Editorial

Which Situations Allow a Medical Professional to Release Information?

The situations when a medical professional can release information vary depending on who is releasing the information, what information is being released, when it is being released, and where it is being released. 

There is a fair amount of misunderstanding, both within and outside the healthcare industry, about which situations allow a medical professional to release information. To find evidence supporting this statement, you only have to look at stories covered by mainstream news channels in which patients and their families have been denied their HIPAA rights by medical professionals, or in which politicians have failed to grasp the basics of health information privacy.

To find further evidence supporting this statement, you need only visit the Enforcement Highlights page on the Department of Health and Human Services (HHS) website. The page reveals that, since 2003, the agency has received more than 300,000 complaints alleging violations of HIPAA. Of those 300,000 complaints, more than 200,000 have been rejected because “the complaint did not present an eligible case for enforcement”. The most common reasons for complaints being rejected were:

  • The alleged privacy violation was by an entity not covered by HIPAA.
  • The complaint was withdrawn, or submitted after the 180-day limit.
  • The activity described was not a health information privacy violation.

So, which situations allow a medical professional to release information? We look at the who, what, when, and where of health information privacy to establish not only which situations allow a medical professional to release information but also the situations in which medical professionals are not allowed to release information. To do this, it is necessary to answer four questions: who is releasing the information, what information is being released, when it is being released, and where it is being released.

Who is Releasing the Information?

In the context of which situations allow a medical professional to release information, there are three types of medical professionals to consider:

  • A solo practitioner that qualifies as a Covered Entity under HIPAA.
  • A solo practitioner that does not qualify as a HIPAA Covered Entity.
  • A medical professional that is employed by a Covered Entity.

The difference between the three is that a solo practitioner that qualifies as a Covered Entity is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules and any state laws that preempt the HIPAA Rules because they provide more protection to individually identifiable health information or allow greater rights to patients.

A solo practitioner does not qualify as a HIPAA Covered Entity if they do not conduct electronic transactions for which HHS has published standards in 45 CFR Part 162. However, although they do not have to comply with the HIPAA Privacy, Security, and Breach Notification Rules, they do have to comply with state privacy and breach notification legislation.

A medical professional that is employed by a Covered Entity is required to comply with their employer’s employment policies. Therefore, although some releases of information may be permitted by HIPAA, the medical professional’s employer may have decided that the release of certain information cannot be adequately monitored and has prohibited its release.

The difference between the three types of medical professionals is not absolute. If a Covered Entity refers a patient to a solo practitioner who does not qualify as a HIPAA Covered Entity, the solo practitioner becomes a Business Associate of the Covered Entity and is required to comply with the HIPAA Rules. Therefore, a solo practitioner may be operating under one set of health information privacy regulations in the morning, and a different set of regulations in the afternoon.

What Information is Being Released?

The nature of information being released can also determine which situations allow a medical professional to release information. Generally, Covered Entities and employees of Covered Entities are permitted to release certain types of health information in the circumstances described below when the information being released is Protected Health Information or is individually identifiable (non-health) information maintained in the same record set as Protected Health Information.

The protection of non-health information maintained in the same record set as Protected Health Information is one of the primary reasons why misunderstandings exist about which situations allow a medical professional to release information. This is because information such as a patient’s name, address, and phone number is protected by the Privacy Rule for as long as it is maintained in a record set with the patient’s health information, but not when it is maintained in a separate database for operational purposes (although state privacy regulations may apply).

It is also the case that any information can be released by a medical professional with the written authorization of the subject of the information (or their personal representative). Conditions apply to authorizations inasmuch as the subject of the information must be informed what information is being released, what it is being released for, who it is being released to, and for how long it is being released. Therefore, in terms of the nature of information being released, it could be:

  • Individually identifiable health information protected by the HIPAA Privacy Rule.
  • Individually identifiable non-health information maintained in the same record set.
  • Individually identifiable non-health information maintained in a separate database.
  • Any information – the release of which has been authorized by the subject.

The same distinctions in the nature of information can also apply to solo practitioners that do not qualify as a HIPAA Covered Entity depending on the content of state legislation. There are currently forty-four states with medical privacy statutes on their books (the remaining states include medical privacy in digital privacy legislation), and some states have multiple medical privacy statutes dealing with separate medical disciplines. Dissecting them all is beyond the scope of this article.

When is Information being Released?

The HIPAA Privacy Rule protects the privacy of individually identifiable health information by stipulating the permissible uses of Protected Health Information, disclosures of Protected Health Information that require authorization from the subject of the information, and disclosures for which the individual should be given the opportunity to agree or object if possible. These situations when information can be released by medical professionals include (but are not limited to):

  • To individuals exercising their rights to request copies of Protected Health Information.
  • To the HHS’ Office for Civil Rights in response to a patient complaint or compliance audit.
  • Internally or to other Covered Entities for treatment, payment, or healthcare operations.
  • To Business Associates for the purposes stipulated in a Business Associate Agreement.
  • To personal representatives of adult patients and unemancipated minor patients.
  • To authorized public health authorities to prevent or control disease, injury, or disability.
  • To the Federal Drug Administration to report adverse events and track FDA-regulated products.
  • To employers when the release of information is required to fulfill OSHA or state reporting requirements.

There is also a long list of scenarios when authorization or an opportunity to agree or object is not required (45 CFR §164.512). In these scenarios, it is often the case that the information that can be released is limited in content rather than limited to the minimum necessary amount to achieve the purpose of the use or disclosure. These too can create misunderstandings about which situations allow a medical professional to release information and what information can be released.

The misunderstandings can be amplified by state laws that preempt the HIPAA Rules because they provide more protection for individually identifiable health information. As demonstrated in the next section, state laws can limit what information is being released and when it is being released by both Covered Entities and solo practitioners that do not qualify as HIPAA Covered Entities. As mentioned previously, employees of Covered Entities may also be limited on what information can be released – and when – by their employer’s HIPAA policies.

Where is Information being Released?

To demonstrate the challenges of determining which situations allow a medical professional to release information, we have provided two examples that show why it matters who is releasing information (and who the information is being released to), what information is being released, and where the information is being released. Scenarios similar to these could apply anywhere in the country, regardless of whether a medical professional is a Covered Entity, does not qualify as a Covered Entity, or is an employee or a Business Associate of a Covered Entity.

Scenario A – Releasing Information to a Support Group

Patient A and Patient B have been receiving mental health treatment – Patient A from a hospital that qualifies as a Covered Entity and Patient B from a private counselor that does not qualify as a HIPAA Covered Entity. Both the hospital and the counselor are located in California.

The hospital and the private counselor agree it would benefit their respective patients if they were to join the same support group. There is no treatment relationship between either of the medical professionals and the support group. The support group is a voluntary organization that neither qualifies as a Covered Entity nor is part of an Organized Health Care Arrangement.

The hospital cannot disclose any information about Patient A to the support group without the patient’s authorization because there is no treatment relationship. If authorization is provided, the hospital can only provide the minimum necessary information about why the patient is joining the support group.

The private counselor is not subject to the same restrictions as the hospital but is subject to California’s Confidentiality of Medical Information Act (CMIA). Under §56.10 of the Act, the private counselor is allowed to release as much information as they feel is appropriate to benefit the patient without authorization.

Analysis of Scenario A

Although the private counselor has the option to provide more information about Patient B without the patient’s authorization, there is no accountability with regard to Patient B’s health information privacy. Patient B has not been advised there may be no control over what happens to the health information once it has been released to the support group and the private counselor could be held liable (under CMIA) if it is further disclosed.

Because of the requirements of the HIPAA Privacy Rule, only the minimum necessary health information about Patient A can be released by the hospital to the support group (with Patient A’s authorization). This not only limits how much health information is released but, because Patient A has been advised there is no control over what happens to the health information, the hospital is not liable if it is further disclosed.

Scenario B – Reporting Domestic Abuse to Authorities

One of the most complex situations in which medical professionals may – or may not – be permitted to release information relates to reporting domestic abuse and intimate partner violence (IPV). HIPAA permits medical professionals to release information about an individual to agencies authorized by law to receive reports of abuse, neglect, or domestic violence, provided the information released is limited to the minimum necessary amount.

Whether or not a medical professional is allowed to report domestic violence to authorities – either with or without the patient’s authorization – is more often controlled by state regulations; and in some cases, these can be very different.

For example, in Georgia, medical professionals are required by OCGA §31-7-9 to report any non-accidental patient injuries. The state requires “all physicians, nurses, and other medical personnel [to] be supported and encouraged to assess, intervene, and refer in cases of alleged or suspected IPV” and provides immunity from any civil liability to “any person or persons participating in the making of a report or causing a report to be made to the appropriate police authority.”

In neighboring Florida, the situation is practically reversed. Medical professionals are only permitted to report domestic violence to authorities if the injuries suffered by the victim are life-threatening (Fla. Stat. §790.24) or consist of second- or third-degree burns (Fla. Stat. §877.155). Any other report of domestic violence without a patient’s authorization is a violation of the Florida Information Protection Act, which – because it has more stringent privacy protections in this scenario – preempts HIPAA.

Analysis of Scenario B

In this scenario, a medical professional working on one side of the border between Florida and Georgia will be in violation of state laws if they report domestic abuse that does not involve a life-threatening injury; while a medical professional working on the other side of the border will be in violation of state laws if they fail to report the same domestic abuse. In theory, the Floridian medical professional could be charged with a misdemeanor for something that is a legal requirement in the next town.

While this may be an extreme example of how difficult it can be to determine which situations allow a medical professional to release information, the preemption of HIPAA in this scenario is significant. Throughout the country, there will be laws such as the Florida Information Protection Act that apply in just one or two scenarios to Covered Entities and Business Associates, and it is important to know when these laws – or clauses within laws – apply to prevent unintentional health information privacy violations.

Conclusion

As can be seen from the above examples and the discussions that preceded them, there are no absolute rules about which situations allow a medical professional to release information. Medical professionals of all HIPAA statuses should identify which health information privacy regulations govern the release of information in their locations, what information can be released, and when.

While it is important to comply with state and federal health information privacy regulations, the risk exists that securing health information too rigidly can obstruct the flow of information required for operational efficiency. Additionally, securing health information too rigidly can delay responses to patient access requests – which can result in more stories being published by mainstream news channels. Therefore, if you are a medical professional or an employee of a Covered Entity with responsibility for compliance with health information privacy regulations, and you have any doubts about which situations allow a medical professional to release information in your location, you should seek professional compliance advice.

Steve Alder, Editor-in-Chief, The HIPAA Journal


Seven Elements of a Compliance Program

The seven elements of a compliance program are integrated processes organizations in all industries can adopt to help them develop a culture of compliance in the workplace. When applied effectively, the seven elements can also be used to streamline operational processes, optimize organizational performance, and reduce overall costs.

While the seven elements of a compliance program apply to all industries, they originated in the healthcare industry in the 1990s. This was in response to the growing level of healthcare fraud and abuse and an alleged “compliance disconnect” at the executive level in many hospitals and health systems. However, despite being more than twenty-five years old – and not necessarily having been adopted to tackle the same issues – many organizations still use the seven elements in their original format.

The Background to the Seven Elements

In 1991, the Department of Health and Human Services (HHS) launched the Workgroup for Electronic Data Interchange (WEDI). WEDI had the objective of reducing administrative costs in the healthcare system by promoting electronic claims submission. It achieved its objective by requiring insurance carriers to reimburse healthcare providers more quickly for electronic claims than for paper claims, thus encouraging providers to submit more claims electronically.

As a result, the percentage of claims submitted electronically over the next five years more than doubled – making it harder for adjudicators to identify fraud and abuse attributable to unbundling, duplication, and global service violations. According to a Congressional Report published by the General Accounting Office in 1995, it was estimated that as much as 10 percent of national healthcare spending was attributable to waste, fraud, and abuse (around $98 billion at the time).

The following year, the long-running Caremark Derivative Litigation case concluded – a case in which it was claimed the company’s board of directors had failed in their fiduciary duty of care to ensure the company’s compliance program was enforced. Although cleared of “lacking good faith in the exercise of monitoring duties or conscientiously permitting a known violation to occur”, the company settled multiple felony charges against it by paying $250 million in civil and criminal fines.

The relevance of this case is that Caremark’s primary operations were providing patient care and managed care services; and, although the company had implemented compliance policies to prevent breaches of Anti-Referral Payments Laws, a series of violations resulted in shareholders claiming the board of directors had failed to adequately enforce the policies and consequently exposed the company to regulatory fines. This accusation was not lost on the HHS’ Office of Inspector General (OIG).

OIG Publishes First Model Compliance Plan

The year after the conclusion of the Caremark Derivative Litigation case, OIG published its first model compliance plan (62 FR 9435-9441). Although aimed at clinical laboratories, the model compliance plan consisted of seven “compliance plan elements” that subsequently evolved into “the seven fundamental elements of an effective compliance program” in later compliance plans for hospitals, home health agencies, hospices, and nursing facilities.

The primary objective of the plan is fairly transparent. In the preamble to each of the plans, OIG states “many providers and provider organizations have expressed an interest in better protecting their operations from fraud and abuse through the adoption of voluntary compliance programs.” The word “fraud” is repeated a further twenty-eight times in the compliance plan for hospitals (63 FR 8987) and the compliance plan for nursing facilities (65 FR 14289).

It is also noticeable that, from the second plan onward, each plan includes a footnote stating “recent case law suggests that the failure of a corporate Director to attempt in good faith to institute a compliance program in certain situations may be a breach of a Director’s fiduciary obligations” – referencing the Caremark Derivative Litigation case. Clearly, OIG wanted to send the message that, if a voluntary compliance plan was implemented, oversight of the plan was expected.

The biggest influence for the creation of the seven elements of a compliance program (fraud prevention) is sometimes overlooked. This is not necessarily a bad thing because – around the same time – the passage of HIPAA introduced fraud controls and transaction standards that made it harder for healthcare providers to defraud or abuse the system. Consequently, the seven elements can be adapted for more positive purposes than preventing, detecting, and responding to fraud.

What are the Seven Elements of a Compliance Program?

Since the first appearance of the seven elements, some versions have been amended or extended to meet organizational or regulatory requirements. For example, when the Affordable Care Act made a compliance program a requirement of Medicare participation for some healthcare providers (42 CFR §483.85), an element was added that prohibits organizations from delegating discretionary authority to individuals who “the organization knew, or should have known through the exercise of due diligence, had the propensity to engage in criminal, civil, and administrative violations of the Social Security Act.”

However, as mentioned in the introduction to this article, many organizations that have implemented a compliance plan voluntarily still use the seven elements of a compliance program in their original format:

#1 Implement written policies, procedures, and standards of conduct

The seven elements of a compliance program are often depicted as a linear “start-to-finish” program or as a wheel that starts revolving again when it has completed its first cycle. Neither depiction is entirely accurate, as the seven elements of a compliance program have to integrate with each other at all times to make the program work effectively and facilitate improvements to the program.

The first of the seven elements of a compliance program is a suitable example of why it is important to view a compliance program holistically because it calls for the development of standards (etc.) under the direction of a compliance officer. Yet organizations are not advised to designate a compliance officer until element #2:

“Every compliance program should develop and distribute written compliance standards, procedures, and practices that guide the facility and the conduct of its employees throughout day-to-day operations. These policies and procedures should be developed under the direction and supervision of the compliance officer, the compliance committee, and operational managers.”

If you view the seven elements of a compliance program as a linear program, you could be confused when the second element instructs you to designate the compliance officer you need to complete the first element. You might also be confused if you view the compliance program as a wheel, because it means you will need to rotate the wheel counterclockwise from #2 to #1.

#2 Designate a compliance officer and compliance committee

The temptation with element #2 is to delegate the role of compliance officer and the membership of a compliance committee to members of the same HR, legal, or operations teams or department heads of these teams. This can be a mistake if (for example) the legal team does not understand the real-life challenges of compliance in the workplace.

While it is a good idea to head the compliance committee with a person of authority, it is beneficial to include personnel with public-facing roles (i.e., healthcare professionals) and a mixture of personnel from IT, security, and administration who can provide insights on which policies will work and which won’t without changes to working practices.

#3 Conduct effective training and education

Integrating training and education into a compliance program should not be difficult for most organizations in the healthcare industry, as the majority are required to comply with the HIPAA training requirements, while some are also required to provide annual compliance training as a condition of participation in the Medicare program.

Importantly, in the original seven elements of a compliance program, OIG notes that the continual retraining of personnel at all levels (emphasis added) is a significant element of an effective compliance training program. Along the same lines, OIG adds that adherence to the elements of the compliance program should be a factor in evaluating the performance of managers and supervisors.

#4 Develop effective lines of communication

The development of effective lines of communication is pivotal to the seven elements of a compliance program because effective lines of communication are necessary for members of the workforce to raise questions, report violations, and provide feedback on corrective action plans that may necessitate amendments to policies and procedures and further training.

Therefore, the creation and maintenance of effective lines of communication between the compliance officer/committee and the workforce should include a hotline or anonymous reporting system to receive questions, reports, and feedback. Organizations should also adopt procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.

#5 Conduct internal monitoring and auditing

This element of an effective compliance program provides an opportunity for executive officers to demonstrate oversight by requesting compliance reports and audits from the compliance officer. In healthcare environments, these reports and audits should be conducted regularly to comply with the HIPAA requirement for regular risk analyses and be available at all times for executive review.

If executive officers participate in this element, it also provides an opportunity to extend lines of communication “from the top to the bottom”. Although it is not always practical to have members of the workforce communicate directly with executive officers (and vice versa), the involvement of executive officers demonstrates a commitment to compliance throughout the entire organization.

#6 Enforce standards through well-publicized disciplinary guidelines

Most organizations distribute disciplinary guidelines at the point of training. Indeed, in the healthcare industry, the standards relating to training and sanctions are almost adjacent to the Administrative Requirements of the Privacy Rule – so it is rare that an explanation of the organization’s sanctions policy is not included in initial HIPAA training.

With regard to enforcing standards, it is important that sanctions are applied fairly. If one group of the workforce is sanctioned more often or more harshly than another group for no justifiable reason, executive officers need to find out why. While it may be the case that one manager is enforcing standards over-zealously, it may equally be the case that another manager is allowing the workforce to take shortcuts with compliance “to get the job done”.

#7 Respond promptly to detected offenses and undertake corrective action

When the seven elements of a compliance plan were originally published in the 1990s, this element focused almost entirely on detecting fraud, reporting it, and enforcing sanctions or implementing measures to prevent it from happening again. With fraud prevention being a less important objective of a compliance plan than it was twenty-five years ago, this element can be used to monitor the effectiveness of the compliance program and improve it where necessary.

For example, if an offense has occurred due to a loophole in a policy (element #1), a lack of training (#3), a communication failure (#4), or a monitoring issue (#5), the compliance officer (#2) can evaluate the existing policies, procedures, and standards, and adjust them as necessary (#7). If the offense has occurred due to the actions of a non-compliant member of the workforce, it may be necessary to increase the penalties in the sanctions policy (#6) to be more of a deterrent.

The Challenges and Benefits of Adopting a Compliance Plan

Adopting the seven elements of a compliance plan can be challenging for an organization starting from scratch. It can be difficult to get leadership buy-in because compliance is not perceived as a revenue generator, it can be difficult to define compliance roles in a complex regulatory environment, and it can be difficult to pull everything together with limited resources.

In healthcare environments, these challenges are mitigated by the fact that many of the elements are – or should be – already in place. HIPAA-covered entities should have developed policies and procedures to comply with the Privacy Rule, have a training and sanctions program up and running, and have procedures for conducting internal audits and responding to data breaches.

Therefore, all that needs to be done in many healthcare environments is for the compliance officer to bring together the seven elements of a compliance plan into one integrated plan. When managed effectively, the plan will help organizations develop a culture of compliance that can help to reduce costs (i.e., regulatory fines), enhance the organization’s operations (i.e., through improved communication), and advance the quality of healthcare.

This final benefit of adopting a compliance plan is one many organizations are only starting to realize as it has only recently been demonstrated that, when patients believe PHI will remain confidential, they tend to be more forthcoming about healthcare issues. This enables healthcare professionals to make better-informed diagnoses and prescribe more effective courses of treatment, which results in better patient outcomes, satisfaction scores, workplace morale, and staff retention.

Get Help Developing Your Compliance Plan

Multiple sources on the Internet offer help with developing a compliance plan. One of the best is the HHS’ Office of Inspector General compliance guidance web page which includes updated versions of the model compliance plans published in the 1990s. However, if your organization is a multi-disciplined Covered Entity or Business Associate, and you need more granular help developing a compliance plan, it may be worthwhile reviewing our HIPAA compliance checklist.

Steve Alder, Editor-in-Chief, The HIPAA Journal


Editorial: HIPAA Enforcement Trends and Outlook

Considering the Health Insurance Portability and Accountability Act (HIPAA) is now in its third decade, the Privacy Rule took effect 20 years ago, and compliance with the HIPAA Security Rule has been mandatory for 18 years, there have been relatively few financial penalties over the years, with just 130 imposed by OCR to resolve HIPAA violations. There have been changing HIPAA enforcement trends over the years and a shifting of enforcement priorities at OCR. Today, OCR is having to pick and choose the cases where financial penalties are pursued, and while more financial penalties are now being imposed, the penalty amounts are a fraction of the level that they were just a few years ago.

A Brief History of HIPAA Enforcement

The HIPAA Enforcement Rule – Final Rule was issued on February 16, 2006, and took effect on March 16, 2026. The Enforcement Rule gave the U.S. Department of Health and Human Services the authority to investigate HIPAA-regulated entities to determine whether they are in compliance with the HIPAA Rules and impose financial penalties if noncompliance is discovered. The HITECH Act, which took effect on February 18, 2009, established four categories of HIPAA violations based on the level of culpability and set minimum/maximum penalty amounts and penalty caps in each of the four penalty tiers, increasing the maximum penalty amount to $1.5 million for violations of an identical provision in a calendar year.

Then in FY 2020, the HHS reassessed the language of the HITECH Act and determined that the penalty amounts stipulated in the HITECH Act had been misinterpreted, and reduced the penalty amounts in three of the four tiers, only keeping the maximum penalty of $1.5 million for the most serious violations when there is determined to have been willful neglect of the HIPAA Rules with no attempt to correct violations.

Since the effective date of the HIPAA Enforcement Rule (up to and including February 2023), the HHS’ Office for Civil Rights has imposed 130 penalties for HIPAA violations, ranging from violations of a single provision of the HIPAA Privacy Rule, such as the failure to provide individuals with timely access to their medical records, to egregious violations and widespread noncompliance with the HIPAA Rules. The penalties imposed so far range from $3,500 to $16,000,000.

Financial Penalties for HIPAA Violations are Relatively Rare

While OCR has the authority to impose financial penalties for HIPAA violations, the vast majority of investigations have not resulted in financial penalties. OCR investigates all large data breaches of 500 or more records and more than 5,000 such breaches have been reported since 2009, yet only 130 financial penalties have been imposed. OCR has stated that in the majority of cases, HIPAA violations are resolved through voluntary compliance and technical assistance, where OCR helps regulated entities address the violation to avoid further compliance issues.

In a February 28, 2023, update on its HIPAA enforcement actions, OCR explained that it has received more than 322,579 complaints about potential HIPAA violations. 14,355 cases were investigated and no violation was identified, and OCR failed to establish a case for enforcement in 215,125 cases. Technical assistance was provided in 53,661 cases.

From those cases, OCR has initiated more than 1,160 compliance reviews and said 97% of all cases have been successfully resolved. More than 30,013 cases have required changes to be made to privacy practices or corrective actions to be implemented by HIPAA-covered entities and business associates.  The 130 cases that warranted financial penalties have resulted in $134,828,772 being paid to OCR in civil monetary penalties and settlements.

HIPAA Audits Identified Widespread Noncompliance

In addition to the investigations of complaints and data breaches, OCR has conducted two phases of HIPAA audits. These audits were not conducted from a HIPAA enforcement perspective; rather, the primary goal was to identify the areas where HIPAA-regulated entities were struggling with compliance. The audits have helped OCR to develop pertinent guidance to address the most common HIPAA violations. The first round of audits identified widespread HIPAA violations as covered entities struggled to get to grips with what was required, but more than a decade after the HIPAA Privacy and Security Rules were enacted, noncompliance was still common.

In the second round of compliance audits, the most common violations identified were related to Notices of Privacy Practices, a lack of information in breach notifications, HIPAA Right of Access failures, business associate breach notifications to covered entities, and risk analysis and risk management failures, with the latter common with covered entities and business associates.

According to OCR, the same areas of noncompliance are identified frequently in its investigations, along with impermissible uses and disclosures of protected health information, a lack of safeguards for protected health information, a lack of patient access to their protected health information, a lack of administrative safeguards for electronic protected health information, and the use or disclosure of more than the minimum necessary protected health information.

HIPAA Enforcement Trends

In the early years after the HIPAA Enforcement Rule was enacted, OCR showed a reluctance to resort to financial penalties for HIPAA violations, typically only pursuing financial penalties in the most egregious cases when widespread noncompliance was identified and for the most serious compliance failures.  In the 29 enforcement actions from 2008 to 2015, 9 penalties were imposed for risk analysis/risk management failures, 9 for the failure to safeguard PHI, 6 for widespread non-compliance with the HIPAA Rules, and one each for denying access to medical records, disclosing PHI without consent, the failure to encrypt PHI, improper disposal of PHI, and the failure to permanently erase PHI.

There was an uptick in HIPAA penalties in 2016, 10 years after the Enforcement Rule was published. Since then, the enforcement actions have addressed a much broader range of HIPAA violations. Risk analysis and risk management failures are still one of the most common HIPAA failures cited in its enforcement actions, along with other HIPAA Security Rule violations and impermissible disclosures of PHI.

In the fall of 2019, OCR launched a new enforcement initiative targeting organizations that were not compliant with the HIPAA Right of Access, with the penalties arising from complaints rather than data breaches. Since then, 65 penalties have been imposed to resolve HIPAA violations, 43 of which have been for HIPAA Right of Access violations. The main reason for this HIPAA enforcement trend has been a massive increase in OCR’s workload and extremely limited resources for HIPAA investigations.

Lack of Funding Hampering HIPAA Enforcement

OCR has been struggling with a lack of funding for several years as its budget has remained flat despite a significant increase in its workload. OCR has made multiple requests to Congress for additional funds, but those requests have been denied. Since fiscal year 2017, complaints about potential HIPAA violations have increased by 28% and reports of large data breaches – more than 500 records – have increased by 100%. All complaints must be assessed and when the allegations are substantiated, the violations must be investigated. OCR also investigates all large healthcare data breaches to determine if they are the result of non-compliance with the HIPAA Rules. As such, OCR’s limited budget and resources have been squeezed and that is limiting the ability of OCR to enforce compliance. OCR also has an increasing workload in other areas – OCR enforces 55 statutory authorities including civil rights and non-discrimination statutes in addition to HIPAA and for several years the small HHS department has not been given adequate resources to do its job.

To help address the budgetary shortfall, the HHS has undertaken a restructuring of OCR which has seen the creation of three new divisions to get more from its limited budget and resources, including a new enforcement division. The HHS hopes the restructuring will improve efficiency, which will help OCR deal with its increased caseload and reduce its backlog of investigations. It is worth noting that OCR’s enforcement staff has been reduced by 45% due to flat budgets and inflation increases, so while the restructuring will help, restructuring alone is unlikely to solve the problem.

OCR could use funds from its enforcement actions to address the budgetary shortfall; however, civil monetary collections have declined since 2019, despite an increase in enforcement actions. This is due to the reinterpretation of the language of the HITECH Act and the reduction in minimum and maximum penalty amounts and the annual penalty caps. In 2019, OCR raised almost $23 million in fines and settlements, but following the reassessment, the total fell to just over $2 million in 2022, even though a new record was set that year for the number of financial penalties imposed. The number of penalties has increased, but there has been a notable shift from imposing penalties on large HIPAA-covered entities for egregious violations of the HIPAA Rules to enforcement actions against small healthcare providers for HIPAA Right of Access violations.

This year, the HHS requested an additional $78 million in funding for FY 2024, which almost doubles its FY 2023 budget, with a requested increase of $38 million from the $40 million received in 2023. OCR Director, Melanie Fontes Rainer, said OCR now has to pick and choose its battles carefully, as it is forced to operate under incredible resource constraints and its staff is incredibly overworked. Data from 2020 indicates OCR has just 77 investigators, and they are not all investigating HIPAA violations. Some are investigating violations of other statutes such as anti-discrimination and civil rights violations. For FY 2023, the HHS requested a 58% increase to its budget to $60 million, which would have allowed OCR to hire a further 37 investigators. The HHS was unable to get a budget increase when Democrats had a majority in the House and Senate, so it seems even more unlikely now.

This year, in addition to the sizeable budget increase, OCR has submitted a proposal to get the authority to work with the Department of Justice and seek injunctive relief, which will improve OCR’s ability to prevent additional or future harm to individuals from non-compliance. OCR is also seeking help from Congress to increase the caps for financial penalties for HIPAA violations to provide additional funding for its enforcement activities.

The Future of HIPAA Enforcement

OCR is continuing with its enforcement initiative targeting HIPAA Right of Access violations and has already announced one settlement this year due to untimely breach notifications. These enforcement actions are relatively cut and dry. A patient complains that they have not been provided with their records, can provide proof that the request has been sent, and the healthcare provider must provide proof that the requested records have been provided and evidence of staff training.  It is difficult for covered entities to contest the findings when records have not been provided in a set time frame, so legal disputes are unlikely, especially considering the penalties imposed are relatively small. These enforcement actions are therefore a good use of OCR’s limited resources.

What are needed, however, are investigations of hacking incidents, which are behind the massive increase in large data breaches. OCR needs additional funding for these investigations to determine if they have been caused by noncompliance with the HIPAA Security Rule. These investigations are, however, much more complex, time-consuming, and resource-intensive. OCR faces a potential problem. The approach taken in the past in its enforcement actions has been called into question when the $4.3 million penalty for University of Texas MD Anderson Cancer Center was overturned on appeal.

OCR’s enforcement actions were deemed to be “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” and the penalty was reduced by a factor of 10. That case could embolden other HIPAA-regulated entities to challenge penalties, further draining OCR’s resources and its ability to enforce HIPAA. While it is unclear exactly how much impact the overturning of the MD Anderson Cancer Center penalty has had, OCR has only fined four entities for Security Rule failures related to data breaches since that decision out of 37 enforcement actions – Excellus Health Plan, AEON Clinical Laboratories (Peachstate), Oklahoma State University – Center for Health Sciences (OSU-CHS), and Banner Health.

OCR also needs to start sharing a percentage of the settlements and civil monetary penalties it collects with victims of HIPAA violations, which is likely to reduce the funds OCR can use from those enforcement actions further still. Without an increase in its budget – which appears likely – the future of HIPAA enforcement is likely to depend in a large part on an increase to the penalty caps and improvements to efficiency from its restructuring.

A reduction in data breaches would certainly help ease OCR’s caseload, but with a relative lack of enforcement of noncompliance and extensive targeting of the healthcare industry by malicious actors, that seems somewhat unlikely. OCR is now considering the recognized security practices that have been implemented when making determinations about fines and penalties which could encourage healthcare organizations to improve security, but for many smaller healthcare organizations, budgets are already limited and there is a global shortage of skilled cybersecurity professionals. Regulatory moves by the government could help to address this by providing incentives for healthcare organizations to make further investments in security and to deal with the staff shortage by introducing incentives for cybersecurity professionals to take on roles in healthcare.

The HHS has also increased the guidance issued to help healthcare organizations improve their defenses. The Health Sector Cybersecurity Coordination Center (HC3) is now issuing more threat advisories specific to the healthcare sector along with recommendations and resources to help healthcare organizations improve their defenses by focusing their efforts on the most pertinent threats. That help has been welcomed, and while more healthcare-specific threat intelligence would be of great help to the sector, HC3 also has considerable budget constraints and also requires additional funding to increase its output.

Steve Alder, Editor-in-Chief, HIPAA Journal


Editorial: Time to Stop Blocking a National Patient Identifier System

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law and one of its requirements was for the Department of Health and Human Services (HHS) to develop a national patient identifier system. Under such a system, every person in the United States would be provided with a unique permanent ID number that would allow them to be tracked across the entire U.S. health system, not for any form of control, government interference in healthcare, or any other nefarious purpose, but to address a pressing public health and safety issue: To ensure patients can be reliably and accurately connected with their health information. 27 years later and we are no closer to a national patient identifier than we were in 1996.

The reason for the lack of action goes back to 1998, when Representative Ron Paul (R-TX) introduced a ban on the HHS developing a national patient identifier system by ensuring no funding was provided by Congress for that purpose. Language has been included in every appropriation bill since then that prevents any funding from being given to the HHS to use for that purpose. In 2019, Senator Rand Paul (R-KY), son of Rep. Ron Paul, tried to take this a step further by introducing a bill that sought to remove the national patient identifier provision from HIPAA entirely, although the effort did not succeed. Then in 2021, House and Senate appropriators removed the language from the appropriations bill – a move widely applauded by many healthcare stakeholder groups – to allow this long-standing issue to be addressed and permit the HHS to start exploring potential methodologies for introducing a national patient identifier.

Later that year, Sen. Rand Paul wrote to Senate appropriators requesting the reintroduction of the language into the appropriations bill, then – along with Senator Marsha Blackburn (R-TN) – introduced the National Patient ID Repeal Act; standalone legislation calling once again for the provision to be stripped from HIPAA. The bill was not passed, but Sen. Rand Paul’s advocacy helped ensure that the funding ban was reintroduced.

The Mismatching of Patient Records is a Common and Serious Patient Safety Issue

The primary reason for introducing a national patient identifier system was to ensure patients could be accurately matched with their healthcare information, no matter where in the country they sought healthcare. Such a system would ensure an individual’s healthcare data could not be mismatched with another individual, which was a problem in 1996 and remains a serious patient safety issue today. Each year, the Joint Commission publishes a list of National Patient Safety Goals, and top of the list for 2023, as has been the case for several years, is the correct identification of patients. A national patient identifier could solve this important patient safety issue.

The lack of a universal patient identifier results in duplicated medical records. If a patient visits a healthcare provider and their records cannot be found, a new medical record is created, resulting in the patient’s records being split between two different records. Important information about the patient will be missing from their records, which could include information vital to ensuring that patient’s safety. Patient mismatching often results in repeated medical tests, which can delay care and cause patients to incur unnecessary costs. There can, of course, be far more serious consequences from the mismatching of patient records, such as medication mix-ups, transplant errors, and catastrophic delays to care resulting in loss of life. These are not uncommon events and occur repeatedly throughout the healthcare system.

The problem of incorrectly identifying patients and mismatching records was exacerbated during the pandemic when thousands of duplicate records were created in the rush to get the population vaccinated. There were many cases of patients being unable to get COVID vaccines as their medical records stated – through mismatching with similarly named patients – that they had already received the vaccine. Misidentification and duplicate health records also caused disruptions to the registration process and vaccine availability at provider sites, hampering efforts to ensure rapid vaccination of the population. When the next pandemic hits, the same problems will likely be experienced again.

In 2020, the Patient ID Now Coalition was founded, an advocacy group whose founding members include the American College of Surgeons, AHIMA, CHIME, HIMSS, Intermountain Healthcare, and Premier Healthcare Alliance. Patient ID Now is attempting to build bipartisan momentum to support accurate patient identification by removing the legislative barriers that are preventing the development of a national patient identifier system. Patient ID Now believes the creation of a national patient identifier is one of the most important patient safety issues to address.

Patient ID Now provided an example of the devastating consequences of mismatching patient records. A woman visited her physician who arranged for her to have a mammogram; however, she never received the results. She mistakenly assumed that she was not contacted about the results because nothing bad was found, when the reality was the mammogram results had been mismatched with a patient who shared the same name. The mismatching was only identified when she mentioned the mammogram to her physician during an annual check-up. The mammogram showed she had cancer, and the one-year delay in receiving treatment had allowed the cancer to progress to the point where it was terminal.

This is far from an isolated example. A January 2019 Government Accountability Office Report found that matching patients with the right records was an incredibly common problem. 45% of large hospitals reported experiencing difficulty with accurately identifying patients. CHIME estimates that matching records within hospitals can be as low as 80%, which means 1 in 5 patients may not be matched with their entire medical records. Further, the matching rate may be even lower between organizations that share the same EHR vendor, dropping to just 50%. AHIMA reports that inaccurate patient identification results in $1,950 in duplicative medical care costs per inpatient and causes $1.5 million in denied claims each year.

Why Does the Funding Ban Continue?

A national patient identifier can help to prevent medical errors, save lives, and cut costs, and also has other benefits. A national patient identifier would support clinical and public health research and population health initiatives, which would help with the transition from fee-for-service to value-based care, and that would benefit patients, providers, payers, and the country as a whole. So, what are the main reasons why the funding ban continues?

One of the most commonly cited arguments against the introduction of a National Patient Identifier, and one that has been often stated by Sen. Rand Paul, is to stop government involvement in an individual’s healthcare. “As a physician, I know firsthand how much the doctor-patient relationship relies on trust and privacy, which would be undermined by a National Patient ID,” said Sen. Rand Paul when introducing the National Patient ID Repeal Act in 2021. He explained that the move to strip this provision from HIPAA was to “prevent the government from centralizing patients’ personal health records or interfering with their medical decisions,” and warned that removing the ban “would open the floodgates for a government-issued ID to be linked with the private medical history of every man, woman, and child in America.”

Sen. Blackburn, who supported the bill, said, “The federal government has no right to dictate individual medical decisions or gain access to your private medical records. The existing National Patient ID sets a dangerous precedent for Big Brother to exert even more control over your life, and it is paramount that we prevent the Biden administration from creating it.” It has also been suggested that creating a “cradle-to-grave medical record” would allow individuals’ entire medical records to be used to conduct medical research without consent, although the HIPAA Privacy Rule prevents such uses and disclosures without consent, and there is no reason why additional safeguards could not be introduced with a National Patient Identifier system.

Another argument often put forward is that a national patient identifier would make it easier for nation-state actors to steal patient data. “Now, more than ever, it is crucial to protect Americans’ genetic information from theft by foreign actors like China,” said Sen. Rand Paul when introducing the National Patient ID Repeal Act. While these are valid concerns, it is worth bearing in mind that big tech companies and data brokers are already compiling huge amounts of incredibly personal data on individuals, including health information, and are using and selling that information without restriction. Companies such as AncestryDNA and 23andMe (and many others) provide hugely popular services to the public that involve sequencing DNA, and these companies are not even bound by the protections of HIPAA.

It is also important to point out that healthcare data theft is a problem without a national patient identifier. As of January 31, 2023, more than 383 million healthcare records have already been stolen along with identifiers such as Social Security numbers. If a healthcare-only identifier was introduced, patients would not have to disclose their Social Security numbers to their healthcare providers, thus helping them to protect themselves against identity theft and fraud. While it has been suggested that patient trust could be lost due to a national patient identifier, a system could be set up akin to the credit monitoring system, and patients would be able to monitor access to their healthcare data and see exactly who accesses it and for what reason.

National Patient Identifiers Have Been Successfully Introduced in Many Developed Countries

A national patient identifier has been introduced in many developed countries with great success and has helped to eliminate patient misidentification. For instance, in the United Kingdom, all patients are issued with a unique National Health System ID number, which allows patients to be matched with their medical records no matter where they receive healthcare through the NHS system. Sure, if the NHS is hacked, then entire medical records could be stolen, but in the UK, it is seen as far more important to ensure patient safety by correctly matching patients with their entire medical records than any potential risks or worries about government control.

While there are clear benefits to a national patient identifier – which I feel far outweigh any negatives – introducing such a system is not without problems. One of the biggest is the cost, which has been estimated to be in the region of $1.5 billion and $11.1 billion, and there will undoubtedly be challenges in implementing any such system.

Removing the appropriations bill language will at least allow the HHS to start exploring how a national standards-based system could be introduced to ensure patients can be accurately matched with their medical records and start obtaining feedback from stakeholders on potential methodologies. Surely, it would be better to actively address the pressing public health and safety issue of mismatched patient records, than to keep rejecting the idea due to outdated fears about the government controlling individuals’ healthcare decisions.

Steve Alder, Editor-in-Chief, HIPAA Journal


Editorial: The Three Pillars of HIPAA Compliance

Achieving compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA) can be a challenge for healthcare organizations and their business associates. The HIPAA Rules were developed to cover healthcare organizations of different types and sizes, so the Rules needed to be flexible to accommodate this diversity. They also needed to be capable of standing the test of time without requiring regular updates in response to changing technology and operating practices.

While HIPAA sets standards for privacy, security, and administrative processes, the Rules can seem complex and often lack important details and they do not include an easy-to-follow HIPAA compliance checklist, so it’s no surprise that achieving and maintaining HIPAA compliance can be a daunting prospect. One of the biggest challenges for compliance professionals is interpreting the HIPAA Rules and applying those requirements to their organization. For smaller healthcare organizations with limited resources, achieving and maintaining compliance can be harder still.

If HIPAA compliance is causing you headaches or keeping you up at night, it is worthwhile considering partnering with a compliance company and getting advice on how to achieve and maintain compliance for peace of mind. For those considering going it alone, there are three pillars of HIPAA compliance that you need to get right.

Pillar 1: Implement a HIPAA Compliance Program

HIPAA-regulated entities need to implement an effective HIPAA compliance program, covering all standards and implementation specifications of the HIPAA Rules. HIPAA-compliant policies and procedures must be developed and implemented, and staff trained on those policies. While compliance responsibilities can be split between multiple individuals – such as a Privacy and Security Officer – one individual should have overall responsibility for compliance throughout the entire organization. You should also consider forming a compliance committee that meets regularly to discuss the state of compliance with HIPAA and other federal and state regulations.

One of the first things the Department of Health and Human Services’ Office for Civil Rights (OCR) will seek to establish when investigating complaints and data breaches is whether the entity has implemented a formal HIPAA compliance program and is taking its HIPAA compliance obligations seriously. Proving your organization takes HIPAA compliance seriously and has not ignored its obligations means compliance efforts must be thoroughly documented.

The first stage of an OCR investigation involves a document request. OCR will contact a covered entity and ask for specific documentation relative to the complaint or data breach, and that information needs to be provided promptly. If a HIPAA-regulated entity is unable to prove it has a HIPAA compliance program in place, then a financial penalty is all but guaranteed. If you have invested time and effort into complying with the HIPAA Rules and can provide documentation demonstrating your good faith effort, the HHS is more likely to provide technical assistance than impose a financial penalty. OCR says the vast majority of investigations are resolved through voluntary compliance or technical assistance, and financial penalties will be avoided if entities can demonstrate satisfactory compliance.

When investigating data breaches, organizations will be asked to provide evidence that comprehensive, accurate risk analyses have been conducted. You may be asked to provide evidence of risk analyses for the past 5 or 6 years. If you can’t provide that documentation, it doesn’t matter whether those risk analyses have been conducted or not; from OCR’s perspective, at best they were incomplete and at worst were not conducted at all. Both are likely to result in a fine.

If a complaint is investigated about an alleged employee HIPAA violation, OCR will want to see evidence that a HIPAA training program is in place and proof that employees have received appropriate training. The sanctions policy may be requested, along with evidence of any ongoing corrective actions and sanctions, further training that has been provided to the workforce in response to discovered violations, and samples of breach notifications.

It is therefore imperative that you maintain accurate, detailed records of all of your compliance efforts and store that documentation in a central data repository with your policies and procedures. That will ensure that you can respond quickly to any request and provide evidence of compliance. The failure to provide the requested documentation could trigger a much more extensive review of your compliance program.

Pillar 2: Develop a Security Awareness and HIPAA Training Program

Policies and procedures must be developed on all aspects of HIPAA but not just to allow boxes to be ticked in a HIPAA compliance checklist. That may be sufficient to pass a very basic document review, but policies alone will not make an organization HIPAA compliant. All members of the workforce must be provided with the policies and must receive training relevant to their role. Every individual in a healthcare organization has a role to play in making their organization HIPAA compliant and must be trained to allow them to perform their duties in a HIPAA-compliant way.

Employees should not have to guess how HIPAA applies. In addition to training, employees must be made aware of the sanctions policy and the repercussions of HIPAA violations and the sanctions policy must be enforced.

HIPAA calls for training to be provided during the onboarding process, regardless of whether a new hire is a seasoned healthcare professional or is new to the industry. It is the responsibility of the compliance officer to ensure that appropriate training programs are developed and that all members of the workforce receive adequate training. While HIPAA violations can take many different forms, most HIPAA violations are due to mistakes by employees and a lack of appropriate training is often the cause.

It is unreasonable to expect employees to gain the knowledge of a compliance professional from HIPAA training provided during the onboarding process. The goal is to ensure that everyone is aware of how HIPAA applies to their role, the rules regarding uses and disclosures, and how to protect patient data. Training needs to be an ongoing process, so refresher training should be provided annually to ensure standards do not slip. HIPAA calls for the staff to be trained on internal policies relative to their role and for all members of the workforce to receive security awareness training.

The importance of the latter was highlighted in the 2022 Verizon Data Breach Investigations Report, which revealed the human factor was involved in 82 percent of data breaches. Security awareness training is concerned with teaching security best practices, making the workforce aware of security threats, and training employees on how to recognize and report those threats. Through training, organizations can eradicate risky practices and significantly reduce the risk of a successful cyberattack and data breach.

Training programs should be tailored to each role and include the specific threats those individuals are likely to encounter. Given the extent to which healthcare employees are targeted with phishing attempts and BEC attacks, there needs to be a particular focus on identifying, avoiding, and reporting these threats to the security team.

Security awareness training is a requirement of the HIPAA Security Rule but the frequency of training is left to the discretion of each regulated entity. HIPAA-regulated entities should go above and beyond the minimum requirements for training and should implement an ongoing security awareness training program, with training delivered throughout the year. The goal should be the creation of a security culture, which is unlikely to happen with infrequent training. As with all aspects of HIPAA compliance, training must be documented. One of the first things OCR will seek to establish when investigating data breaches is whether a security awareness training program is in place.

Pillar 3: Develop, Implement, and Continuously Improve an Information Technology Security Program

There are 20 standards in the HIPAA Security Rule, but within each standard are many more implementation specifications. There are more than 60 implementation specifications that must be considered and implemented, including required and addressable specifications.

HIPAA Security Rule compliance primarily involves developing and implementing a comprehensive information security program that incorporates administrative, technical, and physical safeguards to protect against reasonably anticipated threats and hazards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The information security program must incorporate access controls to protect against internal and external unauthorized access to ePHI, continuous evaluation of security controls, monitoring information systems for unauthorized activity, security awareness training, and developing and implementing contingency and incident response plans.

The risk analysis is one of the fundamental implementation specifications of the HIPAA Security Rule, and one of the main areas where mistakes are made. Risk analyses must be accurate, comprehensive, and organization-wide, and should identify all potential risks and vulnerabilities to ePHI. Those risks must then be subjected to a risk management process and be reduced to a low and acceptable level. Risks must be documented, assessed for criticality, prioritized, and managed, and the process must be fully documented, including how the risks were addressed, when they were resolved, ongoing unresolved issues, and the time frames and steps for addressing any unresolved issues. Risk analyses should be conducted annually and in response to any material change in policies, procedures, or new technology.

When investigating data breaches, OCR seeks to establish the underlying cause of a data breach and will require evidence of risk analyses and risk management. OCR will look for the mitigations in response to a data breach, the actions taken to prevent further incidents, and the entity’s compliance prior to the breach. Recognized security practices will also be considered as a mitigating factor, so these must be thoroughly documented.

HIPAA Security Rule compliance will ensure a baseline level of security is achieved but given the extent to which the healthcare industry is targeted, organizations should look beyond HIPAA Security Rule compliance and should continue to develop the information security program. Adopting a cybersecurity framework such as the NIST Cybersecurity Framework or HITRUST CSF will greatly improve an organization’s security posture and will be considered a mitigating factor by OCR when investigating data breaches and HIPAA Security Rule violations.

Organizations unable to take this step should consider adopting the HHS 405(d) Program, which serves as a stepping stone between HIPAA Security Rule compliance and the full implementation of a cybersecurity framework. The HHS 405(d) Program documentation outlines the main current cybersecurity threats to the sector, offers best practices for mitigating those threats, and technical assistance tailored to the size and capabilities of small, medium, and large-sized healthcare organizations.

HIPAA Compliance is a Continuous Process

There is much more to HIPAA compliance than developing and documenting policies, training staff, and developing an effective information security program, but if you get the basic structure in place, achieving HIPAA compliance will be much more straightforward and you will be able to demonstrate that you are taking your obligations seriously.

Adopting a methodical checklist-style approach to HIPAA compliance will help to ensure compliance with all HIPAA standards, but becoming compliant is just the start. Maintaining compliance requires regular internal audits, updates to policies and procedures to account for new HIPAA requirements and changing technology, and ensuring that safeguards remain effective in a rapidly changing threat landscape.

Signing up to receive updates from the HHS 405(d) Program is a good place to start. A plan should also be developed for adopting a cybersecurity framework to improve the maturity of your cybersecurity program, and there are advantages to be gained from using HIPAA compliance software, especially for healthcare organizations and business associates that feel a little overwhelmed about HIPAA compliance.

Steve Alder, Editor-in-Chief, HIPAA Journal

Editorial: Benefits of HIPAA for Patients

This is the third article in the ‘Benefits of HIPAA’ series, this time around exploring how the Health Insurance Portability and Accountability Act (HIPAA) and its subsequent amendments have benefited patients. The first article in the series explored how HIPAA has benefited healthcare organizations and the second covered the key benefits of HIPAA for healthcare professionals.

A World of Change for Patients

It has now been 27 years since HIPAA was signed into law by President Clinton. Memories of what the healthcare industry was like before that time may be starting to fade, but it should not be forgotten just how important HIPAA was at that time and has continued to be for more than a quarter of a century since. The initial Act introduced standards in healthcare to improve efficiency and make sure that healthcare providers, health plans, and healthcare clearinghouses followed standard practices and used the same code sets.

No system can function efficiently if the different components do not speak the same language, yet this was essentially how the healthcare system operated at the time. That system worked well when healthcare was provided on a one-to-one basis between a clinician and a patient, but as the healthcare ecosystem was becoming more complex, change was desperately needed to ensure healthcare information could be easily transferred to where it was needed, without requiring time-consuming and costly manual processes to convert the data into a usable form. In addition to helping clinicians have access to the data they need, HIPAA has also helped health plans process claims more efficiently and ensures funds are rapidly transferred to pay for healthcare services.

HIPAA made it easier for healthcare providers and health plans to share data electronically and that has helped patients by improving the continuity of care. Recent rules introduced by the HHS have helped to remove some of the barriers to information sharing and ensure that healthcare organizations and electronic health record providers do not engage in practices that could block or hamper the sharing of patient data. That is helping to prevent patients from incurring unnecessary costs, such as having to redo medical tests when they change healthcare providers.

HIPAA has helped to improve the accuracy of record keeping, making it easier to match medical records with the right patients, thus preventing medical errors. HIPAA has also played an important role in reducing healthcare fraud, which was forcing health insurance providers to massively increase their premiums to cover the losses.

One of the initial aims of HIPAA was to improve the portability of health insurance and help to prevent Americans from falling into a job lock situation, where they felt unable to change jobs due to the fear of losing health insurance coverage. While HIPAA has not solved the problem of job lock, it has certainly helped. HIPAA also helped to expand health insurance coverage and prevent discrimination, by ensuring individuals could not be denied health insurance due to pre-existing medical conditions.

Privacy and Security of Healthcare Data

HIPAA called for the Secretary of the Department of Health and Human Services to adopt standards to ensure patient privacy and data security, which were added a few years later in the Privacy and Security Rules. Before the HIPAA Privacy Rule was signed into law, patients did not have a federal right to healthcare data privacy and there were no federal restrictions on disclosures of that data or how healthcare data could be used. A patient’s healthcare information could be used for marketing purposes without restriction, and before the HIPAA Privacy Rule, healthcare providers were not required by law to provide a patient with a copy of their medical records.

The HIPAA Privacy Rule introduced standards for privacy, stipulating exactly when healthcare data could be disclosed and required patients to provide their authorization before their healthcare information could be used for most purposes other than the provision of healthcare, payment for healthcare, and other essential uses necessary for healthcare organizations to provide their services. HIPAA ensured that disclosures of healthcare data were limited to the minimum necessary amount, prohibiting a patient’s entire medical records from being disclosed when the entire record was not required. HIPAA has ensured that, in general, healthcare information cannot be provided to an employer, be used for marketing or advertising purposes, or be sold without written authorization from the individual.

These privacy protections and the need to keep healthcare data secure seem like basic rights today, yet before the HIPAA Privacy and Security Rules were signed into law, there wasn’t a legal requirement to ensure the privacy and security of healthcare data, and healthcare providers and health plans were not accountable for privacy violations and security failures.

HIPAA Gave Patients New Rights

In addition to benefitting patients in these ways, HIPAA gave patients several new rights over their healthcare data. One of the most important rights is the ability to inspect healthcare data. Healthcare providers accurately record patient information, but errors can be made. The Privacy Rule gave patients the right to check their medical records for errors and have those errors corrected. Before the Privacy Rule was introduced, those errors would likely have remained, threatening patient safety. Patients were also given the right to obtain a copy of their healthcare data, which allows them to take it to a new healthcare provider and disclose that information to whomever they wish, be that a friend, family member, or a medical research institution. Recent changes have also allowed patients to have their healthcare information sent to the health app of their choosing.

The HIPAA Privacy Rule ensured transparency of privacy practices, ensuring patients are informed about how their healthcare data will be used – through Notices of Privacy Practices – and to whom the information has been disclosed – through an Accounting of Disclosures, a copy of which can be obtained on request. Patients were also given the right to request restrictions on disclosures of their healthcare information, putting them in control of who is provided with their sensitive healthcare information.

HIPAA does not have a private cause of action, which means a patient can’t sue for a HIPAA violation; however, patients do have the right to file a complaint about a HIPAA violation with a healthcare provider or health plan and can submit a complaint to the HHS’ Office for Civil Rights, which will investigate and take action. Further, when there is an unauthorized disclosure of healthcare information, or when that information has been exposed, patients need to be notified, which allows them to take action to protect against identity theft and fraud.

How the Pending HIPAA Privacy Rule Update Will Benefit Patients

It has been two decades since the HIPAA Privacy Rule was signed into law and a lot has changed in that time. Certain aspects of the Privacy Rule have proven to be cumbersome for HIPAA-covered entities, and there are several areas where improvements are required for patients. Fortunately, some important updates are about to be made that will deliver even more benefits for patients and will improve access to medical records.

Obtaining a copy of medical records is a fundamental right of HIPAA, but the timescale for providing those records is hardly appropriate in the digital age. The latest update will see the time shortened for providing a copy of a patient’s records from 30 days to 15 days, and if an extension is permitted, that time frame has similarly been reduced to 15 days. That means a maximum of 30 days to obtain a copy of the requested records. To further improve access, patients will also be allowed to take notes and photographs of their records, should they so wish. The burden of identity verification when requesting access to records has also been reduced and it has been made easier for patients to direct their healthcare providers to transfer their records to another healthcare provider.

Patients can be charged for copies of their medical records, and while there are restrictions on what can be charged, the update will help to prevent patients from incurring unnecessary or unexpected costs. There has been clarification on when copies of electronic medical records must be provided free of charge, and healthcare providers are required to publish how much patients will typically be charged if they want paper copies of their records.

Another important change will help to improve patient safety, as the ability of healthcare providers to disclose patient information to avert a threat to health or safety has been expanded. They will be able to disclose patient information when harm is “serious and reasonably foreseeable,” instead of a “serious and imminent” threat to health or safety. The changes will also facilitate the sharing of patient information to improve care coordination and case management for individuals, which is intended to improve family and caregiver involvement in the care individuals need when experiencing emergencies or health crises.

Moving Forward – Where HIPAA Needs to Change

The updates to the Privacy Rule will certainly benefit patients, but there is one area where HIPAA lets patients down. HIPAA only applies to healthcare data when it is collected, maintained, stored, or transmitted by a HIPAA-regulated entity. The same healthcare data could be collected, maintained, stored, or transmitted by another entity, and would not be protected by HIPAA. For instance, healthcare information could be stored in a health app, and that information would fall outside the protections of HIPAA. What is now needed is an expansion of HIPAA to cover all healthcare data or new HIPAA-like regulations to be introduced to cover healthcare data when the information is collected by an entity not covered by HIPAA.

One common criticism of HIPAA is the lack of a private cause of action, which prevents patients from suing for HIPAA violations. While this is unlikely to change, there is some good news for patients. The HHS’ Office for Civil Rights will soon be distributing a percentage of the funds raised from its enforcement actions to victims of HIPAA violations, as soon as a suitable methodology for doing so is developed. OCR recently sought information from industry stakeholders and the public on how best to implement this requirement and ensure the funds are fairly distributed.

Steve Alder, Editor-in-Chief, HIPAA Journal

Editorial: Benefits of HIPAA for Healthcare Professionals

It has been almost 27 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, more than 2 decades since the Privacy Rule was enacted, and this February will be the 20th anniversary of the HIPAA Security Rule. This article is the second in a series that explores the benefits of HIPAA, focusing on some of the ways that HIPAA has benefited healthcare professionals. The first article in the series covered the benefits of HIPAA for healthcare organizations.

HIPAA was signed into law in 1996 by President Clinton and introduced standards in healthcare to improve efficiency, eliminate waste, combat fraud, and ensure that Americans could retain health insurance coverage when they are between jobs. When penning the legislation, Congress recognized the importance of the confidentiality of healthcare data and included provisions requiring the Secretary of the Department of Health and Human Services to establish standards for patient privacy and the transmission of electronic health information. Today, HIPAA is best known for these Rules, which restrict the uses and disclosures of protected health information and require HIPAA-covered entities to keep health information secure and protected against unauthorized access. HIPAA also helped the healthcare industry move into the digital age by encouraging the adoption of electronic health records, stipulating the controls that must be implemented to secure healthcare data.

There was considerable resistance to legislation introducing standards for the entire healthcare industry, despite a clear need for change. HIPAA gave healthcare organizations the prod they needed to implement those changes, which have improved efficiency, profitability, and helped healthcare providers deliver better patient care. Before the Privacy Rule was introduced there was a cavalier attitude to patient privacy. Patient records were often left unsecured, and before access controls were a legal requirement, huge numbers of healthcare professionals could view sensitive patient data. The American Health Information Management Association determined that, on average, around 150 individuals in a hospital could access a patient’s medical records during a typical hospitalization and there were no restrictions on the amount of information those individuals could view. There were also no restrictions on disclosures of patient information, and disclosures often occurred without the knowledge of patients. Prior to HIPAA, any information disclosed to a healthcare provider by a patient essentially became the property of the healthcare provider and there was no obligation to share that information with the patient.

HIPAA Ushered in Much-Needed Change

The Administrative Simplification Regulations of HIPAA had three main aims: To protect and enhance the rights of consumers by providing them with access to their health information and preventing inappropriate uses; to improve the quality of healthcare by restoring trust in the healthcare system; and improve the efficiency and effectiveness of healthcare delivery through a national framework of health privacy protection. HIPAA built on the privacy legislation introduced by individual states and ensured privacy protections were in place across the entire country.

Congress understood that it was not possible to achieve administrative simplification without also protecting the privacy and confidentiality of personal health information. High-quality healthcare can only be delivered if patients trust that their sensitive, private health information will be protected and kept confidential, and with healthcare delivery becoming more complex, privacy and security were becoming even more important.

The Benefits of HIPAA for Healthcare Professionals

Healthcare organizations have benefited greatly from HIPAA through the standardization of healthcare transactions, which has improved efficiency and profitability. Patients have benefited by being given rights over their personal health information and transparency over how their health information is used, and HIPAA has also delivered many benefits to healthcare professionals.

A Clear Set of Rules to Follow

One of the most important benefits of HIPAA for healthcare professionals is being provided with a clear set of rules to follow with respect to healthcare data. HIPAA is often criticized for being vague in certain areas, but the rules covering allowable uses and disclosures are clear about how to protect patient privacy. Having clear rules to follow makes it easier for healthcare professionals to work efficiently and concentrate on providing care. HIPAA has also helped improve patient safety by encouraging the adoption of electronic health records, which makes it easier to match medical records with the right patients and ensure patient information is accurately recorded and always available.

HIPAA Has Improved Trust and Helped Healthcare Professionals Deliver Better Care

HIPAA has provided all Americans with a basic level of protection for their healthcare data, giving them peace of mind about disclosing their most personal information, which is critical to ensuring their full participation in their own healthcare. The relationship between a clinician and a patient is built on trust. A clinician must trust the patient to provide honest information about their symptoms, and the patient must trust the clinician to keep sensitive information confidential; otherwise, that information will not be disclosed.

The restrictions on the uses and disclosures of health information introduced by HIPAA have helped to build trust, which in turn helps clinicians make correct diagnoses and develop effective treatment plans. Studies have shown that patients who do not believe their privacy will be protected are much less likely to fully participate in the diagnosis and treatment of medical conditions.

Keeping healthcare data private and confidential is an important part of improving patient well-being. Disclosures of private health information, whether through careless discussions in non-private settings or cyberattacks through noncompliance with the HIPAA Security Rule, can greatly affect a patient’s mental health. Invasions of privacy are a major source of stress, potentially resulting in stigma, discrimination, loss of opportunity, and an increased risk of identity theft and fraud, all of which can have a profound impact on patient well-being.

HIPAA Helps Providers Deliver Patient-Centric Care

Providing the best quality care possible is essential to the success of a healthcare organization, but healthcare providers need to also provide a quality patient experience, which involves more than delivering high-quality care. Delivering patient-centric care is key to improving the patient experience and satisfaction metrics such as HCAHPS scores, which are vital to the long-term success of a healthcare organization. The cost of healthcare is increasing, insurance premiums are rising, and so are the deductibles. If patients do not get the service they need and feel they are getting value for money, they will simply switch providers.

HIPAA has helped the healthcare industry transition into patient-centric care by empowering patients to participate more actively in their own healthcare. By taking a more active role in their healthcare, patients are more likely to comply with the advice their healthcare providers give them and make healthier lifestyle choices, which improves patient outcomes. Healthcare providers need to continue to find new ways to improve patient engagement, and HIPAA compliance helps them to do so while ensuring patient privacy is protected. In today’s digital world, information security is essential as cyberattacks have the potential to expose patients’ highly sensitive data. With the number of attacks now being conducted, HIPAA Security Rule compliance has never been more important and is critical to achieving patient-centric objectives. Further, when patient satisfaction improves, so does employee morale, as healthcare professionals get more job satisfaction.

HIPAA Compliance Helps Increase Profits

HIPAA has standardized healthcare, improved efficiency, and helped to eliminate waste and fraud, which has been key to improving the profitability of the healthcare industry and job security for healthcare professionals. Through HIPAA compliance, healthcare organizations can improve patient loyalty, which means fewer resources need to be invested into attracting new patients and more money can be directed into improving healthcare services and giving healthcare professionals the resources they need to deliver high-quality care.

HIPAA Compliance Makes You a Better Healthcare Professional

HIPAA is a work in progress, far from perfect, and compliance may be cumbersome at times, but the legislation has delivered many benefits to healthcare organizations, healthcare professionals, and patients. HIPAA has helped transform the healthcare industry, and through continued compliance, healthcare professionals can deliver high-quality care, improve relationships with patients, and get more job satisfaction.

Steve Alder, Editor-in-Chief, HIPAA Journal

Editorial: Benefits of HIPAA for Healthcare Organizations

One of the problems with developing legislation for the entire healthcare industry is that rules must be written for organizations of different sizes, with vastly different business models, budgets, staffing levels, and capabilities. Rules need to be written that are sufficiently flexible to accommodate this variety and be appropriate for all organizations and their unique operating structures.

One of the challenges with developing HIPAA was to create rules that would correct inefficiencies and get the healthcare system working more harmoniously. They also needed to stand the test of time and be flexible enough to accommodate changes that could not be envisaged when the legislation was signed into law. When the Privacy and Security requirements were introduced, they needed to be specific enough to serve as a practical framework for healthcare organizations to follow yet be flexible enough to account for changes in technology and operating practices over time.

This was vital as the process of updating legislation is simply too slow to allow for regular changes to be made. The HHS needs to issue a request for information to find out what needs to change, process the feedback, then issue a notice of proposed rulemaking, review the comments on the proposed changes, pen the final rule, issue that rule, and provide sufficient time for healthcare organizations to comply with the changes. That process spans several years, yet working practices evolve and new technology is constantly being introduced.

The way that HIPAA needed to be written has naturally led to the legislation receiving a lot of criticism. HIPAA has been criticized for having too many requirements and also not enough in certain areas, and for being too inflexible and difficult to interpret, and challenging to comply with. Despite the challenges of compliance and the gaps in HIPAA, the legislation has provided many benefits for healthcare organizations, healthcare professionals, patients, and health plan members. The legislation is far from perfect and HIPAA is in desperate need of updating – new HIPAA regulations will soon be introduced – but in its current form, the benefits of this important legislative act far outweigh any disadvantages.

In this article – and the next two in the series – I will explain the benefits of HIPAA and how the proposed Privacy Rule changes will help to address some of the current pain points and should significantly improve HIPAA for healthcare organizations, their employees, patients and members. You can read about the benefits of HIPAA for healthcare professionals here.

How HIPAA has Benefited Healthcare Organizations

HIPAA was signed into law more than 25 years ago in 1996, before many current healthcare workers had even been born. For those in the industry old enough to remember, at that time there was a desperate need to improve efficiency in the healthcare industry, as a huge amount of time and effort was wasted on inefficient manual processes, the cost of which was driving up the cost of healthcare at an unsustainable level.

HIPAA improved efficiency by standardizing healthcare transactions across the industry, including requiring all healthcare organizations to use the same standard code sets and follow standard administrative practices. Not only did the standards introduced by the HIPAA Administrative Simplification Rules help to eliminate waste and reduce the administrative burden on healthcare organizations, they have also helped to improve patient safety by reducing the potential for medical errors by making it easier to match records with the right patients. Before the introduction of HIPAA, healthcare fraud was rife and was costing the healthcare industry around $7 billion a year. The standardization of healthcare transactions has helped to significantly reduce fraud.

The introduction of the HIPAA Privacy, Security, and Breach Notification Rules brought many benefits to healthcare organizations, but also some of the biggest pain points for HIPAA-covered entities. These updates required considerable changes to working practices and came with a significant administrative burden. HIPAA set clear – and sometimes not so clear – rules on how health information can be used and disclosed, how health information must be handled, and the policies and procedures that need to be implemented to ensure the confidentiality, integrity, and availability of protected health information. The HIPAA Privacy Rule has empowered patients to take a much more active role in their healthcare, allowing them to check their medical records for errors and get any errors corrected, which has helped to reduce the risk of medical errors and improve patient outcomes, which naturally has many benefits for healthcare organizations. By having standard rules in place, patients have the same rights no matter where they obtain care, and the safeguards to ensure the confidentiality of health information have helped to build trust between patients and their healthcare providers.

The HIPAA Security Rule set standards for all covered entities to follow to ensure the confidentiality, integrity, and availability of electronic health information and helped healthcare providers successfully transition from paper records and charts to electronic health records and encouraged the adoption of new technologies for improving efficiency and the quality of care in a safe and secure way. The HIPAA Security Rule was not meant to be a comprehensive checklist of every security measure that should be considered or implemented, rather it is a set of minimum standards for security that must be achieved. By adopting those standards, healthcare organizations have prevented many data breaches and avoided the considerable costs of those breaches. Many of the data breaches now being reported are due to employee errors and non-compliance with the HIPAA Security Rule.

The HIPAA Breach Notification Rule provides important benefits to patients, but there are also benefits for healthcare organizations. Compliance with this aspect of HIPAA ensures transparency about unauthorized access and disclosures of protected health information, and promptly notifying patients about data breaches – which are often out of the control of healthcare organizations – can improve trust in healthcare organizations and reduce the reputational damage caused by data breaches. Importantly, HIPAA lacks a private cause of action, which helps HIPAA-covered entities avoid the considerable legal costs of defending lawsuits from patients who believe their privacy has been violated.

How the Proposed Updates to the HIPAA Privacy Rule will Benefit Healthcare Organizations

While the HIPAA Rules lack specificity in certain areas and incorporate flexibilities to avoid the need for regular updates, updates to HIPAA are required to accommodate changes in working practices and advances in technology, and to correct the elements that are either not achieving the purpose they were intended to or are no longer important. There has also been considerable criticism over the years that HIPAA continues to place an unnecessary administrative burden on healthcare organizations. After issuing an RFI, OCR published a Notice of Proposed Rulemaking in 2021 to update the HIPAA Privacy Rule, mostly to strengthen individuals’ rights to access their own health information and to reduce the administrative burden on healthcare organizations.

These Privacy Rule changes should help to improve information sharing, which will make patient care coordination and case management easier, including the coordination and management of care through social and community services. The updates will also facilitate family and caregiver involvement in the care of individuals who are experiencing emergencies or health crises. The restrictions of HIPAA became clear throughout the opioid and COVID-19 public health emergencies. The update helps to address this by incorporating flexibilities to permit disclosures in emergencies and threatening circumstances. These updates will help healthcare providers deliver better care and improve patient outcomes.

The amount of paperwork involved in providing healthcare also needed to be addressed. Finally, some of the time-consuming tasks that healthcare organizations still need to perform manually are being eliminated, such as the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and retain copies of that documentation for 6 years.

Any update to HIPAA comes with a considerable workload initially but the benefits should be felt quickly. OCR believes the efficiencies introduced by the Privacy Rule changes will help to save $3.2 billion over five years, thus limiting the increase in the cost of healthcare. The Final Rule has yet to be published in the Federal Register, but that should finally happen in 2023.

Healthcare Organizations are Still Struggling with HIPAA Compliance After 26 Years

HIPAA has been in effect for 26 years, the Privacy and Security Rules for two decades, and the Omnibus Rule and Breach Notification Rules for 14 years, yet HIPAA compliance is still proving to be a challenge for many healthcare organizations.

One of the common complaints about HIPAA that makes compliance complicated is the frequent use of terms such as reasonable: exercise reasonable diligence, implement reasonable and appropriate policies and procedures, reduce risks and vulnerabilities to a reasonable and appropriate level. There are also ‘required’ and ‘addressable’ provisions, where addressable provisions are still required elements of compliance, in some form. These flexibilities are what make HIPAA workable for such a wide range of healthcare organizations and keep it relevant, but they can present significant challenges for healthcare organizations, especially smaller practices that lack the staff and resources to devote to compliance.

One of the ways that many smaller healthcare organizations have simplified compliance and ensured all the i’s are dotted and t’s are crossed is by using HIPAA compliance software. These software solutions guide healthcare organizations through compliance with all aspects of the HIPAA Rules, eliminating the guesswork and making sure that no provisions are overlooked. The software can be used to achieve compliance and maintain the compliance program, prompting risk analyses, updates, and training, and ensuring compliance efforts are fully documented to ensure painless audits and investigations.

Security Rule compliance can be particularly challenging, as the Security Rule does not provide specifics about technologies that should be used to protect healthcare data. Many healthcare organizations have simplified compliance and gone above and beyond the requirements of HIPAA by adopting a cybersecurity framework. Frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the HITRUST Cybersecurity Framework provide structure, transparency, and guidance for achieving compliance with HIPAA and other privacy and security regulations and provide clarity and consistency while reducing the burden of compliance.

In 2021, the HITECH Act received an update to encourage the adoption of recognized security practices such as those developed under section 405(d) of the Cybersecurity Act of 2015 and covered by these cybersecurity frameworks to improve cybersecurity across the healthcare industry. The update provides incentives in the form of reduced penalties and sanctions and shorter audits and investigations by OCR, which considers the adoption of recognized security practices as a mitigating factor when making determinations about HIPAA Security Rule violations and data breaches.

HIPAA is Only the First Step

The main benefits of HIPAA for healthcare organizations are improvements in efficiency through standardized working practices which eliminate waste, improve patient safety, and boost profits. HIPAA compliance fosters trust between providers and patients and health plans and their members and helps to improve patient outcomes, increase patient and client loyalty, and improve retention.

However, HIPAA is just a set of minimum standards for privacy and security, so HIPAA compliance can be viewed as only the first step. Adopting a cybersecurity framework and implementing recognized security practices will further strengthen an organization’s security posture, and thanks to the HITECH Act update, there is now an added incentive for doing this.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Organizations appeared first on HIPAA Journal.

Editorial: Lessons from Biggest HIPAA Breaches of 2022

It has been another bad year for healthcare data breaches, with some of the biggest HIPAA breaches of 2022 resulting in the impermissible disclosure of well over a million records. While it does not currently look like last year’s record of 714 data breaches of 500+ records will be exceeded this year, with 674 data breaches reported up until December 22, 2022, any reduction is likely to be minimal. In addition to the high number of data breaches, 2022 stands out for the sheer number of healthcare records breached, which currently stands at 49.8 million records. That’s more than any other year to date apart from 2015 when Anthem Inc reported its 78.8 million-record data breach. In 2022, 12 data breaches were reported that exposed more than 1 million records, and a further 13 data breaches exposed between 500,000 and 1 million records.

The Biggest HIPAA Breaches of 2022

One notable observation from the biggest HIPAA breaches of 2022 is the number that occurred at business associates of HIPAA-covered entities. Many of these business associate data breaches affected dozens of healthcare clients, with one notable breach in the list below affecting 657 HIPAA-covered entities. Out of the 25 data breaches of 500,000 or more records, 52% occurred at business associates, including 60% of the 10 largest data breaches. The 12 biggest HIPAA breaches of 2022 affected almost 22.66 million patients and health plan members.

OneTouchPoint – Ransomware Attack Involving 4.11 Million Records

On July 27, the mailing and printing vendor, OneTouchPoint (OTP), reported a hacking incident to the HHS’ Office for Civil Rights that affected more than one million individuals; however, as the investigation progressed it was determined that the breach was much more extensive than first thought, and had involved the protected health information of 4,112,892 individuals. Hackers had gained access to its network and used ransomware to encrypt files, with that information also potentially stolen in the attack. The compromised data included names, contact IDs, and information provided during health assessments. More than 35 of the company’s clients were affected, many of which were health plans.

Eye Care Leaders – Hacking Incident Involving at least 3.65 Million Records

Eye Care Leaders is a North Carolina provider of an electronic health record solution (myCare Integrity) to ophthalmology practices across the country. Affected providers started to be notified in March that hackers had gained access to its databases in December 2021. The databases contained extensive patient information, such as contact information, health insurance information, medical record numbers, Social Security numbers, driver’s license numbers, and medical information. As is relatively common in business associate data breaches, each affected healthcare provider reported the breach separately. Texas Tech University Health Sciences Center was one of the worst affected healthcare providers, with 1,290,104 records exposed. HIPAA Journal has tracked the reported data breaches and at least 41 eye care providers and 3,649,470 patients were affected.

Advocate Aurora Health – Impermissible Disclosure of up to 3 Million Records

On October 14, Wisconsin-based Advocate Aurora Health notified OCR about an impermissible disclosure of the protected health information of up to 3,000,000 patients. The disclosure occurred due to the addition of third-party tracking code on its websites, patient portals, and applications. The tracking code was used to gain insights into the use of its patient-facing digital services to improve the patient experience; however, the tracking code transmitted patient information to the developers of that code, including Meta (Facebook) and Google.  The information transmitted was based on each user’s interactions and may have included health information that could be tied to individuals. The transmitted information may have included names, appointment dates/times, provider names, procedure types, insurance information, and communications through the MyChart patient portal. Advocate Aurora Health was not alone. Several health systems had used the code on their websites and transferred patient data to third parties without consent or a business associate agreement in place.

Connexin Software – Hacking Incident Involving 2.2 Million Records

Connexin Software is a Wisconsin-based provider of an electronic health record solution to pediatric practices across the country, operating as Office Practicum. A breach of its network was detected in August 2022, with the investigation confirming the hackers accessed and exfiltrated an offline set of data used for data conversion and troubleshooting. That data set included names, Social Security numbers, health insurance information, billing and/or claims data, and clinical information such as treatment information, procedures, diagnoses, and prescriptions. The breach was reported to OCR on November 11, as affecting 2,216,365 individuals. 119 pediatric practices were affected by the data breach.

Shields Health Care Group – Hacking Incident Involving 2 Million Records

Shields Health Care Group is a Massachusetts-based vendor that provides MRI, PET/CT, radiation oncology, and surgical services. On May 27, Shields notified OCR about a breach that affected up to 2,000,000 patients from 60 healthcare practices. Hackers had gained access to its network, with the investigation confirming files containing patient data were exfiltrated over two weeks in March. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information.

Professional Finance Company – Ransomware Attack Involving 1.92 Million Records

Professional Finance Company is a Colorado-based vendor that provides debt recovery services. On February 26, the company detected and stopped what it described as a sophisticated ransomware attack, in which certain systems were accessed by the attackers and disabled. The forensic investigation revealed the attackers had access to files containing names, addresses, accounts receivable balances, information regarding payments made to accounts, Social Security numbers, health insurance information, and medical treatment information. The breach was reported to OCR on July 1 as affecting 1,918,941 patients at 657 of its healthcare provider clients.

Baptist Medical Center – Malware Infection Involving 1.6 Million Records

Baptist Medical Center and Resolute Health Hospital in Texas were affected by a security breach that was detected on April 20. Malicious code was detected on its network that allowed hackers to exfiltrate patient data. The investigation into the breach determined the hackers first gained access to its network in late March. The analysis of the affected files revealed they contained protected health information such as names, Social Security numbers, health insurance information, medical record numbers, diagnosis information, and billing and claims information. The breach was reported to OCR on June 15 as affecting 1,608,549 patients of Baptist Medical Center and 54,209 Resolute Health Hospital patients.

Community Health Network – Impermissible Disclosure of up to 1.5 Million Records

The Indiana-based healthcare provider, Community Health Network, notified OCR on November 18 about the impermissible disclosure of the protected health information of up to 1,500,000 individuals. Third-party tracking code from Meta and Google had been added to its websites to provide insights that would allow the improvement of access to information about critical care services and its patient-facing websites. Community Health Network was unaware that adding the code to its websites would result in identifiable health information being transmitted to Meta and Google. The data transferred included IP addresses, appointment information, patient portal communications, procedure types, and other information based on the interactions of users on its website.

Novant Health – Impermissible Disclosure of up to 1.36 Million Records

The North Carolina-based healthcare provider, Novant Health, notified OCR on August 14 about an impermissible disclosure of the protected health information of 1,362,296 individuals. The notification was issued on behalf of Novant Health ACE, a contractor for NMG Services Inc. Novant Health was the first HIPAA-regulated entity to notify OCR about a HIPAA violation related to the use of third-party tracking technologies on its website. Novant Health said the tracking code had been misconfigured, which allowed patient information to be sent to Meta such as names, appointment types and dates, provider names, button/menu selection details that may have included information about health conditions, and information submitted by patients in free text boxes.

Broward Health – Hacking Incident Involving 1.35 Million Records

The Florida-based healthcare provider, Broward Health, reported a breach of the PHI of 1,351,431 patients to OCR on January 2, which was the result of hackers gaining access to its network in October 2021. The delay in reporting was at the request of the Department of Justice, so as not to interfere with the investigation. The network was breached via a connected third-party vendor and the hackers had access to the network for 4 days during which time employee and patient information was exfiltrated including names, Social Security numbers, driver’s license numbers, financial information, medical histories, and medical record numbers.

Doctors’ Center Hospital – Ransomware Attack Involving 1.2 Million Records

On November 9, Doctors’ Center Hospital in Puerto Rico reported a hacking incident to OCR involving the protected health information of 1,195,220 patients. Hackers gained access to its network and deployed ransomware on or around October 17. A ransomware group called Project Relic was behind the attack and claimed to have exfiltrated 211 GB of data prior to encrypting files, including employee data and patient information such as names, medical record numbers, and medical notes.

MCG Health – Hacking Incident Involving 1.1 Million Records

The Seattle, WA-based software company, MCG Health, which provides patient care guidelines to healthcare providers and health plans, notified OCR on June 10 about a cyberattack on its network. The investigation suggested the hackers gained access to its network as early as February 2020, but the security breach was not detected until March 2022. The hackers exfiltrated files that contained patient and plan member data such as names, addresses, phone numbers, dates of birth, medical codes, and Social Security numbers. The breach was reported to OCR by MCG Health as affecting 793,283 individuals, but some health plan and healthcare provider clients reported the breach separately.  More than 10 U.S. healthcare providers and health plans were affected and 1.1 million individuals are understood to have been affected.

Lessons Learned from the Biggest HIPAA Breaches of 2022

All of these breaches are being investigated by the HHS’ Office for Civil Rights to determine if these organizations were fully compliant with HIPAA and if non-compliance with the requirements of HIPAA caused the data breach, and in some cases, state attorneys general have opened investigations. Class action lawsuits have also been filed against these entities seeking damages and reimbursement of out-of-pocket expenses and losses suffered as a result of misuse of patient and health plan member data. The investigations will uncover whether there have been any HIPAA violations or violations of state law and whether compliance with these regulations would have likely prevented these breaches. While specific information about HIPAA violations is not yet known, there are lessons to be learned by other healthcare providers, health plans, and business associates from these data breaches.

Business Associate Risks Must be Managed

What is clear from the largest HIPAA breaches of 2022 is that cyberattacks on business associates can be particularly damaging, often affecting many HIPAA-covered entities. Business associates provide important services to healthcare organizations that are difficult or too costly to perform in-house, but providing patient information to any third party increases the risk that the information will be exposed, and the more business associates that are used, the greater the risk to patient and plan member data.

Healthcare organizations cannot operate efficiently without third-party vendors, but prior to using any vendor their security measures and protocols should be assessed. HIPAA-covered entities must ensure that a signed business associate agreement (BAA) is obtained, but a BAA alone is not sufficient. The BAA should specify the responsibilities of the business associate with respect to cybersecurity, incident response, and breach reporting, and it may be necessary to enter into a service level agreement with the vendor. HIPAA-covered entities should review their relationships with vendors and their BAAs regularly, conduct annual audits of their vendors to check the cybersecurity measures they have in place, and they should stipulate that vendors must conduct annual risk assessments. It is also worth considering consolidating vendors, where possible.

Care Must be Taken with Tracking Technologies

The use of tracking technologies has come under the spotlight in 2022. These tracking technologies are usually provided by third parties such as big tech firms and are commonly used for website analytics. These tools can be incredibly useful but in healthcare, there is considerable potential for privacy violations. It should be noted that there is no problem with the tools themselves, the problem comes with how they are used and their potential to collect and transmit patient information based on the interactions of individuals.

Due to the potential for disclosures of PHI, HIPAA-compliant patient authorizations may be required and it may be necessary to enter into a business associate agreement with the developer of the code. So far, only a handful of healthcare organizations have reported data breaches associated with tracking technologies, but many hospitals and health systems have used these tracking technologies and may have violated HIPAA and patient privacy. A study by The Markup earlier this year indicated one-third of the top 100 hospitals in the United States had added tracking technologies such as Meta Pixel to their websites. These breaches have highlighted the risks associated with these tools and the importance of conducting a careful assessment of any third-party code prior to adding it to a website or application to verify that it is not transferring data to third parties. If it does, business associate agreements must be in place and patient authorizations may need to be obtained. OCR has recently issued guidance on the use of these tracking technologies and the requirements for HIPAA compliance.
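One way to run the pre-deployment check described above, as an added example rather than code from HIPAA Journal or OCR: a static scan that lists every host a page would contact that is neither the organization's own nor covered by a business associate agreement. The host names, the sample page, and the `audit` function are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser send a request (carrying the page URL,
# cookies or form fields) to whatever host they name.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                 "link": "href", "form": "action"}
# Tracking snippets are often inline loaders that inject a remote script,
# so absolute URLs inside inline <script> bodies are collected as well.
URL_IN_SCRIPT = re.compile(r"https?://[A-Za-z0-9.-]+[^\s'\"<>)]*")


class ResourceFinder(HTMLParser):
    """Collects (host, how-referenced) pairs for one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._in_inline_script = False

    def _record(self, url, how):
        # urljoin resolves relative and protocol-relative ("//host/x") URLs.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host:  # data: and javascript: URLs have no host
            self.findings.append((host, how))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = LOADING_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._record(attrs[attr], f"<{tag} {attr}>")
        self._in_inline_script = tag == "script" and not attrs.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for url in URL_IN_SCRIPT.findall(data):
                self._record(url, "inline script")


def is_under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit(html, page_url, first_party, baa_hosts):
    """Return {host: [how referenced]} for hosts with no BAA on file."""
    finder = ResourceFinder(page_url)
    finder.feed(html)
    finder.close()
    report = {}
    for host, how in finder.findings:
        if is_under(host, first_party) or is_under(host, baa_hosts):
            continue
        report.setdefault(host, set()).add(how)
    return {host: sorted(hows) for host, hows in sorted(report.items())}


# Constructed sample page; every host name below is a placeholder.
SAMPLE_PAGE = """
<html><head>
<script src="/static/portal.js"></script>
<script src="https://cdn.scheduling-vendor.example/widget.js"></script>
<script>
  (function(d){var s=d.createElement('script');
   s.src='https://pixel.adnetwork.example/events.js';
   d.head.appendChild(s);})(document);
</script>
</head><body>
<form action="https://forms.adnetwork.example/collect" method="post">
  <input name="reason_for_visit">
</form>
<img src="//stats.analytics.example/t.gif?page=appointments">
</body></html>
"""

if __name__ == "__main__":
    result = audit(SAMPLE_PAGE, "https://www.hospital.example/appointments",
                   first_party={"hospital.example"},
                   baa_hosts={"scheduling-vendor.example"})
    for host, hows in result.items():
        print(f"no BAA on file: {host} via {', '.join(hows)}")
```

A static scan does not see requests made by code that a tag manager injects at runtime, so its result should be confirmed against a browser network capture of the same pages.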

Develop and Test an Incident Response Plan for Ransomware Attacks

The healthcare industry continues to be targeted by ransomware gangs, who steal sensitive data and encrypt files for extortion. Stolen records are published or sold to other cybercriminal gangs, placing victims at a very real risk of identity theft and fraud, but these attacks also put patient safety at risk. Patients often have to be redirected to other facilities, the lack of access to EHRs requires appointments to be canceled, and the attacks delay diagnosis and essential medical care. In many attacks, electronic systems are taken out of action for several weeks and studies suggest mortality rates increase following a ransomware attack and patient outcomes are affected.

Protecting against ransomware attacks can be a challenge, as ransomware gangs use multiple attack vectors to gain initial access to healthcare networks. Healthcare organizations should keep up to date on the latest threat intelligence and adopt a defense-in-depth approach covering all potential attack vectors. Regaining access to patient data quickly can help to limit the harm caused, and in this regard, it is vital to follow best practices for backups and ensure multiple copies of backups are created with at least one copy stored securely off-site. The key to a fast recovery is contingency planning and implementing a comprehensive incident response plan. Those plans must also be regularly tested with tabletop exercises involving members of all teams involved in the breach response. Some of the most damaging ransomware attacks and hacking incidents were due to contingency and incident response planning failures.

Adopting Recognized Security Practices is Strongly Advisable

An update to the HITECH Act in January 2021 required OCR to consider the recognized security practices an organization has implemented continuously for the 12 months prior to a data breach when making determinations about penalties and sanctions. While HIPAA Security Rule compliance is mandatory, HIPAA-regulated entities are not required by law to implement recognized security practices, but it is strongly advisable. Not only will following recognized security practices reduce the risk of a cyberattack and limit the harm caused, OCR will reduce the length of audits and investigations and the financial penalties imposed.

Issue Breach Notifications Promptly

Several of the biggest HIPAA breaches of 2022 involved delays in issuing breach notifications to OCR and the individuals affected. HIPAA is clear about the maximum time frame for reporting breaches of protected health information, which is 60 days from the discovery of a data breach; however, breach notifications should be issued to OCR and affected individuals without unnecessary delay. Prompt notification is important as it allows the individuals affected by the breach to take steps to protect themselves against identity theft and fraud. OCR recently issued a reminder about the requirements for responding to security incidents, in which the breach notification requirements of HIPAA were confirmed. This could indicate OCR may be looking at enforcing this aspect of HIPAA compliance more rigorously in the future, as unnecessary delays in issuing breach notifications are common.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Lessons from Biggest HIPAA Breaches of 2022 appeared first on HIPAA Journal.