Author Archives: HIPAA Journal

Are Phone Calls HIPAA Compliant?

Whether phone calls are HIPAA compliant depends on who is making the call, what the call concerns, and who the call is to.

Before discussing whether phone calls are HIPAA compliant, it is important to establish who HIPAA applies to. This is because almost two-thirds of complaints about HIPAA violations are rejected because they allege a violation has been committed by a business that is not subject to the HIPAA Rules. In such cases, HHS’ Office for Civil Rights has no jurisdiction to investigate the complaint and so rejects it.

HIPAA applies to most health plans, health care clearinghouses, and healthcare providers (“Covered Entities”), and to Business Associates and subcontractors providing a service for or on behalf of a Covered Entity. Healthcare-related calls from these sources to individuals are permissible provided the recipient has given their implied consent to receive a call and the call follows FTC guidelines.

Additionally, to make phone calls HIPAA compliant, Covered Entities and Business Associates are required to comply with the General Rules for Uses and Disclosures of PHI (§164.502 to §164.512) and the Minimum Necessary Standard when making phone calls to someone other than the individual that relate to the individual’s condition, treatment, or payment for treatment.

Implied Consent and FTC Guidelines

Phone calls to individuals from Covered Entities and Business Associates are permissible if the recipient of the phone call has given their implied consent by providing a contact telephone number to the Covered Entity or Business Associate. However, under HIPAA, individuals also have the right to revoke consent or request that communications are either made by voice or by text.

Healthcare-related – but not payment-related – phone calls and text messages from Covered Entities to individuals are FTC compliant if they are made for an allowable reason. Allowable reasons are limited to:

  • Appointments and reminders
  • Hospital pre-registration instructions
  • Health checkups
  • The provision of medical treatment
  • Lab test results
  • Notifications about prescriptions
  • Pre-operative instructions
  • Post-discharge follow-up calls
  • Home healthcare instructions

According to the FTC guidelines, calls to individuals should start with the Covered Entity stating their name and the reason for the call. Calls can last no longer than 60 seconds (text messages must be no longer than 160 characters), and Covered Entities cannot contact individuals more than three times per week. Any additional contact – by voice or by text – requires the individual’s authorization.

Making Other Phone Calls HIPAA Compliant

Other phone calls made by a Covered Entity or Business Associate (i.e., not to an individual for an allowable reason) are only subject to the General Rules for Uses and Disclosures and the Minimum Necessary Standard if the communication involves the disclosure of an individual’s PHI. Any phone calls that do not involve the disclosure of PHI are not subject to the Privacy Rule standards.

Nonetheless, there are many types of HIPAA-related phone calls that are subject to Privacy Rule standards. For example, a phone call made from one Covered Entity to another for treatment, payment, or healthcare operations purposes, a phone call made to local authorities to report a public health issue, or a phone call made to the police to report patient abuse or neglect.

Covered Entities can communicate PHI to a Business Associate in a phone call, but before doing so, a Business Associate Agreement must be in place to stipulate the allowable uses and disclosures of PHI. In states where more stringent privacy protections exist, it may also be necessary for a Covered Entity to enter into a contract with another Covered Entity before disclosing PHI for any reason.

Is PHI Disclosed in a Phone Call Subject to the Security Rule?

One final point about making phone calls HIPAA compliant concerns whether PHI disclosed during a phone call is subject to the Security Rule. According to the definition of electronic media in §160.103 of the HIPAA General Provisions, PHI disclosed during a phone call is not considered to be subject to the Security Rule “if the information being exchanged did not exist in electronic form immediately before the transmission”.

However, if the PHI is subsequently recorded on electronic media, the stored PHI (now ePHI) becomes subject to Security Rule standards. Therefore, if PHI is disclosed during a permissible provider-to-provider phone call, and the information is entered into an EHR or other electronic database, the information has to be protected in the same way as any other PHI relating to the individual that is stored electronically.

Are Phone Calls HIPAA Compliant? FAQs

Can nurses give patient information over the phone?

As members of a Covered Entity’s workforce, nurses can give patient information over the phone for permissible uses and disclosures. However, before nurses give patient information over the phone, it is important they verify the identity of the person they are speaking with in order to prevent unauthorized disclosures or disclosing more than the minimum necessary patient information.

Is sharing patient information with family over the phone HIPAA compliant?

With regards to sharing patient information with family over the phone, patients should be given the opportunity to object to their information being shared with family members. Provided the patient has not objected, sharing patient information with family over the phone is HIPAA compliant. However, it is still necessary to comply with the Minimum Necessary Standard.

If a patient is incapacitated and unable to object to their information being shared, healthcare providers can share patient information over the phone with family members provided that the disclosure of PHI is considered to be in the patient’s best interests. Once the patient is no longer incapacitated, he or she must be given the opportunity to object as soon as possible.

Are cell phone calls HIPAA compliant?

As discussed above in “Implied Consent and FTC Guidelines”, calls to cell phones are HIPAA compliant if a patient has given their cell phone number to the Covered Entity as a point of contact. If a patient has given both a cell phone number and a landline number, Covered Entities can use either number to contact the patient up to the FTC-mandated limit of three calls/texts per week.

What information can hospitals give over the phone?

If they are responding to an enquiry about the well-being of a patient, hospitals can provide “directory information” such as the general condition of the patient and their location within the hospital provided the patient is asked for by name, the identity of the caller is verified, and the patient has not objected to the information being disclosed.

Is a landline HIPAA compliant?

Calling a patient’s landline for an allowable reason is HIPAA compliant provided the landline number has been provided to the Covered Entity by the patient or patient’s representative. However, Covered Entities must take care to verify that the person they are speaking with is the patient, as landlines can be shared among multiple occupiers or – in a business – multiple employees.

Is giving out a phone number a HIPAA violation?

Giving out a phone number can be a HIPAA violation, but only in certain circumstances. Generally, a phone number is an “identifier” that, when included in a patient’s “designated record set”, becomes Protected Health Information. Any protected identifier in a designated record set can be disclosed if the disclosure is permitted by the General Rules for Uses and Disclosures of PHI.

If a patient has objected to their phone number being given out, if the phone number is given out without authorization for a disclosure requiring an authorization, or if the phone number is given out in the course of an impermissible disclosure, these are examples of HIPAA violations – if the phone number is included in the patient’s designated record set. If it is not part of the patient’s designated record set, the phone number is not protected, and therefore no HIPAA violation has occurred.

The post Are Phone Calls HIPAA Compliant? appeared first on HIPAA Journal.

What is the Maximum Penalty for Violating HIPAA?

The maximum penalty for violating HIPAA is currently $1,919,173 (September 2022). However, this figure represents the maximum penalty per violation type, and Covered Entities and Business Associates found guilty of multiple violations can expect to pay much more.

When Congress passed HIPAA in 1996, it set the maximum penalty for violating HIPAA at $100 per violation with an annual cap of $25,000. These limits were applied when the Department of Health & Human Services (HHS) published the Enforcement Rule in 2006 and they stayed in force until the publication of the Final Omnibus Rule in 2013.

Among other changes to HIPAA, the Final Omnibus Rule introduced amendments to the Enforcement Rule attributable to passage of the HITECH Act in 2009. The HITECH Act mandated a four tier penalty structure for HIPAA violations and new minimum and maximum penalties for violating HIPAA. The four tiers were based on the level of culpability associated with the violation:

Tier 1 – Lack of Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the event was a violation of HIPAA.

Tier 2 – Lack of Oversight: The violation was due to reasonable cause and not willful neglect to comply with the HIPAA regulations.

Tier 3 – Willful Neglect: The violation was due to the willful neglect of the Covered Entity or Business Associate but corrected within 30 days of discovery.

Tier 4 – Willful Neglect, Not Corrected: The violation was due to the willful neglect of the Covered Entity or Business Associate but not corrected within 30 days of discovery.

The Penalties for Violating HIPAA Change after Review

Originally, due to “inconsistent language” of the HITECH Act, HHS interpreted the new Enforcement Rule penalty structure as follows:

Level of Culpability                            Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Limit
Lack of Knowledge                               $100                            $50,000                         $1,500,000
Lack of Oversight                               $1,000                          $50,000                         $1,500,000
Willful Neglect                                 $10,000                         $50,000                         $1,500,000
Willful Neglect not Corrected within 30 days    $50,000                         $50,000                         $1,500,000

However, following a review of the penalty tiers by HHS’ Office of General Counsel, the annual caps were amended in 2019 to align with those mandated by HITECH.

Level of Culpability                            Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Limit
Reasonable Efforts                              $100                            $50,000                         $25,000
Reasonable Cause                                $1,000                          $50,000                         $100,000
Willful Neglect – Corrected                     $10,000                         $50,000                         $250,000
Willful Neglect – Not Corrected within 30 days  $50,000                         $50,000                         $1,500,000

This resulted in the annual limit for a Tier 1 violation being less than the maximum penalty for violating HIPAA in Tier 1 – a situation that has continued as the penalties for violating HIPAA have been adjusted to account for inflation. Additionally, the maximum penalty for violating HIPAA in Tier 4 has also been increased. The current (September 2022) penalties for violating HIPAA are:

Level of Culpability                            Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Limit
Lack of Knowledge                               $127                            $60,973                         $30,133
Lack of Oversight                               $1,280                          $60,973                         $121,946
Willful Neglect                                 $12,794                         $60,973                         $304,865
Willful Neglect not Corrected within 30 days    $60,973                         $1,919,173                      $1,919,173

The Maximum Penalty for Violating HIPAA is per Violation Type

It is important for Covered Entities and Business Associates to be aware that the maximum penalty for violating HIPAA is per violation type. This means that (for example), if a Covered Entity fails to conduct a risk assessment, fails to implement measures to prevent a foreseeable breach, and fails to notify patients when a breach occurs, the Covered Entity could be issued the maximum penalty for violating HIPAA three times over.

It is also important to be aware that State Attorneys General have the authority to impose civil money penalties on Covered Entities and Business Associates found to have violated HIPAA. Consequently, what a Covered Entity or Business Associate pays in penalties to HHS’ Office for Civil Rights may be substantially increased – as Anthem Inc. found out following a breach of 78.8 million records in 2015.

In addition to reaching a $16 million settlement with HHS’ Office for Civil Rights, Anthem Inc. was also fined $48.2 million by State Attorneys General in two separate cases. Additionally, a class action was brought against Anthem Inc. by individuals whose data was breached – resulting in a further $115 million settlement. Consequently, if found guilty of a HIPAA violation, the maximum penalty for violating HIPAA could be much more than the figures published annually in the Federal Register.


Can Medical Records be Subpoenaed?

In answer to the question “can medical records be subpoenaed?”, the answer is yes, because every type of record can be subpoenaed. Possibly a more relevant question would be “how should healthcare providers respond to a subpoena for medical records?”

In most states, there are three types of subpoenas – a “witness subpoena” that requires an entity to appear in court to give evidence, a “deposition subpoena” that requires an entity to provide copies of records and/or attend a deposition hearing, and a “subpoena duces tecum” that requires an entity to provide copies of records and/or attend a court hearing.

All three types of subpoenas can be used to subpoena medical records or require a healthcare provider to answer questions/testify about a medical record. Although they are not exclusive to any particular type of case, a witness subpoena will most likely be used in a legal action where both a patient and a healthcare provider are the parties in a case (i.e., a medical negligence claim).

The other two types of subpoenas will most commonly involve cases in which the healthcare provider is not a party in a civil or criminal action (i.e., an injury compensation claim), but the patient’s medical records are required to support discovery and/or resolve the action. In such cases, it is important to be aware of how medical records can be subpoenaed in compliance with HIPAA.

What HIPAA Says about Medical Records being Subpoenaed

The relevant parts of HIPAA relating to medical records being subpoenaed can be found in §164.512 of the Privacy Rule – “[Permissible] uses and disclosures for which an authorization [from the patient] or opportunity to agree or object is not required” – specifically the section relating to disclosures for judicial and administrative proceedings (Section C). This section states that healthcare providers can disclose PHI in response to a subpoena provided that:

  • Only PHI expressly requested by the subpoena is disclosed and de-identified information could not reasonably have been used.
  • The information requested is relevant to a legitimate proceeding and the request is specific and limited in scope.
  • The subject of the PHI has been informed about the subpoena or reasonable efforts have been made to notify the individual.
  • An objection has not been filed by the subject of the PHI and the time to file an objection has elapsed.
  • Any PHI disclosed in response to a subpoena is not used for any purpose other than the purpose for which it was requested.
  • The party seeking the disclosure has put in place or requested a protective order to prevent further disclosures.
  • Any PHI disclosed in response to the subpoena for medical records will be returned or disposed of at the end of the proceedings for which they were requested.

It is important to be aware that the provisions of Section C do not supersede other provisions of the Privacy Rule. Consequently, it is still necessary to obtain an authorization before disclosing psychotherapy notes or substance abuse disorder medical records, the Minimum Necessary Standard still applies, and Covered Entities have to comply with the provisions of any state laws that pre-empt HIPAA when more stringent privacy protections exist.

Responding to a Subpoena for Medical Records

There are different ways to respond to a subpoena for medical records depending on the type of subpoena (witness, deposition, or duces tecum) and the subpoena issuer. It is important to respond correctly when medical records are subpoenaed because incorrect responses can result in HIPAA violations. For this reason, healthcare providers and administrators should obtain legal advice to find out whether medical records can be subpoenaed in the specific circumstances of each subpoena.

The significance of the subpoena issuer is that it is not possible to object to a court order, a subpoena signed by a judge, magistrate, or administrative tribunal, or a grand jury subpoena. In such cases, it is necessary to comply with the subpoena for medical records and respond by disclosing the PHI expressly requested by the subpoena – notwithstanding that the content of the subpoena should cover the Privacy Rule provisions listed above (i.e., return or disposal of PHI, etc.).

If a subpoena is signed by a court clerk or attorney, additional assurances may be required by HIPAA. For example, a subpoena requesting substance abuse disorder medical records is invalid unless it is accompanied by a signed court order authorizing the disclosure. Similarly, if patient authorization is required to respond to a subpoena, healthcare providers should use their own authorization form rather than a waiver sent with the subpoena by an attorney.

Objecting to a Subpoena for Medical Records

Healthcare providers can object to a subpoena for medical records when it has been signed by a court clerk or attorney for a variety of reasons. These include (but are not limited to):

  • The subpoena does not allow the healthcare provider sufficient time to collate the information requested.
  • The subpoena requires the disclosure of PHI requiring an authorization and it has not been possible to obtain an authorization from the patient.
  • The subpoena imposes an undue burden on the healthcare provider – typically when the PHI of multiple patients is requested for a class action.
  • The subpoena is unreasonable or oppressive, or it is procedurally defective (i.e., no protective order has been requested to prevent further disclosures).

Usually there is a time period for filing an objection to a subpoena, and this can vary according to where the subpoena is issued. Similarly, there may be other reasons for objecting to a subpoena for medical records depending on state law. Consequently, expert and specialist legal advice is needed for the specific circumstances of each subpoena, and healthcare providers and administrators should always obtain legal advice before responding to a subpoena for medical records.

Can Medical Records be Subpoenaed? FAQs

Can courts subpoena medical records?

Yes, but as mentioned above, it is important to establish whether a court-issued subpoena is signed by a judge or a court clerk on behalf of an attorney as this affects the right to object to a subpoena for medical records.

Can an attorney subpoena medical records?

In most states, an attorney can subpoena medical records. However, in some states medical records obtained by an attorney via a deposition subpoena can only be used during the discovery process and are not admissible as evidence in court (also see the next FAQ).

Can a judge subpoena medical records?

Judges can subpoena medical records at any stage of proceedings. They can also subpoena medical records previously subpoenaed by an attorney if the medical records have been obtained via a deposition subpoena and are not admissible in court.

How far back can medical records be subpoenaed?

This depends on the purpose of the subpoena and the state in which the subpoena was issued. This is because statutes of limitations exist on certain legal proceedings (i.e., you cannot file a personal injury claim after x years), and because state-mandated retention periods differ from state-to-state.

What is a subpoena duces tecum for healthcare records?

A subpoena duces tecum for healthcare records is a court order requiring a healthcare provider to produce the requested medical records at a deposition or court hearing. Usually, the court order allows the healthcare provider to produce the medical records remotely without an in-person appearance being necessary.


Lubbock Heart & Surgical Hospital and NorthStar Healthcare Consulting Disclose Cyberattacks

Lubbock Heart & Surgical Hospital in Texas has recently announced it was the victim of a hacking incident that resulted in disruption to the operations of some of its IT systems. The cyberattack was detected by the hospital on July 12, 2022, and immediate action was taken to contain the incident and prevent further unauthorized access, and forensics experts were engaged to determine the nature and scope of the attack. The investigation confirmed its systems were accessed by the attackers between July 11 and July 12, but it was not possible to determine if any files containing patient information had been accessed or copied from its systems.

The files potentially accessed included patient information such as names, contact information, demographic information, dates of birth, Social Security numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and health insurance information.

Lubbock Heart & Surgical Hospital said security safeguards and technical measures have been enhanced to prevent further security incidents. Notification letters were sent to the 23,379 affected individuals on September 9, 2022. Complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers exposed.

NorthStar Healthcare Consulting Data Breach Affects 18,354 Patients

Alpharetta, GA-based NorthStar Healthcare Consulting, a business associate supporting Optum Rx, which provides pharmacy benefit management services to the Georgia Department of Community Health, Medical Assistance Plans Division, has reported a breach of an employee email account and the exposure of sensitive patient information.

According to the breach notice submitted to the Vermont Attorney General, suspicious activity was detected in the email account on April 20, 2022. Third-party forensic investigators were engaged to investigate the incident which confirmed the email account had been accessed by an unauthorized individual, but it was not possible to confirm which, if any, emails containing protected health information had been accessed, or if emails had been copied. The investigation concluded on July 15, 2022, and work began on obtaining up-to-date contact information to issue notifications.

NorthStar Healthcare Consulting said the emails contained names, addresses, birth dates, Medicaid numbers, medication names, prescriber names, and appeal numbers, and for a limited number of patients, brief notes on diagnosis and related symptoms. NorthStar Healthcare Consulting said steps have been taken to improve email security and complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 18,354 individuals.


Is it Okay to Share ePHI via a Business Password Manager?

One of the capabilities of many business password managers is the ability to send encrypted messages to any recipient. Often this capability is used to securely share login credentials or other confidential data. But is it okay to share ePHI via a business password manager?

Over the past few years, the capabilities of business password managers – particularly vault-based password managers – have grown significantly. For example, whereas SSO integration was once big news, these days we are talking more about password-less logins and it has been estimated that biometric facial recognition hardware will be present in 90% of smartphones by 2024.

With regards to the ability to send encrypted messages, this first started as a means of sending passwords to users in the same business subscription. It evolved into sending notes, files, and other data to users in the same business subscription, and then further evolved to sending encrypted messages of any kind to any recipient regardless of whether they are using a password manager.

Why Share ePHI via a Business Password Manager?

There are many circumstances when healthcare providers or other members of a Covered Entity’s workforce need to send or request ePHI to or from a colleague or Business Associate. In many cases, the colleague or Business Associate may not be in the same communications network – raising the issue of how to transmit ePHI securely in compliance with the HIPAA Security Rule.

The most common forms of communication – such as SMS, IM, email, etc. – are not suitable because they lack the necessary features to fulfil the requirements of the Technical Safeguards – for example, access controls, automatic logoff, encryption, audit controls, etc. However, most business password managers do have the necessary features to send and receive ePHI compliantly.

These features enable users to share ePHI via a business password manager securely without risking an impermissible disclosure of ePHI and facilitate “the flow of health information needed to provide and promote high-quality healthcare” – a major goal of the HIPAA Privacy Rule. However, in order to share ePHI via a business password manager in full compliance with HIPAA, the vendor of the password manager must sign a Business Associate Agreement. Not all are willing to do so.

Is a Business Associate Agreement Necessary?

In 2016, the Department of Health & Human Services (HHS) published an FAQ regarding whether or not a Cloud Service Provider is excluded from the definition of a Business Associate if the Cloud Service Provider cannot access ePHI stored in the cloud because it is encrypted and the Cloud Service Provider does not have the decryption key.

The answer was that a Cloud Service Provider is not excluded under the “conduit exception rule”. Conduits such as the U.S. Postal Service, FedEx, and DHL are transmission services, and the temporary storage of PHI while it is in the conduit’s possession is incidental to the transmission, whereas the storage of ePHI with a Cloud Service Provider is persistent rather than temporary.

HHS stated in the FAQ that “a Cloud Service Provider that maintains ePHI for the purpose of storing it will qualify as a Business Associate […] even if the Cloud Service Provider does not actually view the information”. Substitute password manager vendors for Cloud Service Providers, and it is clear a Business Associate Agreement is necessary to share ePHI via a business password manager.

Which Vendors will Sign a Business Associate Agreement?

Not many, despite claiming to have HIPAA-compliant password managers. 1Password and Keeper – the two most popular password managers in the U.S. – both state they do not qualify as Business Associates because of their zero knowledge architectures (which is incorrect). LastPass and NordPass have such incorrect information about HIPAA on their websites that we strongly suspect they don’t understand a Business Associate Agreement is necessary. Most others keep quiet about the issue.

Among those that do publicly state they are willing to sign a Business Associate Agreement, Bitwarden and Zoho Vault are the most well-known. Of the two, Zoho Vault is the more feature-rich; but at nearly 50% more expensive per user than Bitwarden, Zoho Vault could work out to be unnecessarily expensive if you are not going to use all the features you are paying for. Additionally, Bitwarden passed a HIPAA Security Rule Assessment Report conducted by AuditOne in 2020.

In conclusion, it is okay to share ePHI via a business password manager, provided that the password manager has been configured to comply with the Technical Safeguards of the Security Rule and the vendor of the password manager has signed a Business Associate Agreement. If the vendor is unwilling to sign a Business Associate Agreement, it is not possible to share ePHI via a business password manager without violating HIPAA.


Data Breaches Reported by Physicians’ Spine and Rehabilitation Specialists of Georgia and One Medical Inc.

The Physicians’ Spine and Rehabilitation Specialists of Georgia (PSRSG) has notified 38,765 patients that some of their protected health information has potentially been compromised in a cyberattack that occurred on or around July 11, 2022. A team of external cybersecurity experts was engaged to assist with the investigation and remediation efforts, and its systems were successfully restored within a few days without causing any material delays to clinical care.

PSRSG said numerous security measures had been implemented prior to the attack, but the attackers were able to circumvent those defenses. Steps have since been taken to enhance security to prevent similar breaches in the future. The forensic investigation confirmed the attacker had access to its systems for around a week before the intrusion was detected and blocked.

It was not possible to determine which files were accessed or if any sensitive information was stolen in the attack, but the attacker claimed to have stolen sensitive data from its systems and threatened to release that information publicly. A review of the files on the compromised systems confirmed they contained protected health information, which included names, birth dates, contact information, Social Security numbers, driver’s license numbers, treatment information, guarantor information, and insurance information. The types of data in the files varied from individual to individual. PSRSG said affected individuals have been notified and offered free credit monitoring and identity theft insurance through Experian, “solely to give patients peace of mind.”

One Medical, Inc. Confirms Hacking Incident and Potential Data Breach

The Sherman, TX-based healthcare provider, One Medical Inc., has recently confirmed that it was the victim of a cyberattack in which names, addresses, medical information, and Social Security numbers were potentially compromised. The data breach was reported to the Attorney General of Texas on September 9, 2022, as a hacking incident. Limited information is currently available, but the breach appears to have affected at least 964 Texas residents.

This is the second data breach to have hit the firm in the past year or so. In July 2021, One Medical reported an email error in which the PHI of 1,009 individuals was impermissibly disclosed.


What Happens after a HIPAA Complaint is Filed?

What happens after a HIPAA complaint is filed can vary according to who it is filed with, whether or not the complaint is justified, and the nature of the complaint.

When you register with a healthcare provider or become a member of a group health plan, you are given a Notice of Privacy Practices. The Notice of Privacy Practices explains how the healthcare provider or health plan can use or disclose your health information and also what rights you have to restrict specific uses and disclosures and request a copy of any health information held about you.

The Notice of Privacy Practices should also provide details of who you can complain to if you think a healthcare provider or health plan has used or disclosed your health information impermissibly, or if your rights have been violated. Usually, the contact details are those of the organization’s Privacy Office and the Department of Health & Human Services’ Office for Civil Rights.

It is also possible to file a complaint with your State Attorney General. However, the majority of states require that you complain to the organization before filing a complaint with the State Attorney General. For this reason, it is important to keep copies of any correspondence between you and the organization, and records of who you spoke with and when if complaining by phone.

What Happens after a HIPAA Complaint is Filed with an Organization?

There is no HIPAA-mandated process for what happens after a HIPAA complaint is filed with a healthcare provider or health plan, so the process is likely to vary from organization to organization. However, the Privacy Rule states that all complaints have to be documented, so the first thing that will happen is that you will receive an acknowledgement of your complaint.

Healthcare providers and health plans are aware that if they do not respond to your complaint satisfactorily and in a timely manner, you have the right to escalate the complaint to HHS’ Office for Civil Rights or your State Attorney General. Therefore, as regulatory investigations can be disruptive and attract indirect costs, your complaint will be reviewed as a matter of priority.

If the review identifies a potential HIPAA violation, it will be investigated further. An investigation can result in several outcomes.

  • If no violation is identified, you should receive a communication explaining why.
  • If a minor violation is identified, the organization will likely take steps to rectify it.
  • If a more serious violation is identified, the organization may escalate your complaint to HHS’ Office for Civil Rights for technical assistance or to report a data breach.

If you are dissatisfied with the response from your healthcare provider or health plan – or you fail to hear from them in a timely manner – you can escalate the complaint to HHS’ Office for Civil Rights or your State Attorney General. Unlike a State Attorney General, HHS’ Office for Civil Rights does not require you to have complained to the organization before complaining to them.

What Happens after a HIPAA Complaint is Filed with HHS’ Office for Civil Rights?

When a complaint is filed with HHS’ Office for Civil Rights, the complaint is reviewed to establish that the agency has the authority to investigate, that the complaint was made within 180 days of the alleged violation, and that the complaint relates to a violation of the Privacy, Security, or Breach Notification Rules. Around two-thirds of complaints are rejected at the review stage because the complaint is made against an organization not subject to HIPAA, is filed too late, or no violation has occurred.

If a complaint passes the review stage, HHS’ Office for Civil Rights will contact the healthcare provider or health plan to attempt an informal resolution to the complaint – for example, by providing technical assistance. If a more serious violation is identified, HHS’ Office for Civil Rights will conduct a full-scale investigation into the organization’s compliance, with the possible outcomes being technical assistance, a more formal corrective action plan, or a civil money penalty.

The process is much the same when a complaint is filed with a State Attorney General, and both HHS’ Office for Civil Rights and State Attorneys General will inform a complainant of the outcome of their complaint once it is resolved. The only exception to this process is when a possible criminal violation of HIPAA is identified by either HHS’ Office for Civil Rights or a State Attorney General – in which case the complaint is escalated to the Department of Justice for investigation.


Minor Changes to ISO 27001 Password Management Controls Expected in Updated Standard

The ISO 27001 standard is currently being updated and the latest version is due for publication next month. The early indications are that, although the control domains will be significantly revised, there are only minor changes expected to the ISO 27001 password management controls.

The ISO 27001 standard is an international information security standard jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The aim of the standard is to help organizations better secure data by listing the necessary requirements for establishing an effective information security management system.

Organizations that meet the requirements of ISO 27001 can choose to be certified by an accredited certification body. Certification has the benefits of enhancing an organization’s reputation for data security (which can help attract new customers), reducing the number and length of security audits, and – in the healthcare industry – limiting enforcement action should a data breach occur.

Alternatively, organizations that do not want to commit to implementing a full information security management system can implement selected controls. Although this means the organizations will not qualify for ISO 27001 certification, the controls still help protect data from unauthorized access, raise awareness of data security among the workforce, and mitigate the risk of a data breach.

Existing ISO 27001 Password Management Controls

Currently, the existing ISO 27001 password management controls can be found in Subsection 9 of Annex A – The “Access Controls” domain. There are fourteen controls divided into four control groups in this domain:

9.1 Access Controls

  • 1.1 Access Control Policy
  • 1.2 Access to Networks and Network Services

9.2 User Access Management

  • 2.1 User Registration and Deregistration
  • 2.2 User Access Provisioning
  • 2.3 Management of Privileged Access Rights
  • 2.4 Management of Secret Authentication Information of Users
  • 2.5 Review of User Access Rights
  • 2.6 Removal or Adjustment of Access Rights

9.3 User Responsibilities

  • 3.1 Use of Secret Authentication Methods

9.4 Application Access Controls

  • 4.1 Information Access Restriction
  • 4.2 Secure Login Procedures
  • 4.3 Password Management System
  • 4.4 Use of Privileged Utility Programs
  • 4.5 Access Control to Program Source Code

Because of the complexity of provisioning, managing, reviewing, and adjusting users’ access rights, many organizations looking to comply with the ISO 27001 password management controls implement a vault-based password manager such as Bitwarden, whose “Security and Compliance Program” is itself based on the ISO 27001 standard.

The advantages of vault-based password managers are that they are effective across all devices and operating systems, password policies can be applied universally, by group, or individually, and each vault can be secured with 2FA. Admins can add and remove users, apply and adjust role-based access controls (RBAC), and share passwords among authorized users securely through the password manager.

Vault-based password managers are also zero-knowledge solutions. This means that nobody other than the authorized user(s) is able to access and view data stored in a vault without the master password and access to the 2FA authenticator method – although it is still necessary to sign a Business Associate Agreement with the vendor if ePHI is shared through the password manager.

Anticipated Changes to the ISO 27001 Controls in 2022

In July 2022, an updated version of ISO 27001 – the “Final Draft International Standard” or “FDIS” – was distributed among National Standards Bodies for formal approval. The National Standards Bodies will vote on the updated version by the end of September; and, provided the vote is in favor of the updates, ISO 27001:2022 will be published in October 2022.

Although the ten clauses of the standard only have language changes, Annex A – which contains the required controls – has been revised significantly. The fourteen control domains (A.5 to A.18) are being compressed into just four control domains, there are 11 new controls, 23 controls have been renamed, and 24 controls merged with other controls. The four new control domains will be:

A.5 Organizational Controls (37 Controls)

A.6 People Controls (8 Controls)

A.7 Physical Controls (14 Controls)

A.8 Technological Controls (34 Controls)

In the context of ISO 27001 password management controls, most of the existing controls in the former Access Controls domain (A.9) will be dispersed among the four new domains. However, some existing controls will be merged into new controls – for example, the content of A.9.2.4, A.9.3.1, and A.9.4.3 will be merged into a new control A.5.17 “Authentication Information”.

Other new controls that may apply to password management (depending on whether an organization saves data in the cloud or uses activity monitoring software) include A.5.23 “Info Security for Use of Cloud Services”, A.8.12 “Data Leakage Prevention”, and A.8.16 “Monitoring Activities”. A.8.32 “Change Management” may also be relevant to some organizations.

Be Sure to Adjust Your Password Management Controls as Necessary

When the new ISO 27001:2022 is published, certified organizations will have three years to make any necessary changes to their information security management system in order to maintain their accreditation. Non-certified organizations that have implemented selected controls can continue using the existing controls as best practices or adjust them as necessary.

Undoubtedly vendors of password managers will release information about how organizations can comply with the changes to the ISO 27001 password management controls; and, if your organization has already deployed a password manager, be sure to sign up to their newsletter, follow them on social media, or subscribe to their blog to keep up to date with the latest recommendations.


Understanding the HIPAA Medical Records Destruction Rules

Some of the biggest fines for HIPAA violations have been for failing to comply with the medical records destruction rules. Consequently, it is vital that Covered Entities and Business Associates are aware of how to destroy medical records compliantly.

Each state has its own requirements for retaining medical records; and, in some cases, certain types of medical records have to be retained for longer periods than others. Federal laws can also dictate how long specific records have to be retained (e.g., OSHA 1910.1200(g)), and if these records are maintained in a designated record set, they are considered to be PHI and Covered Entities are required to keep them until the retention period expires.

Although HIPAA has document retention requirements, there are no minimum retention periods for medical records. However, the Privacy Rule does require that Covered Entities implement appropriate administrative, technical, and physical safeguards to protect the privacy of medical records for whatever period the records are maintained by the Covered Entity. This requirement also applies to the destruction of medical records.

The HIPAA Medical Records Destruction Rules

Although there are no specific HIPAA medical records destruction rules, the Privacy Rule requires Covered Entities to determine what steps are reasonable to safeguard medical records through the destruction process and to develop and implement policies and procedures to carry out those steps. In determining what is reasonable, Covered Entities should assess potential risks to patient privacy in the context of what form the information is in and how it is being destroyed.

Additionally, the Security Rule requires Covered Entities and Business Associates to develop and implement policies and procedures to facilitate the compliant destruction of electronic PHI and/or the media on which it is stored. Any members of the workforce involved in the destruction process, or who supervise other members of the workforce responsible for destroying medical records in compliance with HIPAA, must receive training on the PHI destruction policies and procedures.

Failing to implement reasonable safeguards to protect PHI in connection with its destruction could result in impermissible disclosures of PHI, and several Covered Entities have received substantial fines for failing to comply with the HIPAA medical records destruction rules:

  • In 2009, CVS Pharmacy Inc. was one of the first Covered Entities to reach a financial settlement for a HIPAA violation – the company agreeing to a $2.25 million settlement for the improper disposal of PHI.
  • The following year, the pharmacy chain Rite Aid agreed to pay $1 million to settle a similar HIPAA violation; and, a few years later, the independent Cornell Prescription Pharmacy had to pay $125,000 for also disposing of PHI improperly.
  • It is not just pharmacies that fail to comply with the HIPAA medical records destruction rules. In 2013, the former owners of a medical billing practice were fined $140,000 for disposing of 67,000 medical records in a public dump.
  • More recently, the New England Dermatology and Laser Center agreed to settle an investigation into the improper destruction of medical records for $300,640 and implement a Corrective Action Plan for two years – which will incur further indirect costs.

How to Destroy Medical Records in Compliance with HIPAA

HHS’ Office for Civil Rights has previously released guidance on how to destroy medical records in compliance with HIPAA. With regards to paper records, the agency suggests “shredding or otherwise destroying PHI […] so the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle”.

With regards to the bulk destruction of PHI, the agency suggests depositing PHI in locked dumpsters that are only accessible by authorized persons, or maintaining PHI in a secure area until such time as a disposal company removes it to destroy it professionally. In such circumstances, it will be necessary to enter into a Business Associate Agreement with the entity responsible for destroying the records.

With regards to ePHI, HHS’ Office for Civil Rights advocates clearing and purging electronic media, or destroying the media by disintegration, pulverization, melting, incineration, or shredding. It is important to note that some clearing and purging techniques are not 100% effective on modern hard drives, and it may be possible to recover deleted data in some cases.

It is also important to note that some states have more stringent medical records destruction rules than HIPAA; and, in some states, any organization that creates, maintains, or transmits personal health information may be subject to medical records destruction rules – not just HIPAA Covered Entities and Business Associates. If you are unsure which medical records destruction rules apply to your organization, it is recommended you seek professional compliance advice.
