Healthcare Data Privacy

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size was 58,572 records and the median breach size was 3,736 records.



Largest Healthcare Data Breaches Reported in August 2020


| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI | Incident |
|---|---|---|---|---|---|
| Northern Light Health | Business Associate | 657,392 | Hacking/IT Incident | Network Server, Other | Blackbaud ransomware attack |
| Saint Luke’s Foundation | Healthcare Provider | 360,212 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Assured Imaging | Healthcare Provider | 244,813 | Hacking/IT Incident | Network Server | Ransomware attack |
| MultiCare Health System | Healthcare Provider | 179,189 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Imperium Health LLC | Business Associate | 139,114 | Hacking/IT Incident | Email | Phishing attack |
| University of Florida Health | Healthcare Provider | 135,959 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Utah Pathology Services, Inc. | Healthcare Provider | 112,124 | Hacking/IT Incident | Email | Phishing attack |
| Dynasplint Systems, Inc. | Healthcare Provider | 102,800 | Hacking/IT Incident | Network Server | Ransomware attack |
| Main Line Health | Healthcare Provider | 60,595 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Northwestern Memorial HealthCare | Healthcare Provider | 55,983 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Richard J. Caron Foundation | Healthcare Provider | 22,718 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| UT Southwestern Medical Center | Healthcare Provider | 15,958 | Unauthorized Access/Disclosure | Other | Unconfirmed |
| City of Lafayette Fire Department | Healthcare Provider | 15,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| Hamilton Health Center, Inc. | Healthcare Provider | 10,393 | Unauthorized Access/Disclosure | Email | Misdirected Email |


Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized access/disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss and theft incidents reported (2 loss, 3 theft). The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now that the deadline for reporting the breach is approaching.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139,114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2. One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.

The post August 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Senators Demand Answers from VA on 46,000-Record Data Breach

On September 14, 2020, the U.S. Department of Veterans Affairs announced it had suffered a data breach that had impacted 46,000 veterans. Several Senate Democrats are now demanding answers from the VA on the breach and the cybersecurity measures the VA has put in place to prevent data breaches.

Hackers gained access to an application used by the VA’s Financial Services Center to send payments to community healthcare providers to pay for veterans’ medical care. Six payments intended for community care providers were redirected to bank accounts under the control of the hackers, and veterans’ data in the system were exposed and potentially stolen.

When the breach was discovered, the application was taken offline and will remain down until a full review has been conducted by the VA’s Office of Information and Technology. Affected veterans have been offered complimentary credit monitoring services and the VA is currently working on compensating the community care providers whose payments were redirected.

Officials at the VA Office of Information and Technology told Senate and House veterans’ affairs committees that approximately 17,000 community care providers were affected by the breach, although the VA has now said that while 17,000 community care providers use the application, only 13 were affected.

In a letter to VA Secretary Robert Wilkie, Sens John Tester, Patty Murray, Sherrod Brown, Richard Blumenthal, Mazie K. Hirono, Joe Manchin III, Kyrsten Sinema, Margaret Wood Hassan, and Jeanne Shaheen expressed “serious concerns” about the ability of the VA to protect veterans’ and community care providers’ data and called for the VA to provide assurances that the department is capable of safeguarding personal and financial data.

“Based on information currently available, it appears this cybersecurity incident was carried out by those able to find weaknesses in the way VA authenticates community care health care providers using VCAs and processes payments for their services,” said the Senators.

“This incident raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the PII and other important data within its vast data systems and networks,” wrote the Senators. “This is not a new vulnerability for VA. Rather, it is a long-standing weakness of the Department as identified by independent reviews conducted by the VA OIG and the Government Accountability Office (GAO) for more than 10 years.”

The Senators reference two GAO reports from June 2019 and July 2019 that make several recommendations for agencies on cybersecurity, risk management and data protection, including recommendations specifically for the VA. They have called for the VA to provide information on the current status of the VA’s efforts to implement those recommendations.

The Senators have called for the VA to provide a state-level breakdown of all impacted community care providers and to provide information on the steps that have been taken to assure community care providers and veterans that their personal and financial data will be secure. The Senators want to know who discovered the breach – whether it was the VA or the VA Office of Inspector General. They also requested information on the systems used by the VA Financial Services Center.

The Senators also raised concern that the VA is in a reactive posture waiting for cybersecurity vulnerabilities to arise and want to know what proactive assessments have been conducted to identify vulnerabilities, the frequency of those assessments, and what steps the VA will take to ensure greater oversight of business rules and IT and cybersecurity processes to ensure vulnerabilities are identified and addressed before they are exploited.

“This most recent data breach is unacceptable. It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability, and security of the vast financial, health, and other personal data it collects and processes to perform its critical services for America’s veterans,” wrote the Senators. “It is imperative VA take aggressive and decisive action to address this current incident and lay out a strategy to prevent such problems from arising in the future.”


Privacy Risks Found on Almost All Websites Offering COVID-19 Information

A recent study published in JAMA found almost all websites offering information on COVID-19 have third-party tracking code that poses a privacy risk. Many web pages include tracking code that collects information about website visitors and transfers the data to third parties. When the code loads, it initiates a data transfer that often includes the URLs that have been visited and the user’s IP address. Other information may also be collected, and that information allows detailed profiles to be built up of people’s browsing habits and interests. Since IP addresses are collected, that information can easily be tied to a specific individual.

Researchers at the University of Pennsylvania Perelman School of Medicine and Carnegie Mellon University’s School of Computer Science had previously conducted a study of 1 million web pages, including health-related websites, and found that 91% of those websites included a third-party data request and 70% had third-party cookies.

The researchers turned their attention to websites offering information on COVID-19, such as sites offering symptom checkers, tips to avoid getting infected, post-infection care, and help finding testing sites. The researchers used Google Trends to find the top 25 search queries related to COVID and coronavirus on May 15, 2020. Searches were performed on Google to identify the top 20 URLs for non-personalized searches based on the top 25 search queries.

The researchers used a tool called webXray, which detects third-party tracking code on websites, data requests from third party domains, and cookies. 538 websites were analyzed for the study.

The researchers found that 535 of the 538 websites (99.44%) included third-party data requests and 477 (89%) included third-party cookies. The data requests and cookies did not vary by the type of website, and even government and academic websites, which visitors may expect to have greater privacy protections, also had tracking code and cookies.

“Compared with commercial web pages, third-party cookies were slightly less common, although still highly prevalent, among government and academic web pages,” explained the researchers. “However, the median numbers of third-party data requests and third-party cookies per page were both higher on commercial web pages (77 requests; 130 cookies) than on government (8 requests; 4 cookies), nonprofit (16 requests; 7 cookies), or academic (14 requests; 10 cookies) web pages.”
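As an added example (not the study’s webXray tooling), the following Python script applies the same first-party/third-party distinction to a constructed set of page captures and reports, per site category, how many pages had any third-party request or cookie and the median counts per page, which is what the figures quoted above measure. The public-suffix handling is a simplified stand-in for the real Public Suffix List, and every domain in the sample is constructed.

```python
"""webXray-style first-party / third-party classification of the resources a
page loads, with per-category prevalence and medians as the study reported.
Added example, not the study's tooling. All domains below are constructed."""
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (assumption: a real crawler
# would use the full list so that e.g. 'a.co.uk' and 'b.co.uk' differ).
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "gov.uk", "com.au", "edu.au"}


def registrable_domain(host):
    """eTLD+1 of a hostname: 'www.med.uni.ac.uk' -> 'uni.ac.uk'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def is_third_party(page_url, host):
    """A resource or cookie is third-party when its registrable domain differs
    from the page's; every such request reveals the visitor's IP address to
    that domain and, subject to the Referrer-Policy, the URL being read."""
    if not host:
        return False
    return registrable_domain(host) != registrable_domain(urlsplit(page_url).hostname)


def analyse_page(page):
    """page: {'url', 'category', 'requests': [url, ...], 'cookies': [(domain, name), ...]}"""
    tp_requests = [u for u in page["requests"]
                   if is_third_party(page["url"], urlsplit(u).hostname)]
    tp_cookies = [c for c in page["cookies"]
                  if is_third_party(page["url"], c[0].lstrip("."))]
    return {
        "third_party_requests": len(tp_requests),
        "third_party_cookies": len(tp_cookies),
        # Who receives the visitor's data: the domains to review or block.
        "third_party_domains": sorted({registrable_domain(urlsplit(u).hostname)
                                       for u in tp_requests}),
    }


def summarise(pages):
    """Per category (plus 'all'): how many pages had any third-party request or
    cookie, and the median counts per page."""
    groups = defaultdict(list)
    for page in pages:
        result = analyse_page(page)
        groups[page["category"]].append(result)
        groups["all"].append(result)
    summary = {}
    for category, rows in groups.items():
        summary[category] = {
            "pages": len(rows),
            "with_tp_requests": sum(r["third_party_requests"] > 0 for r in rows),
            "with_tp_cookies": sum(r["third_party_cookies"] > 0 for r in rows),
            "median_tp_requests": median(r["third_party_requests"] for r in rows),
            "median_tp_cookies": median(r["third_party_cookies"] for r in rows),
        }
    return summary


# Constructed captures standing in for what a crawler would record per page.
SAMPLE_PAGES = [
    {"url": "https://www.healthnews.example/covid-19-symptoms", "category": "commercial",
     "requests": ["https://www.healthnews.example/app.js",
                  "https://cdn.healthnews.example/hero.jpg",   # first party (same eTLD+1)
                  "https://stats.tracker-a.example/collect?u=1",
                  "https://pixel.tracker-b.example/p.gif",
                  "https://ads.tracker-b.example/bid"],
     "cookies": [("www.healthnews.example", "session"),
                 (".tracker-a.example", "_ta"), (".tracker-b.example", "uid")]},
    {"url": "https://coronavirus.health.example.gov/testing-sites", "category": "government",
     "requests": ["https://coronavirus.health.example.gov/main.css",
                  "https://stats.tracker-a.example/collect?u=2"],
     "cookies": [("coronavirus.health.example.gov", "lang")]},
    {"url": "https://www.med.uni.ac.uk/covid-care", "category": "academic",
     "requests": ["https://static.uni.ac.uk/site.js",          # first party under ac.uk
                  "https://stats.tracker-a.example/collect?u=3"],
     "cookies": [(".uni.ac.uk", "csrf"), (".tracker-a.example", "_ta")]},
    {"url": "https://symptomcheck.example/", "category": "commercial",
     "requests": ["https://symptomcheck.example/bundle.js",
                  "https://fonts.tracker-c.example/font.woff2"],
     "cookies": [("symptomcheck.example", "sid")]},
]

if __name__ == "__main__":
    for category, stats in summarise(SAMPLE_PAGES).items():
        print(category, stats)
```

The same classification, run over real browser captures (for example HAR files) of your own pages, lists the domains that receive visitors’ data and gives a baseline to compare against after trackers are removed.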

The researchers suggest decision makers at institutions may not be aware that third-party tracking code transmits data to third parties as it is usually only installed to monitor web traffic.

The researchers point out that there were two limitations to the study. Firstly, the tool used to check for third-party tracking only checked for two mechanisms of tracking and there are others, some of which have been developed to evade automatic capture. The number of websites that have third-party tracking is therefore likely to have been underestimated. Also, since the study was limited to the top 20 search results, the findings may not apply to web pages that appear lower in the search engine listings.

“Amid debate and legislative activity focused on the privacy implications of COVID-19 contact-tracing apps, these findings suggest that attention should also be paid to privacy risks of online information seeking,” warned the researchers.


Poll Shows Consumers Unaware of the Extent Health Insurers Gather and Use Consumer-Generated Data

Health insurers are collecting online data about consumers and using the information to predict an individual’s likely healthcare costs. Consumer-generated data are collected and used to create profiles, which could be used to determine appropriate premiums.

Consumer-generated data are distinct from protected health information (PHI); they relate to an individual’s lifestyle, interests and behavior and come from many different public and private sources. Health insurers may scour online sources for information or obtain data from data brokers. Some data brokers are actively marketing their data to insurers and claim the information includes social determinants of health, such as online shopping habits, memberships of organizations, TV streaming habits, and information posted to social media networks. Data are amalgamated and algorithms can be used to predict the likely cost of providing insurance.

The collection and analysis of consumer-generated data by health insurers and their business associates was highlighted by ProPublica in 2018, but the public is largely unaware of the extent to which information is being collected and used.

MITRE recently commissioned a Harris Poll to explore attitudes to the use of consumer-generated data. The Harris Poll was conducted in June 2020 on 2,065 adults in the United States.

The Harris Poll revealed consumers are largely unaware of the extent to which their information is being collected and used, and of the types of information that health insurers and employers may know about individuals. 89% of respondents believed health insurers are not aware of their online spending and streaming habits, when in fact this information is being collected and used.

The use of personal data by employers and health insurers is considered to be acceptable to a majority of the respondents, albeit only for certain purposes. 60% of respondents thought it acceptable for their insurance company to use personal data to design health promotion activities, with 54% believing it acceptable for their employer to do the same. However, two thirds of respondents said it was not acceptable for an employer or health insurer to gather or purchase outside information about employees or health plan members.

“These results reinforce that a significant gap exists between what we believe our insurance companies and employers know about us personally, and what they actually do,” said Erin Williams, executive director and division director for Biomedical Innovation at MITRE. “Americans need more education about the ways third parties are accessing and using their consumer-generated data. But it really shows that companies have an obligation to be more transparent about what data they are collecting from third parties.”

There is broad acceptance that in today’s world there is no such thing as digital privacy, with 77% of respondents saying data privacy doesn’t exist. Respondents to the Harris Poll said they were willing to provide their personal information if they receive something in return, such as improving safety (65%) or for convenience (48%).

While 70% of respondents believe there is an obligation to share personal health information to stop the spread of disease, the same respondents appeared to be reluctant to share their personal data for that purpose. When asked if personal information would be shared with a national database to help stop the spread of COVID-19, only 44% of respondents said they would share their personal information. 36% said they would share their temperature data, 29% would share their location, and only a quarter would share information about chronic illnesses.

When it comes to sharing information, there is distrust of social media networks. 59% of respondents said they would feel uncomfortable with sharing any PHI with a social media network directly, although consumers may still share health information via those networks.

“Organizations may have benevolent intentions—such data can be used in productive ways that ultimately benefit consumers’ health—but consumers can potentially be harmed if this data is used inappropriately or unethically,” explained MITRE.

MITRE has developed an Ethical Framework for the Use of Consumer-Generated Data in Health Care which establishes ethical values, principles, and guidelines to guide the use of consumer-generated data for healthcare purposes.

The framework is intended to guide organizations looking to establish policies promoting the ethical use of consumer-generated data for healthcare purposes and to motivate organizations to discuss the ethical implications of using machine learning systems to analyze consumer-generated data and develop appropriate governance processes to facilitate the ethical use of those systems.

The framework is available for download from MITRE.


Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats.

NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks.

Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include current and former employees, contractors, interns, and other individuals who have been given access to data or systems. Those trusted insiders could accidentally or deliberately take actions which are disruptive to the business. Those actions could cause damage to company facilities, systems, or equipment, result in financial harm, or expose or disclose intellectual property and sensitive data.

To combat insider threats, organizations need to establish an insider threat mitigation program to detect, deter, and respond to threats from malicious and unintentional insiders. The program should protect critical assets against unauthorized access and malicious acts, and the workforce should be trained how to identify insider threats and conditioned to report any suspicious behavior or activities. The program should also involve the collection and analysis of information to help identify and mitigate insider threats quickly.

The SARS-CoV-2 pandemic has created a new set of challenges. The changes made by organizations in response to the pandemic, such as the expansion of remote working to include the entire workforce, have increased the risk of espionage, unauthorized disclosures, fraud, and data theft. It is more important than ever for organizations to have an effective insider threat mitigation program.

The main focus of NITAM 2020 is improving resilience to insider threats. This can be achieved by educating the workforce, using the resources made available in September to learn how to detect and mitigate insider threat activity, and improving protection against those threats.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) is helping to raise awareness of insider threats and has published resources that can be used by healthcare organizations to improve organizational resilience and mitigate risks posed by insider threats. Games, videos, graphics, posters, and case studies to promote NITAM are available from CISA.


Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA

The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) recently released a draft consumer privacy framework for health data to address gaps in legal protections for the health data of consumers that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Rules require healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of health data. There are restrictions on uses and disclosures of healthcare data and Americans are also given rights over how their protected health information is used, to whom that information may be disclosed, and they have the right to access their health data.

Many organizations collect, use, store, and transmit many of the data elements within the category of ‘protected health information’, yet if they are not HIPAA-covered entities or business associates of HIPAA-covered entities, HIPAA Rules will not apply.

The eHI/CDT Consumer Privacy Framework for Health Data is a voluntary, self-regulatory program “designed to hold member companies to a set of standards separately developed through a multistakeholder process” and covers consumer health data not covered by HIPAA.

The framework includes a definition of the health data which must be protected as well as the standards and rules to protect that information. The framework places limits on the amount of data collected, how health data can be used, and includes a model for holding companies accountable for data collected, used, and disclosed.

The framework requires companies to obtain affirmative express consent to collect, use, or disclose consumer health data and prohibits companies from using consumer health data for any purpose other than the reason for which the information was requested, and for which consumers gave their consent.

Notice must be provided about the information collected, used or disclosed, the purpose for data collection must be clearly stated, and if there will be any disclosures, to whom disclosures will be made. The framework also prohibits the use of consumer health information for causing harm or discrimination against an individual.

Like HIPAA, the framework calls for limits to be placed on the health information collected, disclosed or used, which should be restricted to the minimum necessary amount to achieve the purpose for which it has been collected.

The framework gives consumers rights with respect to their consumer data, including the right to access the information collected, check health information for errors, have errors corrected, and have health information deleted. If technically feasible, consumers should be able to have their data transferred to another participating entity. The framework also calls for participating entities to establish and implement reasonable security policies, practices, and procedures to ensure consumer health information is protected.

eHI/CDT are seeking constructive public feedback on the Consumer Privacy Framework for Health Data. Comments will be accepted until Friday, September 25, 2020.


OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers

The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal.

The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs).

The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and whether an app developer will be classed as a business associate.

“Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”

The portal provides access to the Mobile Health Apps Interactive Tool developed by the Federal Trade Commission (FTC) in conjunction with the HHS’ Office of the National Coordinator for Health IT (ONC) and the Food and Drug Administration (FDA). The Tool can be used by the developers of health-related apps to determine what federal rules are likely to apply to their apps. By answering questions about the nature of the apps, developers will discover which federal rules apply and will be directed to resources providing more detailed information about each federal regulation.

The portal also includes information on patient access rights under HIPAA, how they apply to the data collected, stored, processed, or transmitted through mobile health apps, and how the HIPAA Rules apply to application programming interfaces (APIs).

The update to the portal comes a few months after the ONC’s final rule that called for health IT developers to establish a secure, standards-based API that providers could use to support patient access to the data stored in their electronic health records. While it is important for patients to be able to have easy access to their health data to allow them to check for errors, make corrections, and share their health data for research purposes, there is concern that sending data to third-party applications, which may not be covered by HIPAA, is a privacy risk.

OCR has previously confirmed that once healthcare providers have shared a patient’s health data with a third-party app, as directed by the patient, the data will no longer be covered by HIPAA if the app developer is not a business associate of the healthcare provider. Healthcare providers will not be liable for any subsequent use or disclosure of any electronic protected health information shared with the app developer.

A FAQ is also available on the portal that explains how HIPAA applies to Health IT and a guidance document explaining how HIPAA applies to cloud computing to help cloud services providers (CSPs) understand their responsibilities under HIPAA.


California Senate Passes Bill Establishing the Genetic Information Privacy Act

A bill (SB-980) that establishes the Genetic Information Privacy Act has been passed by the California Senate and now awaits California Governor Gavin Newsom’s signature.

The Genetic Information Privacy Act will introduce new requirements for companies offering direct-to-consumer genetic tests to protect consumer privacy and safeguard personal and genetic data.

Currently, direct-to-consumer genetic testing services are largely unregulated. There is concern that the practices of companies that offer these services could potentially expose sensitive genetic information and that outside parties could exploit genetic data for questionable purposes, such as mass surveillance, tracking individuals without authorization, or disclosing genetic data in ways that result in discrimination against certain individuals. In contrast to many elements of “protected health information”, genomic data is stable and undergoes little change over the lifetime of an individual, so any disclosure of genetic data could have life-long consequences for the individual concerned.

The Genetic Information Privacy Act will apply to any company that sells, markets, interprets, or otherwise offers genetic testing services that are initiated directly by consumers. The Act will not apply to licensed providers who are diagnosing or treating a medical condition.

The Act has several privacy and data security provisions. All consumers must be provided with notice about the company’s policies and procedures with respect to the collection, use, maintenance, and disclosure of personally identifiable genetic data.

Express consent must be obtained from consumers prior to the collection, use, or disclosure of a consumer’s genetic data, and separate express consent must be obtained for certain defined activities, such as any transfer of genetic data to a third party and marketing based on a consumer’s genetic data. If a consumer chooses to revoke their consent at any point, any biological samples provided must be destroyed within 30 days of the revocation being received.

Any entity required to comply with the Genetic Information Privacy Act must implement reasonable security safeguards, procedures, and practices to ensure that a consumer’s genetic data is protected against unauthorized access, use, modification, disclosure, and destruction.

Policies and procedures must be developed and implemented to enable a consumer to access their genetic data, have their account and genetic data deleted, and their sample destroyed. Disclosures of genetic data to certain entities, including those that offer health and life insurance and employers, are not permitted, subject to specified exemptions. Companies are also prohibited from discriminating against a consumer for exercising the rights given to them by the Genetic Information Privacy Act.

Any medical information governed by the California Confidentiality of Medical Information Act is exempted, as is any protected health information collected, maintained, used, or disclosed by HIPAA-covered entities or their business associates, pursuant to HIPAA and the HITECH Act.

Any entity covered by the Genetic Information Privacy Act found to have violated any of its provisions will be subject to civil monetary penalties.

The post California Senate Passes Bill Establishing the Genetic Information Privacy Act appeared first on HIPAA Journal.

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations.

Healthcare professionals often create presentations that include medical images for educational purposes; however, care must be taken to ensure that protected health information is not accidentally exposed or disclosed. Medical images frequently carry embedded patient identifiers so that an image can be matched to the right patient, but advances in web crawling technology now allow that information to be extracted from the image pixels, which places patient privacy at risk.

The web crawling technology used by search engines such as Google and Bing has enabled the large-scale extraction of information from previously stored files. Advances in that technology now allow information in slide presentations that was previously considered de-identified to be indexed, including patient identifiers. Source images can be extracted from PowerPoint presentations and PDF files, for example, and optical character recognition can read alphanumeric characters that are embedded in the image pixels.

As part of the indexing process, the recognized text becomes associated with the images, so a search for a term that appears in those images (a patient name, a medical record number) will return the files that contain them.

If a patient searches for their own name, for example, an image from a diagnostic study conducted several years earlier could appear in the results. Clicking the image would take the patient to the website of a professional imaging association that had stored a PowerPoint presentation or Adobe PDF file which had been used internally in the past for education purposes.

The professional imaging association would likely be unaware that the image contained any protected health information. The author of the file would be equally unlikely to know that the PHI had not been sufficiently de-identified when the presentation was created, or that saving the presentation as an Adobe PDF file did nothing to protect patient privacy, since the PDF still carries the full source images.

The radiology organizations have offered guidance to healthcare organizations to help them avoid accidental PHI disclosures when creating online presentations containing medical images for educational purposes.

When creating presentations, only medical images that do not include any patient identifiers should be used. If a medical image has embedded patient identifiers, screen capture software should be used to capture only the part of the image that shows the area of interest, omitting the region that contains patient identifiers. Alternatively, an anonymization algorithm built into the PACS should be applied before saving a screen or active-window capture, or the patient information overlays should be disabled before exporting the image.

The radiology organizations warn against using the formatting tools in presentation software (PowerPoint, Keynote, Google Slides, etc.) to crop images so that patient identifiers are not displayed: the crop only changes how the image is shown, and the full original image, identifiers included, remains stored in the file. They also warn that using image editing software such as Adobe Photoshop to black out patient identifiers is not a safe and compliant de-identification practice.

After patient identifiers have been removed, a final quality control check is recommended to ensure that the images have been properly sanitized before they are made public.
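The following script is an added example of the kind of quality control check described above; it is not code from the radiology organizations or from HIPAA Journal. It exploits the way Office Open XML stores a PowerPoint crop: the slide XML records an `<a:srcRect>` element (edge offsets in thousandths of a percent) while the untouched original file stays under `ppt/media/` inside the .pptx zip, which is exactly what a crawler or a curious reader extracts. The scanner lists every picture whose crop exists only as that metadata and confirms the original part is still in the package. The sample deck it builds is constructed inline from the minimal parts the scanner reads (the media bytes are a placeholder, not a real image); the function and dictionary key names are this example's own.

```python
"""QC check: find pictures in a .pptx whose crop is only slide metadata (added example)."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "p": "http://schemas.openxmlformats.org/presentationml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
}
SLIDE_RE = re.compile(r"ppt/slides/slide\d+\.xml")


def find_metadata_cropped_images(pptx_bytes: bytes) -> List[Dict]:
    """One finding per picture that has a non-empty <a:srcRect> crop.

    Each finding names the slide, the media part the crop points at, the crop
    percentages per edge, and whether the original media part is still stored.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for slide in sorted(n for n in names if SLIDE_RE.fullmatch(n)):
            # rId -> Target mapping lives in ppt/slides/_rels/slideN.xml.rels
            rels_part = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_part in names:
                for rel in ET.fromstring(z.read(rels_part)):
                    rels[rel.get("Id")] = rel.get("Target")
            root = ET.fromstring(z.read(slide))
            for fill in root.iter(f"{{{NS['p']}}}blipFill"):
                blip = fill.find("a:blip", NS)
                src = fill.find("a:srcRect", NS)
                if blip is None or src is None:
                    continue  # not a picture, or displayed uncropped
                # l/t/r/b are the amounts hidden from each edge, in 1/1000 of a percent
                crop = {k: int(src.get(k, "0")) / 1000 for k in ("l", "t", "r", "b")}
                if not any(crop.values()):
                    continue  # srcRect present but empty: nothing is hidden
                target = rels.get(blip.get(f"{{{NS['r']}}}embed"), "")
                media = posixpath.normpath(posixpath.join("ppt/slides", target))
                findings.append({
                    "slide": slide,
                    "media": media,
                    "crop_pct": crop,
                    "original_present": media in names,
                    "original_bytes": z.getinfo(media).file_size if media in names else 0,
                })
    return findings


# --- constructed sample deck: only the parts the scanner reads, placeholder media ---
SAMPLE_MEDIA = b"\x89PNG\r\n\x1a\n" + b"<placeholder for a CT frame with a burned-in name banner>"

SAMPLE_SLIDE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="{a}" xmlns:p="{p}" xmlns:r="{r}"><p:cSld><p:spTree>
  <p:pic><p:nvPicPr><p:cNvPr id="2" name="Picture 1"/><p:cNvPicPr/><p:nvPr/></p:nvPicPr>
    <p:blipFill><a:blip r:embed="rId2"/><a:srcRect t="12000" b="8000"/>
      <a:stretch><a:fillRect/></a:stretch></p:blipFill><p:spPr/></p:pic>
  <p:pic><p:nvPicPr><p:cNvPr id="3" name="Picture 2"/><p:cNvPicPr/><p:nvPr/></p:nvPicPr>
    <p:blipFill><a:blip r:embed="rId3"/><a:stretch><a:fillRect/></a:stretch></p:blipFill><p:spPr/></p:pic>
</p:spTree></p:cSld></p:sld>""".format(**NS)

SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.png"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image2.png"/>
</Relationships>"""


def build_sample_pptx() -> bytes:
    """Build an in-memory zip: one picture cropped top/bottom by metadata, one uncropped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", SAMPLE_SLIDE)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
        z.writestr("ppt/media/image1.png", SAMPLE_MEDIA)
        z.writestr("ppt/media/image2.png", SAMPLE_MEDIA)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_metadata_cropped_images(build_sample_pptx()):
        print(f"{f['slide']}: {f['media']} hidden by metadata only, crop {f['crop_pct']}; "
              f"original still in package: {f['original_present']} ({f['original_bytes']} bytes)")
```

Run it against a real deck by passing the file's bytes to `find_metadata_cropped_images`; any finding means the identifiers hidden by the crop are still one unzip away, and the image must be re-exported from a capture that never contained them. The same idea applies to the "black box" edit: a rectangle drawn over the identifiers in the slide is a separate shape, and the image beneath it is untouched.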

You can view the guidance on the removal of PHI from medical images prior to creating medical image presentations on this link.

The post Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations appeared first on HIPAA Journal.