Healthcare Data Privacy

HIPAA Compliance for Self-Insured Group Health Plans

HIPAA compliance for self-insured group health plans – or self-administered health group plans – is one of the most complicated areas of HIPAA legislation.

The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed obligations on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic health care transactions, unique health identifiers, and data security.

The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices.

Definition of a Self-Insured Group Health Plan

Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.

Typically, a self-insured employer will set up a special trust fund to earmark money (corporate and employee contributions) to pay incurred claims and either administer the plan themselves or – more commonly for larger employers – retain the services of an outside third-party administrator. A self-insured group health care plan can also include medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).

Exemptions from HIPAA Compliance for Self-Insured Companies

Exemptions from HIPAA compliance for self-insured companies are rare. Only if a group health plan is self-insured, self-administered and the employer has fewer than fifty employees is the company exempt from HIPAA compliance – provided medical FSAs and HRAs are also administered by the employer and not an outside third-party administrator. Providing an employee assistance plan or wellness plan can also trigger HIPAA compliance for self-insured companies.

Not surprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is applicable when neither the sponsor of a group health plan nor its insurance agent has any access to or transmits Protected Health Information (PHI) electronically. These “hands off” group health plans only occur in specific circumstances, and generally most self-insured group health plans will be subject to HIPAA compliance.

What Does HIPAA Compliance for Self-Insured Group Health Plans Consist Of?

As mentioned above, HIPAA compliance for self-insured group health plans is one of the most complicated areas of HIPAA legislation. This is not only because it can be difficult to determine whether a company is subject to the legislation, but also because compliance requirements will vary from company to company depending on factors such as its size, the nature of its business and its internal organization.

Appoint a Privacy and Security Officer

Companies with self-insured group health plans should start by appointing a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be performed by the same person and/or an existing employee, and their first role is to identify where, why, and to what extent PHI is created, received, maintained or transmitted by the group health plan. This will likely involve many different departments such as IT, legal, payroll and HR.

Develop HIPAA-Compliant Privacy Policies

Once the discovery of PHI is completed, the next stage of HIPAA compliance for self-insured group health plans is to develop HIPAA-compliant privacy policies establishing the permitted uses and disclosures of PHI. This should take into account third-party administrators who – as a Business Associate – will also have to comply with HIPAA, and with whom it will be necessary to enter into a HIPAA Business Associate Agreement.

Develop HIPAA-Compliant Security Policies

One of the requirements of the HIPAA Security Rule is for Covered Entities to implement administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to fulfil this requirement, Security Officers should conduct a risk assessment to identify any vulnerabilities that may lead to the unauthorized disclosure of electronic PHI, and – following a risk analysis – implement suitable measures and policies to address the vulnerabilities.

Develop a Breach Notification Policy

Despite a company’s best efforts to achieve HIPAA compliance for self-insured group health plans, there may be a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be prepared for such occurrences and should develop a breach notification policy in order to advise employees that personal information may have been compromised, and to notify the HHS Office for Civil Rights when necessary.

Employee Training is Essential

In order to enforce the policies and ensure HIPAA compliance for self-insured companies, employee training is essential. As members of a self-insured group health plan, each employee should be given a notice of the plan’s privacy practices which can be used to explain why maintaining the integrity of PHI is essential. Each employee should also be given a copy of the company’s sanction policy explaining the consequences of failing to comply with the privacy, security and breach notification policies.

Further Information about HIPAA Compliance for Self-Insured Companies

Further information about HIPAA compliance for self-insured companies can be found in our “HIPAA Compliance Guide”. Our free-to-download guide provides more detailed information about the HIPAA Privacy Rule, the administrative, physical and technical safeguards of the HIPAA Security Rule, and the process for conducting risk assessments and risk analyses. You will also be able to find more information on Business Associates and Business Associate Agreements – an essential part of HIPAA compliance for self-insured group health plans if your company uses the services of an outside third-party administrator.

The post HIPAA Compliance for Self-Insured Group Health Plans appeared first on HIPAA Journal.

HIPAA Compliance for HR Departments

Businesses not directly involved in the healthcare or healthcare insurance industries should nonetheless pay close attention to HIPAA compliance for HR departments. It has been estimated that a third of all workers and their dependents who receive occupational healthcare benefits do so through a self-insured group health plan.

Although this does not mean a self-insuring business automatically becomes a HIPAA-Covered Entity – and thereby subject to HIPAA regulations – the likelihood is the HR department will have some involvement with insurance-related tasks. During the execution of the insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information.

Why HIPAA Compliance for HR Departments is Important

The original purpose of the Healthcare Insurance Portability and Accountability Act (HIPAA) was to improve the portability and continuity of health insurance coverage. As the Act progressed through Congress, amendments were added with the intention of combating waste, fraud and abuse in the health insurance and healthcare industries.

As a result of these amendments, the HIPAA Privacy and Security Rules were introduced. The Rules restrict access to and use of Protected Health Information (PHI), primarily to give patients and members of group healthcare plans control over how their personal information is used. For example, healthcare organizations can no longer use a patient’s PHI for marketing activities without the patient’s consent.

A further purpose of restricting access to PHI is to prevent one person using somebody else’s PHI to obtain free healthcare – effectively identity theft. As the costs of medical treatment have increased, so has the value of healthcare data. A 2014 report calculated a full dossier of healthcare data on the black market is worth upwards of $1,200. By comparison, a stolen Visa card is worth $4.

Major Areas of HIPAA Compliance for HR Departments

There are four major areas of HIPAA compliance in which HR personnel should be well-versed. These relate to understanding the key components of the Privacy and Security Rules, helping employees understand their rights under HIPAA legislation, safeguarding the PHI of employees, and working with Covered Entities and Business Associates with whom PHI is shared.

These areas of HIPAA compliance for HR departments are comprehensively covered in our “HIPAA Compliance Guide” – a free booklet summarizing the law and its implications. However, there are some areas of HIPAA compliance which – although not unique to HR – sometimes get overlooked in the effort to achieve HIPAA compliance:

Don’t Assume the IT Department is Responsible for Security Rule Compliance

An IT manager is usually delegated as the HIPAA Security Officer, and it is their responsibility to ensure every department within the company is compliant with the Security Rule. But this is not always the case, and HR personnel should not assume the responsibility for security is not theirs.

Remember to Send Updates and Reminders of Privacy Practice Notices

Employees enrolled in a self-insured group health plan must be given a Privacy Practice Notice informing them of their HIPAA-related rights. Most HR departments remember to do this, but some forget to send updates when privacy practices are revised, and a reminder at least once every three years.

Maintain a Written Policy for Investigating and Resolving Complaints

Although not required by HIPAA, a policy should be in place to record privacy complaints, investigations and resolutions. This will be of significant benefit to the company – and the HR department in particular – if an employee pursues their complaint to the Department of Health & Human Services.

Don’t Overlook State Privacy Law Compliance

The relationship between HIPAA and state privacy laws is a source of confusion for some people. HIPAA pre-empts any state privacy laws with weaker privacy protection, but not those that provide stronger privacy protection. In the quest for HIPAA compliance, HR departments should not overlook state requirements.

The post HIPAA Compliance for HR Departments appeared first on HIPAA Journal.

HIPAA Compliance for Community Health Centers

There is an argument that there should be a different level of HIPAA compliance for community health centers, due to community health centers having fewer resources available to them than other Covered Entities. Unfortunately, due to the complexity of the Healthcare Insurance Portability and Accountability Act (HIPAA), introducing different levels of HIPAA compliance for community health centers would be logistically complex and lead to demands for other “special interest groups” to be taken into account.

A list of “special interest groups” could be extensive. Should charity-funded hospices, for example, have the same level of HIPAA compliance as privately-owned, for-profit medical centers? It may not seem fair, but the answer is “Yes”. This is because a breach of Protected Health Information (PHI) from any source is still a breach of PHI, and the potential consequences of a breach (identity theft, insurance fraud, etc.) will be no different, regardless of how, where or when the breach occurred.

The Purpose of HIPAA Compliance for Community Health Centers

The purpose of HIPAA compliance for community health centers is to safeguard the privacy of patients and protect against the misuse of their PHI. In order to achieve this, the Department of Health & Human Services has published Privacy and Security Rules and a Breach Notification Rule which Covered Entities (healthcare providers, healthcare plans and healthcare clearinghouses) have to comply with. These Rules cover the use, disclosure, storage and transmission of all forms of PHI (i.e. paper, electronic, etc.).

Community health centers not only have to comply with these Rules themselves, they have to make sure any “Business Associate” they share PHI with is also HIPAA-compliant. Business Associates are best described as entities who do not encounter PHI in their normal or primary business, but who may have access to it in the course of providing a service for a community health center. The list of potential Business Associates is extensive and can include lawyers, accountants, and cloud service providers.

Where to Start with HIPAA Compliance for Community Health Centers

The first stage of achieving HIPAA compliance for community health centers is to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These roles can be fulfilled by the same person, and can either be somebody brought in to oversee HIPAA compliance or an existing member of the health center team. It is possible to appoint a company to assist with HIPAA compliance during the preliminary stages, and then have an existing member take over the positions once the basic requirements are met.

The Officer(s) responsible for HIPAA compliance should first conduct a risk assessment in order to identify areas of the community health center’s operations in which vulnerabilities exist that may result in the unauthorized disclosure of PHI. The Officer(s) should evaluate existing privacy and security policies in order to determine whether they are configured and used as necessary, and then perform a risk analysis to draw up an action plan of the measures required to achieve HIPAA compliance.

Develop HIPAA-Compliant Policies and Train (and Re-Train) Employees

The action plan will help Privacy and Security Officers prioritize the most crucial vulnerabilities preventing HIPAA compliance for community health centers. Measures need to be implemented to mitigate the risks of a data breach and policies developed to make sure the measures are understood and adhered to. This will involve employee training and the development of a sanctions policy informing employees of the consequences of failing to comply with the new policies.

Employee training should not be regarded as an item to tick off a HIPAA compliance checklist. It should be ongoing and, due to the complexity of HIPAA, more frequent than the annual training suggested by the Department of Health & Human Services. In order to be effective, training about HIPAA compliance for community health centers should address different issues in short sessions. The content of a day’s compressed training is unlikely to be remembered until the next training session one year later.

Further Information about HIPAA Compliance for Community Health Centers

Further information about HIPAA compliance for community health centers can be found in our free-to-download “HIPAA Compliance Guide” – an invaluable review of the legislation that includes more about what constitutes PHI, the contents of the Privacy, Security and Breach Notification Rules, and how relationships with Business Associates should proceed.

There are multiple benefits of achieving and maintaining HIPAA compliance for community health centers. Eligibility for HRSA Section 330 grants and Meaningful Use incentive payments can depend on HIPAA compliance, plus patients will feel happier knowing the integrity of their personal data is being safeguarded. Make sure the community health center under your care is HIPAA compliant. Download our guide today.

The post HIPAA Compliance for Community Health Centers appeared first on HIPAA Journal.

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff.

The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials.

Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established that access to the email accounts was gained by unauthorized individuals, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or if any sensitive information was stolen. Since the attack occurred, no reports of misuse of patient information have been received.

To protect individuals against identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those individuals whose Social Security numbers were compromised.

Medical College of Wisconsin reports that in addition to some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been impacted by the breach.

The latest Medical College of Wisconsin phishing attack comes just 10 months after a similar incident resulted in the exposure of 3,200 patients’ protected health information.

The post 9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack appeared first on HIPAA Journal.

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals; the actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed.

Including the 150,000 individuals impacted by the largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the past few months hacking has been the leading cause of breaches. That trend continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, and the loss and theft of devices was behind 16.2% of incidents. The causes of the remaining 18.9% of breaches are not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders – five due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports containing the PHI of at least 150,000 individuals; it was one of two such incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope; this was a major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, health plans reported 7 incidents, and one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.

The post November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches appeared first on HIPAA Journal.

Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email.

While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device.

It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers.

The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital, UPMC Susquehanna Lock Haven, Sunbury Community Hospital, Soldiers and Sailors Memorial Hospital in Wellsboro, Williamsport Regional Medical Center and Divine Providence Hospital in Williamsport.

UPMC Susquehanna responded quickly to the breach, terminating unauthorized access. Staff have also been provided with “intensive retraining” on hospital policies and appropriate federal and state laws to prevent any recurrence. UPMC Susquehanna stated this training was in addition to the annual training sessions already provided to all staff members on the privacy and confidentiality of patient health information. UPMC Susquehanna has also conducted a complete review of its policies and procedures for keeping patient information secure.

All patients impacted by the incident have been offered complimentary identity theft protection services and have now received notifications in the mail. Patients have also received instructions on the steps they can take to protect their accounts and credit in case their information is misused.

The post Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI appeared first on HIPAA Journal.

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

[Chart: Healthcare data breaches by month (July–October 2017)]

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

[Chart: Healthcare records breached, July–October 2017]

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

[Chart: October 2017 healthcare data breaches by covered entity type]

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8 hacking incidents, four cases of theft, and one unencrypted laptop computer was lost.

[Chart: Causes of October 2017 healthcare data breaches]

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records: over twice the number of records exposed by unauthorized access/disclosures, and more than all other breach types combined.

[Chart: October 2017 healthcare data breaches – records exposed by breach type]

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

[Chart: October 2017 healthcare data breaches – location of breached PHI]

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017


Breached Entity | Entity Type | Breach Type | Individuals Affected
Chase Brexton Health Care | Healthcare Provider | Hacking/IT Incident | 16,562
East Central Kansas Area Agency on Aging | Business Associate | Hacking/IT Incident | 8,750
Brevard Physician Associates | Healthcare Provider | Theft | 7,976
MHC Coalition for Health and Wellness | Healthcare Provider | Theft | 5,806
Catholic Charities of the Diocese of Albany | Healthcare Provider | Hacking/IT Incident | 4,624
MGA Home Healthcare Colorado, Inc. | Healthcare Provider | Hacking/IT Incident | 2,898
Orthopedics NY, LLP | Healthcare Provider | Unauthorized Access/Disclosure | 2,493
Mann-Grandstaff VA Medical Center | Healthcare Provider | Theft | 1,915
Arch City Dental, LLC | Healthcare Provider | Unauthorized Access/Disclosure | 1,716
John Hancock Life Insurance Company (U.S.A.) | Health Plan | Unauthorized Access/Disclosure | 1,715

The post October 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

How to Handle A HIPAA Privacy Complaint

Healthcare providers need to be prepared to deal with a HIPAA privacy complaint from a patient. In order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly.

Patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices.

A HIPAA Privacy Complaint Should be Taken Seriously

When a HIPAA privacy complaint is filed, it is important that it is dealt with quickly and efficiently. Fast action will help to reassure patients that you treat all potential privacy and security violations seriously.

While patients may be annoyed or upset that an error has been made, in many cases, patients are not looking to cause trouble. They want the issue to be investigated, any risks to be mitigated, the problem to be addressed to ensure it does not happen again, and in many cases, they seek an apology. If the complaint is dealt with quickly and efficiently, it may not be taken any further.

If a verbal complaint is made, the patient should be asked to submit the complaint in writing. You should provide a form for the patient to do this. The HIPAA privacy complaint form can then be passed on to your Privacy Officer to investigate.

Investigate All Complaints and Take Prompt Action

All HIPAA privacy complaints should be investigated to determine who was involved, and how the privacy of the patient was violated. The privacy breach may not be a one-off mistake. It could be an indication of a widespread problem within your organization. The Privacy Officer must identify the root cause of the privacy violation and take action to ensure that any issues are corrected to prevent similar privacy breaches from occurring in the future.

All individuals involved in the breach must be identified and appropriate action taken – disciplinary action and/or additional training. A report of the incident should be given to law enforcement if a crime is suspected, and policies and procedures may need to be updated to introduce new safeguards to prevent a recurrence.

The Privacy Officer will need to determine whether there has been a HIPAA breach, and if the incident must be reported. The investigation must determine whether any other patients are likely to have had their privacy violated. If so, they will need to be notified within 60 days.

If a HIPAA breach has occurred, the Breach Notification Rule requires covered entities to report the breach to OCR without unnecessary delay. State laws may also require healthcare organizations to notify appropriate state attorneys general of the breach.

A breach impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach, and within 60 days of year end for smaller breaches. The failure to investigate promptly may see that deadline missed. In 2017, OCR issued its first HIPAA penalty solely for a Breach Notification Rule violation.

It is important that all stages of the complaint and investigation are documented. Those documents are likely to be requested in the event of an audit or investigation by OCR or state attorneys general. If any documents are missing, that aspect of the complaint investigation cannot be easily proven to have taken place.

Once the investigation into the HIPAA privacy complaint has been completed, it is important to report back to the complainant, explain that their complaint has been investigated, and describe the actions taken to mitigate harm and prevent similar incidents from occurring in the future.

Summary of How to Correctly Handle a HIPAA Complaint

  • Request the HIPAA privacy complaint is made in writing
  • Pass the complaint to the Privacy Officer
  • Privacy Officer should find out who was involved and what PHI was breached
  • The root cause of the breach must be established
  • Action should be taken to mitigate harm
  • Pass information to HR to take disciplinary action against employees (if appropriate)
  • Report the breach to law enforcement (if appropriate)
  • Policies and procedures should be updated to prevent a recurrence
  • Retrain staff
  • Determine whether the breach is a reportable incident
  • Collate all documentation in relation to the breach and investigation
  • Contact the complainant and explain the findings of the investigation

If the breach is determined to be a reportable incident

  • Submit a breach report to OCR
  • Submit breach reports to appropriate state attorneys general
  • Provide a toll-free number for patients to find out more information
  • Notify all affected individuals by mail
  • Post a breach notice in a prominent place on the home page of your organization’s website for 90 days if current contact information for 10 or more individuals is not held

If the breach is discovered to affect more than 500 individuals

  • Issue a press release to a prominent media outlet

Privacy Violations Can Result in Financial Penalties

When patients believe their privacy has been violated, or HIPAA Rules have been breached, they may report the incident to the Department of Health and Human Services’ Office for Civil Rights. Some patients may choose to take this course of action rather than contact the covered entity concerned.

OCR is likely to take an interest in an organization’s HIPAA policies covering privacy complaints. Financial penalties await organizations that do not have documented policies and procedures in place, and the penalties for HIPAA violations can be severe.

OCR wants to see that complaints are treated seriously, they are adequately investigated and resolved, and that prompt action is taken to ensure they do not happen again. A fast and efficient response to a HIPAA privacy complaint – and correction of any HIPAA violations uncovered – will reduce the risk of a HIPAA violation penalty, and the amount of the penalty if it cannot be avoided.

The post How to Handle A HIPAA Privacy Complaint appeared first on HIPAA Journal.

Is Google Hangouts HIPAA Compliant?

Is Google Hangouts HIPAA compliant? Can Google Hangouts be used by healthcare professionals to transmit and receive protected health information (PHI)?

Is Google Hangouts HIPAA Compliant?

Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular that has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that incorporates four different elements: video chat, SMS, VoIP, and an instant messaging service.

Google will sign a business associate agreement for G Suite, which currently covers the following Google core services:

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (If applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

The Business Associate Agreement does not cover Google Groups, Google Contacts, and Google+, none of which can be used in conjunction with protected health information. Google also advises users to disable the use of non-core services in relation to G Suite – for example YouTube, Blogger and Google Photos.

So, certain elements of Google Hangouts are HIPAA compliant and can be used by HIPAA covered entities without violating HIPAA Rules, provided that prior to the use of the services with PHI, the covered entity has entered into a business associate agreement with Google.

However, even with a BAA in place, not all elements of Google Hangouts are HIPAA compliant, so covered entities must exercise caution. Video chat, for instance, is not covered by the BAA and so cannot be used with PHI, and neither can the SMS and VoIP options.

To help make Google Hangouts HIPAA compliant, Google has released a guide for healthcare organizations.

Google Hangouts HIPAA Compliance Depends on Users

If you decide to allow the use of Google Hangouts in your organization, it is important to address the allowable uses of Google Hangouts with respect to PHI through policies and procedures. Staff must be trained on the correct use of the platform, and instructed which elements of Google Hangouts can be used and which are prohibited. If video chat is important for your organization, you should seek a HIPAA-compliant alternative platform.

As we have mentioned in a previous post, simply obtaining a BAA from Google is no guarantee of HIPAA compliance – that will depend on how Google services are configured and how they are used. See this page for further information on G Suite HIPAA compliance.

Don’t Forget to Implement Additional Safeguards for Mobile Devices

One area where HIPAA-covered entities could easily violate HIPAA Rules is the use of Google Hangouts on mobile devices. Google does have excellent security controls that can alert users to potential unauthorized access to their Google account. These should be configured to ensure inappropriate access attempts are identified rapidly. Controls should also be implemented on mobile devices to ensure that the devices are protected in case of loss or theft.

Access controls on the device should be implemented to prevent the device, and any ePHI stored on it, from being easily accessed. Policies and procedures should also be developed to ensure lost and stolen devices are reported promptly, and actions taken to secure accounts. It is also recommended to implement controls that allow lost and stolen devices to be located, locked, and remotely wiped.

The post Is Google Hangouts HIPAA Compliant? appeared first on HIPAA Journal.