Author Archives: HIPAA Journal

Is Amazon CloudFront HIPAA Compliant?

Is Amazon CloudFront HIPAA compliant and can the web service be used by HIPAA covered entities without violating HIPAA Rules? In this post we determine whether Amazon CloudFront supports HIPAA compliance or if it should be avoided by HIPAA-covered entities.

What is Amazon CloudFront?

Amazon CloudFront is a web service that allows users to speed up web content delivery over the Internet. Typically, when a website is accessed, the visitor experiences some latency accessing static and dynamic content.

The reason for this is that visitors do not make a direct connection to the content; instead they are routed along a path to reach the server where the content is hosted. That path can involve many routing points, which inevitably affects the speed at which content can be accessed. By using a content delivery network such as Amazon CloudFront, it is possible to reduce latency and improve the reliability and availability of web content.

By delivering content via a network of data centers (edge locations), users are routed to the nearest location with the least latency, thus speeding up their connection. The service also offers a level of protection against DDoS attacks and other cyberthreats that can be harmful to web services.

Is Amazon CloudFront HIPAA Compliant?

In order for any cloud service to be used in conjunction with protected health information, HIPAA-covered entities must enter into a business associate agreement with the service provider. Therefore, before Amazon CloudFront can be deployed, a HIPAA-compliant business associate agreement must be obtained.

Recently, Amazon has updated its HIPAA compliance program and CloudFront has now been included as a HIPAA-eligible service. CloudFront is now included in the list of services covered by the business associate agreement provided for AWS. If you have already executed a BAA for AWS, it is possible to use CloudFront to deliver content containing PHI. However, make sure you check that your BAA specifically states CloudFront is covered.

The service should also be configured to log CloudFront usage data for auditing purposes for HIPAA-compliant workloads. Access logs should be enabled on the platform and requests sent to the CloudFront API should be captured.
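The two logging controls described above can be checked programmatically. The following is an added example, not code from HIPAA Journal or AWS: it audits a distribution configuration and a list of CloudTrail trails for standard access logging and for capture of CloudFront API calls. The dictionaries mirror the shapes returned by boto3's `get_distribution_config()["DistributionConfig"]` and `describe_trails()["trailList"]`, but the sample values are constructed, so the script runs offline; in a live account the same dictionaries would be fetched with boto3 and passed to `audit()`.

```python
"""Audit CloudFront and CloudTrail settings for the two logging controls
the post calls for: standard access logs enabled on the distribution,
and CloudFront API calls captured by CloudTrail.

All sample data below is constructed for illustration, not taken from a
real account. The dict shapes follow boto3's
cloudfront.get_distribution_config()["DistributionConfig"] and
cloudtrail.describe_trails()["trailList"] (assumed, not verified here).
"""
from typing import Any

# Constructed sample: a distribution with access logging switched off.
WEAK_DISTRIBUTION_CONFIG: dict[str, Any] = {
    "CallerReference": "example-ref",
    "Comment": "phi-portal (constructed sample)",
    "Enabled": True,
    "Logging": {
        "Enabled": False,
        "IncludeCookies": False,
        "Bucket": "",
        "Prefix": "",
    },
}

# Constructed sample: the same distribution with standard logging enabled
# and delivered to a dedicated S3 bucket.
HARDENED_DISTRIBUTION_CONFIG: dict[str, Any] = {
    **WEAK_DISTRIBUTION_CONFIG,
    "Logging": {
        "Enabled": True,
        "IncludeCookies": False,
        "Bucket": "example-cf-access-logs.s3.amazonaws.com",
        "Prefix": "phi-portal/",
    },
}

# Constructed CloudTrail trails. CloudFront is a global service, so its
# API calls only appear in a trail that records global service events.
WEAK_TRAILS: list[dict[str, Any]] = [
    {"Name": "regional-only", "S3BucketName": "example-trail-logs",
     "IncludeGlobalServiceEvents": False, "IsMultiRegionTrail": False},
]
HARDENED_TRAILS: list[dict[str, Any]] = [
    {"Name": "org-trail", "S3BucketName": "example-trail-logs",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True},
]


def audit_distribution_logging(config: dict[str, Any]) -> list[str]:
    """Return findings for a DistributionConfig; an empty list means OK."""
    findings: list[str] = []
    logging_cfg = config.get("Logging", {})
    if not logging_cfg.get("Enabled", False):
        findings.append("standard access logging is disabled")
    elif not logging_cfg.get("Bucket"):
        findings.append("access logging is enabled but no log bucket is set")
    if logging_cfg.get("Enabled") and logging_cfg.get("IncludeCookies"):
        # Cookies may carry session tokens; logging them widens the data
        # that must itself be protected as part of the audit trail.
        findings.append("access logs include cookies; confirm this is intended")
    return findings


def audit_api_logging(trails: list[dict[str, Any]]) -> list[str]:
    """Return findings on whether any trail captures CloudFront API calls."""
    if not trails:
        return ["no CloudTrail trail is configured"]
    if not any(t.get("IncludeGlobalServiceEvents") for t in trails):
        return ["no trail records global service events, "
                "so CloudFront API calls are not captured"]
    return []


def audit(config: dict[str, Any], trails: list[dict[str, Any]]) -> list[str]:
    """Combine both checks into a single list of findings."""
    return audit_distribution_logging(config) + audit_api_logging(trails)


if __name__ == "__main__":
    cases = (("weak", WEAK_DISTRIBUTION_CONFIG, WEAK_TRAILS),
             ("hardened", HARDENED_DISTRIBUTION_CONFIG, HARDENED_TRAILS))
    for label, cfg, trails in cases:
        result = audit(cfg, trails)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```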

Provided a BAA has been obtained for AWS – that includes CloudFront – and the solution is configured correctly, Amazon CloudFront is HIPAA compliant and can be used by healthcare organizations without violating HIPAA Rules.

The post Is Amazon CloudFront HIPAA Compliant? appeared first on HIPAA Journal.

Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected

The Puerto Rico Health Plan Triple-S Advantage has experienced a privacy breach that has impacted 36,000 plan members. The breach was the result of a mailing error which saw sensitive information of plan members disclosed to incorrect individuals.

The protected health information exposed as a result of the mailing was limited and did not include Social Security numbers or financial information; however, plan members’ ID numbers were impermissibly disclosed along with names, dates of service, and treatment codes.

The mailing error occurred in November but was not discovered by Triple-S until December 5, 2017. An extensive investigation was launched to determine how the error occurred and action has now been taken to ensure that similar errors do not occur in future mailings to plan members and healthcare providers.

Triple-S said in its substitute breach notice that its mailing processes have been changed and that those processes have now been tested. Another mailing run has been conducted and copies of the original letters have now been sent to the correct addresses. Affected plan members have also been notified of the exposure of their PHI by first class mail.

Since plan member ID numbers have been exposed, affected individuals have been advised to check their Explanation of Benefits statements carefully to make sure only services that have been received are listed. Since there is potential for malicious actors to change addresses, plan members have been told to check that regular correspondence from Triple-S is still being received.

Triple-S notes that it has not received any notifications to suggest that any PHI has been accessed or misused by unauthorized individuals.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 36,305 plan members were affected by the mailing error.

While all privacy breaches are bad news, this incident will be especially concerning for Triple-S. In 2015, following an investigation into data breaches by the HHS’ Office for Civil Rights, Triple-S Management Corporation – the parent company of Triple-S Advantage – settled multiple HIPAA violations with OCR for $3.5 million. Triple-S was also fined $1.5 million by the Puerto Rico Health Insurance Administration.

The multi-million dollar settlement with OCR resolved serial violations of HIPAA Rules and multiple compliance failures that contributed to eight data breaches by Triple-S Management Corporation subsidiaries between 2010 and 2014.

The company will still be on OCR’s radar and the latest breach is certain to be very carefully scrutinized for any sign of noncompliance with HIPAA Rules.


Is Citrix ShareFile HIPAA Compliant?

ShareFile was bought by Citrix Systems in 2011 and the platform is marketed as a suitable data sync, file sharing, and collaboration tool for the healthcare industry, but is Citrix ShareFile HIPAA compliant?

What is Citrix ShareFile?

Citrix ShareFile is a secure file sharing, data storage and collaboration tool that allows large files to be easily shared within a company, with remote workers, and with external partners. The solution allows any authorized individual to instantly access stored documents via desktops and mobile devices.

For healthcare organizations this means the solution can be used to share large files such as DICOM images with researchers, remote healthcare workers, and business associates. The ShareFile patient portal can also be used to share PHI with patients.

Is Citrix ShareFile HIPAA Compliant?

Citrix will sign a business associate agreement with HIPAA covered entities and their business associates that covers the use of ShareFile, although it is the responsibility of the covered entity to ensure that the solution is configured correctly and is used in a manner that does not violate HIPAA Rules.

The solution satisfies HIPAA requirements for data security, with appropriate access and authentication controls. Users connect to the solution via an encrypted secure SSL/TLS connection and data is protected at rest with AES 256-bit encryption. The solution also supports encryption on mobile devices. An audit trail is maintained with access logs recording who accessed files, when, and for how long and application errors and events are also logged.

So is Citrix ShareFile HIPAA compliant? The safeguards incorporated into the solution mean that it does support HIPAA compliance.

Where HIPAA Covered Entities Must Exercise Caution

Many firms advertise their platforms and software as HIPAA compliant, but that does not mean use does not carry risks. Software solution providers can only build in security and administrative controls that allow their solution to be used in a HIPAA compliant manner. It is the responsibility of users to make sure the solution is configured correctly and HIPAA Rules are not violated.

To avoid HIPAA violations:

  • Ensure a business associate agreement has been obtained prior to the solution being used for storing, syncing, or sharing ePHI
  • Covered entities must perform a risk analysis to determine any potential risks to the confidentiality, integrity, and availability of PHI
  • Ensure encryption is used when sending files to third parties
  • Policies and procedures (administrative safeguards) must be developed covering the use of the solution and staff must be trained
  • Access and authentication controls must be set to restrict access to PHI to only those individuals who are authorized to access information
  • Any PHI shared with third parties must be limited to the minimum necessary data for tasks to be performed
  • Appropriate security controls should be implemented on devices to ensure that in case of theft or loss, the devices cannot be used to gain access to PHI

Citrix offers guidance for covered entities on aspects of HIPAA Rules, how they apply to ShareFile, and assistance to ensure HIPAA compliance while using the platform.


January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017.

Figure: Healthcare data breaches by month (August 2017 to January 2018)

Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month.

Figure: Records exposed in January 2018 healthcare data breaches

The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was 15,857 records.

Largest Healthcare Data Breaches in January 2018

In January there were only four breaches reported that impacted more than 10,000 individuals, compared to nine such incidents in December 2017. Hacking incidents continue to result in the largest data breaches with five of the top six breaches the result of hacking/IT incidents, which includes hacks, malware infections and ransomware attacks.

Covered Entity | Entity Type | Individuals Affected | Type of Breach
--- | --- | --- | ---
Oklahoma State University Center for Health Sciences | Healthcare Provider | 279,865 | Hacking/IT Incident
Onco360 and CareMed Specialty Pharmacy | Healthcare Provider | 53,173 | Hacking/IT Incident
Agency for Health Care Administration | Health Plan | 30,000 | Hacking/IT Incident
Decatur County General Hospital | Healthcare Provider | 24,000 | Hacking/IT Incident
Charles River Medical Associates, pc | Healthcare Provider | 9,387 | Loss
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. | Healthcare Provider | 5,228 | Hacking/IT Incident
RGH Enterprises, Inc. | Healthcare Provider | 4,586 | Unauthorized Access/Disclosure
Gillette Medical Imaging | Healthcare Provider | 4,476 | Unauthorized Access/Disclosure
Zachary E. Adkins, DDS | Healthcare Provider | 3,677 | Theft
Steven Yang, D.D.S., INC. | Healthcare Provider | 3,202 | Theft

Main Causes of Healthcare Data Breaches in January 2018

While hacking/IT incidents and unauthorized access/disclosures shared top spot in January, the biggest cause of breaches was actually errors made by employees and insider wrongdoing. Insiders were behind at least 11 of the 21 breaches reported in January. Four of the five loss/theft incidents involved portable electronic devices. Those incidents could have been avoided if encryption had been used.

Figure: Main causes of January 2018 data breaches

  • Hacking/IT Incidents: 7 breaches
  • Unauthorized Access/Disclosure: 7 breaches
  • Loss/theft of physical records and portable devices: 5 breaches

Figure: January 2018 healthcare data breaches by incident type

Records Exposed by Breach Type

The vast majority of individuals impacted by healthcare data breaches in January 2018 had their health data accessed or stolen in hacking/IT incidents. January saw a significant reduction in records exposed due to loss or theft; in December, incidents involving the loss or theft of devices and physical records impacted 122,921 individuals.

Main Causes of Exposed Healthcare Records in January 2018

  • Hacking/IT Incidents: 394,787 healthcare records exposed in 7 security incidents
  • Loss/theft of physical records and portable devices: 18,519 records exposed in 5 incidents
  • Unauthorized Access/Disclosure: 13,329 healthcare records exposed in 7 incidents

Figure: Main causes of healthcare data breaches in January 2018 (records by breach type)

Location of Data Breaches in January 2018

Overall, more incidents were reported involving electronic copies of health data in January, but covered entities must ensure that appropriate physical security and access controls are in place to prevent unauthorized accessing and theft of paper records. Training must also be provided to staff on disposing of physical records. Two improper disposal incidents were reported in January involving physical records.

Main Locations of Exposed Healthcare Records in January 2018

  • Paper/Films: 13,514 records exposed in 7 incidents: 4 unauthorized access/disclosures, 2 improper disposal incidents, and 1 loss of records
  • Network Servers: 310,593 healthcare records exposed in 4 hacking/IT incidents involving network servers: 1 hack, 2 malware incidents, and 1 incident for which the cause is unknown
  • Laptop computers: 3 incidents involving laptop computers: 2 stolen devices and 1 hacking/IT incident
  • Email: 3 incidents involving unauthorized access/disclosure due to phishing and 2 hacking incidents
  • EMRs: 3 incidents involving EMRs: 2 unauthorized access incidents (physician/nurse) and 1 hacking incident

Figure: January 2018 healthcare data breaches by location of breached PHI

January 2018 Healthcare Data Breaches by Covered Entity

In January, no business associates of HIPAA covered entities reported data breaches, and according to the OCR breach summaries, none of the 21 security breaches had any business associate involvement. Healthcare providers were the worst affected with 19 breaches reported.

Healthcare Records Breached

  • Healthcare providers: 398,009 healthcare records exposed in 19 incidents
  • Health plans: 30,634 healthcare records exposed in 2 incidents

Figure: January 2018 healthcare data breaches by entity type

January Healthcare Data Breaches by State

In January, covered entities based in 15 states reported data breaches that impacted more than 500 individuals.

California was the worst hit state by some distance with 5 covered entities reporting breaches. Tennessee and Wyoming had two breaches apiece, with one incident reported by organizations based in Florida, Illinois, Kentucky, Massachusetts, Maryland, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, and Washington.

Financial Penalties for HIPAA Covered Entities in January

There were no OCR HIPAA fines or settlements announced in January to resolve violations of HIPAA Rules, although the New York Attorney General did settle a case with health insurer Aetna.

Aetna was required to pay the NY AG’s office $1.15 million to resolve violations of HIPAA Rules and state laws. The violations were discovered during an investigation into a serious privacy breach experienced in July 2017. A mailing was sent to approximately 12,000 members in which details of HIV medications were visible through the clear plastic windows of the envelopes, an unauthorized disclosure of PHI. The mailing was sent on behalf of Aetna by a settlement administrator.

Further, it was alleged that Aetna provided PHI to its outside counsel, who in turn provided that information to the settlement administrator – a subcontractor – yet no business associate agreement was in place prior to that disclosure.

Aetna also settled a class action lawsuit in January over the breach. The lawsuit was filed by HIV/AIDS organizations on behalf of the victims of the breach. Aetna settled the lawsuit for $17,161,200.

That is unlikely to be the end of the fines. OCR may decide to take action over the breach and alleged HIPAA violations, and other state attorneys general have opened investigations. Aetna is also embroiled in costly legal action with its settlement administrator.

Data source for breaches: Department of Health and Human Services’ Office for Civil Rights.


Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients

A Coastal Cape Fear Eye Associates ransomware attack has seen the protected health information of 925 patients compromised.

North Carolina’s Coastal Cape Fear Eye Associates, P.A., discovered its systems had been breached on December 5, 2017. Upon discovery of the ransomware attack, Coastal Cape Fear Eye Associates brought in external IT professionals to contain the attack and remove the ransomware. The IT consultants were able to limit the harm caused and the malware was removed, although some files remained locked and inaccessible for some time.

According to a substitute breach notice uploaded to the healthcare provider’s website on February 1, 2018, the delay in issuing notifications to affected patients was because it was not possible to access certain files to determine what information was involved and which patients were affected. Coastal Cape Fear Eye Associates has only recently been able to access all encrypted files.

Under HIPAA Rules, healthcare organizations are required to report ransomware attacks unless the attacked entity establishes there was a low probability of PHI being compromised. Ransomware typically encrypts files indiscriminately, and the attacker does not normally view the file contents; even so, the Department of Health and Human Services’ Office for Civil Rights has released guidance on ransomware attacks indicating that, in most cases, ransomware attacks should be reported and patients notified.

In this case, the investigation into the attack revealed that data access was likely to have occurred, although no evidence was uncovered to suggest any information had been stolen by the attacker.

The files contained a wide range of highly sensitive information including names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, insurance card numbers, driver’s license numbers, emergency contact details, ethnicities, medications, medical histories, diagnosis records, physician notes, billing and payment histories, legal documents, and scanned copies of driver’s licenses, insurance cards and Medicare cards.

Coastal Cape Fear Eye Associates and its IT consultants are continuing to investigate the attack and will be implementing additional security controls to prevent future security breaches of this nature.


Is eFileCabinet HIPAA Compliant?

eFileCabinet is a document management and storage solution for businesses that offers on-site and cloud storage, but is the service suitable for the healthcare industry? Is eFileCabinet HIPAA compliant or will using the platform be considered a violation of HIPAA Rules?

What are Document Management Systems?

Document management systems allow organizations to carefully manage electronic documents and store them securely in one location. With huge volumes of documents being created, such systems take the stress out of document management and can help HIPAA covered entities share documents containing ePHI securely and avoid HIPAA violations.

There are many document management systems on the market, but not all support HIPAA compliance, so what about eFileCabinet? Is eFileCabinet HIPAA compliant?

eFileCabinet Security and Privacy Controls

Security controls include the encryption of data in transit and at rest with 256-bit encryption. Sensitive data can be securely shared with third-parties and remote employees via the company’s SecureDrawer feature. SecureDrawer allows files to be shared without having to send documents beyond the protection of the firewall. The files remain in the eFileCabinet system and are accessed through a secure, encrypted portal.

eFileCabinet allows user and role-based permissions to be set to limit access to sensitive information as well as restrict what users and user groups can do with documents containing ePHI. Controls can be set with varying levels of user authentication, from simple passwords to voice prints and facial recognition. Users are also automatically logged off after a period of inactivity.

Automated file retention satisfies HIPAA integrity control requirements, data backups are performed, and an audit trail is maintained with records kept of user access, what users have done with documents, and whether documents have been copied or downloaded.

Will eFileCabinet Sign a BAA with HIPAA Covered Entities and their Business Associates?

Privacy and security controls are only one part of HIPAA compliance. Even with all appropriate controls in place, a document management system is not a ‘HIPAA compliant’ service unless a business associate agreement (BAA) has been entered into with the service provider. By providing a BAA, the service provider is confirming they have implemented all appropriate controls to ensure data security and are aware of their responsibilities with respect to HIPAA. eFileCabinet is prepared to sign a BAA with HIPAA covered entities and their business associates.

However, it is up to the covered entity to ensure that all controls made available through eFileCabinet to support HIPAA compliance are configured correctly. Fail to set access controls appropriately, for example, and HIPAA Rules would be violated.

Is eFileCabinet HIPAA Compliant?

In our opinion, eFileCabinet has all the necessary security, access, and audit controls to ensure it can be used by healthcare organizations in a manner compliant with HIPAA Rules. eFileCabinet will also sign a business associate agreement with HIPAA covered entities and their business associates.

So, is eFileCabinet HIPAA compliant? Provided a business associate agreement has been entered into prior to the platform being used for storing or sharing ePHI, eFileCabinet can be considered a HIPAA compliant document management system.


$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, and when a business closes those HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading.

FileFax is a Northbrook, IL-based firm that offered medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCR’s investigation into potential HIPAA violations.

An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork.

That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.

OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients as a result of either (a) leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information, or (b) granting permission to an individual to remove the PHI and leaving the unsecured paperwork outside its facility for the woman to collect.

Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.

A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.

The settlement has been agreed with no admission of liability.

HIPAA Retention Requirements and Disposal of PHI

There are no HIPAA retention requirements: covered entities and their business associates are not required to keep medical records after their business has ceased trading. However, that does not mean medical records and PHI can be disposed of immediately. Businesses are bound by state laws, which do require documents to be retained for a set period of time. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact, and in North Carolina hospitals must maintain records for 11 years following the last date of discharge.

During that time, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.

In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method is chosen must render the documents indecipherable and incapable of reconstruction.

This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.

The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.

“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”


Trump Administration Budget Proposal Slashes HHS, ONC, and OCR Funding

On Monday, the Trump Administration released its 2019 fiscal budget which includes major cuts to funding for the Department of Health and Human Services (HHS), Office of the National Coordinator for Health IT (ONC), and the Office for Civil Rights (OCR).

The HHS has had a 21% cut to its budget from 2017 levels which means the Medicare and Medicaid programs will lose billions of dollars in funding. The ONC will lose a third of its funding and will be forced to cut its staff by 22. OCR will have 20% less to fund its extensive activities and will be forced to lose 5 members of staff.

While HHS funding is being cut, additional funding has been made available for the HHS to tackle the opioid crisis and improve services for individuals suffering from severe mental illness. $10 billion has been made available in discretionary funding for tackling the opioid crisis and to help individuals with serious mental illness.

The HHS is required to expand existing activities to combat the opioid crisis and new initiatives should be launched to help individuals addicted to opioids have better access to treatment and support services. The budget requests an additional $5 billion for the HHS to combat the opioid epidemic and prevent abuse, including $1 billion in 2019, with the remainder spread over the next five years.

In the budget, the Trump Administration proposes the HHS secretary should work closely with the Drug Enforcement Agency (DEA) to bar providers from billing Medicare when they have been found to have abusive prescribing patterns. The budget says, “Cutting off Medicare funding for abusive prescription practices not only helps bring premiums down for seniors, it promotes sound public health policy.”

HHS Secretary Alex Azar praised the proposed budget, in spite of the cuts to his department’s funding saying, “The president’s budget makes investments and reforms that are vital to making our health and human services programs work for Americans and to sustaining them for future generations.”

When Azar took up the position, one of his main priorities was to take steps to reduce the high prices of many prescription medications. The budget proposes several new strategies to address the problem, including “addressing perverse payment incentives and exposing drug companies to more aggressive competition.”

Cuts have also been made to funding for graduate medical education spending. The budget consolidates GME spending in Medicare, Medicaid, and the Children’s Hospital GME Payment Program into a new mandatory GME capped grant program, while $451 million currently being spent on other health professions and training programs will be lost, as they “lack evidence that they significantly improve the nation’s health workforce.” Kenneth Raske, president of the New York Hospital Association, says the budget changes would result in a $48 billion reduction in GME funding over the next 10 years, and that would seriously affect the ability of teaching hospitals in New York to train the next generation of world class doctors.

The Centers for Disease Control and Prevention will have its budget cut by approximately $900 million, although two winners in the budget are the Food and Drug Administration (FDA) and National Institutes of Health (NIH), which are slated to receive increases to their operational budgets. NIH has been allocated a $1.4 billion increase in funding, although $750 million of that will come from the $10 billion discretionary funding for the HHS. The FDA will get an additional $190 million in new user fee funding and a further $10 million out of the HHS discretionary budget for the opioid crisis.

The Trump Administration is also committed to repealing and replacing the Affordable Care Act (ACA), including “enactment of legislation modeled closely after the Graham-Cassidy-Heller-Johnson (GCHJ) bill as soon as possible, followed by enactment of additional reforms to help set Government healthcare spending on a sustainable fiscal path that leads to higher value spending.” The proposed budget explains, “The president is committed to rescuing states, consumers, and taxpayers from the failures of Obamacare, and supporting states as they transition to more sustainable healthcare programs that provide appropriate choices for their citizens.”

While the 2019 fiscal budget has been proposed, it must still be passed by Congress and that looks unlikely given last week’s 2-year budget deal.

Image source: Sarah Stierch (CC BY 4.0)


Is Box HIPAA Compliant?

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information, or would doing so be a violation of HIPAA Rules? This post assesses the security controls of the Box cloud storage and content management service and its suitability for use in healthcare.

What is Box?

Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account.

Is Box Covered by the Conduit Exception Rule?

The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim they never access any data uploaded to their cloud service. Therefore, cloud storage services can only be used if a business associate agreement is entered into with the service provider.

Box and the HIPAA Business Associate Agreement

Box is confident it has put appropriate security controls in place to ensure all customers’ data is secured, both in transit to Box and while stored in the cloud. The company was formed in 2004, although it took nine years for the company to make its move into the healthcare sphere. In April 2013, Box started signing business associate agreements with HIPAA covered entities and their business associates. Box only offers a BAA to HIPAA covered entities if they have an enterprise or elite account.

Box for Healthcare Launched

In addition to agreeing to sign a BAA and having its service verified as supporting HIPAA compliance by an independent auditor, the company has now launched its Box for Healthcare service. The Box for Healthcare service has been developed to integrate seamlessly with top healthcare vendors such as IBM, Microsoft, Apple, TigerText, eHealth Technologies, and EDCO Health apps. The service helps healthcare organizations coordinate care, collaborate with research organizations, and share information securely with third parties outside the protection of the firewall.

The service includes all the necessary security controls to comply with the HIPAA Security Rule including data encryption at rest and in transit, audit controls, and configurable administrative controls that allow customers to monitor access, usage and document edits by employees and third parties, and set appropriate access and authentication controls.

Is Box HIPAA Compliant?

Any cloud service can be used in a manner that violates HIPAA Rules, as HIPAA compliance is more about the people that use a product or service rather than the product or service itself. That said, Box has implemented a wide range of safeguards and controls to ensure data privacy and security. So, is Box HIPAA compliant?

Provided a BAA has been obtained before the platform is used to store documents containing PHI, Box can be considered a HIPAA compliant cloud storage provider. However, it is the responsibility of the covered entity to ensure that the service is configured correctly and HIPAA Rules are followed.
