA also simplified the administration of healthcare. HIPAA was enacted and signed into law in 1996, but there have been major updates to HIPAA legislation over the years, notably the introduction of the HIPAA Privacy Rule, The HIPAA Security Rule, the incorporation of HITECH Act requirements and the HIPAA Omnibus Rule. These updates added many new provisions to HIPAA legislation and helped to ensure that patient...

Read More
Is a HIPAA Violation Grounds for Termination?
Mar07

Is a HIPAA Violation Grounds for Termination?

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules? Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy? Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination? Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations. When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for...

Read More
What Happens if You Violate HIPAA?
Mar07

What Happens if You Violate HIPAA?

If you work in healthcare you should have a good working knowledge of HIPAA rules, exercise diligence, and ensure that HIPAA Rules are always followed, but what happens if you violate HIPAA? What are the likely repercussions for accidentally or knowingly violating HIPAA Rules? What happens if you violate HIPAA will depend on the type of violation, its severity, the harm caused to others, and the extent to which you knew that HIPAA Rules were being violated. Disciplinary Action and Termination If at the time of the violation you were unaware that you make a mistake, the violation was minor, and no harm has been caused, the violation may be dealt with internally. Verbal or written warnings may be issued and further training on HIPAA compliance would be appropriate. For more serious violations, especially in cases where HIPAA Rules have been knowingly violated, termination is likely. The violation may be reported to licensing boards who can place restrictions on licenses. Suspension and loss of license is a possibility. Civil Penalties The Department of Health and Human Services’...

Read More
Is Google Calendar HIPAA Compliant?
Mar07

Is Google Calendar HIPAA Compliant?

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.   Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added. Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied. A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an...

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
What is HIPAA Certification?
Mar06

What is HIPAA Certification?

Many vendors would like HIPAA certification to confirm they are fully compliant with HIPAA Rules and understand all aspects of the Health Insurance Portability and Accountability Act (HIPAA), but is it possible to obtain HIPAA certification to confirm HIPAA compliance? What is HIPAA Certification? In an ideal world, HIPAA certification would confirm that all aspects of HIPAA Rules are understood and being followed. If a third-party vendor such as a transcription company was HIPAA certified, it would make it easier for healthcare organizations looking for such as service to select an appropriate vendor. Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation. There is a good reason why this is the case. HIPAA compliance is an ongoing process. An organization may be determined to be in compliance with HIPAA Rules today, but that does not mean that they will be tomorrow or at some point in...

Read More
How to Report a HIPAA Violation Anonymously
Mar06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated of if HIPAA Rules are not being followed in your organization. When Can an Alleged HIPAA Violation be Reported? Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
Is Google Slides HIPAA Compliant?
Mar05

Is Google Slides HIPAA Compliant?

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information. Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint. Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty. Google Slides is a web-based presentation program that is not...

Read More
What Does HIPAA Cover?
Mar01

What Does HIPAA Cover?

It has been 22 years since the Health Insurance Portability and Accountability Act (HIPAA) was Introduced, but there is still some confusion about HIPAA, what the legislation does for patients, who is required to comply with HIPAA Rules, and what does HIPAA cover. Who Does HIPAA Cover? HIPAA is a federal law that introduced standards in healthcare relating to patient privacy and the protection of medical data. HIPAA covers healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. HIPAA applies to most entities that fall into the above categories, except those that do not conduct transactions electronically. Healthcare providers include hospitals, clinics, physicians, nursing homes, pharmacies, chiropractors, dentists, and psychologists. Health plans include health insurers, company health plans, HMOs, and government programs that pay for healthcare such as Medicaid and Medicare. Healthcare clearinghouses are organizations that transform nonstandard health data into a standard format. A business associate is an individual or...

Read More
Is Google Forms HIPAA Compliant?
Feb27

Is Google Forms HIPAA Compliant?

Google Forms is a convenient tool for creating surveys and gaining feedback from customers, but is it suitable for use by healthcare organizations? Is Google Forms HIPAA compliant or is its use likely to be a violation of HIPAA Rules? Before any cloud-based service can be used by HIPAA covered entities or their business associates in connection with PHI, it is first necessary to enter into a business associate agreement with the service provider. Without a business associate agreement in place, use of the service would be considered a HIPAA violation. Google and Business Associate Agreements with HIPAA Covered Entities Google is prepared to enter into a business associate agreement with HIPAA covered entities and their business associates and offers its own BAA in which Google provides satisfactory assurances – as required by HIPAA – that the Privacy, Security, and Breach Notification Rule requirements will be followed. The BAA does not cover all Google services, but Google Drive – of which Google Forms is part – is covered by the BAA. Obtaining a BAA from a service provider is...

Read More
Is Google Sheets HIPAA Compliant?
Feb26

Is Google Sheets HIPAA Compliant?

Is Google Sheets HIPAA compliant? Can HIPAA-covered entities use Google Sheets to create, view, or share spreadsheets containing identifiable protected health information or would using Google Sheets violate HIPAA Rules? In this post we assess whether Google Sheets supports HIPAA compliance.  Under HIPAA Rules, healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. While it is straightforward to implement controls internally to keep data secure, oftentimes third parties are contracted to provide services that require access to PHI. They too must abide by HIPAA Rules covering privacy, security, and breach notifications. A third-party that requires access to PHI – or copies of health data – to perform services on behalf of a covered entity is considered a business associate. A covered entity and business associate must enter into a contract – a business associate agreement – in which the business associate agrees to comply with certain aspects of the HIPAA Privacy, Security, and Breach Notification...

Read More
Is IBM Cloud HIPAA Compliant?
Feb23

Is IBM Cloud HIPAA Compliant?

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations. IBM offers a cloud platform to help organizations develop their mobile and web services, build native cloud apps, and host their infrastructure along with a wide range of cloud-based services for the capture, analysis, and processing of data. The platform has already been adopted by many healthcare providers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their health information. IBM Cloud Security IBM is a leader in the field of network and data security, and its expertise has meant its cloud platform is highly secure. Security is built into the core of all of the firm’s software and services to ensure that sensitive data remains confidential and cannot be accessed by unauthorized individuals. Its...

Read More
Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days
Feb22

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data. Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration. The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just...

Read More
Is the Google Cloud Platform HIPAA Compliant?
Feb22

Is the Google Cloud Platform HIPAA Compliant?

Is the Google Cloud Platform HIPAA compliant?  Is the Google Cloud Platform a suitable alternative to Azure and AWS for healthcare organizations? In this post we determine whether the Google Cloud platform is HIPAA compliant and if it can be used by healthcare organizations to build applications, host infrastructure, and store files containing protected health information. Healthcare organizations are increasingly taking advantage of cloud platforms. The healthcare cloud computing market was valued at $4.65 billion in 2016 and is expected to increase to more than $14.76 billion by 2022. Amazon AWS is still the leading platform with a market share of 62% according to KeyBlanc, with Microsoft Azure second on 20%, but Google is gaining ground, with a market share of around 12%. Amazon and Microsoft both offering platforms that support HIPAA compliance, but what about Google? Is the Google Cloud Platform HIPAA compliant? Will Google Sign a Business Associate Agreement Covering its Cloud Platform? Since the Omnibus Rule came into effect in September 2013, Google has been signing...

Read More
Research Institutions Given Additional 6 Months to Comply with Updated Common Rule
Feb21

Research Institutions Given Additional 6 Months to Comply with Updated Common Rule

Updates to the Common Rule – The Federal Policy for the Protection of Human Subjects – that were initially due to come into effect on January 19, 2018 have been delayed by 6 months, giving research organizations more time to comply with the new provisions. The new compliance date is July 19, 2018, although the provision covering cooperative research still has a compliance date of Jan 20, 2020. Several healthcare organizations, including the American Medical Informatics Association (AMIA), the Associated of American Medical Colleges (AAMC), and the Association of American Universities (AAU), called for the compliance date to be pushed back due to uncertainty surrounding the final rule. A delay would allow institutions additional time to ensure compliance and would allow federal agencies more time to issue guidance to researchers to help them implement the updated regulations. 16 federal departments, including the Department of Health and Human Services, made revisions to the Common Rule. In a notice of proposed Rulemaking, the need for the delay to the compliance date was...

Read More
Is SharePoint HIPAA Compliant?
Feb21

Is SharePoint HIPAA Compliant?

Is SharePoint HIPAA compliant? Does the platform incorporate all the required administrative and technical controls to meet HIPAA requirements? This post explores whether SharePoint supports HIPAA compliance and its suitability for use in the healthcare industry. What is SharePoint? SharePoint is a web-based document management and storage system and one of the leading collaborative platforms on the market, used by 78% of Fortune 500 companies. The platform is based on Microsoft’s OpenXML document standard and therefore integrates seamlessly with Microsoft Office. SharePoint offers many of the same functions as Google Drive and Dropbox, although SharePoint is a much more powerful platform and can also be used for internet portals, intranet sites and can form the basis of a CRM system. With such a wide range of functions it is naturally a good fit for healthcare organizations, but is SharePoint HIPAA compliant? Does the platform incorporate all the necessary functions and security controls required by HIPAA? Is SharePoint Covered by Microsoft’s Business Associate Agreement?...

Read More
Is Yammer HIPAA Compliant?
Feb20

Is Yammer HIPAA Compliant?

Is Yammer HIPAA compliant? Does the platform incorporate all the necessary administrative and technical controls to meet HIPAA requirements? This post explores whether Yammer supports HIPAA compliance and assesses whether the platform can be used by healthcare organizations without violating HIPAA Rules. What is Yammer? Yammer has been a standalone social networking and collaboration platform since 2008. Its popularity and potential were noticed by Microsoft, which purchased the company in 2012. Today the platform is used by 85% of Fortune 500 companies. The freemium platform allows company employees to communicate with each other, collaborate on projects, share knowledge, and ask and get quick answers from co-workers.  Due to similarities in its architecture and functionality, it is often referred to as ‘Twitter for companies’. In contrast to other social media platforms, communications are private and are not published online. The platform can be kept as a strictly internal communication and collaboration tool, although it is also possible to use the platform to communicate with...

Read More
What Covered Entities Should Know About Cloud Computing and HIPAA Compliance
Feb19

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance. In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance. Myths About Cloud Computing and HIPAA Compliance There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules. Some of the common myths about cloud computing and HIPAA compliance are detailed below: Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is...

Read More
Is Zoom a HIPAA Compliant Video and Web Conferencing Platform?
Feb19

Is Zoom a HIPAA Compliant Video and Web Conferencing Platform?

Zoom is a popular video and web conferencing platform that has been adopted by more than 750,000 businesses, but is the service suitable for use by healthcare organizations for sharing PHI. Is Zoom HIPAA compliant?   What is Zoom? Zoom is a cloud-based video and web conferencing platform that allows workers across multiple locations to take part in meetings, share files, and collaborate. The platform supports webinars and includes a business IM service. Zoom has already been adopted by many healthcare organizations around the globe who use the platform to consult with other providers and communicate with patients. However, in the United States, healthcare providers must comply with HIPAA Rules. Any software solution must incorporate a host of security protections to ensure protected health information (PHI) is safeguarded. Further, cloud-based platform providers are classed as a business associates and are also required to comply with HIPAA Rules if their platforms are to be used in conjunction with PHI. Zoom and HIPAA Compliance As a business associate, Zoom would be required to...

Read More
Is WebEx HIPAA Compliant?
Feb18

Is WebEx HIPAA Compliant?

Is WebEx HIPAA compliant? Is the online meeting and web conferencing platform suitable for use by healthcare organizations or should the service be avoided? In this post we assess the security controls and features of the platform and determine whether use of WebEx could be considered a HIPAA violation. What is WebEx? WebEx is a web and video conferencing and collaboration platform that helps businesses connect with remote workers and partners as if they are in the same room. With tools such as WebEx, healthcare organizations can communicate quickly and easily with the workforce, no matter where employees are located. Regional operational meetings can be conducted, medical education can take place online, and healthcare employees can be trained on new processes and procedures. These platforms can also potentially be used for communicating with patients. However, before any collaboration tools can be used in connection with protected health information (PHI), healthcare organizations must be certain that the tools support HIPAA compliance. So how does WebEx fare in this regard? Is...

Read More
Is Amazon CloudFront HIPAA Compliant?
Feb16

Is Amazon CloudFront HIPAA Compliant?

Is Amazon CloudFront HIPAA compliant and can the web service be used by HIPAA covered entities without violating HIPAA Rules? In this post we determine whether Amazon CloudFront supports HIPAA compliance or if it should be avoided by HIPAA-covered entities. What is Amazon CloudFront? Amazon CloudFront is a web service that allows users to speed up web content delivery over the Internet. Typically, when a website is accessed, the visitor experiences some latency accessing static and dynamic content. The reason for this is visitors will not make a direct connection to the content, instead they will be routed through a path to reach the server where the content can be accessed. The path can involve many routing points, will inevitably have an impact on the speed at which content can be accessed. By using a content delivery network such as Amazon CloudFront, it is possible to reduce latency and improve reliability and availability of web content. By delivering content via a network of data centers (edge locations), users are routed to the nearest location with the least latency, thus...

Read More
Is Citrix ShareFile HIPAA Compliant?
Feb15

Is Citrix ShareFile HIPAA Compliant?

ShareFile was bought by Citrix Systems in 2011 and the platform is marketed as a suitable data sync, file sharing, and collaboration tool for the healthcare industry, but is Citrix ShareFile HIPAA compliant? What is Citrix ShareFile? Citrix ShareFile is a secure file sharing, data storage and collaboration tool that allows large files to be easily shared within a company, with remote workers, and with external partners. The solution allows any authorized individual to instantly access stored documents via desktops and mobile devices. For healthcare organizations this means the solution can be used to share large files such as DICOM images with researchers, remote healthcare workers, and business associates. The ShareFile patient portal can also be used to share PHI with patients. Is Citrix ShareFile HIPAA Compliant? Citrix will sign a business associate agreement with HIPAA covered entities and their business associates that covers the use of FileShare, although it is the responsibility of the covered entity to ensure that the solution is configured correctly and is used in a...

Read More
Is eFileCabinet HIPAA Compliant?
Feb14

Is eFileCabinet HIPAA Compliant?

eFileCabinet is a document management and storage solution for businesses that offers on-site and cloud storage, but is the service suitable for the healthcare industry? Is eFileCabinet HIPAA compliant or will using the platform be considered a violation of HIPAA Rules? What are Document Management Systems? Document management systems allow organizations to carefully manage electronic documents and store them securely in one location. With huge volumes of documents being created, such systems take the stress out of document management and can help HIPAA covered entities share documents containing ePHI securely and avoid HIPAA violations. There are many document management systems on the market, but not all support HIPAA compliance, so what about eFileCabinet? Is eFileCabinet HIPAA compliant? eFileCabinet Security and Privacy Controls Security controls include the encryption of data in transit and at rest with 256-bit encryption. Sensitive data can be securely shared with third-parties and remote employees via the company’s SecureDrawer feature. SecureDrawer allows files to be...

Read More
$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
Feb14

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses close the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading. FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations. An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork. That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In...

Read More
Is Box HIPAA Compliant?
Feb13

Is Box HIPAA Compliant?

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information or would doing so be a violation of HIPAA Rules? An assessment of the security controls of the Box cloud storage and content management service and its suitability for use in healthcare. What is Box? Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account. Is Box Covered by the Conduit Exception Rule? The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim...

Read More
Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters
Feb12

Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters

After just 4 months in the position of deputy director for health information privacy at the Department of Health and Human Services’ Office for Civil Rights, Iliana Peters has departed for the private sector. Peters took over as deputy director following the departure of acting deputy director Deven McGraw in November, only to leave the post on February 2 to join the healthcare team at law firm Polsinelli. This is the third major change of staff at the Department of Health and Human Services in a little over four months. First, there was the departure of HHS Secretary Tom Price in late September, McGraw left in October to join health tech startup Citizen, and now Iliana Peters has similarly quit for the private sector. Peters has been working at the Office for Civil Rights for the past 12 years, including 5 years as a senior advisor. During her time at OCR Peters has worked closely with regional offices helping them enforce HIPAA Rules and has been instrumental in building up OCR’s HIPAA enforcement program. Peters has trained regional OCR staff on HIPAA enforcement and the...

Read More
Is Ademero HIPAA Compliant?
Feb12

Is Ademero HIPAA Compliant?

Ademero is a document management software (DMS) provider whose platform helps businesses keep track of large quantities of documents and transition to a paperless environment, but is Ademero HIPAA compliant? Can its DMS be used by healthcare organizations without violating HIPAA Rules? Ademero and HIPAA The HIPAA Security Rule includes required and addressable implementation specifications. Any implementation specification that is required must be implemented to comply with HIPAA Rules. Addressable implementation specifications are not required, strictly speaking. Those implementation specifications include some flexibility. For instance, data encryption is not a required element, but that does not mean it can be ignored. If the decision is taken not to encrypt data that is acceptable provided that decision was based on a risk analysis and the decision not to use encryption is documented. Alternative controls must also be put in place that provide an equivalent level of protection. Software solutions that support HIPAA compliance will have appropriate controls in place to satisfy...

Read More
Texas HB300 Compliance
Feb10

Texas HB300 Compliance

Texas HB300 (Texas House Bill 300) was signed into law by State governor Rick Perry in June 2011. The Bill made significant changes to state laws covering the privacy and security of protected health information (PHI) for individuals and organizations that assemble, collect, analyze, store, or transmit PHI. The Texas HB300 compliance date was September 1, 2012. Texas HB300 Introduced Stricter Privacy and Security Protections than HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members. Texas HB300 takes those requirements a step further, introducing even stricter requirements for covered entities, which under the new laws, also includes individuals and organizations not covered by HIPAA Rules. The existing laws updated by Texas HB300 were: Texas Health Code,...

Read More
What is HIPAA Authorization?
Feb09

What is HIPAA Authorization?

We are often asked to clarify certain elements of HIPAA Rules. One recent question relates to disclosures of protected health information (PHI) and medical records – ‘What is HIPAA authorization?’ What is HIPAA Authorization? The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared. The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations. HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual/entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule....

Read More
Is HelloFax HIPAA Compliant?
Feb08

Is HelloFax HIPAA Compliant?

Is HelloFax HIPAA compliant? Can HelloFax be used by healthcare organizations to send files containing protected health information, or would doing so be considered a violation of HIPAA Rules? In this post we explore the protections in place and attempt to determine whether HelloFax can be considered a HIPAA compliant fax service. The HIPAA Conduit Exception and Fax Transmissions It is important to make a distinction between standard faxes and digital faxing services. Standard fax machines, those which are used to transmit a physical document from one fax machine to another, have long been used by healthcare organizations, and in many cases, to transmit documents containing protected health information. Transmissions are sent without first entering into a business associate agreement – or BAA – with telecommunications companies. That is because telecoms firms, such as AT&T, are covered by the HIPAA conduit exception rule. The HIPAA conduit exception is covered in more detail here, although in short, it details the types of communications services do not require a business...

Read More
Is iCloud HIPAA Compliant?
Feb06

Is iCloud HIPAA Compliant?

Is iCloud HIPAA compliant? Can healthcare organizations use iCloud for storing files containing electronic protected health information (ePHI) or sharing ePHI with third-parties? This article assesses whether iCloud is a HIPAA compliant cloud service. Cloud storage services are a convenient way of sharing and storing data. Since files uploaded to the cloud can be accessed from multiple devices in any location with an Internet connection, information is always at hand when it is needed. There are many cloud storage services to choose from, many of which are suitable for use by healthcare providers for storing and sharing ePHI. They include robust access and authentication controls and data uploaded to and stored in the cloud is encrypted. Logs are also maintained so it is possible to tell who accessed data, when access occurred, and what users did with the data once access was granted. iCloud is a cloud storage service that owners of Apple devices can easily access through their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted in...

Read More
Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss
Feb02

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information. CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules. CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings. CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident. The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million. A lawsuit was filed by the CVS Pharmacy seeking...

Read More
$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches
Feb01

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012. The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were: Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval) Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove) Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin) Fresenius Vascular Care Augusta, LLC (FVC Augusta) WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island) Breaches Experienced by FMCNA HIPAA Covered Entities The five security breaches were experienced by the FMCNA covered entities over a period of four months...

Read More
Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case
Jan25

Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones. Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis. The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws. Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had...

Read More
Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records
Jan25

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The owners have agreed to pay a civil monetary penalty of $8,750. The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws. In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act. Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the...

Read More
Is Google Docs HIPAA Compliant?
Jan23

Is Google Docs HIPAA Compliant?

Is Google Docs HIPAA compliant? Is it permitted to upload documents containing protected health information to Google Docs, or would that violate HIPAA Rules? In this post we will assess Google Docs and determine whether Google is a HIPAA compliant and whether it can be used safely and securely by HIPAA-covered entities and business associates for sharing PHI. Does Google Docs Encrypt Data? In order for Google Docs to be HIPAA compliant, stored data must be encrypted. Data must also be encrypted during uploading and downloading. We can confirm that Google uses 128-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and in its data centers. Is Google Considered a Conduit? The Department of Health and Human Services has made it clear in recent guidance that cloud service providers are not – in the vast majority of cases – considered conduits, so the HIPAA Conduit Exception Rule does not apply. Instead, cloud service providers are classed as business associates, even if the service provider does not access data stored in customer...

Read More
Is FaceTime HIPAA Compliant?
Jan19

Is FaceTime HIPAA Compliant?

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate protected health information (PHI) without violating HIPAA Rules? In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary. Will Apple Sign A BAA for FaceTime? An extensive search of the Apple website has revealed no sign that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI. Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate? The HIPAA Conduit Exception Rule The...

Read More
The HIPAA Conduit Exception Rule and Transmission of PHI
Jan19

The HIPAA Conduit Exception Rule and Transmission of PHI

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance. The HIPAA Omnibus Final Rule and Business Associates On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also...

Read More
Deadline for Reporting 2017 HIPAA Data Breaches Approaches
Jan17

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching. HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year. The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018. A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,”...

Read More
HHS Sued by CIOX Health Over Unlawful HIPAA Regulations
Jan16

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records. CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients. Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit. CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their...

Read More
Achieving HIPAA Compliant File Sharing In and Outside the Cloud
Jan12

Achieving HIPAA Compliant File Sharing In and Outside the Cloud

HIPAA compliant file sharing consists of more than selecting the right technology to ensure the security, integrity and confidentiality of PHI at rest or in transit. Indeed, you could implement the most HIPAA compliant file sharing technology available and still be a long way short of achieving HIPAA compliance. It is not the technology that is at fault. Many Covered Entities and Business Associates fail to configure the technology properly or train employees how to use the technology in compliance with HIPAA. According to a recent IBM X-Force Threat Intelligence Report, 46% of data breaches in the healthcare industry are attributable to “inadvertent actors”. Of the remaining 54% of data breaches in the healthcare industry, 29% are attributable to “outsiders”, while the remaining 25% are the work of “malicious insiders”. Therefore, if a Covered Entity implements HIPAA compliant file sharing technology, but fails to configure it properly, train employees how to use it compliantly, or introduce mechanisms to monitor access to PHI, it may only be 29% of the way towards achieving HIPAA...

Read More
What is Individually Identifiable Health Information?
Jan11

What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule? What is Individually Identifiable Health Information? Before answering the question, what is individually identifiable health information, it is necessary to define health information. HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity. Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual. Individually identifiable health information is a subset of health information, and as the name suggests, is health information...

Read More
What is Protected Health Information?
Jan10

What is Protected Health Information?

The latest article in our HIPAA basics series answers the question what is protected health information? The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information? First, it is worthwhile explaining two other important terms detailed in HIPAA regulations: A covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse which transmits health data electronically for transactions that the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual who performs services on behalf of a HIPAA-covered entity that requires access to, or the use of, protected health information. What is Protected Health Information? Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in...

Read More
Is Azure HIPAA Compliant?
Jan05

Is Azure HIPAA Compliant?

Is Azure HIPAA compliant? Can Microsoft’s cloud services be used by HIPAA covered entities without violating HIPAA Rules? Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA? HIPAA does not prohibit healthcare organizations from taking advantage of cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned. Most healthcare organizations will consider the three main providers of cloud services. Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We have already covered AWS HIPAA compliance here, but what about Azure? Is Azure HIPAA compliant? Is Azure HIPAA Compliant? Before any cloud service can be used by healthcare organizations, they must first enter into a business associate agreement with the service provider. Under HIPAA Rules, cloud service providers are considered...

Read More
Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records
Jan03

HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records

The Department of Health and Human Services has published its final rule on the Confidentiality of Substance Use Disorder Patient Records, altering Substance Abuse and Mental Health Services Administration (SAMHSA) regulations. The aim of the update is to better align regulations with advances in healthcare delivery in the United States, while ensuring patient’s privacy is protected when treatment for substance abuse disorders is sought. The final rule addresses the permitted uses and disclosures of patient identifying information for healthcare operations, payment, audits and evaluations. The last substantial changes to the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2) regulations were in 1987. In 2016, SAMHSA submitted a Notice of Proposed Rulemaking in the Federal Register proposing updates to 42 CFR part 2. The proposed updates reflected the development of integrated health care models and the use of electronic exchange of patient information, while still ensuring patient privacy was protected to prevent improper disclosures. After considering public...

Read More
CMS Clarifies Position on Use of Text Messages in Healthcare
Jan03

CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy. SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI. The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms. In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy...

Read More
2017 HIPAA Enforcement Summary
Dec28

2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. 2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017. In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints. Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases. Summary of 2017 HIPAA Enforcement by OCR Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates....

Read More
What is Considered PHI Under HIPAA?
Dec28

What is Considered PHI Under HIPAA?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA? What is Considered PHI Under HIPAA Rules? Under HIPAA Rules, PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – A healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual...

Read More
Is Google Voice HIPAA Compliant?
Dec28

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing and email, Google Voice is not...

Read More
Scrub Nurse Fired for Photographing Employee-Patient’s Genitals
Dec28

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident. The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court, that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers. Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last Year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained. In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims...

Read More
New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses
Dec27

New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses

A new bill (H.R. 4613) has been introduced to the U.S House of Representatives by Congresswoman Cathy McMorris Rodgers (R-Washington) that proposes changes to the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA Rules for healthcare clearinghouses. The Ensuring Patient Access to Healthcare Records Act of 2017 is intended to modernize the role of healthcare clearinghouses in healthcare, promote access to and the leveraging of health information, and enhance treatment, quality improvement, research, public health and other functions. Healthcare clearinghouses are entities that transform data from one format to another, converting non-standard data to standard data elements or vice versa. Healthcare clearinghouses are considered HIPAA-covered entities, although in some cases they can be business associates. The bill – Ensuring Patient Access to Healthcare Records Act of 2017 – would see all healthcare clearinghouses treated as covered entities. Healthcare clearinghouses gather health data from a wide range of sources, therefore they...

Read More
What Does PHI Stand For?
Dec23

What Does PHI Stand For?

The term PHI is commonly used in connection with health data, but what does PHI stand for, and what information is included in the definition of PHI? What Does PHI Stand For? PHI is an acronym of Protected Health Information. The term is commonly referred to in the Health Insurance Portability and Accountability Act (HIPAA) and associated legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH), and refers to any data relating to a patient, a patient´s healthcare or the payment for that healthcare that is created, received, stored, or transmitted by HIPAA-covered entities. HIPAA-covered entities are mostly healthcare providers, health plans, healthcare clearinghouses and their business associates or third-party service providers who have access to Protected Health Information. These entities must implement measures to protect against the unauthorized disclosure, amendment or destruction of Protected Health Information as stipulated by the HIPAA Privacy Rule. The Department of Health & Human Services´ Office for Civil Rights has...

Read More
Is Facebook Messenger HIPAA Compliant?
Dec22

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Is it OK to use the messaging service to send protected health information without violating HIPAA Rules? Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI. In order to use any service to send PHI, it must incorporate security controls to ensure information cannot be intercepted in transit. In sort, messages need to be encrypted. Many chat platforms, including Facebook Messenger, do encrypt data in transit, so this aspect of HIPAA is satisfied. However, with Facebook Messenger, encryption is optional and users have to opt in. Provided that setting has been activated, only the sender and the receiver will be able to view the messages. However, there is more to HIPAA compliance than simply encrypting data in transit. There must be access and authentication controls to ensure only...

Read More
HIPAA Compliant Email Providers
Dec22

HIPAA Compliant Email Providers

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI. There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop. All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1)....

Read More
OCR Launches New Tools to Help Address the Opioid Crisis
Dec19

OCR Launches New Tools to Help Address the Opioid Crisis

OCR has launched new tools and initiatives as part of its efforts to help address the opioid crisis in the U.S., and fulfil its obligations under the 21st Century Cures Act. Two new webpages have been released – one for consumers and one for healthcare professionals – that make information relating to mental/behavioral health and HIPAA more easily accessible. OCR resources have been reorganized to make the HHS website more user-friendly, and the new webpages serve as a one-stop resource explaining when, and under what circumstances, health information can be shared with friends, families, and loved ones to help them deal with, and prevent, emergency situations such as an opioid overdose or a mental health crisis. OCR has also released new guidance on sharing information related to substance abuse disorder and mental health with individuals involved in the provision of care to patients. The new resources include fact sheets, decision charts, an infographic, and various scenarios that address the sharing of information when an individual has an opioid overdose.  Some of the materials...

Read More
Is Hotmail HIPAA Compliant?
Dec15

Is Hotmail HIPAA Compliant?

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI. Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-complaint, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same. HIPAA, Email and Encryption There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security...

Read More
$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR
Dec15

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI. The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases. 21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals. As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That...

Read More
Noncompliance with HIPAA Costs Healthcare Organizations Dearly
Dec13

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities. Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed. The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations,...

Read More
AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack
Dec13

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture. The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently. 83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare. 48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium...

Read More
What is Considered PHI?
Dec13

What is Considered PHI?

In response to questions sent to HIPAA Journal, we have written a series of posts answering some of the most basic elements of HIPAA, the latest being what is considered PHI? What is PHI, PII, and IIHA? Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Read More
City of Portland Apologizes for Sharing PHI of HIV Positive Patients Without Prior Consent
Dec12

City of Portland Apologizes for Sharing PHI of HIV Positive Patients Without Prior Consent

The Health Insurance Portability and Accountability Act (HIPAA) prohibits the sharing of protected health information with third parties without first obtaining consent from patients. That has led some patients and healthcare officials to believe the City of Portland violated HIPAA by sharing information on HIV-positive patients with the University of Southern Maine without first obtaining consent. Portland runs a HIV-positive health program and individuals enrolled in that program were not informed that some of their information – their name, address, phone number and HIV positive status – would be shared with USM’s Muskie School of Public Service (MSPS). The information was shared in order for MSPS to conduct a survey on behalf of the city.  When that survey was conducted, it became clear to patients that some of their PHI had been shared without their knowledge. Two patients complained that their privacy had been violated.  Following receipt of the complaints, the city suspended its survey and conducted an investigation into the alleged privacy violation. While the HIPAA Privacy...

Read More
Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach
Dec11

Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights – A breach of HIPAA Rules. Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA. The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data on the server included names, addresses, dates of birth, and Social Security numbers. Once the breach was identified, Carl Albert State College secured its systems to...

Read More
Is GoToMeeting HIPAA Compliant?
Dec08

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA complaint? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules? GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations. In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, tools must a subject to a risk analysis and determined to meet the security standards demanded by HIPAA. Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance. It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality,...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot
Dec05

HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot

The Department of Health and Human Services is running a HIPAA Administrative Simplification Optimization Project Pilot and is currently seeking volunteers to have compliance reviews. The aim of the pilot is to streamline HIPAA compliance reviews for health plans and healthcare clearinghouses. Currently, a variety of different data formats are used for conducting electronic transitions. That variety can cause problems when transferring and sharing data. If communications about billing and insurance related matters are streamlined and healthcare organizations comply with the HIPAA Administrative Simplification transaction standards, providers and health plans can devote fewer resources to these tasks. Compliance with the Administrative Simplification transaction standards will also reduce the burden on compliant entities having to exchange healthcare data with trading partners that are not compliant. According to the 2016 CAQH Index, industry-wide compliance with the HIPAA Administrative Simplification transaction standards could result in savings of almost $9 billion each year for...

Read More
Effective Identity and Access Management Policies Help Prevent Insider Data Breaches
Dec01

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI. When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to login to systems remotely after their employment has come to an end. If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of...

Read More
Cottage Health Fined $2 Million By California Attorney General’s Office
Nov28

Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws. Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google. The sensitive information of more than 50,000 patients was available online, without any need for authentication such as a password and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was...

Read More
Is Slack HIPAA Compliant?
Nov17

Is Slack HIPAA Compliant?

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation? Is Slack HIPAA Compliant? There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant. Since its launch, Slack has not been HIPAA compliant, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid. Earlier this year, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.” Slack Enterprise Grid was announced at the start of 2017. Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees. Slack Enterprise Grid incorporates several security features...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed. October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. October 2017 Healthcare Data Breaches by Covered Entity Type Main Causes of October 2017 Healthcare Data Breaches Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
5 Year Jail Term Upheld for Clinic Worker Who Stole PHI
Nov15

5 Year Jail Term Upheld for Clinic Worker Who Stole PHI

A clinic worker who stole the protected health information of mentally ill patients and sold the data to identity thieves has failed to get his 5-year jail term reduced. Jean Baptiste Alvarez, 43, of Aldan, PA, stole daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility in Philadelphia. The census sheets contained all the information needed to steal the identities of patients and submit fraudulent tax returns in their names – Names, Social Security numbers, dates of birth and other personally identifiable information. Alvarez had the opportunity to steal the data undetected, as the floor where the sheets were kept did not have security cameras. Alvarez was paid $1,000 per census sheet by his to-co-conspirators, who used the information to submit 164 fraudulent tax returns in the names of the patients, resulting in a loss of $232,612 in tax revenue for the IRS. In early 2016, Alvarez was found guilty of conspiracy to defraud, misuse of Social Security numbers, and aggravated identity theft. The latter carried a minimum sentence of 2 years. The...

Read More
How to Handle A HIPAA Privacy Complaint
Nov14

How to Handle A HIPAA Privacy Complaint

Healthcare providers need to be prepared to deal with a HIPAA privacy complaint from a patient. In order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly. Patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices. A HIPAA Privacy Complaint Should be Taken Seriously When a HIPAA privacy complaint is filed, it is important that it is dealt with quickly and efficiently. Fast action will help to reassure patients that that you treat all potential privacy and security violations seriously. While patients may be annoyed or upset that an error has been made, in many cases, patients are not looking to cause trouble. They want the issue to be investigated, any risks to be mitigated, the problem to be addressed to ensure it does not happen again, and in many cases, they seek an apology. If the...

Read More
Is Google Hangouts HIPAA Compliant?
Nov14

Is Google Hangouts HIPAA Compliant?

Is Google Hangouts HIPAA compliant? Can Google Hangouts be used by healthcare professionals to transmit and receive protected health information (PHI)? Is Google Hangouts HIPAA Compliant? Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that incorporates four different elements: Video chat, SMS, VOIP, and an instant messaging service. Google will sign a business associate agreement for G Suite, which currently covers the following Google core services Gmail Calendar Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms) Apps Script Keep Sites Jamboard Google Cloud Search Vault (If applicable) Google Hangouts (Chat messaging) Hangouts Meet The Business Associate Agreement does not cover Google Groups, Google Contacts, and Google+, none of which can be used in...

Read More
President Trump Nominates Alex Azar for HHS Secretary
Nov13

President Trump Nominates Alex Azar for HHS Secretary

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration. President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!” The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country. While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice. Alex...

Read More
In What Year Was HIPAA Passed into Legislature?
Nov13

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced. There have been several important dates in the past...

Read More
What is a Limited Data Set Under HIPAA?
Nov07

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. In contrast to de-identified protected health information, which is no longer classed as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected information. Therefore it is still subject to HIPAA Privacy Rule regulations. A HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity. The data use agreement allows the covered entity to obtain satisfactory assurances that the PHI will only be used for specific purposes, that the PHI will not be disclosed by the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be followed. The data use agreement, which must be accepted prior to the limited data set being shared, should outline the following:...

Read More
Can A Patient Sue for A HIPAA Violation?
Nov07

Can A Patient Sue for A HIPAA Violation?

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information....

Read More
When Should You Promote HIPAA Awareness?
Nov06

When Should You Promote HIPAA Awareness?

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place? HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI. Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices. The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur. Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology. HIPAA Training Cannot be a...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
What Happens if a Nurse Violates HIPAA?
Nov03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?   The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules? What are the Penalties if a Nurse Violates HIPAA? Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
Survey Reveals Sharing EHR Passwords is Commonplace
Nov02

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Who Do You Report HIPAA Violations To?
Nov01

Who Do You Report HIPAA Violations To?

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to implement safeguards to ensure the privacy of patients is protected and protected health information (PHI) is secured, but what happens when those rules are violated? Who do you report HIPAA violations to? Who do You Report HIPAA Violations To? If you suspect that HIPAA Rules have been violated by a HIPAA covered entity – Healthcare providers, health plans, healthcare clearinghouses, business associates of covered entities and their subcontractors – it is important for the violation to be reported to allow an investigation to take place. HIPAA violations frequently occur as a result of human error, a misunderstanding of HIPAA regulations, or in some cases, deliberate or willful violations of HIPAA Rules occur. A covered entity or business associate may not be aware that a HIPAA violation has occurred, and should be given the opportunity to correct errors and prevent similar violations from occurring in the future. How Can Healthcare Employees Report...

Read More
HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy
Oct31

HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy

Deven McGraw, the Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped down and left OCR. McGraw vacated the position on October 19, 2017. McGraw has served as Deputy Director for Health Information Privacy since July 2015, replacing Susan McAndrew. McGraw joined OCR from Manatt, Phelps & Phillips, LLP where she co-chaired the company’s privacy and data security practice. McGraw also served as Acting Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) since the departure of Lucia Savage earlier this year. In July, ONC National Coordinator Donald Rucker announced that following cuts to the ONC budget, the Office of the Chief Privacy Officer would be closed out, with the Chief Privacy Officer receiving only limited support. It therefore seems an opportune moment for Deven McGraw to move onto pastures new. OCR’s Iliana Peters has stepped in to replace McGraw in the interim and will serve as Acting Deputy Director until a suitable replacement for McGraw can be found....

Read More
Who Does HIPAA Apply To?
Oct31

Who Does HIPAA Apply To?

Health Insurance Portability and Accountability Act (HIPAA) Rules cover the allowable uses and disclosures of protected health information secure and data security, but who does HIPAA apply to? Which types of organizations must implement HIPAA compliance programs? Who Does HIPAA Apply to? HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses if those organizations transmit health data electronically in connection with transactions for which the Department of Health and Human Services has adopted standards. Healthcare providers that are typically required to comply with HIPAA Rules includes hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans include HMO’s, health insurance providers, company health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans’ health programs. Self-insured companies that provide health coverage to their employees are also required to comply with HIPAA Rules. Healthcare clearinghouses include entities that process...

Read More
OCR Clarifies HIPAA Rules on Sharing Patient Information on Opioid Overdoses
Oct28

OCR Clarifies HIPAA Rules on Sharing Patient Information on Opioid Overdoses

The U.S. Department of Health and Human Services’ Office for Civil Rights has cleared confusion about HIPAA Rules on sharing patient information on opioid overdoses. The HIPAA Privacy Rule permits healthcare providers to share limited PHI in certain emergency and dangerous situations. Those situations include natural disasters and during drug overdoses, if sharing information can prevent or lessen a serious and imminent threat to a patient’s health or safety. Some healthcare providers have misunderstood the HIPAA Privacy Rule provisions, and believe permission to disclose information to the patient’s loved ones or caregivers must be obtained from the patient before any PHI can be disclosed. In an emergency or crisis situation, such as during a drug overdose, healthcare providers are permitted to share limited PHI with a patient’s loved ones and caregivers without permission first having been obtained from the patient. During an opioid overdose, healthcare providers can share health information with the patient’s family members, close friends, and caregivers if: The healthcare...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
How to Report a HIPAA Violation
Oct26

How to Report a HIPAA Violation

It is important for all employees in the healthcare and healthcare insurance industries to understand what constitutes a HIPAA violation and how to report a HIPAA violation. Understanding what constitutes a HIPAA violation should be included in the Covered Entity´s HIPAA training, as should the correct person to direct the report to – who then has the responsibility to determine whether ot not the HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Potential HIPAA violations must be investigated internally by HIPAA Covered Entities and – where applicable – their Business Associates to determine the severity of the breach, the risk to individuals impacted by the incident, and to ensure action is taken promptly to correct the violation and mitigate risk. The sooner a potential HIPAA violation is reported, the easier it will be to limit the potential harm that may be caused and to prevent further violations of HIPAA Rules. Reporting HIPAA Violations Internally When healthcare or insurance professionals...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Oct26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
New Tool Helps Healthcare Organizations Find HIPAA Compliant Business Associates
Oct25

New Tool Helps Healthcare Organizations Find HIPAA Compliant Business Associates

Healthcare organizations are only permitted to use business associates that agree to comply with HIPAA Rules and sign a business associate agreement, but finding HIPAA compliant business associates can be a challenge. Searching for HIPAA compliant business associates is time consuming, although identifying vendors willing to follow HIPAA Rules is only part of the process. Business associate agreements must then be assessed, often incurring legal fees, and healthcare organizations must obtain assurances from new business associate that appropriate safeguards have been implemented to ensure the confidentiality, integrity, and availability of any PHI they provide. It is also challenging for vendors that wish to take advantage of the opportunities in the healthcare industry. They must be able to demonstrate they have implemented appropriate safeguards and need to provide reassurances that their products and services support HIPAA-compliance. A solution has now been developed that resolves the issues for both parties and streamlines the process of finding HIPAA compliant business...

Read More
Who Enforces HIPAA?
Oct25

Who Enforces HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) introduced many new rules for healthcare organizations, but who enforces HIPAA? Which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates? Who Enforces HIPAA? The primary enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, since the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009, state attorneys general were also given the power to enforce HIPAA Rules. The Centers for Medicare and Medicaid Services (CMS) also have some powers, and are primarily responsible for enforcing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) can also enforce HIPAA with respect to medical devices and may take action against healthcare organizations in certain situations. HIPAA Enforcement by the HHS’ Office for Civil Rights As the main enforcer of HIPAA Rules, the Office for Civil Rights...

Read More
Who Should HIPAA Complaints be Directed to Within the Covered Entity?
Oct23

Who Should HIPAA Complaints be Directed to Within the Covered Entity?

Who should HIPAA complaints be directed to within the covered entity? Any healthcare employee who believes they have witnessed a HIPAA violation should report the incident internally. Typically, the person to report the violation to is your Privacy Officer, if your organization has appointed one. Reporting Potential HIPAA Violations Internally During your HIPAA training, you should have been told who should HIPAA complaints be directed to within the covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, the HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically your Privacy Officer or CISO. You may feel more comfortable reporting the incident to your supervisor. All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA...

Read More
Is Microsoft Outlook HIPAA Compliant?
Oct20

Is Microsoft Outlook HIPAA Compliant?

The latest in our series of posts on HIPAA compliant software and email services for healthcare organizations explores whether Microsoft Outlook is HIPAA compliant. Is Microsoft Outlook HIPAA Compliant? Software or an email platform can never be fully HIPAA compliant, as compliance is not so much about the technology but how it is used. That said, software and email services can support HIPAA compliance. In order for an email service to support HIPAA compliance, it must include a range of security features to ensure that any information uploaded to and transmitted through the service can be done so securely, without risking the exposure or the interception of sensitive data. The platform provider must also be prepared to sign a business associate agreement with HIPAA-covered entities, and by doing so, agree to comply with the requirements of the HIPAA, Privacy, Security, and Breach Notification Rules. Microsoft has already taken steps toward making many of its services suitable for healthcare providers by agreeing to enter into a business associate agreement. Crucially for...

Read More
What are the HIPAA Administrative Simplification Regulations?
Oct20

What are the HIPAA Administrative Simplification Regulations?

The HIPAA Administrative Simplification Regulations – detailed in 45 CFR Part 160, Part 162, and Part 164 – require healthcare organizations to adopt national standards, often referred to as electronic data interchange or EDI standards. The purpose of these regulations is to save time and costs by streamlining the paperwork required for processes such as billing, verifying patient eligibility, and sending and receiving payments. HIPAA Administrative Simplification Standards The HIPAA Administrative Simplification Regulations include four standards covering transactions, identifiers, code sets, and operating rules. By adopting these standards and switching from paperwork to electronic transactions, healthcare organizations can reduce the paperwork burden, receive payments faster, obtain information more rapidly, and easily check the status of claims. The regulations require HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to adopt standards for transactions involving the electronic exchange of...

Read More
Termination for Nurse HIPAA Violation Upheld by Court
Oct19

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’ The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician. Alleged Improper Disclosure of Sensitive Health Information Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked...

Read More
Healthcare Data Breaches in September Saw Almost 500K Records Exposed
Oct19

Healthcare Data Breaches in September Saw Almost 500K Records Exposed

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’ In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed. The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations. The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made...

Read More
De-identification of Protected Health Information: How to Anonymize PHI
Oct18

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, but de-identification of protected health information means HIPAA Privacy Rule restrictions no longer apply. HIPAA Privacy Rule restrictions only covers individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, PHI can be freely shared. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed. HIPAA-Compliant De-identification of Protected Health Information HIPAA-compliant de-identification of protected health information is possible...

Read More
What Are Covered Entities Under HIPAA?
Oct18

What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates? Covered Entities Under HIPAA Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs. Healthcare clearinghouses are organizations that...

Read More
What is the Purpose of HIPAA?
Oct18

What is the Purpose of HIPAA?

The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – is an important legislative Act affecting the U.S. healthcare industry, but what is the purpose of HIPAA? Healthcare professionals often complain about the restrictions of HIPAA – Are the benefits of the legislation worth the extra workload? What is the Purpose of HIPAA? HIPAA was first introduced in 1996. In its earliest form, the legislation helped to ensure that employees would continue to receive health insurance coverage when they were between jobs. The legislation also required healthcare organizations to implement controls to secure patient data to prevent healthcare fraud, although it took several years for the rules for doing so to be penned. HIPAA also introduced several new standards that were intended to improve efficiency in the healthcare industry, requiring healthcare organizations to adopt the standards to reduce the paperwork burden. Code sets had to be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between...

Read More
Q3, 2017 Healthcare Data Breach Report
Oct16

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches. Q3 Data Breaches by Covered Entity Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228. The Ten Largest Healthcare Data Breaches in Q3, 2017 The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Read More
What Federal Department Regulates HIPAA?
Oct16

What Federal Department Regulates HIPAA?

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), but what federal department regulates HIPAA and takes action against organizations that fail to comply with HIPAA Rules? What Federal Department Regulates HIPAA? HIPAA is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR). Since the introduction of the HIPAA Enforcement Rule in March 2006, OCR was given the power to investigate complaints about HIPAA violations. OCR was also given the right to issue civil monetary penalties if HIPAA-covered entities were found to have violated HIPAA Rules. While OCR had the power to issue financial penalties, it is relatively rare for HIPAA violations to result in financial penalties. Over the years since the Enforcement Rule was passed, OCR has steadily increased enforcement of HIPAA Rules, although it has only been in the past four years that financial penalties for HIPAA violations have become more common. Since the...

Read More
Is Skype HIPAA Compliant?
Oct13

Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules? There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules? This article will attempt to answer the question, Is Skype HIPAA compliant? Is Skype a Business Associate? Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary. However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates....

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Oct12

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?
Oct11

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Should covered entities monitor business associates for HIPAA compliance or is it sufficient just obtain a signed, HIPAA-compliant business associate agreement? If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate. It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity. A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an...

Read More
Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS
Oct10

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule – Administrative Simplification: Certification of Compliance for Health Plans – was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has now been withdrawn. Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administration simplification standards for three electronic transactions: Eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The failure to comply with the new rule would have resulted in financial penalties for CHPs. Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
Is WhatsApp HIPAA Compliant?
Oct06

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform. Why Isn’t WhatsApp HIPAA Compliant? First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users. HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is...

Read More
Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?
Oct06

Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?

The HIPAA Breach Notification Rule requires covered entities to issue notifications to individuals after their ePHI has been exposed or stolen, but what about credit monitoring and identity theft protection services? Must they be offered? HIPAA does not stipulate whether credit monitoring and identity theft protection services should be provided to individuals impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered entity. However, following a breach of unsecured protected health information, HIPAA-covered entities are required to provide breach victims with details of the steps that should be taken to mitigate risk and protect themselves from harm. Those steps include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every 12 months if requested. Breach victims should be instructed to monitor their accounts for any sign of fraudulent activity and should be told what to do if suspicious...

Read More
OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals
Oct05

OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals

The recent attack in Las Vegas has prompted the Department of Health and Human Services’ Office for Civil Rights to clarify HIPAA Rules on disclosures to family, friends and other individuals. Following Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the disaster areas of both hurricanes. OCR sometimes, but not always, issued such a waiver after a natural disaster when a public health emergency has been declared. However, OCR did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas, and neither was a waiver issued following the Orlando nightclub shootings in 2016. OCR does not usually issue waivers of HIPAA Rules following shootings and other man-made disasters. Healthcare organizations involved in the treatment of victims of the Las Vegas shootings were required to continue to follow the provisions of the HIPAA Privacy Rule. In its reminder about HIPAA Rules on disclosures to family, friends and other individuals, OCR explained that the HIPAA Privacy Rule allows healthcare organizations to disclose...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates. Summary of the HIPAA Breach Notification Requirements...

Read More
How Employees Can Help Prevent HIPAA Violations
Oct03

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations. Employees Can Help to Prevent HIPAA Violations Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be provided regularly to ensure HIPAA Rules are not forgotten. Employees...

Read More