HIPAA Updates

Senator Seeks Information on How to Improve Health Data Privacy

Senator Bill Cassidy (R-LA), ranking member of the U.S. Senate Committee on Health, Education, Labor, and Pensions (HELP), is seeking feedback on how health data privacy can be improved while also supporting the need for medical research.

Over the past few years there has been a proliferation of new technologies that collect, store, and transmit health information, including wearable devices, smart devices, and health and wellness apps. These technologies have enabled better care and greater patient access to health information, but the health data collected, stored, and transmitted via these technologies largely falls outside the protection of HIPAA.

Senator Cassidy’s request for information seeks feedback from stakeholders on ways of improving health data privacy, especially data collected using technologies that were not in use in 1996 when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, and whether HIPAA needs to be modernized and expanded to cover data collected by non-HIPAA-regulated entities.

Senator Cassidy asks general privacy questions, such as what should be considered as health data and whether the term should only apply only to data covered by HIPAA, whether other types of health data should be treated differently, and which entities that are not currently classed as HIPAA-regulated entities should be accountable for handling health data and whether they should have a duty of loyalty to consumers/patients.

Senator Cassidy acknowledges that new regulations are likely to have implementation challenges and seeks feedback on ways that health data privacy can be improved without creating too great a burden, such as restricting the duty of loyalty based on the sensitivity of the collected data. He also seeks information from stakeholders on how well the HIPAA framework is currently working, whether HIPAA should be updated, the challenges legislative reforms of HIPAA would create, and how health data sharing can be structured, given the current patchwork of legal frameworks in different states.

Information is requested on biometric data, genetic information, and location data, and whether these types of information should be included in a new definition of health data, and what the obligations should be for collecting and safeguarding these types of data.

Consent should be obtained from consumers before health data is collected and data minimization is necessary to limit the information collected to what is reasonably necessary. Feedback is requested on how this can be achieved, how data practices should be communicated to consumers, whether consumers should have the right to request non-HIPAA-covered data be deleted, and if there should be an opt-in or opt-out method of data collection for health data not covered by HIPAA.

Feedback is also sought on the challenges that have been experienced in complying with the data privacy frameworks that have been implemented in 9 states since 2018, and whether any lessons have been learned as states have implemented these frameworks for the governance of health data.

Any new regulations or updates to HIPAA will need to be enforced, and that is also likely to create challenges. Currently, the HHS’ Office for Civil Rights is the main enforcer of HIPAA and has made it clear that it is operating under severe financial restraints and has a large backlog of investigations. The Federal Trade Commission has oversight of health data collected by non-HIPAA-covered entities and has recently taken action over breaches of health data. Suggestions are sought on how updates to HIPAA and new health data regulations should be enforced, and the role different agencies should have in enforcement.

Stakeholders have been given until September 28, 2023, to submit their responses.

The post Senator Seeks Information on How to Improve Health Data Privacy appeared first on HIPAA Journal.

HIPAA Continuity of Care

Under HIPAA, continuity of care is not always as straightforward as it could be due to seemingly contradictory guidance issued by HHS’ Office of Civil Rights. Whereas the Privacy Rule would appear to allow disclosures of PHI for continuity of care and care coordination, the HHS’ guidance states disclosures of PHI between Covered Entities must be kept to the minimum necessary amount.  

The term “continuity of care” has various definitions. Some definitions imply care is continuous within the same healthcare organization (or Organized Health Care Arrangement), while others extend the definition to multiple healthcare settings. An example of this is a patient’s journey from a physician’s office to a hospital, then to a care home, then to a home health service.

With regards to HIPAA and continuity of care in a single healthcare setting – or within an Organized Health Care Arrangement – the Privacy Rule allows disclosures of Protected Health Information (PHI) for healthcare operations without patient consent or authorization. One of the permissible disclosures of PHI in this category is for “case management and care coordination”.

However, when continuity of care involves multiple providers in a linear process, some transfers of information can be incomplete due to the complicated language of the Privacy Rule and seemingly conflicting guidance issued by HHS’ Office for Civil Rights in 2019 with regard to HIPAA care coordination and HIPAA continuity of care.

Continuation of Care, HIPAA, and What the Privacy Rule Says

In the context of continuation of care, HIPAA §164.506(c)(4) states a Covered Entity may disclose PHI to another Covered Entity for health care operations if either Covered Entity has or had a relationship with the individual who is the subject of the PHI being disclosed, if the PHI being disclosed pertains to such relationship, and if it is for a purpose allowed by the definition of health care operations.

The Privacy Rule (HIPAA §164.502(b)(2)) also states the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment. Therefore, in the example given above of a patient’s journey from a physician’s office to a home health service, there should be no problem with the home health service obtaining PHI from the physician to provide treatment.

However, in guidance issued by HHS’ Office for Civil Rights, several examples are given in which it is permissible to transfer PHI between Covered Entities to support care coordination and continuity of care under HIPAA. However, the HHS guidance concludes with a reminder that “although such disclosures are permitted, they are subject to the minimum necessary standard”.

Office for Civil Rights Guidance for HIPAA Coordination of Care

The conclusion to the guidance can appear to contradict the Privacy Rule – particularly the clause stating the minimum necessary standard does not apply to disclosures for treatment. However, when the examples in the guidance are more closely examined, they relate to disclosures of PHI between health plans – rather than healthcare providers – which are not for treatment purposes.

Nonetheless, because the term Covered Entity is used in the guidance, some providers have applied the guidance to their healthcare operations and only provide the minimum necessary PHI to the next provider “up the continuity line”.  Provider B then has an incomplete medical history to transfer to Provider C, who also limits disclosures to the minimum necessary when handing off to Provider D.

Provider D (in our example, the home health service) can acquire the PHI they need from Provider A (the physician) to ensure continuity of care under HIPAA; but, because Provider A believes they have to obtain an authorization from the patient before disclosing more than the minimum necessary PHI, there is an avoidable delay in Provider D receiving potentially vital healthcare data – which can impact patient care.

Proposed Changes to Clarify HIPAA Care Coordination Rules

To clarify the position between HIPAA and care coordination, several Rule changes have been proposed. The proposed changes – if finalized – will not only impact HIPAA compliance, but other federal Rules that govern uses and disclosures of PHI (i.e., 42 CFR Part 2). The key Notices of Proposed Rule Making (NPRMs) that will clarify the care coordination HIPAA rules are:

The Office of Civil Rights’ Proposed Modifications to the Privacy Rule

This NPRM published in January 2021 proposes multiple HIPAA updates to “support, and remove barriers to, coordinated care and individual engagement”. Among the proposed changes to the Privacy Rule:

  • Disclosures of PHI will be permitted without the need to obtain consent or authorization to help individuals with a substance use disorder in emergency circumstances.
  • Disclosures of PHI for continuity of care and individual-level care coordination will be specifically permitted to avoid misunderstanding about when consent is required.
  • An exception to the Minimum Necessary Standard will be created for disclosures of PHI relating to individual-level HIPAA care coordination and case management.

Update to CMS Interoperability and Patient Access Final Rule

In 2020, the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. As the title suggests, the Rule has the primary objectives of improving interoperability between Medicare Covered Entities and enabling better patient access to PHI. Among other measures, a proposed update to the Rule published in December 2022 seeks stakeholder comments on how best to enable data exchanges via a Trusted Exchange Framework.

Closer Alignment of 42 CFR Part 2 and  the HIPAA Privacy Rule

Also at the end of 2022, the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly published an NPRM that more closely aligns the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) with the uses and disclosures of PHI permitted by the HIPAA Privacy Rule. If finalized in its current format, the NPRM will better support compliance with HIPAA and care coordination for SUD and mental health patients.

The post HIPAA Continuity of Care appeared first on HIPAA Journal.

HIPAA Continuity of Care

Under HIPAA, continuity of care is not always as straightforward as it could be due to seemingly contradictory guidance issued by HHS’ Office of Civil Rights. Whereas the Privacy Rule would appear to allow disclosures of PHI for continuity of care and care coordination, the HHS’ guidance states disclosures of PHI between Covered Entities must be kept to the minimum necessary amount.  

The term “continuity of care” has various definitions. Some definitions imply care is continuous within the same healthcare organization (or Organized Health Care Arrangement), while others extend the definition to multiple healthcare settings. An example of this is a patient’s journey from a physician’s office to a hospital, then to a care home, then to a home health service.

With regards to HIPAA and continuity of care in a single healthcare setting – or within an Organized Health Care Arrangement – the Privacy Rule allows disclosures of Protected Health Information (PHI) for healthcare operations without patient consent or authorization. One of the permissible disclosures of PHI in this category is for “case management and care coordination”.

However, when continuity of care involves multiple providers in a linear process, some transfers of information can be incomplete due to the complicated language of the Privacy Rule and seemingly conflicting guidance issued by HHS’ Office for Civil Rights in 2019 with regard to HIPAA care coordination and HIPAA continuity of care.

Continuation of Care, HIPAA, and What the Privacy Rule Says

In the context of continuation of care, HIPAA §164.506(c)(4) states a Covered Entity may disclose PHI to another Covered Entity for health care operations if either Covered Entity has or had a relationship with the individual who is the subject of the PHI being disclosed, if the PHI being disclosed pertains to such relationship, and if it is for a purpose allowed by the definition of health care operations.

The Privacy Rule (HIPAA §164.502(b)(2)) also states the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment. Therefore, in the example given above of a patient’s journey from a physician’s office to a home health service, there should be no problem with the home health service obtaining PHI from the physician to provide treatment.

However, in guidance issued by HHS’ Office for Civil Rights, several examples are given in which it is permissible to transfer PHI between Covered Entities to support care coordination and continuity of care under HIPAA. However, the HHS guidance concludes with a reminder that “although such disclosures are permitted, they are subject to the minimum necessary standard”.

Office for Civil Rights Guidance for HIPAA Coordination of Care

The conclusion to the guidance can appear to contradict the Privacy Rule – particularly the clause stating the minimum necessary standard does not apply to disclosures for treatment. However, when the examples in the guidance are more closely examined, they relate to disclosures of PHI between health plans – rather than healthcare providers – which are not for treatment purposes.

Nonetheless, because the term Covered Entity is used in the guidance, some providers have applied the guidance to their healthcare operations and only provide the minimum necessary PHI to the next provider “up the continuity line”.  Provider B then has an incomplete medical history to transfer to Provider C, who also limits disclosures to the minimum necessary when handing off to Provider D.

Provider D (in our example, the home health service) can acquire the PHI they need from Provider A (the physician) to ensure continuity of care under HIPAA; but, because Provider A believes they have to obtain an authorization from the patient before disclosing more than the minimum necessary PHI, there is an avoidable delay in Provider D receiving potentially vital healthcare data – which can impact patient care.

Proposed Changes to Clarify HIPAA Care Coordination Rules

To clarify the position between HIPAA and care coordination, several Rule changes have been proposed. The proposed changes – if finalized – will not only impact HIPAA compliance, but other federal Rules that govern uses and disclosures of PHI (i.e., 42 CFR Part 2). The key Notices of Proposed Rule Making (NPRMs) that will clarify the care coordination HIPAA rules are:

The Office of Civil Rights’ Proposed Modifications to the Privacy Rule

This NPRM published in January 2021 proposes multiple HIPAA updates to “support, and remove barriers to, coordinated care and individual engagement”. Among the proposed changes to the Privacy Rule:

  • Disclosures of PHI will be permitted without the need to obtain consent or authorization to help individuals with a substance use disorder in emergency circumstances.
  • Disclosures of PHI for continuity of care and individual-level care coordination will be specifically permitted to avoid misunderstanding about when consent is required.
  • An exception to the Minimum Necessary Standard will be created for disclosures of PHI relating to individual-level HIPAA care coordination and case management.

Update to CMS Interoperability and Patient Access Final Rule

In 2020, the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. As the title suggests, the Rule has the primary objectives of improving interoperability between Medicare Covered Entities and enabling better patient access to PHI. Among other measures, a proposed update to the Rule published in December 2022 seeks stakeholder comments on how best to enable data exchanges via a Trusted Exchange Framework.

Closer Alignment of 42 CFR Part 2 and  the HIPAA Privacy Rule

Also at the end of 2022, the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly published an NPRM that more closely aligns the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) with the uses and disclosures of PHI permitted by the HIPAA Privacy Rule. If finalized in its current format, the NPRM will better support compliance with HIPAA and care coordination for SUD and mental health patients.

The post HIPAA Continuity of Care appeared first on HIPAA Journal.

HHS Proposes New Rule to Implement HIPAA Standards for Healthcare Attachments and Electronic Signatures

The Secretary of the Department of Health and Human Services (HHS) has proposed a new rule that will require the adoption of standards for healthcare attachments transactions and electronic signatures used in conjunction with those transactions to support healthcare claims and prior authorization transactions. The new rule will implement the requirements of the Administrative Simplification Requirements of HIPAA and the Affordable Care Act and will apply to all health plans, healthcare clearinghouses, and healthcare providers that currently lack an efficient, uniform method of sending attachments.

Currently, when making coverage decisions about healthcare services, health plans often require additional information that cannot be added to the specified fields or data elements of the adopted prior authorization request or healthcare claims transaction. Currently, this information is sent through the mail or by fax and is subject to manual processes that consume considerable time and resources. At present, there are no adopted HIPAA standards, implementation guides, or operating rules covering healthcare attachments or electronic signatures. The proposed rule will support electronic transmissions of this type of information.

“We believe that the health care industry has long anticipated the adoption of a set of HIPAA standards for the electronic exchange of clinical and administrative data to support electronic health care transactions, such as prior authorization of services and claims adjudication, and the standards we are proposing to adopt are an important step in reducing provider burden,” explained the HHS.

The Administrative Simplification Rules of HIPAA called for standard-setting organizations (SSOs) to develop standard code sets for electronic healthcare transactions, and some of these have previously been implemented as part of the Transactions and Code Sets final rule. A rule was also proposed in 2005 – The HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule – that required the adoption of standards for health care claims attachment standards for specific service areas, including ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services; however, based on the comments received, the HHS chose not to finalize that rule.

The American Hospital Association (AHA) has announced its support for the proposed rule and the adoption of a new HIPAA standard for attachments and electronic signatures, as this will ease the burden on providers,/ Currently, the lack of a HIPAA standard for attachment transactions slows down claims processing, leading to delays to payments and patient care, and contributes to provider burnout. “The AHA supports establishing a standard for attachments to reduce the administrative burdens facing clinicians, and we look forward to providing robust commentary after analyzing the rule’s specifics,” said Terrence Cunningham, AHA director of administrative simplification policy.

The proposed rule is scheduled to be published in the Federal Register on December 21, 2022. Comments on the proposed rule must be submitted by March 21, 2022.

The post HHS Proposes New Rule to Implement HIPAA Standards for Healthcare Attachments and Electronic Signatures appeared first on HIPAA Journal.

OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation

The HHS’ Office for Civil Rights has issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a business associate agreement (BAA) is a HIPAA violation if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of the tracking technology may still violate the HIPAA Rules

The bulletin has been issued in response to the discovery earlier this year that Meta Pixel tracking code was being extensively used on the websites of hospitals and that the code snippet transferred data to Meta, including sensitive patient data. These privacy breaches came to light during an investigation by The Markup and STAT, which found Meta Pixel had been added to the websites of one-third of the top 100 hospitals in the United States and, in 7 cases, the code had been added to password-protected patient portals. The study was limited to the top 100 hospitals, so it is likely that hundreds of hospitals have used the code and have – in all likelihood unwittingly – transferred sensitive data to Meta/Facebook without a business associate agreement in place and without obtaining patient consent.

Following the publication of the report, several lawsuits were filed against healthcare providers over these impermissible disclosures, with some plaintiffs claiming the information disclosed on the websites of their healthcare providers had been transferred to Meta and was used to serve them targeted advertisements related to their medical conditions. The news came as a shock to healthcare providers, triggering investigations and recent data breach notifications; however, despite so the widespread use of the tracking code, only a handful of hospitals and health systems have reported the breach and have sent notifications so far. The bulletin from the HHS is likely to trigger a flurry of breach notifications as providers realize that the use of Meta Pixel and other tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are commonly snippets of code that are added to websites, web applications, and mobile apps for tracking user activity, typically for determining the journeys of users while using websites and monitoring their on-site interactions. The data collected by these technologies can be analyzed and used to improve the services provided through the websites and applications and enhance the user experience, which benefits patients. While there are benefits to individuals from the use of this code, there is also considerable potential for harm to be caused, as in addition to providing a HIPAA-regulated entity with useful information, the data collected through these technologies is usually transmitted to the vendor.

For instance, if a female patient arranged an appointment on the website of a healthcare provider to discuss the termination of a pregnancy, the tracking technology on the site could be transmitted to the vendor, and subsequently disclosed to other third parties. That information could be provided to law enforcement or other third parties. Information disclosed in confidence by a patient of a website or web application could be transferred to a third party and be used for fraud, identity theft, extortion, stalking, harassment, or to promote misinformation.

In many cases, these tracking technologies are added to websites and applications without the knowledge of users, and it is often unclear how any disclosed information will be used by a vendor and to whom that transmitted information will be disclosed. These tracking technologies often use cookies and web beacons that allow individuals to be tracked across the Internet, allowing even more information to be collected about them to form detailed profiles. When tracking technologies are included in web applications, they can collect device-related information, including location data which is tied to a unique identifier for that device, through which a user could be identified.

All Tracking Technologies Must be HIPAA Compliant

There is nothing in HIPAA that prohibits the use of these tracking technologies, but the HIPAA Rules apply when third-party tracking technologies are used, if the tracking technology collects individually identifiable information that is protected under HIPAA and if it transmits that information to a third party, be that the vendor of the tracking technology or any other third-party. If the tracking technology collects any identifiers, they are classed as protected health information because the information connects the individual to the regulated entity, indicating the individual has received or will receive health care services or benefits from the regulated entity, and that relates to the individual’s past, present, or future health or health care or payment for care.

There is an elevated risk of an impermissible disclosure of PHI when tracking technology is used on patient portals or any other pages that require authentication as these pages usually have access to PHI. If tracking code is added to these pages it must be configured in a way to ensure that the code only uses and discloses PHI in compliance with the HIPAA Privacy Rule, and that any information collected is secured in a manner compliant with the HIPAA Security Rule. Tracking code on unauthenticated pages also has the potential to have access to PHI. The same applies to tracking technologies within a HIPAA-regulated entity’s mobile apps, if it collects and transmits PHI. OCR confirmed that only mobile apps offered by healthcare organizations are covered by HIPAA. HIPAA does not apply to third-party apps that are voluntarily downloaded by individuals, even if the apps collect and transmit health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the bulletin.

The OCR bulleting confirms that if tracking technologies are used, the provider of that code – which includes Meta Platforms (Meta Pixel) and Google (Google Analytics) – would be classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity before the code can be added to a website or application. The BAA must state the responsibilities of the vendor with respect to the PHI and specify the permitted uses and disclosures of that information. If the vendor will not sign a BAA, PHI cannot legally be provided to that vendor, therefore the code cannot be used or must be configured in a way that it does not collect or transmit PHI. OCR also confirmed that if a vendor states that they will strip out any identifiable information prior to saving or using the transferred data, such a disclosure to the vendor would still only be permitted if a BAA was signed and if the HIPAA Privacy Rule permits such a disclosure.

Other potential violations of HIPAA could occur. If any PHI is disclosed to a vendor, it must be in line with the organization’s privacy policy and be detailed in their Notice of Privacy Practices. It is important to note that simply stating that tracking technology is used in a notice of privacy practices is not sufficient by itself to ensure compliance. In addition to a BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from a patient, giving their consent to disclose that information. Website banners that ask a website visitor to consent to cookies and the use of web tracking technologies do not constitute valid HIPAA authorizations.

Actions HIPAA-Regulated Entities Should Take Immediately

In light of the bulletin, HIPAA-regulated entities should read it carefully to make sure they understand how HIPAA applies to tracking technologies. They should also conduct a review of any tracking technologies that they are using on their websites, web applications, or mobile apps to ensure those technologies are being used in a manner compliant with the HIPAA Rules. If they are not already, website tracking technologies must be included in a HIPAA-regulated entity’s risk analysis and risk management processes.

It is important to state that a tracking technology vendor is classed as a business associate under HIPAA, even if a BAA is not signed. As such, any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.

If during the review a HIPAA-regulated entity discovers tracking technologies are being used in a manner not compliant with the HIPAA Rules, or have been in the past, then the HIPAA Breach Notification Rule applies. Notifications will need to be sent to OCR and the individuals whose PHI has been impermissibly disclosed.

The post OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation appeared first on HIPAA Journal.

Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report

Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, has recently published a white paper – Cybersecurity is Patient Safety – that highlights the current cybersecurity challenges facing the healthcare industry and suggests several potential policy changes that could help to improve healthcare cybersecurity and better protect all health information, including health data not currently protected under the HIPAA Rules.

Sen. Warner suggests the only way to improve healthcare cybersecurity rapidly is through a collaborative effort involving the public and private sectors, with the federal government providing overall leadership. While further regulation may be necessary, the overall consensus of healthcare industry stakeholders is the best approach is to introduce incentives for improving cybersecurity, rather than mandating cybersecurity improvements with a threat of financial penalties for noncompliance.

The healthcare industry is under attack from cybercriminals and nation-state threat actors and cyberattacks and data breaches are increasing at unacceptable levels. In 2021, 45 million Americans had their sensitive personal and healthcare exposed or stolen in healthcare industry cyberattacks. More must be done to improve resilience and deal with the increasing threats. “Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” said Senator Warner. “Cybersecurity can no longer be viewed as a secondary concern; it must become incorporated into every organization’s – from equipment manufacturers to health care providers – core business models.”

The white paper suggests several areas where policies could be changed to improve cybersecurity in the healthcare industry.

Improve Federal Leadership

The Department of Health and Human Services (HHS) is the Sector Risk Management Agency (SRMA) for the healthcare industry, but within the HHS agencies such as the Office for Civil Rights (OCR), Centers for Medicare and Medicaid Services (CMS), and the Food and Drug Administration (FDA) have their own jurisdictions and cybersecurity policies. The white paper explains that there is a lack of overall leadership and suggests a senior leader should be appointed, who should be “empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role.”

Modernize HIPAA

HIPAA was enacted in 1996, and the HIPAA Privacy and Security Rules have been in place for two decades, and while updates have been made to the HIPAA Rules, they fail to fully address emerging threats to the confidentiality, integrity, and availability of healthcare data. The current focus is on protecting the healthcare data collected, stored, and transmitted by HIPAA-regulated entities, but the same information is collected, stored, and transmitted by entities that are not bound by the HIPAA Rules. It has been suggested that more sensitive healthcare data is now being collected by health apps than is collected and stored by HIPAA-regulated entities, yet this data is largely unregulated. The white paper suggests Congress should direct the HHS to update HIPAA and expand the definition of covered entities and stipulate the allowable uses and disclosures of health data by entities that are not currently classed as HIPAA-regulated entities, to address the gap between HIPAA and the FTC Health Breach Notification Rule.

Develop a Healthcare-Specific Cybersecurity Framework

The National Institute of Standards and Technology (NIST) has released its Framework for Improving Critical Infrastructure Cybersecurity, and while that work has been commended, many healthcare industry stakeholders want more detailed guidance from NIST that is specific to the healthcare industry and have called for NIST develop a consensus-based healthcare-specific cybersecurity framework.

Improve Security Incident Preparedness and Response

The HHS recently stressed in its October Cybersecurity newsletter the importance of security incident preparedness and planning, as cyberattacks are inevitable in the lifespan of a healthcare organization. More needs to be done to encourage healthcare organizations to prepare for attacks. The HHS could direct healthcare facilities to consider cyberattacks to be equivalent to natural disasters such as hurricanes and earthquakes, including mandating training of hospital staff to use analog equipment and legacy systems, and to establish a disaster relief program for victims of cyberattacks.

Incentivize Healthcare Providers to Replace Legacy Systems

Legacy systems are still extensively used in the healthcare industry, despite software and operating systems reaching end-of-life and having support withdrawn. Legacy systems are a security risk, yet healthcare organizations continue to use them as they continue to function and the cost of replacing them is too high. Incentives should be offered to phase out these legacy systems, such as a program similar to the 2009 Car Allowance Rebate System (CARS) that encouraged people to trade in their old vehicles.

Improve Medical Device Cybersecurity

There is considerable concern about the cybersecurity of medical devices and a need for minimum standards of security to be maintained and good cyber hygiene practices followed. There is a need for all software and devices to be supplied with a software bill of materials (SBOMs), and for security requirements to be required during pre-market approval, as proposed by the PATCH Act. The white paper also suggests restrictions could be imposed on the sale of medical devices that have software that has reached end-of-life and is no longer supported, and for healthcare organizations to be incentivized to invest in systems for tracking medical equipment.

Address the Current Cybersecurity Talent Shortage

There is currently a global shortage of cybersecurity professionals that is unlikely to be resolved in the short to medium term. Healthcare organizations struggle to recruit the necessary talent and many cybersecurity positions in healthcare remain unfilled. The white paper suggests one way to address the shortage would be for Congress to create a workforce development program and to incentivize individuals to take on cybersecurity positions in healthcare, such as offering student loan forgiveness for cybersecurity professionals who commit to serving in rural communities, similar to the National Health Service Corps Loan Repayment Program.

Reduce the Cost of Cyber Insurance

Cyber insurance is becoming increasingly expensive and there is an extensive and burdensome application process. The white paper suggests a federal reinsurance program could be introduced to cover plans that require minimum cyber hygiene standards to be maintained, which could help the industry achieve minimum cyber hygiene standards without government mandates. The program would standardize coverage elements and provide incentives for insurance companies to adopt them. This could lower overall risks, which could help to reduce the cost of insurance.

Senator Warner is seeking feedback on the white paper from businesses, advocacy groups, researchers, and individuals. Comments should be submitted no later than December 1, 2022.

The post Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report appeared first on HIPAA Journal.

30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy

A group of 30 senators is urging the Department of Health and Human Services to update the Health Insurance Portability and Accountability Act (HIPAA) to better protect the privacy of patients’ reproductive health information in the wake of the Supreme Court decision on Dobbs v. Jackson Women’s Health Organization and the overturning of Roe Vs Wade, which removed the Federal right to an abortion that had existed for almost 50 years. Following the decision, several states have either banned abortion for state residents or implemented restrictions, with some already seeking to investigate and punish women for seeking abortion care.

The senators, led by Senate Committee on Health, Education, Labor and Pensions (HELP) Chair Patty Murray (D-Wa.), wrote to HHS Secretary, Xavier Becerra, calling for further rulemaking to update the HIPAA Privacy Rule to broadly restrict HIPAA-regulated entities from sharing individuals’ reproductive health information without explicit consent, specifically the sharing of that information with law enforcement, or related to civil or criminal proceedings premised on the provision of abortion care. The senators are calling for the update “to protect patients, and their providers, from having their health information weaponized against them.”

This is the second such request to be sent to Becerra to update the HIPAA Privacy Rule with respect to reproductive healthcare information following the Supreme Court decision. In July 2022, Sens Michael Bennet (D-CO) and Catherine Cortez Masto (D-NV) wrote to Secretary Becerra requesting a HIPAA Privacy Rule update to improve patients’ reproductive healthcare rights.

Confusion About Permitted and Required Disclosures of PHI to Law Enforcement

HIPAA was passed by Congress in 1996, with the legislation calling for the HHS to issue regulations that ensured the privacy of personal health information, which led to the HIPAA Privacy Rule being penned in 2000 to limit uses and disclosures of protected health information unless consent is obtained. The HIPAA Privacy Rule has been updated several times since, with the senators now calling for a further update. “In order for patients to feel comfortable seeking care, and for health care personnel to provide this care, patients and providers must know that their personal health information, including information about their medical decisions, will be protected,” wrote the senators.

They explained that since the Dobbs decision, there has been widespread confusion among healthcare providers about when they are required to provide patients’ health information to state and local law enforcement. Some healthcare providers felt they were legally required to hand over that information when the HIPAA Privacy Rule only permits information to be provided to law enforcement. There have also been cases of healthcare providers being unaware that certain disclosures of reproductive health information are not permitted under HIPAA. “Stakeholders have even described clashes between providers and health care system administrators on whether certain information must be shared. Many of these issues seem to arise from misunderstandings of what the HIPAA Privacy Rule requires of regulated entities and their employees,” wrote the senators.

As more states introduce bans on abortions or implement laws that severely restrict access to abortion care, the confusion is likely to grow. Some states have implemented laws that criminalize abortion providers and also make it illegal for anyone to aid or abet an abortion, which means that any healthcare professional could be exposed to legal liability, from a referring provider to a receptionist. Some state legislators are proposing laws that will ban state residents from visiting another state to have an abortion. “In many cases, these laws have been used to disproportionately criminalize or surveil women of color for their pregnancy loss,” warn the senators.

The senators warn that prohibiting access to abortions and undermining health information privacy will likely have devastating consequences for women’s health. If there is a threat of legal action, many women may delay or avoid disclosing a pregnancy or avoid seeing prenatal care. They may also avoid seeking care for medical conditions such as arthritis or cancer, where the treatment could impact their pregnancy, and healthcare providers may hesitate to provide certain treatments. There are fears that women who are experiencing complications from pregnancy or abortion may avoid seeking essential emergency care, which could have profound health consequences.

Prompt Rulemaking Requested to Update the HIPAA Privacy Rule

The senators explained that HIPAA has protected patient privacy for more than 20 years and recognized the need for stronger protections to be in place for highly sensitive information such as psychotherapy notes, and suggest similar restrictions are required for reproductive health information. The senators praised the efforts of the HHS after the Dobbs decision, which included issuing guidance on the requirements of the HIPAA Privacy Rule with respect to information related to reproductive care, but have called for further proactive steps to be taken to strengthen patient privacy protections.

In addition to broadly restricting HIPAA-regulated entities from sharing reproductive health information without explicit consent for law enforcement, civil, or criminal proceedings premised on the provision of abortion care, the senators have called for the HHS to increase its efforts to engage and educate the healthcare community about the obligations of HIPAA-regulated entities under the HIPAA Privacy Rule, including explaining the difference between permitted and required disclosures of PHI, best practices for educating patients and health plan enrollees on their privacy rights, and how HIPAA interacts with state laws.

They have called for the HHS to expand its efforts to educate patients about their rights under the HIPAA Privacy Rule and to ensure cases involving reproductive health information receive timely, appropriate attention for compliance and enforcement activities.

The post 30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy appeared first on HIPAA Journal.

OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade

President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra recently called on HHS agencies to take action to protect access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care, following the decision of the Supreme Court in Dobbs vs. Jackson Women’s Health Organization. The Supreme Court overruled Roe v. Wade and Planned Parenthood v. Casey and took away the right of women to have a safe and legal abortion.

Yesterday, the HHS Office for Civil Rights (OCR) issued new guidance for healthcare providers and patients seeking access to reproductive health care services to ensure patient privacy is protected. The guidance explains that the federal Health Insurance Portability and Accountability Act (HIPAA) requires individuals’ private medical information, which includes information about abortion and other sexual and reproductive health care, is required to be kept private and confidential. That information is classed as protected health information (PHI) under HIPAA and healthcare providers are not required to disclose PHI to third parties.

The guidance also explains the extent to which private medical information is protected on personal cell phones and tablets and includes advice for protecting individuals’ privacy when using period trackers and other health information apps. Concern has been raised by women that health apps on smartphones, such as period trackers, threaten privacy as they disclose geolocation data. That information could potentially be abused by individuals seeking to deny them access to medical care.

“How you access health care should not make you a target for discrimination,” explained HHS Secretary Xavier Becerra. “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” Becerra is encouraging anyone who believes their privacy rights have been violated to file a complaint with OCR and explained that protecting access to health care, which includes abortion care and other forms of sexual and reproductive health care, is now an enforcement priority for OCR.

The guidance for healthcare providers explains that the HIPAA Privacy Rule allows HIPAA-covered entities, which includes healthcare providers, to disclose an individual’s PHI without obtaining authorization from that individual for the purposes of healthcare, payment, and healthcare operations, but other disclosures – to law enforcement officials for example – are only permitted in narrow circumstances, tailored to protect the individual’s privacy and support their access to health care, which includes abortion care. HIPAA-covered entities and their business associates are reminded that they can use and disclose PHI without an individual’s signed authorization, but only for reasons expressly permitted or required by the Privacy Rule. The guidance also explains the restrictions on disclosures of PHI under the HIPAA Privacy Rule when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

Separate guidance has been issued for individuals about protecting the privacy and security of their health information when using their personal cell phones or tablets. It is important for individuals to understand that most health apps, including period trackers, are not covered by the HIPAA Privacy or Security Rules. That means any personal healthcare data entered, collected, or transmitted by those apps or is stored on smartphones or tablets, is not protected and there are no restrictions on disclosures of that information.

The guidance explains best practices to adopt when using these health apps that will decrease the personal information collected by the apps and limit the potential for disclosures of personal information – including geolocation data – without the individual’s knowledge. The guidance explains how to turn off the location services on Apple and Android devices, and offers advice on selecting apps, browsers, and search engines that prioritize privacy and security.

Information on individuals’ rights to reproductive healthcare is available here.

The post OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade appeared first on HIPAA Journal.

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends

Start preparing now and get your telehealth services HIPAA compliant as when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19.

OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the providers of remote communication tools. The notice of enforcement discretion stated that it lasted for the duration of the PHE. When the Secretary of the HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever comes sooner, the period of enforcement discretion will end. That means that the continued use of remote communication technologies could potentially violate the HIPAA Rules and could lead to financial penalties and other remedies to resolve the HIPAA violations.

In the new guidance on HIPAA and audio-only telehealth, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but HIPAA-regulated entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as is possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.

The HIPAA Security Rule May Apply to Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”

When these technologies are used, the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR suggests that due to the speed at which communication technologies evolve, a robust inventory and asset management process is recommended to identify such technologies and the information systems that use them, as this will help to ensure an accurate and thorough risk analysis.

Business Associate Agreements May be Required

Any vendor that is provided with access to ePHI, or comes into contact with ePHI, is required to enter into a business associate agreement (BAA) with a HIPAA-covered entity. BAAs may be required with vendors providing platforms to support telehealth. A BAA is only required when a telecommunication service provider (TSP) is acting as a business associate. The HIPAA conduit exception applies if the TSP has only transient access to the PHI it transmits. “If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created.  Therefore, a BAA is not needed,” explained OCR in the guidance.

A BAA is required when a TSP is more than a conduit and is not just providing data transmission services, and is either creating, receiving, or maintaining ePHI. In such cases, a BAA is required before the service is used. That applies to remote communication technologies, mobile apps, and Internet and cloud services.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance [Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth] explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

The post OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends appeared first on HIPAA Journal.