What the US Healthcare IT Industry Can Learn from the EU Digital Services Act

The EU Digital Services Act is due to come into force for most “intermediary” service providers that offer a service to EU citizens from February 17, 2024. The Act will impact a number of US-based healthcare IT companies and may influence future federal and state legislation in the United States.

The Digital Services Act is a new EU law that updates the existing EU Electronic Commerce Directive. Among its objectives, the Act aims to address illegal and misleading online content, better protect Internet users from fraud, and provide more control over what personal data is collected and how it is used. The Act also includes new legal requirements for Very Large Online Platforms (VLOPs – e.g., Amazon and eBay) and Very Large Online Search Engines (VLOSEs – e.g., Bing and Google).

The Act applies to all conduit, caching, and hosting services accessible by EU citizens regardless of where the service provider is based (similar to the General Data Protection Regulation). Therefore, US-based social media companies, e-commerce platforms, collaboration tools, content sharing platforms, messaging apps, and advertising networks (among others) will have to comply with the EU Digital Services Act if they provide a service to or for EU citizens.

The Issue of Provider Liability

Chapter 2 of the EU Digital Services Act is similar to §230 of the Communications Decency Act inasmuch as it provides immunity for online service providers with respect to third-party content generated by their users. However, unlike §230, if a service provider becomes aware of illegal activity or illegal content (Article 6) or is ordered to act against such activity or content (Article 9) and fails to remove or disable access to the activity or content, it is in violation of the Act.

With regards to the scope of provider liability, there is a question about whether a website that hosts chatrooms and forums, or allows users to add public comments, is covered by the Act. Strictly speaking, such a website fulfils the definition of an online platform because users can interact with it. However, in the definitions section of the Act (Article 3), an online platform is defined as:

“a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation”.

Because it is unclear how EU regulators will interpret “minor” and “ancillary”, it is advisable for US-based websites that support user interaction to comply with Chapter 2 of the Act and Article 18 of Chapter 3 – which requires providers that suspect criminal activity to report their suspicions to EU law enforcement authorities. It may also be necessary to comply with Chapter 3, Article 23, which requires providers to suspend users who frequently post illegal or misleading information.

Other Relevant Articles in the EU Digital Services Act

The EU Digital Services Act has a scale of compliance obligations depending on the nature of each organization’s qualifying activities. VLOPs and VLOSEs have to comply with all applicable Articles, while organizations that only provide (for example) an online platform do not have to comply with the risk management, audit, and data access requirements. In the context of what the US healthcare IT industry can learn from the EU Digital Services Act, the following Articles are the most relevant:

Point of Contact

Similar to the requirements of HIPAA and the FTC Act, healthcare IT companies in the US that provide any form of intermediary service for EU citizens must appoint a “point of contact” similar to a Data Protection Officer under the General Data Protection Regulation. This is a requirement of the EU Digital Services Act even if the company does not qualify as a covered entity under GDPR because it does not collect, process, or store personal information relating to an EU citizen.

The “point of contact” must be contactable in a user-friendly manner (Article 12), and the information needed to reach the appointed individual must be made publicly available (i.e., the point of contact cannot be an automated service) so that both users of the service and regulatory authorities can contact them. Additionally, the point of contact must be located in the EU; so, if a company does not have a physical presence in the EU, it must appoint a “legal representative” (Article 13).

Transparency Reporting Obligations

The transparency reporting obligations of the EU Digital Services Act cover everything from how the service has moderated content and what algorithms have been used to moderate content, to what complaints have been received and what content has been removed from the service as a result. Providers of intermediary services that do not qualify as a small or micro enterprise will be required to produce a report at least annually (Article 15).

Complaint and Redress Mechanisms

Each organization is required to develop and publicize complaint and redress mechanisms (Article 17). These not only apply to handling complaints from users about illegal and misleading content but also complaints from users who have had content removed by a provider. Member states have the authority to produce their own guidelines on how to deal with malicious, unfounded, or repeated complaints, and this will likely involve the documentation of such (unactioned) complaints.

Restrictions on Deceptive Designs

Article 25 of the EU Digital Services Act prohibits the design or operation of online interfaces that deceive users or manipulate them into making a decision. Examples of such practices include giving more prominence to one option over another and repeatedly requesting that a user make a decision via a pop-up that interferes with the user experience. Additionally, the procedure for terminating a service or subscription must be just as easy as signing up for the service or subscription.

Profiling and Targeted Advertising

Several Articles have restrictions or requirements for advertising. Article 26 includes rules for ensuring users are aware an advertisement is an advertisement (or a commercial communication of any sort) and prohibits user profiling and targeted advertising using certain categories of personal data. Article 28 further extends the prohibition of profiling and targeted advertising to all websites and online platforms that are accessible to minors.

The Traceability of Traders

To mitigate the risk of EU citizens being scammed by anonymous vendors, any website or online platform that offers goods or services supplied by a third-party trader must obtain the trader’s name, physical address, phone number, email address, and a copy of their registration documents before advertising their goods or services (Article 30). Additionally, third-party traders will only be allowed to advertise goods or services that comply with EU laws.

How Might the EU DSA Impact the US Healthcare IT Industry

The EU DSA is designed to modernize the digital space, create a safer online environment, and rein in the influence of large search engines, e-commerce websites, and social media platforms. The fundamental principles of accountability, transparency, and user protection will impact the US healthcare IT industry inasmuch as US healthcare IT companies provide services to European healthcare systems in the following areas:

  • Electronic Health Records Systems
  • Telehealth Solutions
  • Data Analytics
  • Interoperability Solutions
  • Medical Imaging Software
  • Cybersecurity Services
  • Cloud-Based Services
  • Billing and Revenue Cycle Management
  • Population Health Management

While many of these services may not be subject to the EU DSA because the service provider is not an “intermediary” between the healthcare system and the end user, any other services that qualify as “covered services” will have to comply with the regulations for data transparency and governance, algorithmic accountability, and vendor traceability. Additionally, companies will have to implement mechanisms for complaint handling and redress where required.

The penalties for violations of the EU DSA will be “proportionate to the nature and gravity of the infringement, yet dissuasive to ensure compliance”. Initially, the Digital Services Coordinator is likely to pursue a path similar to how the HHS Office for Civil Rights approaches HIPAA violations – technical assistance and corrective action plans. However, the Coordinator has the authority to fine companies up to 6% of their global turnover and suspend the service until it is compliant.

What the US Healthcare IT Industry Can Learn from EU DSA

EU data privacy legislation is often an influencing factor on federal and state legislation in the United States. California’s Consumer Privacy Act was the first of many state laws modeled on the EU’s General Data Protection Regulation, and the proposed American Data Protection and Privacy Act (ADPPA) further extends individuals’ rights and the data governance requirements of most state laws, plus provides for a conditional private right of action.

Some states have also borrowed from the EU Digital Services Act before the EU law becomes effective. The Indiana Data Privacy Law and the Montana Consumer Data Privacy Act (both passed this year) require covered organizations to conduct data impact assessments before using data for profiling or targeted advertising, while New York’s proposed Privacy Law gives Internet users the right to opt out of both profiling (for any reason) and targeted advertising.

Other Articles in the EU DSA have made appearances in federal legislation. The INFORM Consumers Act requires online marketplaces to collect, verify, and disclose (when required) the identities of certain vendors similar to the EU DSA’s Traceability of Traders Article, while the proposed American Innovation and Choice Online Act places similar restrictions on VLOPs and VLOSEs with regards to the order in which products or search results are displayed to users.

Possibly the most important thing the US healthcare IT industry can learn from EU DSA is the likelihood of §230 of the Communications Decency Act being amended or repealed and interactive online platforms becoming liable for user content posted on them. In 2020, the Department of Justice made four recommendations to Congress ranging from carving out exemptions for specific content to removing all protections for lawsuits brought by the federal government.

Although Congress has not yet acted on the recommendations, numerous legislative proposals (for example, the “Social Media NUDGE Act”) may make it necessary for healthcare IT companies to build content monitoring into interactive apps and – if necessary – develop complaint and redress mechanisms to explain removal decisions and resolve disputes. Due to the volume of legislation that proposes amendments to §230, this is likely to become a requirement sooner rather than later.

Why it is Important to Consider Future Changes Now

There is a great deal of legislative and regulatory activity in the healthcare sector at the moment. In addition to the proposed changes to HIPAA and the cyber incident reporting requirements of the 2022 Critical Infrastructure Act, healthcare IT companies may have to redesign apps and services to comply with the EU Digital Services Act as well as new domestic laws determining how personal health data is collected, retained, and used (e.g., the “My Body, My Data Act”).

Because of the number of laws and regulations that may soon require priority attention, it is recommended compliance teams and engineering teams communicate about what changes may be required to existing apps and services, and how they can be planned for now in order to avoid future penalties for non-compliance. Any companies unsure of their compliance obligations under the EU Digital Services Act – or any domestic legislation – should seek professional compliance advice.

The post What the US Healthcare IT Industry Can Learn from the EU Digital Services Act appeared first on HIPAA Journal.

A Deeper Look at Data about Hackers and Medical Records

HIPAAJournal.com provides a great deal of data about hackers and medical records, but sometimes it is only possible to scratch the surface of healthcare data breach statistics. This article takes a deeper look at the available information to identify common causes of hacking/IT incidents.

Like most sources, HIPAAJournal.com compiles healthcare data breach statistics from the information available on HHS Office for Civil Rights’ Breach Report. While a valuable source of information to identify trends in data breaches, the Breach Report is limited in its scope because it only lists data breaches affecting five hundred or more individuals.

Additionally, when covered entities and business associates use the Breach Portal to submit a breach notification, they can only select one “Type” of breach (i.e., Hacking/IT Incident, Improper Disposal, Loss, Theft, or Unauthorized Access/Disclosure). Occasionally, the “Types” do not accurately reflect the cause of the breach and the closest option is selected.

Consequently, statistics produced from the Breach Report tell most of the story, but not all of it. In some cases, this can lead to misinterpretations of the data, which – in turn – can lead to security teams allocating resources to the “wrong” security measure. This article aims to help security teams make the best possible use of their resources.

Why Focus on Hackers and Medical Records?

The reason for focusing on hackers and medical records is that, on the surface, the number of reported Hacking/IT Incidents affecting more than five hundred individuals has increased significantly over the past decade. This has led to some startling headlines on Health IT websites, which could influence how security resources are allocated.

[Figure 1: A Deeper Look at Data about Hackers and Medical Records]

There are several reasons for the increased number of reported Hacking/IT Incidents other than an actual increase in Hacking/IT Incidents. These include that security teams and technologies have gotten better at detecting hacking incidents, and that ransomware attacks are included in the statistics even if no data breach has occurred (this is discussed in greater detail later).

However, one of the most likely reasons for the large increase in the number of reported Hacking/IT Incidents affecting more than five hundred individuals is that databases have grown in size as healthcare providers adopt the cloud and combine PHI from individual on-premises databases to a centralized database in the cloud. The next section further supports this theory.

How the Smaller Data Breaches Stack Up

Although HHS does not publish an online database of reported data breaches affecting fewer than five hundred individuals, the breaches are summarized in HHS’ Annual Reports to Congress. At present, the Annual Reports for 2018 to 2021 are available online, and it is from these reports that we have extracted the reported Hacking/IT Incidents affecting fewer than five hundred individuals.

While it is important not to take this small sample of data out of context, and notwithstanding that 2018 may have been an exceptional year for reported Hacking/IT Incidents affecting fewer than five hundred individuals (*), it is worth noting that there were more Hacking/IT Incidents reported in total in 2018 than in 2021, and also more in total in 2019 than there were in 2020.

(*) Unfortunately, the Annual Reports prior to 2018 are no longer accessible via the HHS website; and, as the 2021 Annual Report to Congress was only delivered in February 2023, it will be some time before it is possible to tell whether the total number of reported Hacking/IT Incidents increases, falls, or remains consistent with those reported between 2018 and 2021.

Hackers and Medical Records Held to Ransom

In the context of taking a deeper look at data about hackers and medical records, it is important not to ignore how medical records held to ransom are accounted for in HHS’ Breach Report. Generally, ransomware attacks are considered to be disclosures not permitted by the Privacy Rule due to “unauthorized individuals taking possession or control of the information”.

Whether or not a ransomware attack is a notifiable event is a “fact-specific determination” according to HHS’ Ransomware Fact Sheet. However, unless a covered entity or business associate can demonstrate a low probability that PHI has been acquired or viewed in accordance with 45 CFR §164.402(2) (which is hard to prove in most ransomware attacks), the event is notifiable.

When reporting a ransomware attack, the Help section of the Breach Portal states, “Only select Hacking/IT Incident if ePHI was impermissibly accessed through a technical intrusion.” Nonetheless, even though there may be no evidence to suggest PHI has been acquired or viewed – but the possibility cannot be ruled out – ransomware attacks are most often entered as Hacking/IT Incidents.

How Many Hacking Events are Attributable to Ransomware Attacks?

When reviewing the Breach Report, visitors have two options – view the cases currently under investigation or view an archive of closed cases. The archive provides a description of what happened for most of the closed cases, and by analyzing the descriptions, it is possible to establish how many events reported as Hacking/IT Incidents are attributable to ransomware attacks.

To get an idea of how many reported hacking events are attributable to ransomware attacks, the last two hundred closed cases in which the event “Type” was entered as a Hacking/IT Incident were analyzed. This is the result of the analysis:

  • 37.5% of Hacking/IT Incidents were attributable to unspecified cyberattacks
  • 33.5% of Hacking/IT Incidents were attributable to ransomware attacks
  • 29% of Hacking/IT Incidents were attributable to phishing emails

Unfortunately, the analysis is inconclusive because, while conducting the analysis, multiple mis-categorizations were identified – for example, ransomware attacks categorized as “Theft” and phishing emails categorized as “Unauthorized Disclosures”. Additionally, it is well chronicled that 91% of cyberattacks (including ransomware attacks) start with a phishing email.
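As an added example (not code from the article, HHS, or the Breach Portal), the following Python script sketches the kind of description analysis described above: it classifies breach descriptions into phishing, ransomware, or unspecified cyberattack, computes the share of each among records entered as Hacking/IT Incidents, and flags records whose description points to a technical intrusion but whose “Type” is something else. The record layout, keyword rules, and sample records are constructed assumptions.

```python
"""Classify breach-report descriptions by cause and flag "Type" mismatches.

Added example; not from HIPAA Journal or HHS. The record layout, keyword
rules and the sample descriptions below are constructed for illustration.
"""
import re
from collections import Counter

# Keyword rules, checked in order. A description mentioning both phishing
# and ransomware is counted as phishing, since the phishing email was the
# initial access vector (the article notes most cyberattacks start there).
CAUSE_RULES = [
    ("phishing", re.compile(r"\bphish", re.I)),
    ("ransomware", re.compile(r"\bransom", re.I)),
]

# "Type" values a reporting entity can choose on the Breach Portal.
PORTAL_TYPES = {
    "Hacking/IT Incident", "Improper Disposal", "Loss", "Theft",
    "Unauthorized Access/Disclosure",
}

# Causes that the portal Help text quoted in the article places under
# Hacking/IT Incident (a technical intrusion) rather than another Type.
TECHNICAL_CAUSES = {"phishing", "ransomware"}


def classify_cause(description: str) -> str:
    """Return 'phishing', 'ransomware' or 'unspecified' for a description."""
    for cause, pattern in CAUSE_RULES:
        if pattern.search(description):
            return cause
    return "unspecified"


def analyze(records):
    """Summarise Hacking/IT Incident causes and find suspect Type values.

    records: iterable of dicts with keys 'type' and 'description'.
    Returns (percentages, mismatches): percentages maps cause -> share of
    Hacking/IT Incident records (0-100, one decimal); mismatches lists the
    records whose description shows a technical cause but whose Type is
    not Hacking/IT Incident (a possible mis-categorization).
    """
    counts = Counter()
    mismatches = []
    for rec in records:
        if rec["type"] not in PORTAL_TYPES:
            raise ValueError(f"unknown Type: {rec['type']!r}")
        cause = classify_cause(rec["description"])
        if rec["type"] == "Hacking/IT Incident":
            counts[cause] += 1
        elif cause in TECHNICAL_CAUSES:
            mismatches.append({**rec, "cause": cause})
    total = sum(counts.values())
    percentages = {
        cause: round(100 * counts[cause] / total, 1) if total else 0.0
        for cause in ("unspecified", "ransomware", "phishing")
    }
    return percentages, mismatches


# Constructed sample records (not real breach cases).
SAMPLE_RECORDS = [
    {"type": "Hacking/IT Incident",
     "description": "An employee email account was compromised after a phishing email."},
    {"type": "Hacking/IT Incident",
     "description": "Ransomware encrypted servers containing ePHI; no exfiltration confirmed."},
    {"type": "Hacking/IT Incident",
     "description": "An unauthorized party accessed the network; investigation ongoing."},
    {"type": "Hacking/IT Incident",
     "description": "Cyberattack on a vendor's systems affected patient data."},
    {"type": "Theft",
     "description": "Ransomware group stole and published files from a file server."},
    {"type": "Unauthorized Access/Disclosure",
     "description": "Staff responded to a phishing email and disclosed credentials."},
]

if __name__ == "__main__":
    shares, flagged = analyze(SAMPLE_RECORDS)
    for cause, pct in shares.items():
        print(f"{pct:5.1f}% of Hacking/IT Incidents attributable to {cause}")
    for rec in flagged:
        print(f"possible mis-categorization: Type={rec['type']!r} "
              f"but description indicates {rec['cause']}")
```

On real archive exports the keyword rules would need tuning, and the mismatch list is a review queue for a human, not a verdict.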

Common Causes of Data Breaches in Healthcare

By further analyzing the archive database, it is possible to identify common causes of data breaches in healthcare that can help security teams better allocate resources. Based on that analysis, it may not only be necessary to improve users’ resiliency to phishing emails, but also to better secure connected EMRs and implement measures to prevent the misconfiguration of cloud servers.

Returning specifically to hackers and medical records, it will soon be necessary for healthcare security teams to comply with CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act). The reporting requirements of CIRCIA mean that attempts to hack a database containing PHI will have to be reported to CISA regardless of whether the attempts are successful or not.

While the increased reporting requirements and the detail required will undoubtedly be burdensome, they should result in more accurate and complete data about hackers and medical record thefts – helping security teams better identify gaps in their security defenses and better allocate resources to address threats and vulnerabilities.

The post A Deeper Look at Data about Hackers and Medical Records appeared first on HIPAA Journal.

Views on FTC’s Proposed Health Breach Notification Rule Update

In May 2023, the Federal Trade Commission (FTC) proposed changes to the Health Breach Notification Rule following a 10-year review of the rule. The proposed changes are intended to modernize the rule and make it fit for purpose in the digital age. A lot has changed since the Health Breach Notification Rule was introduced. Huge amounts of health data are now collected and shared by direct-to-consumer technologies such as health apps and wearable devices. These apps and devices can collect highly sensitive health data, yet the information collected is generally not protected by the HIPAA Rules.

The proposed update to the Health Breach Notification Rule includes changes to definitions to make it clear that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA are required to issue notifications after an impermissible disclosure of their health data. The definition of a ‘breach of security’ has been changed to make it clear that a breach includes the unauthorized acquisition of identifiable health information, either by a security breach or an unauthorized disclosure. Changes have also been made to standardize consumer notifications and ensure sufficient information is provided to consumers to allow them to assess risk and require consumers to be advised about the potential for harm from a data breach.

Timely notifications must be issued to the FTC, the affected individuals, and in some cases, the media. Third-party service providers to vendors of PHRs and PHR-related entities must also issue notifications to the vendor in the event of a data breach. The deadline for providing notifications is 60 calendar days following the discovery of a data breach, although, like the HIPAA Breach Notification Rule, notifications should be issued without undue delay.

While the FTC’s Health Breach Notification Rule has been in effect for more than a decade, the FTC has only recently started enforcing the rule. The first enforcement action came in February this year against the digital health company GoodRx Holdings, Inc, which was found to have disclosed users’ health data to third-party advertising platforms such as Facebook (Meta) and Google. The FTC also took action against Easy Healthcare Corporation, which provides an ovulation and period tracking mobile application (Premom). In the case of Premom, health data was transferred to third parties such as Google and AppsFlyer. GoodRx agreed to settle the case and pay a $1.5 million civil monetary penalty, and Easy Healthcare paid a $100,000 civil penalty.

Feedback on the Proposed Rule

The FTC provided 60 days from the date of publication in the Federal Register for the public to submit comments on the proposed changes to the Health Breach Notification Rule and the final date for submitting comments was August 8, 2023. 117 individuals and organizations submitted comments on the proposed changes, with the FTC broadly praised for updating the rule. Some of the key points from the submitted comments are detailed below.

User Consent and Transparency

Mozilla, the developer of the Firefox Internet browser, broadly supports the proposed changes. Mozilla expressed concern about the extent to which users are tracked online and how personally identifiable health information is already being transferred to third parties, often without the users’ knowledge or consent. Mozilla’s “Privacy Not Included” research team recently reviewed the practices of popular mental health and reproductive apps and found many indiscriminately collect and share intimate information for advertising purposes yet provide limited opportunities for consumers to object to those uses. The researchers found apps frequently made deceptive claims about data sharing, combined app user data with data collected from other sources such as social media profiles and data brokers, and oftentimes, the sensitive data collected by these apps was not appropriately secured.

Mozilla points out that its survey data revealed 55% of users said they did not understand when they had given their consent for apps to share their data, indicating either deceptive practices when obtaining consent or app developers are using unclear language when obtaining consent. Mozilla called for the FTC to clearly define authorization in the rule and to include the language that the FTC considered but did not include in the proposed rule and calls for the FTC to require user consent to be obtained before any personal information is collected.

Mozilla also suggested the FTC require companies to abide by browser-based opt-out signals, such as the Global Privacy Control (GPC), when determining whether they have authorization to share data under the rule, as individuals are likely to want to make a simple and clear decision about the sharing of their health data. Mozilla, like several other commenters, suggested the need for a definition of acquisition. Mozilla believes acquisition should cover any use or access by a third party of information derived from the health data, not just wholesale transfer, aligning the definition with the California Privacy Rights Act. This appears to be something of a contentious point, and is not supported by the Consumer Technology Association, for example (see below).

Unintended Consequences of Electronic Breach Notifications

The Identity Theft Resource Center (ITRC), a national nonprofit organization established to minimize identity risk and mitigate the impact of identity compromise and crime, broadly praised the FTC’s efforts to update the rule but warned that allowing increased use of electronic notifications about data breaches could have a negative effect due to the potential for significant data breaches to escape public scrutiny. The ITRC suggested a change in the language of the rule to make it clear that organizations subject to the rule must comply with applicable state laws that require broader public notice.

As can be seen in data breach reporting by ITRC and The HIPAA Journal, consumers are often not provided with much information about the nature and root cause of a breach, such as whether data was obtained by a ransomware group and posted on a dark net data leak site. Consumers are often told only that an unauthorized third party may have viewed or obtained a user’s data, even when data theft and dark web publication have been confirmed. ITRC noticed this growing trend starting in late 2021, and the data breach notifications required under HIPAA increasingly provide consumers with little or no actionable information. The FTC was praised for expanding the content requirements for notifications, which require consumers to be advised, in plain language, about the potential harms from a data breach.

Clearer Requirements for Sexual and Reproductive Health Information

The Planned Parenthood Federation of America is a trusted voice for sexual and reproductive health and a leading advocate for policies advancing access to sexual and reproductive health care. Planned Parenthood is a strong believer that data related to accessing health care should not be used by government entities or others hostile to sexual and reproductive health care. Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, this has become an even more pressing concern as there are genuine fears that health data will be sought to punish individuals for seeking or obtaining reproductive health care.

Planned Parenthood expressed concern that consumers may avoid using health apps out of fear that their privacy may be at risk, given the criminalization of abortion, gender-affirming care, and contraception in some states. This could create a culture of fear around using health applications when technology should be able to be used safely without fear that sensitive data is being moved or sold without knowledge or consent.

The efforts of the FTC to improve health information privacy were praised by Planned Parenthood, which made several recommendations to further improve privacy, specifically the privacy of reproductive health information. In addition to the FTC’s definitions for ‘healthcare provider’ and ‘health care services or supplies’ in the proposed rule, Planned Parenthood recommends the FTC include explicit language that protects people’s sexual and reproductive health care data.

Planned Parenthood suggests the FTC’s definition of ‘PHR identifiable information’ should include a more explicit reference to sexual and reproductive health due to the sensitivity of that information, such as “…relates to the past, present, or future physical, sexual, reproductive, or mental health or condition of an individual,” and also include broad definitions for “sexual” and “reproductive” health. By including these definitions, the FTC Health Breach Notification Rule would be consistent with OCR’s proposed changes to the HIPAA Privacy Rule for improving reproductive health information privacy relating to data collected by HIPAA-regulated entities.

Ensure Data Brokers are Covered by the Rule

The U.S. Public Interest Research Group, a public interest research and advocacy organization, has included a 9,659-signature petition from its members and the general public calling for stronger rules to protect digital health information.

U.S. PIRG broadly supports the proposed changes and believes it is appropriate for the rule to apply to the type of information that entities may process, regardless of whether they brand themselves as health-related companies or not. U.S. PIRG has called for the FTC to ensure that data brokers are included in the rule, as they can pull in large amounts of data about consumers and can aggregate health signals. The data broker and AdTech firm Tremor was offered as an example. Tremor offers over 400 standard health segments that may be used by its clients to deliver targeted advertising. U.S. PIRG also believes the definition of ‘breach of security’ should include an entity that collects more information than necessary to serve the purpose for which it was collected.

Personal Health Record Should Align with Protected Health Information Definition

The Healthcare Information and Management Systems Society (HIMSS) praised the FTC for the update and clarification on how the rule applies to today’s technologies, but points out that privacy and security are not only about avoiding breaches but also about ensuring information is private and secure in the first place. HIMSS encourages the FTC to explore and encourage proactive, rather than reactive, privacy and security practices in future rulemaking cycles.

HIMSS recommends the FTC align the proposed definition of PHR with the definition of protected health information in HIPAA. This would help to ensure that all health data is covered by the rule, regardless of how that information is transmitted. To make it easier for breaches to be reported without unnecessary delay, HIMSS suggests the FTC create an easily accessible, user-friendly, interactive form on its website for directly reporting breaches and other suspected violations of the Rule to the FTC.

Expansion of PHR and Breach of Security Definitions

The American Medical Informatics Association (AMIA) recommends the explicit inclusion of usernames/passwords maintained by non-HIPAA-regulated entities as being PHR identifiable health information, and for a breach of security to be presumed when a PHR or PHR-related entity failed to adequately disclose to individuals how their data will be accessed, processed, used, reused, or disclosed. AMIA also points out that for the rule to act as a deterrent to poor data management, it must be rigorously enforced, and enforcement must be sufficiently stringent and appropriate to compel the secure and responsible management of health data.

Abandon Health Care Provider Definition

While the FTC has been broadly praised for the proposed update, the FTC has been warned about some of the unintended consequences of some of the proposed changes. Multiple commenters, including the American Medical Association (AMA), take issue with the definition of ‘health care provider’ in the rule. The rule does not apply to HIPAA-covered entities, and to include a definition of ‘health care provider’ could easily result in confusion, since a health care provider is widely regarded by the public as an entity that provides medical care or health care. This issue was also raised by the Texas Medical Association (TMA) in its comments.

“The AMA strongly urges the Commission to abandon this highly ambiguous and potentially harmful definition. To lump together apps such as FitBit and Flo, in the same regulatory definition as physicians, is a disservice to consumers of public health and the industry as a whole.” The AMA suggests creating a more appropriate definition for apps, tracking devices, and other covered technologies, removing ‘health care provider’ and instead using a more appropriate descriptive term such as “health apps and diagnostic tool services.” Both the AMA and TMA also recommend removing ‘health care provider’ from the PHR identifiable health information definition, and instead using the term HIPAA-covered entity.

The AMA also makes a good point about the definition of a PHR which includes the phrase, “has the technical capacity to draw information from multiple sources.” The AMA suggests the definition be broadened to also include “when an app only draws health information from one place but extracts non-health information drawn from other sources, as well as when a PHR only draws identifiable health information from one place with non-identifiable health information coming from others.”

Such a change would give individuals more confidence in using PHRs and health apps without having to worry about making a change in the settings that could cause the app to no longer qualify as a PHR, which would remove protections under the rule.

The option of electronic notifications was praised as the aim should be to ensure notification as fast as possible. The AMA suggests that PHR users should be required to choose two methods of notification, in addition to postal notices, that best suit their lifestyle, as that will ensure notifications reach them quickly.

Proposed Rule Goes Too Far

The Consumer Technology Association (CTA) believes the proposed rule should be narrowed considerably and suggests the scope of the parties subject to the rule is not consistent with the HITECH Act. The CTA recommends that covered entities should be limited and should not include “merchants that may sell a variety of products that include health-related products, focusing on apps that actually gather health-related information from multiple sources, and excluding service providers such as cloud computing providers, analytics providers, and advertising providers, particularly when they do not target or are unaware of receiving covered health data.”

The CTA also recommends narrowing the scope of a ‘breach of security’ to the acquisition of covered health data, and not including inadvertent or good faith unauthorized access or disclosure when no data was actually obtained by a third party. The CTA also takes issue with the timescales and content of notifications. Rather than a notification period of 60 days from the date of discovery of a breach, the CTA recommends requiring a company to report the breach and issue notifications when it has been reasonably determined that a breach of security has occurred. This will help companies devote all their resources to investigating breaches and would harmonize the rule with state breach reporting laws.

The CTA also recommends simplifying consumer notice content and focusing on providing consumers with actionable information. Companies should not be required to speculate about the harms that could potentially result from a breach, nor should they be required to provide a list of entities that obtained health data. “Requiring an explanation of potential, speculative harm will create consumer confusion, further misinformation, and encourage unnecessary litigation,” wrote the CTA. Having to list companies that obtained a consumer’s PHR identifiable health information may interfere with investigatory efforts, including law enforcement inquiries or other internal investigations, and could also invite litigation against those entities. Since not all of the proposed content for notifications is actionable, including ‘speculative’ information may only serve to alarm and confuse consumers.

Viewpoints from The HIPAA Journal

The HIPAA Journal supports the FTC’s efforts to update the Health Breach Notification Rule to plug notification gaps and ensure that consumers are provided with timely notifications whenever their health data has been impermissibly disclosed. As various studies have demonstrated, companies not covered by HIPAA have not been adequately protecting health data and have been disclosing health information without the knowledge of the subjects of that data.

Once established, the updated rule – and the FTC Act – should be rigorously enforced to ensure they serve as a deterrent against the improper sharing of sensitive health data, whether deliberate or accidental. The FTC should also work closely with OCR to ensure that there are no regulatory gaps and that all health data is protected, no matter who collects the information. In the event of an impermissible disclosure of health information of any kind, consumers need to be informed as quickly as possible.

There has been a growing trend in breach notifications from HIPAA-regulated entities where the date of discovery of a breach is taken as the date when the forensic investigation confirms that protected health information has been breached, which may be several months after the date on which the security breach was actually discovered. The reporting deadline should align with the HIPAA Breach Notification Rule, and allowing electronic notifications should speed up the notification process and help to ensure that timely notifications are issued. The FTC should ensure that the reporting deadline is enforced. The HIPAA Journal shares the view of the ITRC regarding the potential for serious data breaches to escape public scrutiny when notifications are issued electronically. Maintaining a public record of data breaches, as the Office for Civil Rights does for data breaches at HIPAA-regulated entities, would solve this problem. The proposed rule rightly includes content requirements for notifications.

It is important to provide consumers with actionable information about a data breach and to clearly explain how risk can be reduced. In order for consumers to be able to make accurate decisions about the actions they should take in response to a breach, they should be advised about the potential harms. If companies are concerned about the potential for litigation from explaining the harms that can be caused by a data breach, they may be more inclined to implement appropriate data security measures to prevent data breaches from occurring in the first place.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Views on FTC’s Proposed Health Breach Notification Rule Update appeared first on HIPAA Journal.

What Are HIPAA Laws?

The main objective of HIPAA law is to protect the privacy of an individual’s health information while at the same time permitting needed information to be disclosed for patient care and other purposes such as billing. This balance helps protect the rights of patients while ensuring smooth operation of the healthcare system.

HIPAA compliance laws set the standards for protecting sensitive patient data that healthcare providers, insurance companies, and other covered entities must adhere to. You can use our HIPAA Law Compliance Checklist to check your compliance requirements and avoid HIPAA violations.

What follows is an overview of the main components of HIPAA Law:

The HIPAA Law Privacy Rule

A key component of HIPAA compliance law is the Privacy Rule, which sets out national standards for when protected health information (PHI) may be used and disclosed.

PHI refers to any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This interpretation of PHI is broad and encompasses any part of a patient’s medical record or payment history.

Under the Privacy Rule, healthcare providers must implement necessary safeguards to protect the privacy of PHI. These safeguards are both physical (like locking filing cabinets) and technical (like password-protected electronic health records). Patients also have the right under the Privacy Rule to access, inspect, and obtain a copy of their PHI.

The HIPAA Law Security Rule

Another component of HIPAA compliance is the Security Rule. This rule applies specifically to electronic protected health information (ePHI), and covers the three types of security safeguards required: administrative, physical, and technical. These safeguards help to ensure that electronic patient data is secure from unauthorized access, loss, or damage.

Administrative safeguards focus on creating policies and procedures designed to clearly show how a Covered Entity must comply with HIPAA. Physical safeguards involve securing the physical facilities and equipment where data is stored and accessed. Technical safeguards refer to the technology and policy and procedures for its use that protect ePHI and control access to it.

HIPAA Privacy Officers

Under the HIPAA compliance laws, organizations are obligated to designate a privacy officer responsible for implementing and maintaining the policies. PHI access should be strictly limited on a “need-to-know” basis, thereby ensuring that only those who need this information to perform their job responsibilities can access it.

Who Is Subject To HIPAA?

The standards for the electronic transactions which qualify an organization as a HIPAA Covered Entity appear in 45 CFR Part 162, and the definition of a Covered Entity itself is in 45 CFR §160.103. Generally, an organization is a HIPAA Covered Entity when it is:

  • A healthcare provider that conducts electronic transactions.
  • A health plan
  • A healthcare clearinghouse

There are edge cases in which an organization that does not itself qualify as a Covered Entity is nevertheless involved in covered transactions, for example when it acts as an intermediary between an employee, a healthcare provider, and a health plan.

Additionally, an employer that self-administers a group health plan with fewer than fifty participants is not considered to be a Covered Entity in respect of that plan.

HIPAA Law For Business Associates

A vital aspect of compliance is the execution of Business Associate Agreements (BAAs) with any third-party vendors accessing PHI. These agreements set the standard for PHI use and disclosure by business associates, placing limits and conditions on their actions involving PHI.

Does HIPAA Apply To Employment Records?

One potentially confusing area of the Administrative Simplification Regulations relates to employment records, HIPAA law, and employers. This is because the definition of individually identifiable health information in §160.103 includes “information collected from an individual or created or received by a health care provider, health plan, employer, or health care clearinghouse.”

However, the definition of Protected Health Information (also in §160.103) excludes “employment records held by a Covered Entity in its role as an employer.” This exclusion applies to individually identifiable health information an employer might receive and maintain in an employment record to explain – for example – the reason for a leave of absence due to sickness or an injury.

HIPAA Law Enforcement and Penalties

Enforcement of HIPAA regulations is managed by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). If an entity is found to be non-compliant with HIPAA, they can face hefty fines and penalties. Fines are tiered based on the entity’s knowledge and handling of the breach.

The HIPAA Safe Harbor Law, signed in January 2021, requires HHS to take into account whether an entity had recognized security practices in place for the previous twelve months when determining HIPAA violation penalties. Separately, the penalty tiers depend on culpability: if an entity did not know and, by exercising reasonable diligence, would not have known of a violation, the penalty falls in the lowest tier. If a violation is due to willful neglect and is not corrected, the penalty falls in the highest tier and can be very significant.

Summary: HIPAA Compliance Laws

HIPAA compliance laws are an essential aspect of healthcare, ensuring the protection and secure handling of sensitive patient health information. By establishing a framework of compliance through its Privacy and Security Rules, HIPAA has become a linchpin of patient rights and privacy within the healthcare sector.

For healthcare professionals, understanding and adhering to HIPAA regulations is not just a legal obligation but also a commitment to maintaining the trust and confidence of the patients they serve. Adherence to HIPAA compliance laws forms a crucial part of any covered entity’s operational framework.

The post What Are HIPAA Laws? appeared first on HIPAA Journal.

Editorial: The Importance of Identity and Access Management (IAM) in Healthcare

Identity and access management in healthcare is a best practice with two halves. First, employees, vendors, contractors, and subcontractors are provided with appropriate access to the technology resources and data they need to perform their required duties. Second, policies, procedures, and technology are in place to prevent unauthorized individuals from accessing resources and sensitive data.

Identity and access management consists of administrative, technical, and physical safeguards to keep resources and data locked down, with access to resources and data granted based on job role, authority, and responsibility. Identity and access management, in short, is about providing the right people with access to the right resources and data, at the right time, for the right reasons, while preventing unauthorized access at all times.

For a business with a small staff and few third-party vendors, identity and access management is straightforward. With few individuals requiring access to systems and data, ensuring everyone has access to the systems and data they need and nothing more is a relatively simple process. In healthcare, identity and access management is much more complicated. Access must be granted to a wide range of devices, including desktops, laptops, smartphones, routers, controllers, and a wide range of medical devices. Healthcare organizations typically use a wide variety of vendors, all of whom require access to systems and data, and there is often a high staff turnover, making it difficult to onboard and offboard in a timely manner.

To add to the problem, hackers are actively targeting healthcare organizations due to the value of the data they hold. Healthcare organizations are also heavily reliant on data and IT systems to support healthcare operations and ensure patient safety, making the sector an ideal target for ransomware gangs. The extent to which these attacks are succeeding highlights the difficulty healthcare organizations have with securing their systems and preventing unauthorized access.

[Figure: The increase in data breaches due to hacking. Data source: HHS’ OCR Breach Portal.]

Overview of Identity and Access Management

Identity and access management covers five key areas: Policy, identity management, access management, security, and monitoring. An identity and access management policy is required which determines who has access to systems and data and who has the authority to alter the functionality of IT systems. The policy must also cover onboarding and offboarding employees, vendors, and applications, and the actions that must be logged and monitored.

Identity management is a set of processes for establishing the identity of a person or device when they first make contact and for any subsequent interactions. Access management involves authentication and dictates the actions that a user is permitted to perform, with security controls implemented to prevent unauthorized access. Finally, logging is required to record system activity and data interactions to allow investigations of unauthorized activity, with logs routinely monitored and alerts generated and investigated in response to anomalous behavior.

Principles of Identity and Access Management in Healthcare

There are five key principles of identity and access management: Identification, authentication, authorization, access governance, and logging/monitoring of access and user activity.

Identification

All users – employees, vendors, contractors & subcontractors – and devices and applications that require access to systems and data must be identified and their true identities established. Identification is concerned with establishing the digital identity of a user, device, or system, which is usually a unique username for a person and a unique identifier such as an IP address or device ID for a device. Identification on its own proves nothing, since usernames are not secret and IP addresses can be shared or spoofed; it only states a claim that the next step has to verify.

Authentication

When a user or device has been identified, it is necessary to authenticate to prove that the user or device is what it claims to be. This is commonly achieved with a unique password associated with the username or device. Since usernames and passwords can be guessed or obtained, additional forms of authentication are required.

Authorization

Once the identity of a user has been established and authentication has occurred, they will be provided with conditional access to systems and data. Each user and device will need to be authorized to perform certain actions, access data, or administer the system, with authorization based on the principle of least privilege. Permissions should be set to the minimum level required by that user to perform their duties.

Access Governance

Access governance relates to the policies and procedures for assigning, managing, and revoking access and ensuring the correct permissions are set for each user, device, or application, with users managed through a central user repository.

Logging and Monitoring

Logs of access and system activity must be generated and monitored regularly to identify unauthorized access and anomalous behavior that could indicate compromise or unauthorized access.

Common Identity and Access Weaknesses in Healthcare

Malicious actors view the healthcare industry as an easy target and commonly exploit identity and access weaknesses to gain a foothold in healthcare networks, move laterally, steal data, and conduct highly damaging attacks that severely disrupt operations and put patient safety at risk. While many sectors face similar challenges with identity and access management, a combination of factors makes effective management particularly challenging in healthcare, and vulnerabilities are commonly introduced that can be easily exploited. Across the healthcare sector, there are common weaknesses that are frequently exploited by malicious insiders and cyber threat actors, the most common of which are highlighted below.

Poor identity and access management

At many healthcare organizations there is a lack of assurance that an individual or entity seeking access is who they claim to be. In healthcare, employees, contractors, and others require access to networks, applications, and data; roles and responsibilities change regularly; and staff turnover is often high. All of this makes identity and access management a significant challenge, and all too often there is a lack of monitoring, so compromises and unauthorized access go undetected.

Role-based access control (RBAC) is commonly used by healthcare organizations because it is easier to manage access rights when users are bundled together based on their roles. This reduces the number of access policies and simplifies management, since users in the same role need access to similar resources; however, roles tend to accumulate permissions over time, and the approach can result in users being given access to resources they do not need, with controls far less stringent than they should be. This matters most for access to PHI. Each year, many snooping incidents are reported in which employees were able to access patient records with no legitimate work reason, and investigations frequently reveal that the unauthorized access had been going on for months or years.

Healthcare organizations need to keep on top of access rights and ensure that permissions are appropriate to roles and responsibilities, with strong identity and access management, especially for privileged accounts. Access controls should be implemented based on the principle of least privilege and there should be consistent implementation of policies across the entire organization, with regular audits conducted to ensure employees and third-party vendors have the correct access rights. The failure to terminate access promptly when contracts end or employees change roles or find new employment puts healthcare data and systems at risk.
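The access review described above can be largely automated by joining the IAM directory to the HR roster and to a per-role permission baseline. The following is an added example (not code from the HIPAA Journal or any product) that flags the failure modes named in this section: accounts still enabled after termination, accounts with no HR owner, permissions beyond the role baseline, vendor accounts with no expiry, and dormant accounts. The roster, the baseline, the account list and the review date are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Constructed sample data (not from the article): the permissions each role
# is supposed to carry, an HR roster, and an IAM directory export.
ROLE_BASELINE = {
    "nurse": {"ehr.read", "ehr.write"},
    "billing": {"ehr.read", "claims.write"},
    "vendor": {"vpn.remote"},
}

HR_ROSTER = {
    "jdoe": {"status": "active", "role": "nurse"},
    "asmith": {"status": "terminated", "role": "nurse", "end": date(2023, 5, 1)},
    "bchen": {"status": "active", "role": "billing"},
}


@dataclass
class Account:
    user: str
    enabled: bool
    kind: str                       # "employee" or "vendor"
    permissions: Set[str]
    last_login: Optional[date]
    expires: Optional[date] = None  # vendor accounts should carry an end date


ACCOUNTS = [
    Account("jdoe", True, "employee", {"ehr.read", "ehr.write"}, date(2023, 6, 10)),
    # Terminated on 1 May but never disabled
    Account("asmith", True, "employee", {"ehr.read", "ehr.write"}, date(2023, 4, 28)),
    # Billing clerk who picked up an admin permission during a role change
    Account("bchen", True, "employee", {"ehr.read", "claims.write", "ehr.admin"}, date(2023, 6, 11)),
    # Vendor remote-access account with no expiry date and no recent use
    Account("svc-imaging", True, "vendor", {"vpn.remote"}, date(2023, 1, 3)),
    # Enabled account with no matching HR record at all
    Account("ghost", True, "employee", {"ehr.read"}, None),
]

AUDIT_DATE = date(2023, 6, 12)   # hypothetical review date
DORMANT_DAYS = 90


def audit_accounts(accounts, roster, baseline, today):
    """Return (severity, user, description) findings for enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.kind == "employee":
            hr = roster.get(acct.user)
            if hr is None:
                findings.append(("high", acct.user, "enabled account with no HR record"))
                continue
            if hr["status"] == "terminated":
                days = (today - hr["end"]).days
                findings.append(("high", acct.user, f"still enabled {days} days after termination"))
                continue
            expected = baseline[hr["role"]]
        else:
            if acct.expires is None or acct.expires < today:
                findings.append(("medium", acct.user, "vendor account without a valid expiry date"))
            expected = baseline["vendor"]
        # Least privilege: anything beyond the role baseline needs a justification
        extra = acct.permissions - expected
        if extra:
            findings.append(("medium", acct.user, f"permissions beyond role baseline: {sorted(extra)}"))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append(("low", acct.user, f"no login in the last {DORMANT_DAYS} days"))
    return findings


def users_by_severity(findings):
    """Group the users named in the findings by severity."""
    grouped = {}
    for severity, user, _ in findings:
        grouped.setdefault(severity, set()).add(user)
    return grouped


if __name__ == "__main__":
    for severity, user, why in audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, AUDIT_DATE):
        print(f"[{severity:6}] {user:12} {why}")
```

Run against the sample data, the audit reports the terminated nurse and the orphaned account as high severity, the over-privileged billing clerk and the open-ended vendor account as medium, and the dormant vendor account as low; the correctly provisioned nurse produces no finding. In practice the roster and directory would come from the HR system and the identity provider, and the high-severity findings would feed a disable-first, ask-questions-later workflow.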

The annual HIMSS healthcare cybersecurity surveys have shown that a large percentage of healthcare organizations are not implementing identity and access management consistently across the organization, leaving security weaknesses that can easily be exploited to gain access to systems and data. Identity and access management (IAM) software reduces the complexity of the task: it centralizes the user repository, allows controls to be set so that secure access is granted to employees and devices, and makes it difficult for unauthorized individuals to gain access to sensitive resources.

Slow Migration to Zero Trust

Strong identity and access management is necessary to restrict access to systems and data; however, healthcare organizations should be working toward implementing a zero-trust security framework. The traditional security approach is based on protecting the perimeter, essentially trusting anyone or anything that is inside that perimeter; however, the increase in the use of cloud infrastructure means there is no longer a clearly defined perimeter to protect. A zero-trust approach assumes that the network has been compromised, and ensures that if there is a security breach, an attacker does not have free rein over everything inside the network perimeter.  Zero trust involves a constant process of authentication, authorization, and validation before access is granted to applications and data. There is no doubt that zero trust is the future of healthcare security and can prevent malicious actors from gaining access to healthcare networks and data and limit the harm that can be caused when attacks succeed; however, adoption of zero trust has been slow in the healthcare industry.

Poor password practices

HIPAA-covered entities should do more than comply with HIPAA password requirements, which only call for HIPAA-regulated entities to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed,” along with procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.

Many healthcare data breaches result from the failure of users to set strong, unique passwords for their accounts, password reuse across multiple platforms, and password sharing. User-generated passwords can often be brute forced with ease, password reuse exposes organizations to credential stuffing attacks, and password sharing violates HIPAA as it is not possible to track user activity.

Robust password policies should be set and enforced, but employees can easily take shortcuts. One solution is to use a password manager, which solves the problem of creating strong passwords and of employees having to remember them. Password managers have a secure password generator that produces truly random strings of characters that are resistant to brute force attacks, and store them securely in an encrypted vault.

One authentication solution that should be considered is single sign-on (SSO), which allows access to be carefully controlled without disrupting workflows, while helping to eliminate some of the security weaknesses associated with passwords. Rather than having to log in to multiple systems, each of which requires a different login, the user authenticates once to an identity provider, and subsequent access to connected applications is granted using a token issued by that provider (for example a SAML assertion or an OpenID Connect token) or a hardware device. SSO solutions also offer centralized access logs that help with monitoring for unauthorized access. The caveat is that SSO concentrates risk in the identity provider account: if that account is compromised, every connected application is exposed, so it must be protected with strong multifactor authentication.

Reliance on single-factor rather than multifactor authentication

It is telling that one of the most commonly cited improvements to security following a healthcare data breach is the implementation of multi-factor authentication across the organization when the proactive implementation of MFA could have prevented the data breach. Multifactor authentication is one of the most important defenses against phishing, which continues to be a leading cause of healthcare data breaches, yet multifactor adoption in healthcare lags other sectors.

Multifactor authentication requires additional means of authentication other than a password for verifying a user’s identity. The authentication process requires something a person knows (a password) in combination with something a person has (a physical device or token) or something inherent to the user (a fingerprint, face recognition, or other biometric data). While any type of multifactor authentication is better than single-factor authentication, an increasing number of phishing attacks are exploiting weak multifactor authentication controls, for example by relaying SMS or app-generated codes through a real-time phishing proxy or by bombarding users with push notifications until one is approved. The gold standard is phishing-resistant MFA, such as FIDO/WebAuthn authentication, in which the credential is bound to the legitimate site’s origin and cannot be replayed to a look-alike domain. Regardless of which method is used, multifactor authentication needs to be implemented consistently across the entire organization.

Failure to secure third-party vendor access

Hackers may attack healthcare organizations directly but it is now increasingly common for malicious actors to exploit security weaknesses to gain access to vendor networks, through which they can abuse remote access tools to gain access to healthcare organizations’ networks. Supply chain attacks allow access to be gained to multiple healthcare networks via an attack on a single vendor. While it is important to restrict employee access using the principle of least privilege, the same applies to vendor access. Vendor access needs to be closely monitored, yet around half of healthcare organizations do not routinely monitor vendor access.

Insufficient logging and monitoring

Many healthcare organizations discover their systems have been breached several weeks or months after the network has been compromised, with the intrusion only detected when ransomware is used to encrypt files. Log management and intrusion detection solutions identify anomalies that could indicate a system compromise, and generate alerts when suspicious activity is detected, allowing investigations to be conducted to identify unauthorized access quickly, thus minimizing the harm that is caused.

I have already touched on insider breaches from an access rights perspective, which can be minimized with the right access policies and effective user management; however, one of the biggest failures comes from a lack of logging and monitoring of access. There have been insider breaches where employees have snooped on patient records for years before the unauthorized access is detected due to access logs not being routinely monitored. The key to effective monitoring is automation. IT solutions should be used that constantly monitor for unauthorized access, can distinguish between proper and improper access to ePHI, and generate alerts when suspicious activity is detected.
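The automated monitoring described above boils down to running rules over the EHR access log. The following is an added example (not code from the HIPAA Journal or any monitoring product) that parses constructed audit log lines and applies two rules that catch the snooping pattern discussed in this section: an access to a record with which the user has no care relationship, and a burst of distinct records viewed by one user inside a short window. The log format, the usernames, the patient identifiers and the care-relationship table are all constructed for the example; a real deployment would take the relationship data from the scheduling and encounter systems.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed EHR audit log (not from the article): "timestamp user patient action".
SAMPLE_LOG = """\
2023-06-12T09:01:10Z jdoe 100234 VIEW
2023-06-12T09:03:42Z jdoe 100234 UPDATE
2023-06-12T09:05:00Z jdoe 100500 VIEW
2023-06-12T12:30:01Z bchen 100234 VIEW
2023-06-12T22:10:00Z rlee 100601 VIEW
2023-06-12T22:10:20Z rlee 100602 VIEW
2023-06-12T22:10:40Z rlee 100603 VIEW
2023-06-12T22:11:00Z rlee 100604 VIEW
2023-06-12T22:11:20Z rlee 100605 VIEW
2023-06-12T22:11:40Z rlee 100606 VIEW
"""

# Constructed care relationships: the patients each user legitimately works with
# (treating clinician, billing for an encounter, and so on).
CARE_RELATIONSHIPS = {
    "jdoe": {"100234"},
    "bchen": {"100234"},
    "rlee": {"100601"},
}

BURST_THRESHOLD = 5                # distinct records per window before alerting
BURST_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse log lines into (timestamp, user, patient, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, patient, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, patient, action))
    return sorted(events)


def detect_snooping(events, relationships, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (rule, timestamp, user, detail) alerts for suspicious record access."""
    alerts = []
    recent = defaultdict(deque)    # per-user sliding window of (timestamp, patient)
    for ts, user, patient, action in events:
        # Rule 1: access to a record outside the user's care relationships.
        if patient not in relationships.get(user, set()):
            alerts.append(("no_relationship", ts, user, patient))
        # Rule 2: too many distinct records in a short window (record browsing).
        q = recent[user]
        q.append((ts, patient))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold:
            alerts.append(("burst", ts, user, f"{len(distinct)} distinct records within {window}"))
    return alerts


if __name__ == "__main__":
    for rule, ts, user, detail in detect_snooping(parse_log(SAMPLE_LOG), CARE_RELATIONSHIPS):
        print(f"{ts.isoformat()} {rule:16} {user:8} {detail}")
```

On the sample log, jdoe's single out-of-relationship view and each of rlee's five unrelated views are reported individually, and rlee's run of six records in under two minutes additionally trips the burst rule; bchen's billing-related view of a patient in the relationship table produces nothing. The relationship rule is the one that finds long-running snooping, because a clinician looking up a neighbour or a celebrity does so at a normal pace; the burst rule catches bulk export and record browsing. Rules of this kind should be tuned per role, since an emergency department clerk legitimately touches far more distinct records per hour than a ward nurse.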

HIPAA and Identity and Access Management

Effective identity and access management is a fundamental part of healthcare cybersecurity and compliance with the HIPAA Rules. The HIPAA Privacy Rule – 45 CFR § 164.514(h) – has a standard concerning the verification of identity and the authority of a person to have access to PHI, while the technical safeguards of the HIPAA Security Rule – 45 CFR § 164.312(d) – require regulated entities to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. The Security Rule also has a standard for access control – 45 CFR § 164.312(a)(1) – and 45 CFR § 164.312(b) requires audit controls for recording and examining activity in information systems that contain or use ePHI.

The HIPAA Security Rule does not stipulate specific authentication solutions that should be used for identity and access management; instead, the measures should be informed by the entity’s risk analysis and should sufficiently reduce risks to the confidentiality, integrity, and availability of ePHI. The HHS’ Office for Civil Rights drew attention to authentication in its June 2023 Cybersecurity Newsletter and pointed out that authentication measures should reflect the level of risk. “Different touchpoints for authentication throughout a regulated entity’s organization may present different levels of risk, thus requiring the implementation of authentication solutions appropriate to sufficiently reduce risk at those various touchpoints,” explained OCR. “For example, remote access to a regulated entity’s information systems and ePHI may present a greater risk than access in person, thus stronger authentication processes (e.g., multi-factor authentication) may be necessary when permitting or expanding remote access to reduce such risks sufficiently.” OCR suggests following the advice of CISA, and implementing, as a minimum, multifactor authentication solutions on Internet-facing systems, such as email, remote desktop applications, and Virtual Private Networks (VPNs).


Healthcare cybersecurity starts with effective identity and access management. HIPAA-regulated entities should ensure they develop, implement, and maintain effective identity and access policies, implement strong authentication processes, and take steps to address password weaknesses, taking advantage of the latest cybersecurity solutions to automate authentication and access policies as far as possible. Proper access governance is essential, including monitoring logs to identify potential compromises and unauthorized access to PHI by insiders.

With so many competing priorities, investment in cybersecurity often falls far short of what is required; however, with hacking incidents continuing to increase and ransomware attacks impacting patient care, cybersecurity is at last being viewed as not just an IT issue, but a critical patient safety issue that warrants appropriate investment.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: The Importance of Identity and Access Management (IAM) in Healthcare appeared first on HIPAA Journal.

Cookies May be Bad for Your Health

OCR Warns Covered Entities and Business Associates of Its Broad View of HIPAA’s Applicability to Cookies, Pixels, and Other Tracking Technologies

On December 1, 2022 the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services issued a nonbinding guidance Bulletin on the use of online tracking technologies by covered entities and business associates (collectively, “regulated entities”) under the Health Insurance Portability and Accountability Act (“HIPAA”). The position taken by OCR in the Bulletin is further evidence of a continuing U.S. regulatory trend towards tighter regulation of online tracking technologies. Although the Bulletin does not have the full force and effect of law, it does demonstrate OCR’s perspective. And the broad view taken by OCR in this Bulletin is highly likely to result in an increase in OCR complaints, OCR enforcement actions, and class action filings based on regulated entities’ use of online tracking technologies.

In this article, we (1) briefly describe the underlying online tracking technologies that have drawn regulatory attention; (2) explain the application of HIPAA to these technologies as outlined by OCR; (3) describe the obligations that result from that application; and (4) provide recommendations on addressing these risks in light of this new guidance.

Tracking Technologies of Interest to OCR

In this Bulletin, OCR focused on information captured through commonly used tracking technologies, such as cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts and, in the mobile context, embedded tracking codes within apps that capture information provided by users and users’ mobile device-related information, such as a unique device ID or advertising ID. According to OCR, these tracking technologies are generally developed and provided by third parties (e.g., tracking technology vendors) that receive information directly from these technologies and continue to capture information about users after they leave the website that embedded the tracking technology.
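Because the vendor receives the request directly from the visitor's browser, the first practical step for a regulated entity is an inventory of which third-party hosts its pages load and what those requests carry. The following is an added example (not code from the article, OCR, or any vendor) that parses a page's HTML, lists every script, image, iframe and stylesheet loaded from a host outside the site's own domain, marks 1x1 images as tracking pixels, and reports query parameters that would identify a patient. The page, the hostnames (portal.example.org as the hypothetical regulated entity, example.net hosts as hypothetical vendors) and the parameter names are all constructed. A static scan of this kind finds what is in the markup; session-replay and fingerprinting scripts that load further resources at run time need a browser-based crawl to enumerate.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample page (not from the article). The appointment page embeds
# a third-party tag script, a 1x1 pixel whose query string carries a medical
# record number, a third-party stylesheet and a third-party chat iframe.
PAGE_URL = "https://portal.example.org/appointments"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://static.example.org/portal.js"></script>
<script src="https://tag.example.net/collect.js" async></script>
<link rel="stylesheet" href="https://fonts.example.net/portal.css">
</head><body>
<h1>Appointment availability</h1>
<img src="https://pixel.example.net/p?mrn=100234&clinic=oncology" width="1" height="1" alt="">
<iframe src="https://chat.example.net/widget?ref=appointments"></iframe>
</body></html>
"""

# Hypothetical query parameter names that would identify a patient to a vendor.
SENSITIVE_PARAMS = {"mrn", "patient_id", "email", "dob", "phone"}


class ResourceCollector(HTMLParser):
    """Collect every externally loaded resource together with the tag that loads it."""
    LOADERS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(self.LOADERS.get(tag, ""))
        if not url:
            return
        # A 1x1 image exists only to make the browser send a request.
        pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        self.resources.append((tag, url, pixel))


def registrable_domain(host):
    # Simplification: last two labels. Wrong for public suffixes such as co.uk;
    # a production scanner would use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def find_third_party_resources(html, page_url):
    """Return one finding per resource loaded from outside the page's own domain."""
    site = registrable_domain(urlparse(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url, pixel in collector.resources:
        parsed = urlparse(url)
        if parsed.hostname is None or registrable_domain(parsed.hostname) == site:
            continue  # relative URL or first-party host
        params = set(parse_qs(parsed.query))
        findings.append({
            "tag": tag,
            "host": parsed.hostname,
            "pixel": pixel,
            "sensitive": sorted(params & SENSITIVE_PARAMS),
        })
    return findings


if __name__ == "__main__":
    for f in find_third_party_resources(SAMPLE_HTML, PAGE_URL):
        flag = " PIXEL" if f["pixel"] else ""
        leak = f" leaks {f['sensitive']}" if f["sensitive"] else ""
        print(f"{f['tag']:6} {f['host']}{flag}{leak}")
```

On the sample page the scan reports four third-party hosts. The stylesheet host is included deliberately: even a font or CSS load tells that host which page the visitor requested, together with the visitor's IP address, which is exactly the combination OCR treats as potentially identifying. The pixel finding is the one that demands immediate attention, because the medical record number in its query string goes straight to the vendor.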

Applicability of HIPAA to Tracking Technologies

OCR addressed the wide range of information collected through online tracking technologies on websites and mobile applications, including an individual’s medical record number, home or email address, date of appointments, IP address or geographic location, medical device IDs, and other unique identifying codes. OCR stated that such information collected on a regulated entity’s website or mobile app generally is protected health information (“PHI”) because it is “indicative that the individual has received or will receive health care services or benefits from the covered entity.” Significantly, OCR asserted this is true even absent an existing relationship between the individual and the covered entity and absent the collection of specific treatment or billing information, such as dates and types of health care services.

Online Tracking Technology for Websites

User-Authenticated Webpages. In the Bulletin, OCR asserted that tracking technologies on user-authenticated webpages generally have access to PHI, such as IP address, medical record number, home or email address, and appointment dates, and may also have access to individual diagnoses and treatment information, prescription information, and billing information.

Unauthenticated Webpages. Although OCR stated that tracking technologies on unauthenticated webpages generally will not have access to PHI, OCR asserts that, in some instances, tracking technologies on unauthenticated webpages may have access to PHI. OCR asserted that, in such cases, the HIPAA Rules will apply. The specific examples OCR provided of unauthenticated webpages to which the HIPAA Rules may apply included:

  • Login pages of patient portal;
  • Registration webpages for patient portal;
  • Appointment availability webpages;
  • Doctor search webpages; and
  • Informational webpages on specific symptoms or health conditions, such as pregnancy or

Online Tracking Technology for Mobile Applications

Apps Developed or Offered by Regulated Entities

OCR stated that mobile app vendors, tracking technology vendors, and other third parties to whom information is disclosed from mobile applications developed or offered by regulated entities will receive access to PHI (1) because of the nature of the information collected through such apps (e.g., health information, billing information, tracking of health-related variables); and (2) because the downloading and use of the mobile app is indicative that the individual has received or will receive health care services or benefits. Per OCR, regulated entities that develop or offer mobile applications must comply with the HIPAA Rules for the PHI the mobile app uses and discloses.

Apps Developed or Offered by Third Parties

OCR specified that the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities.

HIPAA Obligations for Regulated Entities Using Tracking Technologies

In the Bulletin, OCR stated that regulated entities are required to comply with HIPAA Rules when using tracking technologies that permit access to PHI by:

  • Ensuring Disclosures of PHI to Tracking Technology Vendors are Permitted, Required, or Authorized, and Are Limited to the Minimum Necessary (Unless an Exception Applies). OCR asserted that regulated entities must ensure all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule. OCR further stated that, unless an exception applies, PHI disclosed must be limited to the “minimum necessary.” OCR stated that merely informing individuals through a privacy notice of disclosures of PHI to tracking technology vendors will not make that disclosure permissible. To make such disclosures, OCR asserts that regulated entities must:

    – Enter into a Business Associate Agreement (“BAA”) with All Tracking Technology Vendors and Confirm an Applicable Permission for the Disclosure. Per OCR, prior to disclosing PHI to a tracking technology vendor, regulated entities must have a signed BAA in place and there must be an applicable Privacy Rule permission for the disclosure. See 45 C.F.R. 164.502(a). It is highly likely that some key tracking technology vendors will refuse to enter a BAA. See, e.g., Google Analytics: Best Practices to Avoid Sending PII: HIPAA Disclaimer (“you may not use Google Analytics for any purpose or in any manner involving Protected Health Information”).
    – Obtain the Individual’s HIPAA-Compliant Authorization before the Disclosure if There is No Applicable Privacy Rule Permission or if the Vendor is Not a Business Associate. OCR also asserted that if there is not an applicable Privacy Rule permission or if the vendor does not meet the definition of a “business associate”, HIPAA-compliant authorizations will be required prior to the disclosure of PHI. OCR specifically advised that website banners asking users to accept or reject the use of tracking technologies will not constitute a valid HIPAA

  • Entering into BAAs with Tracking Technology Vendors that Meet the Definition of Business Associate. OCR further asserted that if a tracking technology vendor meets the definition of a “business associate” under HIPAA, the regulated entity must ensure that a HIPAA-compliant BAA is in place with the vendor. OCR advised that if a regulated entity does not want to create a business associate relationship with a vendor or if the vendor refuses to enter a BAA, then individual HIPAA-compliant authorizations will be required before any disclosures of PHI.
  • Addressing Tracking Technology in Risk Analysis and Risk Management Processes. OCR emphasized the obligation for regulated entities to account for the use of online and mobile app tracking technologies in their risk analysis and risk management processes. See 45 C.F.R. 164.308.
  • Implementing Administrative, Physical, and Technical Safeguards. OCR also highlighted the requirement for regulated entities to implement appropriate administrative, physical, and technical safeguards to protect PHI and ePHI in the context of tracking technologies. See 45 C.F.R. 306-316.
  • Providing Breach Notification. Finally, OCR asserted that regulated entities are required to provide appropriate breach notification to affected individuals, the regulator, and the media of impermissible disclosures of PHI to a tracking technology vendor that compromise the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose and there is no BAA in place with the vendor. In such circumstances, OCR asserted that there is a presumption of breach of unsecured PHI unless the regulated entity can demonstrate there is a low probability that PHI has been compromised. See 45 C.F.R. 164.402(2).

Recommended Action Items

In light of the regulatory and litigation risk arising from this Bulletin, we recommend that companies consider taking the following actions to reduce their risk of being the subject of complaints to OCR, OCR investigations, and/or class action litigation:

  • Identify and evaluate current use of online tracking technologies in websites and mobile apps. Determine whether information disclosed through such online tracking technologies is likely to be deemed PHI based on the context of the collection.
  • Analyze current practices against OCR guidance in the Bulletin, and conduct a risk analysis (taking into account both regulatory and litigation risks) in furtherance of determining whether to discontinue, in whole or in part, use of online tracking technologies, particularly for authenticated webpages and mobile apps.

    If a decision is made to continue, in whole or in part, the use of online tracking technologies involving the disclosure of PHI, we recommend considering the following actions:

    – Analyze opportunities to reconfigure such technologies to limit PHI disclosures through tracking technologies on unauthenticated webpages.
    – Enter into compliant BAAs with online tracking technology companies and mobile app companies, including but not limited to BAAs with entities meeting the “business associate”
    – Obtain HIPAA-compliant authorizations before individuals are set up to use authenticated webpages or mobile apps.
    – Implement the administrative, physical, and technical safeguards required by the Security Rule, in accordance with OCR guidance in the Bulletin.
    – Confirm that ongoing HIPAA security risk assessments and risk management account for online tracking technology disclosures.
    – Inform employees involved in selecting, entering into agreements with, and obtaining services from online tracking technology providers and/or mobile app providers, as well as employees with privacy and security-focused vendor oversight responsibilities, of HIPAA compliance risks and obligations arising from online tracking technologies.

  • Evaluate obligations to provide breach notifications to individuals, regulators, and media in accordance with OCR guidance in the Bulletin.

Regulated entities should prioritize evaluating and updating their online tracking technology practices, as necessary, to address regulatory expectations for the use of such technologies set forth in OCR’s Bulletin. Taking prompt action will reduce the risk of entities becoming the target of complaints to OCR, an enforcement action, and/or class action litigation.

Co-authors: Eleazar Rundus, Associate Attorney at Fey LLC. Will Davis, Associate Attorney at Fey LLC.

The post Cookies May be Bad for Your Health appeared first on HIPAA Journal.

State of HIPAA – May 2023 Report

It has been 27 years since President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law, but compliance is still proving a challenge for many HIPAA-regulated entities. This article explores the current state of HIPAA and some of the main aspects of the HIPAA Rules that are proving difficult for HIPAA-regulated entities.

HIPAA Enforcement

The HHS’ Office for Civil Rights (OCR) has been enforcing HIPAA compliance more aggressively in recent years and 2022 was a record year, with 22 settlements and civil monetary penalties (CMPs) imposed to resolve violations of the HIPAA Rules. The majority of the financial penalties imposed in 2022 resolved violations of the HIPAA Right of Access, as has been the case for the past 3 years; however, OCR is now starting to impose more fines for other violations of the HIPAA Rules.

OCR has faced challenges with HIPAA enforcement due to a significant increase in its workload in recent years while its budget has remained flat. OCR investigates all data breaches of 500 or more records, and data breaches have been increasing at an alarming rate in recent years. OCR explained in its annual report to Congress that since fiscal year 2017, OCR has received a 100% increase in large breach reports as cybercriminals have stepped up their attacks on the healthcare sector. In 2021, 75% of breaches of 500 or more records were the result of hacking incidents and those breaches accounted for 95% of all breached records in 2021.

Over that same period, there was also a 28% increase in complaints about potential HIPAA violations, which also need to be investigated. OCR’s hands are somewhat tied as funding has remained flat for years and OCR is also having to cope with inflationary increases. OCR explained that it has been forced to decrease its enforcement staff by 45%, and with its resources under incredible strain, that naturally has an impact on the speed of investigations and the number of cases where financial penalties can be pursued.

OCR can increase funding through its enforcement actions, but despite OCR more than doubling the number of settlements and CMPs in 2022 compared to 2017-2019 levels, OCR had a 92.6% reduction in total penalties compared to 2018, falling from $28.7 million in 2018 to just $1.6 million in 2022. The average HIPAA penalty has fallen from $2.6 million in 2018 (median: $500,000) to just $407,000 in 2022 (median: $183,250).

The decrease in penalties is due to a reinterpretation of the language of the HITECH Act, which has seen the maximum penalties for HIPAA violations reduced in three of the four penalty tiers. OCR has asked Congress to increase the maximum penalties, but until those penalties are increased, OCR will continue to struggle to increase funds significantly through its enforcement actions. The budgetary pressures have forced OCR to look at other ways of increasing funding such as improving efficiency and productivity through restructuring and getting better use of its existing resources. The recent restructuring, which has seen OCR create a new enforcement division, will allow it to investigate data breaches faster, clear the current backlog of investigations, and impose more financial penalties. We can therefore expect this year to close with a high number of financial penalties, and 2024 may well see record numbers of fines issued to resolve compliance issues.

OCR Director, Melanie Fontes Rainer, has confirmed that OCR’s HIPAA Right of Access enforcement initiative will continue, and OCR is making compliance with HIPAA with respect to reproductive healthcare information an enforcement priority, as well as HIPAA Security Rule compliance to protect against the increasing numbers of hacking incidents. She has also confirmed that OCR will be actively investigating the use of website tracking technologies following OCR’s December 2022 release of new HIPAA guidance.

State attorneys general also enforce the HIPAA Rules and 2023 has already seen several enforcement actions over violations of HIPAA and state privacy laws. As of May 2023, state attorneys general in Florida, New York, New Jersey, Ohio, Oregon, and Pennsylvania have taken action against HIPAA-regulated entities for security failures that have led to data breaches.

The State of HIPAA Compliance

OCR has conducted two rounds of compliance audits to assess the state of HIPAA compliance since the HIPAA Privacy and Security Rules were enacted. The second phase of HIPAA audits was launched in 2016, and while OCR has announced its intention to conduct an ongoing program of compliance audits, they have failed to materialize due to budget constraints, and it is unlikely that those plans will be resurrected until OCR’s funding issues have been resolved. The 2016-2017 HIPAA audit program identified many areas of noncompliance. Most covered entities were found to have failed to achieve compliance in the following areas:

  • HIPAA Security Rule risk analysis and risk management requirements
  • Timely breach notifications and adequate content of breach notifications
  • Prominent posts of Notices of Privacy Practices on websites and insufficient content of those notices
  • Timely responses to individuals’ right of access requests and charges for copies of medical records

It has been 6 years since the second phase of the compliance audits came to an end and many of the compliance issues identified by OCR continue to pose problems for HIPAA-regulated entities, as can be seen in OCR’s enforcement actions, which give an indication of the current state of HIPAA compliance.

Most Common HIPAA Violations in OCR’s Enforcement Actions (2020-2023)

HIPAA Violation                              Number of Cases
HIPAA right of access                        42
Risk analysis                                10
Notice of Privacy Practices                  4
Risk management                              4
Reviews of system activity                   3
Audit controls                               3
Business associate agreements                3
Appointment of a HIPAA Privacy Officer       2
Impermissible disclosure on social media     2
Lack of technical safeguards                 2
Technical and nontechnical evaluation        2
HIPAA Privacy Rule policies                  2

Top HIPAA Security Rule Compliance Challenges in 2023

Complying with all HIPAA provisions and implementation specifications can be a challenge, especially for smaller healthcare providers and business associates that do not have extensive resources available to devote to HIPAA compliance. While there are many aspects of the HIPAA Security Rule that can prove challenging, there are some common areas of vulnerability that are identified time and again in OCR’s investigations.

Risk Analyses

The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate organization-wide risk analysis to identify risks and vulnerabilities to electronic protected health information (ePHI). The risk analysis process needs to be ongoing, and the best practice is to conduct these at least annually or as needed, such as following any material change to policies and procedures or changes in technology. The risk analysis must be comprehensive, which means an organization must identify all ePHI within the organization and all external ePHI created, received, or maintained by business associates, and all threats to that information must be identified, including human, natural, and environmental threats to ePHI and the systems on which the information is stored. The HHS has developed a Security Risk Assessment Tool to help regulated entities with this vital process.

Risk Management Processes

Once risks and vulnerabilities have been identified they must be subjected to risk management processes and be reduced to a low and acceptable level in a timely manner. Risks must be assessed and remediations prioritized to ensure the risks that are most likely to be exploited are addressed first. Risk management processes also need to be extended to third parties – business associates – which means performing due diligence on vendors throughout the supply chain and implementing processes to identify, assess, and manage vendor risk at each stage of the vendor life cycle – onboarding, ongoing, and offboarding. Reducing risk exposure from vendor relationships is one of the biggest security challenges in healthcare in 2023 and a pressing issue, as hackers are actively targeting the supply chain.

Technical Security Controls

The HIPAA Security Rule does not specify the technical controls that should be implemented to secure systems containing ePHI, as these need to be based on the specific IT architectures of each regulated entity. It is the responsibility of each regulated entity to ensure that appropriate security controls are implemented and that they are effective at reducing risk. Security controls need to be regularly subjected to security assessments to make sure they have been implemented correctly, are operating as intended, and are achieving the desired outcome. HIPAA-regulated entities should conduct vulnerability scans and consider penetration testing to gain a better understanding of vulnerabilities to allow them to be properly managed.

Audit Controls and Information System Activity Reviews

All IT systems that contain ePHI must have audit controls and create logs of system activity, and information system activity reviews should be conducted on audit logs, access reports, and security incident tracking reports. Despite information system activity reviews being a requirement of the HIPAA Security Rule, OCR’s investigations have revealed that many organizations only conduct reviews on an ad-hoc basis in response to potential security incidents. Regular reviews allow HIPAA-regulated entities to rapidly identify unauthorized access to ePHI by malicious insiders and hackers. All too often, regulated entities discover that unauthorized access by insiders and hackers has been ongoing for months or years.

Access Controls

Technical policies and procedures need to be developed, implemented, and maintained for all electronic information systems that contain or allow access to ePHI to only allow access to persons or software programs that have been granted access rights per the organization’s access management policies and procedures. Access controls need to be based on the principle of least privilege, and access must be promptly revoked when individuals leave employment or no longer require access to ePHI. Ineffective access controls can be exploited by malicious actors to move laterally within networks and gain access to huge volumes of ePHI.

Telehealth Services

In response to the pandemic, OCR introduced telehealth flexibilities to make it easier for HIPAA-regulated entities to provide virtual care to clients and exercised enforcement discretion with regard to the technologies that can be used to provide these services. Now that the COVID-19 Public Health Emergency has been declared over, that period of enforcement discretion is due to terminate. OCR’s notice of enforcement discretion for telehealth expired at 11:59 p.m. on May 11, 2023, but HIPAA-regulated entities have been given a 90-day transition period that comes to an end on August 9, 2023, by which time telehealth platforms must be compliant with the HIPAA Security Rule.

Challenges with HIPAA Privacy Rule Compliance in 2023

There are several aspects of HIPAA Privacy Rule compliance that are likely to prove challenging for HIPAA-regulated entities in 2023 and OCR has confirmed that these HIPAA Privacy Rule issues are still or will be enforcement priorities in 2023 and beyond.

Timely Access to Medical Records

The 2016 HIPAA compliance audits identified widespread noncompliance with the HIPAA Right of Access and increasing numbers of complaints were being received from individuals struggling to obtain copies of their medical records. OCR launched a new compliance initiative in 2019 targeting noncompliance with the HIPAA Right of Access, and the bulk of OCR’s subsequent enforcement actions to date have been for noncompliance with the HIPAA Right of Access. OCR is continuing with this enforcement initiative, and further, the proposed Privacy Rule changes that are expected to be finalized in 2023 will likely see the time frame for providing records decrease from 30 days to 15 days.

Tracking Technologies

In 2022, investigations into the use of tracking technologies on websites revealed the extent to which these third-party code snippets were being used by healthcare organizations. The code snippets collect valuable data on websites and web app user activity, which can be used to improve those services; however, the code can also collect identifiable health information and transmit that information to third parties. Those third parties typically do not sign business associate agreements, and using the code without a BAA in place or first obtaining consent from individuals to share that information is a HIPAA violation. Now that OCR has released guidance on HIPAA and tracking technologies, healthcare organizations must ensure that if the code is used, it is HIPAA compliant.

Disclosures of Reproductive Health Information

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization removed the federal right to abortion, leaving it to individual states to decide on the legality of abortions in their respective states. As of May 2023, 14 states have implemented near-total bans on abortions, a further 6 have implemented gestational limits, and a further 6 states have attempted to introduce bans but have faced legal challenges and there are fears that states may attempt to take legal action against residents who travel to other states to have legal abortions. OCR responded to the Supreme Court decision by making it clear that disclosures of reproductive health information to law enforcement are permitted by the HIPAA Privacy Rule but are not required, and has stated that HIPAA noncompliance with respect to impermissible disclosures of reproductive health information is now an enforcement priority for OCR. OCR has also moved to update the HIPAA Privacy Rule to prohibit disclosures of reproductive health information to facilitate prosecutions of patients or providers who have or assist people with having terminations in states where the procedures are legal.

Staff Training

The Verizon Data Breach Investigations Report highlighted the extent to which data breaches are caused by human error. Out of all data breaches analyzed by Verizon in 2022, 82% involved the human element. Those data breaches include misconfigurations, responses to phishing and social engineering attacks, failures to set strong passwords, and other mistakes. The only way of tackling human error is through education. The HIPAA Privacy Rule requires regulated entities to provide training on HIPAA policies relevant to each individual’s role, while the HIPAA Security Rule requires a security awareness training program. In the case of the latter, increasing the frequency of training can help to create a security culture and eradicate bad security practices.

Looking Forward – Pending Changes to the HIPAA Rules

While updates to the HIPAA Rules are made fairly infrequently, there are pending changes to the HIPAA Privacy Rule, due in 2023 along with updates to the Part 2 regulations to align them more closely with HIPAA. OCR has also recently announced its intention to improve privacy protections for reproductive health information through new HIPAA rulemaking, and the HHS’ Centers for Medicare and Medicaid Services (CMS) has proposed updates to transaction code sets to enable the electronic transmission of healthcare attachment transactions. States are also introducing new laws to better protect the privacy of state residents and ensure they are notified in the event of privacy breaches. Staying up to date with changes to state laws and ensuring compliance will be an ongoing challenge.

While the proposed HIPAA updates are intended to improve the privacy and security of personally identifiable information and reduce the administrative burden on HIPAA-regulated entities, they are a cause of concern for many HIPAA-regulated entities which will have to spend considerable time and effort implementing the changes and ensuring their employees are fully trained. The HHS will provide a grace period to allow the changes to be implemented before compliance becomes mandatory, but it is important to start updating policies and procedures as soon as possible to ensure compliance with these new requirements to ensure the deadlines are not missed.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post State of HIPAA – May 2023 Report appeared first on HIPAA Journal.

The Complicated Nature of BAA Compliance

In the healthcare industry, the term BAA compliance refers to a Business Associate complying with the terms of a Business Associate Agreement entered into with a Covered Entity. While, in theory, BAA compliance should be straightforward, this is not always the case – and sometimes, noncompliance is not the fault of the Business Associate.

The HIPAA Administrative Simplification Regulations apply to group health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted standards (i.e., transactions covered in 45 CFR Part 162).

Many healthcare providers that qualify as “Covered Entities” are unable to manage every activity or function in-house and often subcontract some activities to third-party persons or organizations. When these activities involve the creation, receipt, storage, or transmission of PHI, third-party persons or organizations are classified as Business Associates.

Covered Entities are required to protect the privacy of individually identifiable health information, ensure the confidentiality, integrity, and availability of electronic PHI, and notify individuals and HHS’ Office for Civil Rights in the event of a data breach – exposure or unauthorized access to PHI. When PHI is disclosed to a Business Associate, the Business Associate assumes some compliance requirements concerning the PHI they are provided with, collect, store, or transmit.

Business Associates’ Compliance Requirements

Any third party or organization acting as a Business Associate of a Covered Entity is automatically required to comply with the HIPAA Security and Breach Notification Rules. Other compliance requirements are determined by the nature of the service being provided by the Business Associate for or on behalf of the Covered Entity.

For example, if a Business Associate is providing billing or claims management services for a Covered Entity, the Business Associate is required to comply with the transaction, code set, and operating rules of Part 162. If the Business Associate is providing outsourced medical services, the Business Associate is required to comply with certain Privacy Rule standards.

When a Business Associate is required to comply with certain Privacy Rule standards, these should be noted in the Business Associate Agreement – along with any restrictions on uses and disclosures that would normally be allowed by the Privacy Rule but are limited due to the content of the Covered Entity’s Notice of Privacy Practices or because one or more individuals have exercised the right to request privacy protections for PHI under §164.522 of the Privacy Rule.

The HIPAA Business Associate Agreement (BAA)

The HIPAA Business Associate Agreement (BAA) is a contract between a Covered Entity and a Business Associate that establishes the permitted uses and disclosures of PHI by the Business Associate. The BAA must stipulate that uses and disclosures beyond those included in the BAA are not permitted and will result in the termination of the BAA. Other clauses in the BAA should cover:

  • Making PHI available to individuals exercising their rights of access and amendment, and when requesting an accounting of disclosures.
  • Disclosures required by state or federal law, including (if applicable) to report child abuse or comply with “duty to warn” regulations.
  • Business Associate contracts with subcontractors when secondary services are required for the Business Associate to perform an activity.
  • The reporting of disclosures of PHI not permitted by the BAA and other security incidents – in addition to reporting breaches of unsecured PHI.
  • The term of the BAA (if applicable) and reasons why the BAA may be terminated before its recorded term – for example, a failure of BAA compliance, and the obligations of the Business associate when the contract is terminated or expires.
  • Making internal practices and records available to the Secretary of the HHS for determining compliance with the HIPAA Rules.

In most cases, BAAs are prepared by Covered Entities according to the services subcontracted to the Business Associate, but there are times when a Covered Entity must agree to a Business Associate’s BAA before it can use the Business Associate’s services. One of the best examples of this scenario is Microsoft – which refuses to sign Covered Entities’ BAAs on the grounds that it offers “hyperscale, multi-tenanted services that are standardized for all customers”.

Why BAA Compliance is Not Always Straightforward

It would be reasonable to assume that, if a contract states a Business Associate must comply with specific requirements to benefit from the Covered Entity’s business, the Business Associate would comply with the BAA – but that is not always the case. Some Business Associates take shortcuts with BAA compliance “to get the job done”, exposing themselves to cyberattacks, breaches due to training failures, and theft of PHI by external actors and malicious insiders.

However, BAA compliance failures are not always the fault of the Business Associate. HHS guidance implies Covered Entities need only obtain “satisfactory assurances” that Business Associates will use PHI for the purposes for which the Business Associate is engaged before entering into a BAA. There is no legal requirement for a Covered Entity to conduct due diligence on a Business Associate to ensure that satisfactory assurances are backed up with policies, safeguards, and procedures.

Additionally, Covered Entities’ BAAs are not always complete. Some omit limitations on uses and disclosures of PHI, fail to require adequate training, or do not require Business Associates to provide copies of their subcontractor agreements for review. In such cases, Business Associates may violate HIPAA through no fault of their own, yet still be exposed to sanctions from HHS’ Office for Civil Rights and State Attorneys General, potentially resulting in civil monetary penalties.

What Business Associates Need to Know about BAA Compliance

Since the publication of the HIPAA Final Omnibus Rule, Business Associates have been liable for HIPAA violations of their own making. Unfortunately, a lack of knowledge is not a defense against a civil monetary penalty and/or costly corrective action plan. Therefore, before entering into a BAA with a Covered Entity, Business Associates are advised to thoroughly check the content of the BAA; and, if in doubt about their compliance requirements, query the issues with the Covered Entity and seek professional compliance advice.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post The Complicated Nature of BAA Compliance appeared first on HIPAA Journal.

Which Situations Allow a Medical Professional to Release Information?

The situations when a medical professional can release information vary depending on who is releasing the information, what information is being released, when it is being released, and where it is being released. 

There is a considerable amount of misunderstanding, both within and outside the healthcare industry, about which situations allow a medical professional to release information. To find evidence supporting this statement, you only have to look at stories covered by mainstream news channels in which patients and their families have been denied their HIPAA rights by medical professionals, or in which politicians have failed to grasp the basics of health information privacy.

To find further evidence supporting this statement, you need only visit the Enforcement Highlights page on the Department of Health and Human Services (HHS) website. The page reveals that, since 2003, the agency has received more than 300,000 complaints alleging violations of HIPAA. Of those 300,000 complaints, more than 200,000 have been rejected because “the complaint did not present an eligible case for enforcement”. The most common reasons for complaints being rejected were:

  • The alleged privacy violation was by an entity not covered by HIPAA.
  • The complaint was withdrawn, or submitted after the 180-day limit.
  • The activity described was not a health information privacy violation.

So, which situations allow a medical professional to release information? To establish both when medical professionals are permitted to release information and when they are not, we look at the who, what, when, and where of health information privacy: who is releasing the information, what information is being released, when it is being released, and where.

Who is Releasing the Information?

In the context of which situations allow a medical professional to release information, there are three types of medical professionals to consider:

  • A solo practitioner that qualifies as a Covered Entity under HIPAA.
  • A solo practitioner that does not qualify as a HIPAA Covered Entity.
  • A medical professional that is employed by a Covered Entity.

The difference between the three is that a solo practitioner that qualifies as a Covered Entity is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules, and with any state laws that are not preempted by HIPAA because they provide more protection for individually identifiable health information or give patients greater rights.

A solo practitioner does not qualify as a HIPAA Covered Entity if they do not conduct electronic transactions for which HHS has published standards in 45 CFR Part 162. However, although they do not have to comply with the HIPAA Privacy, Security, and Breach Notification Rules, they do have to comply with state privacy and breach notification legislation.

A medical professional that is employed by a Covered Entity is required to comply with their employer’s employment policies. Therefore, although some releases of information may be permitted by HIPAA, the medical professional’s employer may have decided that the release of certain information cannot be adequately monitored and has prohibited its release.

The difference between the three types of medical professionals is not absolute. A referral for treatment does not, by itself, create a Business Associate relationship (disclosures to another health care provider for treatment are exempt from the BAA requirement). However, if a solo practitioner who does not qualify as a HIPAA Covered Entity is engaged to perform a function or service involving PHI on behalf of a Covered Entity, the solo practitioner becomes a Business Associate of the Covered Entity and is required to comply with the applicable HIPAA Rules for that work. Therefore, a solo practitioner may be operating under one set of health information privacy regulations in the morning, and a different set of regulations in the afternoon.

What Information is Being Released?

The nature of the information being released also determines which situations allow a medical professional to release information. Generally, the HIPAA permissions and restrictions described below apply to Covered Entities and their employees when the information being released is Protected Health Information, or is individually identifiable (non-health) information maintained in the same designated record set as Protected Health Information.

The protection of non-health information maintained in the same record set as Protected Health Information is one of the primary reasons why misunderstandings exist about which situations allow a medical professional to release information. This is because information such as a patient’s name, address, and phone number are protected by the Privacy Rule all the time they are maintained in a record set with the patient’s health information, but not when they are maintained in a separate database for operational purposes (although state privacy regulations may apply).

Any information can also be released by a medical professional with the written authorization of the subject of the information (or their personal representative). Conditions apply to authorizations inasmuch as the authorization must state what information is being released, the purpose of the release, who it is being released to, and when the authorization expires. Therefore, in terms of the nature of the information being released, it could be:

  • Individually identifiable health information protected by the HIPAA Privacy Rule.
  • Individually identifiable non-health information maintained in the same record set.
  • Individually identifiable non-health information maintained in a separate database.
  • Any information – the release of which has been authorized by the subject.

The same distinctions in the nature of information can also apply to solo practitioners that do not qualify as a HIPAA Covered Entity depending on the content of state legislation. There are currently forty-four states with medical privacy statutes on their books (the remaining states include medical privacy in digital privacy legislation), and some states have multiple medical privacy statutes dealing with separate medical disciplines. Dissecting them all is beyond the scope of this article.

When is Information being Released?

The HIPAA Privacy Rule protects the privacy of individually identifiable health information by stipulating the permissible uses of Protected Health Information, disclosures of Protected Health Information that require authorization from the subject of the information, and disclosures for which the individual should be given the opportunity to agree or object if possible. These situations when information can be released by medical professionals include (but are not limited to):

  • To individuals exercising their rights to request copies of Protected Health Information.
  • To the HHS’ Office for Civil Rights in response to a patient complaint or compliance audit.
  • Internally or to other Covered Entities for treatment, payment, or healthcare operations.
  • To Business Associates for the purposes stipulated in a Business Associate Agreement.
  • To personal representatives of adult patients and unemancipated minor patients.
  • To authorized public health authorities to prevent or control disease, injury, or disability.
  • To the Food and Drug Administration (FDA) to report adverse events and track FDA-regulated products.
  • To employers when the release of information is required to fulfill OSHA or state reporting requirements.

There is also a long list of scenarios in which neither authorization nor an opportunity to agree or object is required (45 CFR §164.512). In several of these scenarios, the regulation limits the disclosure to specific data elements (for example, the identifying information that can be disclosed to law enforcement to locate a suspect, fugitive, witness, or missing person) rather than relying on the minimum necessary standard alone. These, too, can create misunderstandings about which situations allow a medical professional to release information and what information can be released.

The misunderstandings can be amplified by state laws that are not preempted by HIPAA because they provide more protection for individually identifiable health information. As demonstrated in the next section, state laws can limit what information is released and when it is released, both by Covered Entities and by solo practitioners that do not qualify as HIPAA Covered Entities. As mentioned previously, employees of Covered Entities may also be limited on what information can be released, and when, by their employer’s HIPAA policies.

Where is Information being Released?

To demonstrate the challenges of determining which situations allow a medical professional to release information, we have provided two examples that show why it matters who is releasing information (and who the information is being released to), what information is being released, and where the information is being released. Scenarios similar to these could apply anywhere in the country, regardless of whether a medical professional is a Covered Entity, does not qualify as a Covered Entity, or is an employee or a Business Associate of a Covered Entity.

Scenario A – Releasing Information to a Support Group

Patient A and Patient B have been receiving mental health treatment – Patient A from a hospital that qualifies as a Covered Entity and Patient B from a private counselor that does not qualify as a HIPAA Covered Entity. Both the hospital and the counselor are located in California.

The hospital and the private counselor agree it would benefit their respective patients if they were to join the same support group. There is no treatment relationship between either of the medical professionals and the support group. The support group is a voluntary organization that neither qualifies as a Covered Entity nor is part of an Organized Health Care Arrangement.

The hospital cannot disclose any information about Patient A to the support group without the patient’s authorization, because there is no treatment relationship and no other Privacy Rule permission applies. If authorization is provided, the hospital may disclose only the information described in the authorization, for the purpose the patient has authorized. (The minimum necessary standard does not apply to disclosures made under a valid authorization, but the authorization itself must specify the information to be released.)

The private counselor is not subject to the same restrictions as the hospital but is subject to California’s Confidentiality of Medical Information Act (CMIA). Under §56.10 of the Act, the private counselor is allowed to release as much information as they feel is appropriate to benefit the patient without authorization.

Analysis of Scenario A

Although the private counselor has the option to provide more information about Patient B without the patient’s authorization, there is no accountability with regard to Patient B’s health information privacy. Patient B has not been advised there may be no control over what happens to the health information once it has been released to the support group and the private counselor could be held liable (under CMIA) if it is further disclosed.

Because of the requirements of the HIPAA Privacy Rule, the hospital can release to the support group only the information about Patient A that Patient A has authorized. This limits how much health information is released. In addition, a valid authorization must state that the information may be redisclosed by the recipient and may no longer be protected by the Privacy Rule, so Patient A has been advised there is no control over what happens to the health information once released, and the hospital is not liable if the support group discloses it further.

Scenario B – Reporting Domestic Abuse to Authorities

One of the most complex situations in which medical professionals may, or may not, be permitted to release information relates to reporting domestic abuse and intimate partner violence (IPV). HIPAA permits medical professionals to release information about an individual they reasonably believe to be a victim of abuse, neglect, or domestic violence to a government authority authorized by law to receive such reports, subject to the conditions in 45 CFR §164.512(c) and provided the information released is limited to the minimum necessary amount.

Whether or not a medical professional is allowed to report domestic violence to authorities – either with or without the patient’s authorization – is more often controlled by state regulations; and in some cases, these can be very different.

For example, in Georgia, medical professionals are required by OCGA §31-7-9 to report any non-accidental patient injuries. The state requires “all physicians, nurses, and other medical personnel [to] be supported and encouraged to assess, intervene, and refer in cases of alleged or suspected IPV” and provides immunity from any civil liability to “any person or persons participating in the making of a report or causing a report to be made to the appropriate police authority.”

In neighboring Florida, the situation is practically reversed. Medical professionals are only permitted to report domestic violence to authorities if the injuries suffered by the victim are life-threatening (Fla. Stat. §790.24) or consist of second- or third-degree burns (Fla. Stat. §877.155). Any other report of domestic violence without a patient’s authorization is a violation of the Florida Information Protection Act, which, because it has more stringent privacy protections in this scenario, is not preempted by HIPAA and takes precedence over it.

Analysis of Scenario B

In this scenario, a medical professional working on one side of the border between Florida and Georgia will be in violation of state laws if they report domestic abuse that does not involve a life-threatening injury; while a medical professional working on the other side of the border will be in violation of state laws if they fail to report the same domestic abuse. In theory, the Floridian medical professional could be charged with a misdemeanor for something that is a legal requirement in the next town.

While this may be an extreme example of how difficult it can be to determine which situations allow a medical professional to release information, the fact that state law takes precedence over HIPAA in this scenario is significant. Throughout the country, there will be laws such as the Florida Information Protection Act that apply to Covered Entities and Business Associates in just one or two scenarios, and it is important to know when these laws, or clauses within laws, apply in order to prevent unintentional health information privacy violations.

As can be seen from the above examples and the discussions that preceded them, there are no absolute rules about which situations allow a medical professional to release information. Medical professionals, regardless of their HIPAA status, should identify which health information privacy regulations govern the release of information in their locations, what information can be released, and when.

While it is important to comply with state and federal health information privacy regulations, the risk exists that securing health information too rigidly can obstruct the flow of information required for operational efficiency. Additionally, securing health information too rigidly can delay responses to patient access requests – which can result in more stories being published by mainstream news channels. Therefore, if you are a medical professional or an employee of a Covered Entity with responsibility for compliance with health information privacy regulations, and you have any doubts about which situations allow a medical professional to release information in your location, you should seek professional compliance advice.

Steve Alder, Editor-in-Chief, The HIPAA Journal

The post Which Situations Allow a Medical Professional to Release Information? appeared first on HIPAA Journal.