Healthcare Data Privacy

Which Situations Allow a Medical Professional to Release Information?

The situations when a medical professional can release information vary depending on who is releasing the information, what information is being released, when it is being released, and where it is being released. 

It is fair to say there is considerable misunderstanding, both within and outside the healthcare industry, about which situations allow a medical professional to release information. Evidence for this can be found in stories covered by mainstream news channels in which patients and their families have been denied their HIPAA rights by medical professionals, or in which politicians have failed to grasp the basics of health information privacy.

To find further evidence supporting this statement, you need only visit the Enforcement Highlights page on the Department of Health and Human Services (HHS) website. The page reveals that, since 2003, the agency has received more than 300,000 complaints alleging violations of HIPAA. Of those 300,000 complaints, more than 200,000 have been rejected because “the complaint did not present an eligible case for enforcement”. The most common reasons for complaints being rejected were:

  • The alleged privacy violation was by an entity not covered by HIPAA.
  • The complaint was withdrawn, or submitted after the 180-day limit.
  • The activity described was not a health information privacy violation.

So, which situations allow a medical professional to release information? We look at the who, what, when, and where of health information privacy to establish not only the situations in which a medical professional is allowed to release information but also those in which they are not. To do this, it is necessary to answer four questions: who is releasing the information, what information is being released, when is it being released, and where?

Who is Releasing the Information?

In the context of which situations allow a medical professional to release information, there are three types of medical professionals to consider:

  • A solo practitioner that qualifies as a Covered Entity under HIPAA.
  • A solo practitioner that does not qualify as a HIPAA Covered Entity.
  • A medical professional that is employed by a Covered Entity.

The difference between the three starts with the fact that a solo practitioner that qualifies as a Covered Entity is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules, and with any state laws that preempt the HIPAA Rules because they provide more protection to individually identifiable health information or allow greater rights to patients.

A solo practitioner does not qualify as a HIPAA Covered Entity if they do not conduct electronic transactions for which HHS has published standards in 45 CFR Part 162. However, although they do not have to comply with the HIPAA Privacy, Security, and Breach Notification Rules, they do have to comply with state privacy and breach notification legislation.

A medical professional that is employed by a Covered Entity is required to comply with their employer’s employment policies. Therefore, although some releases of information may be permitted by HIPAA, the medical professional’s employer may have decided that the release of certain information cannot be adequately monitored and has prohibited its release.

The difference between the three types of medical professionals is not absolute. If a Covered Entity refers a patient to a solo practitioner who does not qualify as a HIPAA Covered Entity, the solo practitioner becomes a Business Associate of the Covered Entity and is required to comply with the HIPAA Rules. Therefore, a solo practitioner may be operating under one set of health information privacy regulations in the morning, and a different set of regulations in the afternoon.

What Information is Being Released?

The nature of information being released can also determine which situations allow a medical professional to release information. Generally, Covered Entities and employees of Covered Entities are permitted to release certain types of health information in the circumstances described below when the information being released is Protected Health Information or is individually identifiable (non-health) information maintained in the same record set as Protected Health Information.

The protection of non-health information maintained in the same record set as Protected Health Information is one of the primary reasons why misunderstandings exist about which situations allow a medical professional to release information. This is because information such as a patient’s name, address, and phone number is protected by the Privacy Rule for as long as it is maintained in a record set with the patient’s health information, but not when it is maintained in a separate database for operational purposes (although state privacy regulations may apply).

It is also the case that any information can be released by a medical professional with the written authorization of the subject of the information (or their personal representative). Conditions apply to authorizations inasmuch as the subject of the information must be informed what information is being released, what it is being released for, who it is being released to, and for how long it is being released. Therefore, in terms of the nature of information being released, it could be:

  • Individually identifiable health information protected by the HIPAA Privacy Rule.
  • Individually identifiable non-health information maintained in the same record set.
  • Individually identifiable non-health information maintained in a separate database.
  • Any information – the release of which has been authorized by the subject.

The same distinctions in the nature of information can also apply to solo practitioners that do not qualify as a HIPAA Covered Entity depending on the content of state legislation. There are currently forty-four states with medical privacy statutes on their books (the remaining states include medical privacy in digital privacy legislation), and some states have multiple medical privacy statutes dealing with separate medical disciplines. Dissecting them all is beyond the scope of this article.

When is Information being Released?

The HIPAA Privacy Rule protects the privacy of individually identifiable health information by stipulating the permissible uses of Protected Health Information, disclosures of Protected Health Information that require authorization from the subject of the information, and disclosures for which the individual should be given the opportunity to agree or object if possible. These situations when information can be released by medical professionals include (but are not limited to):

  • To individuals exercising their rights to request copies of Protected Health Information.
  • To the HHS’ Office for Civil Rights in response to a patient complaint or compliance audit.
  • Internally or to other Covered Entities for treatment, payment, or healthcare operations.
  • To Business Associates for the purposes stipulated in a Business Associate Agreement.
  • To personal representatives of adult patients and unemancipated minor patients.
  • To authorized public health authorities to prevent or control disease, injury, or disability.
  • To the Food and Drug Administration (FDA) to report adverse events and track FDA-regulated products.
  • To employers when the release of information is required to fulfill OSHA or state reporting requirements.

There is also a long list of scenarios when authorization or an opportunity to agree or object is not required (45 CFR §164.512). In these scenarios, it is often the case that the information that can be released is limited in content rather than limited to the minimum necessary amount to achieve the purpose of the use or disclosure. These too can create misunderstandings about which situations allow a medical professional to release information and what information can be released.

The misunderstandings can be amplified by state laws that preempt the HIPAA Rules because they provide more protection for individually identifiable health information. As demonstrated in the next section, state laws can limit what information is being released and when it is being released by both Covered Entities and solo practitioners that do not qualify as HIPAA Covered Entities. As mentioned previously, employees of Covered Entities may also be limited on what information can be released – and when – by their employer’s HIPAA policies.

Where is Information being Released?

To demonstrate the challenges of determining which situations allow a medical professional to release information, we have provided two examples that show why it matters who is releasing information (and who the information is being released to), what information is being released, and where the information is being released. Scenarios similar to these could apply anywhere in the country, regardless of whether a medical professional is a Covered Entity, does not qualify as a Covered Entity, or is an employee or a Business Associate of a Covered Entity.

Scenario A – Releasing Information to a Support Group

Patient A and Patient B have been receiving mental health treatment – Patient A from a hospital that qualifies as a Covered Entity and Patient B from a private counselor that does not qualify as a HIPAA Covered Entity. Both the hospital and the counselor are located in California.

The hospital and the private counselor agree it would benefit their respective patients if they were to join the same support group. There is no treatment relationship between either of the medical professionals and the support group. The support group is a voluntary organization that neither qualifies as a Covered Entity nor is part of an Organized Health Care Arrangement.

The hospital cannot disclose any information about Patient A to the support group without the patient’s authorization because there is no treatment relationship. If authorization is provided, the hospital can only provide the minimum necessary information about why the patient is joining the support group.

The private counselor is not subject to the same restrictions as the hospital but is subject to California’s Confidentiality of Medical Information Act (CMIA). Under §56.10 of the Act, the private counselor is allowed to release as much information as they feel is appropriate to benefit the patient without authorization.

Analysis of Scenario A

Although the private counselor has the option to provide more information about Patient B without the patient’s authorization, there is no accountability with regard to Patient B’s health information privacy. Patient B has not been advised that there may be no control over what happens to the health information once it has been released to the support group, and the private counselor could be held liable (under CMIA) if it is further disclosed.

Because of the requirements of the HIPAA Privacy Rule, only the minimum necessary health information about Patient A can be released by the hospital to the support group (with Patient A’s authorization). This not only limits how much health information is released but, because Patient A has been advised there is no control over what happens to the health information, the hospital is not liable if it is further disclosed.

Scenario B – Reporting Domestic Abuse to Authorities

One of the most complex situations in which medical professionals may – or may not – be permitted to release information relates to reporting domestic abuse and intimate partner violence (IPV). HIPAA permits medical professionals to release information about an individual to agencies authorized by law to receive reports of abuse, neglect, or domestic violence, provided the information released is limited to the minimum necessary amount.

Whether or not a medical professional is allowed to report domestic violence to authorities – either with or without the patient’s authorization – is more often controlled by state regulations; and in some cases, these can be very different.

For example, in Georgia, medical professionals are required by OCGA §31-7-9 to report any non-accidental patient injuries. The state requires “all physicians, nurses, and other medical personnel [to] be supported and encouraged to assess, intervene, and refer in cases of alleged or suspected IPV” and provides immunity from any civil liability to “any person or persons participating in the making of a report or causing a report to be made to the appropriate police authority.”

In neighboring Florida, the situation is practically reversed. Medical professionals are only permitted to report domestic violence to authorities if the injuries suffered by the victim are life-threatening (Fla. Stat. §790.24) or consist of second- or third-degree burns (Fla. Stat. §877.155). Any other report of domestic violence without a patient’s authorization is a violation of the Florida Information Protection Act, which – because it has more stringent privacy protections in this scenario – preempts HIPAA.

Analysis of Scenario B

In this scenario, a medical professional working on one side of the border between Florida and Georgia will be in violation of state laws if they report domestic abuse that does not involve a life-threatening injury; while a medical professional working on the other side of the border will be in violation of state laws if they fail to report the same domestic abuse. In theory, the Floridian medical professional could be charged with a misdemeanor for something that is a legal requirement in the next town.

While this may be an extreme example of how difficult it can be to determine which situations allow a medical professional to release information, the preemption of HIPAA in this scenario is significant. Throughout the country, there will be laws such as the Florida Information Protection Act that apply in just one or two scenarios to Covered Entities and Business Associates, and it is important to know when these laws – or clauses within laws – apply to prevent unintentional health information privacy violations.

Conclusion

As can be seen from the above examples and the discussions that preceded them, there are no absolute rules about which situations allow a medical professional to release information. Medical professionals of all HIPAA statuses should identify which health information privacy regulations govern the release of information in their locations, what information can be released, and when.

While it is important to comply with state and federal health information privacy regulations, the risk exists that securing health information too rigidly can obstruct the flow of information required for operational efficiency. Additionally, securing health information too rigidly can delay responses to patient access requests – which can result in more stories being published by mainstream news channels. Therefore, if you are a medical professional or an employee of a Covered Entity with responsibility for compliance with health information privacy regulations, and you have any doubts about which situations allow a medical professional to release information in your location, you should seek professional compliance advice.

Steve Alder, Editor-in-Chief, The HIPAA Journal

The post Which Situations Allow a Medical Professional to Release Information? appeared first on HIPAA Journal.

What Gets Overlooked For HIPAA Compliant Email Retention?

In this post, we cover the 5 Requirements for HIPAA Compliant Email Retention.

In a recent survey, we discovered that HIPAA compliant email retention is often overlooked and incorrectly implemented when organizations consider their overall HIPAA data retention requirements.

Email Retention Of PHI

Because Covered Entities email out Protected Health Information (PHI), all emails containing that information, either in the body text or as an attachment, must comply with the following HIPAA regulations:

  • Emails must be securely backed up and retained for a minimum of six years as per the HIPAA Security Rule.
  • Specific access and audit controls must be implemented to safeguard the integrity of PHI in emails.
  • A system needs to be in place to prevent improper modification or deletion of emails.

Regular email solutions do not cover these HIPAA requirements. While some solutions such as Office 365 can include email backups, these are not sufficient for full HIPAA email compliance.

As an example of how HIPAA compliant email needs to be implemented we examined a leading HIPAA email retention solution (ArcTitan from TitanHQ) and rated its functionality based on HIPAA compliance requirements. Included below is the review summary and details of exactly how any HIPAA compliant email solution needs to work. You can read the full review here.

Review Summary

  • ArcTitan from TitanHQ is a seamless, easy-to-implement, and cost-effective email retention solution that has been designed for HIPAA compliant email retention requirements.
  • ArcTitan works robustly for any size of Covered Entity or Business Associate, protecting all emails with PHI, and covering all the necessary HIPAA retention requirements.

The 5 Requirements for HIPAA Compliant Email Archiving

Here are the 5 specific ways ArcTitan is HIPAA compliant for email retention, and which must be covered for full HIPAA email compliance.

1. Encrypted Storage

ArcTitan encrypts all emails in its secure data centers, ensuring that PHI is protected from unauthorized access. In addition, ArcTitan provides data loss prevention mechanisms, such as email audit functionality. This guarantees emails have not been altered or deleted and also prevents the destruction of emails by a dishonest or disgruntled employee.

2. Retention Policies

ArcTitan enables Covered Entities to implement retention policies for email archiving. In this way, organizations can ensure that emails are retained for the correct period of time as required by HIPAA rules.

What is often overlooked is that most organizations’ email systems are centered around specific email usage on a per-employee basis, and when a person leaves, their email address and emails are often deleted. This can inadvertently break HIPAA rules unless the departed employee’s emails are backed up and retained for six years as part of the retention policy.

3. Search Capabilities

Emails are automatically placed in a cloud-based secure archive using sophisticated indexing. Unlike a simple data backup, ArcTitan uses the indexing to provide a powerful search facility that enables organizations to quickly and easily search through their email archives. Finding and recovering individual emails with regular backup systems can be very time consuming, often taking weeks and tying up IT resources.

4. Compliance Reporting & Audit Trails

Organizations can easily demonstrate their compliance with HIPAA rules for email with ArcTitan’s comprehensive reporting and audit trails of all email activity, which use ID authentication. This can be very important if an organization is involved in litigation, needs to confirm proof of delivery, or has to comply with an audit request from the Department of Health and Human Services.

5. Access Controls

Access to archived emails on ArcTitan is limited to authorized personnel, known as Data Guardians, thanks to the platform’s strong access controls. Additionally, Data Guardians are responsible for managing legal hold and deletion requests.

You can read the full review here, which contains more details of pricing, technical specifications, and non-HIPAA benefits to organizations.


February 2023 Healthcare Data Breach Report

The number of healthcare data breaches reported over the past three months has remained fairly flat, with only a small uptick in breaches in February, which saw 43 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), well below the 12-month average of 57.4 reported breaches a month. An average of 41 data breaches have been reported each month over the past 3 months, compared to an average of 50.6 breaches per month for the corresponding period last year.

February 2023 Healthcare Data Breach Report - Records breached

The downward trend in breached records did not last long. There was a sizeable month-over-month increase in breached records, jumping by 418.7% to 5,520,291 records. February was well above the monthly average of 4,472,186 breached records a month, with the high total largely due to a single breach that affected more than 3.3 million individuals.


Largest Healthcare Data Breaches Reported in February 2023

17 healthcare data breaches of 10,000 or more records were reported in February, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of 4 medical groups in California that are part of the Heritage Provider Network – Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; & Greater Covina Medical Group, Inc. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest healthcare data breach of the year. That record did not stand for long, as a 4.4 million-record breach was reported this month (Independent Living Systems).

Hacking incidents were reported by CentraState Healthcare System in New Jersey (617,901 records), Cardiovascular Associates in Alabama (441,640 records), and the Florida-based revenue cycle management company, Reventics (250,918 records), all of which saw sensitive data exfiltrated. It is unclear whether these incidents were ransomware or extortion attacks. An email account breach at Highmark Inc. rounds out the top five. That incident was reported to the HHS’ Office for Civil Rights as two separate breaches, affecting 239,039 and 36,600 individuals, 275,639 in total. The breach occurred as a result of an employee clicking a link in a phishing email.

The full list of 10,000+ record data breaches and their causes is detailed in the table below.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Regal Medical Group, Inc., Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group, Inc. | CA | Healthcare Provider | 3,300,638 | Ransomware attack (data theft confirmed)
CentraState Healthcare System, Inc. | NJ | Healthcare Provider | 617,901 | Hacking incident (data theft confirmed)
Cardiovascular Associates | AL | Healthcare Provider | 441,640 | Hacking incident (data theft confirmed)
Reventics, LLC | FL | Business Associate | 250,918 | Hacking incident (data theft confirmed)
Highmark Inc | PA | Health Plan | 239,039 | Phishing attack
90 Degree Benefits, Inc. | WI | Business Associate | 175,000 | Hacking incident
Hutchinson Clinic, P.A. | KS | Healthcare Provider | 100,000 | Hacking incident
Lawrence General Hospital | MA | Healthcare Provider | 76,571 | Hacking incident
Sharp Healthcare | CA | Healthcare Provider | 62,777 | Hacked web server (data theft confirmed)
Rise Interactive Media & Analytics, LLC | IL | Business Associate | 54,509 | Hacking incident
Highmark Inc | PA | Business Associate | 36,600 | Phishing attack
Teijin Automotive Technologies Welfare Plan | MI | Health Plan | 25,464 | Ransomware attack – Access gained through phishing
Evergreen Treatment Services | WA | Healthcare Provider | 21,325 | Hacking incident
Aloha Nursing Rehab Centre | HI | Healthcare Provider | 20,216 | Hacking incident (data theft confirmed)
NR Pennsylvania Associates, LLC | PA | Healthcare Provider | 14,335 | Hacking incident (data theft confirmed)
Intelligent Business Solutions | NC | Business Associate | 11,595 | Ransomware attack
Arizona Health Advantage, Inc. dba Arizona Priority Care; AZPC Clinics, LLC; and health plans for which APC has executed a BAA | AZ | Healthcare Provider | 10,978 | Ransomware attack

Causes of Healthcare Data Breaches in February 2023

Hacking and other IT incidents dominated the breach reports in February with 33 such incidents reported, accounting for 76.7% of all breaches reported in February. Across those incidents, the records of 5,497,797 individuals were exposed or stolen – 99.59% of the breached records in February. The average breach size was 166,600 records and the median breach size was 10,978 records.

There were 8 unauthorized access/disclosure incidents reported involving a total of 13,950 records. The average breach size was 1,744 records and the median breach size was 689 records. One of the incidents – reported by Asante – involved a physician accessing the records of patients when there was no treatment relationship. The unauthorized access occurred for 9 years before it was detected, during which time the records of 8,834 patients were impermissibly viewed. Incidents such as this show why it is important to maintain logs of medical record access and to review those logs regularly, ideally automating the process using a monitoring and alerting system.
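The access-log review recommended above can be automated. The following Python script is an added example, not code from HIPAA Journal or from any organization named in this report: it parses a few constructed audit-log lines, checks each record access against a constructed treatment-relationship table (assumed to be derivable from encounter or care-team assignments in the EHR), flags accesses with no active relationship on the access date, and summarizes the alerts per user so that a sustained pattern of unrelated access stands out. The log format, field names, user and patient identifiers, and relationship windows are all assumptions.

```python
"""Flag medical-record accesses that lack a treatment relationship.

Added example (not HIPAA Journal's code). The audit-log format, the
treatment-relationship table and every identifier below are constructed
for illustration; a real system would pull both from the EHR.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed audit-log lines: ISO timestamp, then key=value fields.
SAMPLE_ACCESS_LOG = """\
2023-02-01T08:12:03Z user=dr_smith patient=P1001 action=view_chart
2023-02-01T08:14:40Z user=dr_smith patient=P2002 action=view_chart
2023-02-01T09:02:11Z user=dr_jones patient=P1001 action=view_labs
2023-02-02T13:45:09Z user=dr_smith patient=P2002 action=view_notes
2023-02-03T17:20:55Z user=nurse_lee patient=P3003 action=view_chart
"""

# Constructed treatment relationships: (user, patient) -> (start, end).
# end is None while the relationship (e.g. an open care-team assignment)
# is still active; a closed window means the relationship has ended.
Relationship = Tuple[date, Optional[date]]
TREATMENT_RELATIONSHIPS: Dict[Tuple[str, str], Relationship] = {
    ("dr_smith", "P1001"): (date(2022, 11, 1), None),
    ("dr_jones", "P1001"): (date(2023, 1, 15), None),
    ("nurse_lee", "P3003"): (date(2022, 6, 1), date(2022, 12, 31)),
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its timestamp and key=value fields."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = timestamp
    return event


def has_active_relationship(user: str, patient: str, on: date,
                            relationships: Dict[Tuple[str, str], Relationship]) -> bool:
    """True if a treatment relationship between user and patient covers the date."""
    window = relationships.get((user, patient))
    if window is None:
        return False
    start, end = window
    return start <= on and (end is None or on <= end)


def find_unrelated_accesses(log_text: str,
                            relationships=TREATMENT_RELATIONSHIPS) -> List[Dict[str, str]]:
    """Return every access event that has no active treatment relationship."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        access_date = date.fromisoformat(event["ts"][:10])
        if not has_active_relationship(event["user"], event["patient"],
                                       access_date, relationships):
            alerts.append(event)
    return alerts


def summarize_by_user(alerts: List[Dict[str, str]]) -> Dict[str, dict]:
    """Aggregate alerts per user: count, distinct patients, first/last seen.

    Many alerts for one user spread over a long span is the pattern the
    report describes (years of access before detection). ISO-8601 UTC
    timestamps sort lexicographically, so min/max on the strings is safe.
    """
    summary: Dict[str, dict] = {}
    for event in alerts:
        entry = summary.setdefault(event["user"], {
            "accesses": 0, "patients": set(),
            "first": event["ts"], "last": event["ts"]})
        entry["accesses"] += 1
        entry["patients"].add(event["patient"])
        entry["first"] = min(entry["first"], event["ts"])
        entry["last"] = max(entry["last"], event["ts"])
    return summary


if __name__ == "__main__":
    alerts = find_unrelated_accesses(SAMPLE_ACCESS_LOG)
    for user, entry in summarize_by_user(alerts).items():
        print(f"{user}: {entry['accesses']} access(es) to "
              f"{sorted(entry['patients'])} between {entry['first']} and {entry['last']}")
```

On the constructed input the script reports two chart accesses by dr_smith to a patient with no relationship at all, and one by nurse_lee to a patient whose relationship had already ended; the access by dr_jones is not flagged because the relationship was active on that date. In a real deployment the relationship table is the hard part: it has to include emergency and consult access (often handled by a "break-the-glass" attestation that is logged separately), otherwise the alert volume drowns out the genuine cases.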

February 2023 Healthcare Data Breach Report - Causes

One theft incident was reported involving a portable electronic device containing the PHI of 986 patients and one incident involved the improper disposal of paper records that contained the PHI of 7,558 patients.

February 2023 Healthcare Data Breach Report - Location PHI

What HIPAA-Regulated Entities were Affected?

Healthcare providers were the worst affected HIPAA-regulated entity in February, with 31 data breaches of 500 or more records. Seven data breaches were reported by business associates and five were reported by health plans. When data breaches involve business associates, they are often reported by the covered entity. In February, 6 data breaches involved business associates but were reported by the affected healthcare providers and health plans. The two charts are based on where the breach occurred rather than who reported it.

February 2023 Healthcare Data Breach Report - Reporting Entities

The average healthcare provider breach exposed 178,046 records (median: 3,061 records), the average health plan data breach exposed 67,236 records (median: 3,909 records), and the average business associate data breach involved 47,859 records (median: 8,500 records).

February 2023 Healthcare Data Breach Report - records by reporting entity

Where Did the Breaches Occur?

Data breaches were reported by HIPAA-covered entities and business associates in 28 states, with California being the worst affected state with 4 breaches reported in February.

State | Breaches
California | 4
Pennsylvania & Texas | 3
Arizona, Illinois, Kansas, Massachusetts, New Jersey, Oregon, Virginia & Washington | 2
Alabama, Colorado, Connecticut, Florida, Georgia, Hawaii, Iowa, Maryland, Michigan, New Hampshire, New Mexico, North Carolina, Rhode Island, Tennessee, Utah, Wisconsin & Wyoming | 1

HIPAA Enforcement Activity in February 2023

The HHS’ Office for Civil Rights announced one enforcement action in February to resolve alleged violations of the HIPAA Rules. OCR investigated Banner Health over a 2016 breach of the protected health information of 2.81 million individuals and identified multiple potential HIPAA violations related to risk analyses, system activity reviews, verification of identity for access to PHI, and technical safeguards. Banner Health agreed to settle the case and paid a $1,125,000 financial penalty.

DNA Diagnostics Center was investigated by the Attorneys General in Pennsylvania and Ohio after a reported breach of the personal and health information of 45,600 state residents. The investigation determined there was a lack of safeguards, a failure to update its asset inventory, and a failure to disable or remove assets that were not used for business purposes. While these failures would have been HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a financial penalty of $400,000, which was split equally between the two states.

In February, the Federal Trade Commission (FTC) announced its first-ever settlement to resolve a violation of the FTC Health Breach Notification Rule. While the Rule has been in effect for a decade, the FTC has never enforced it. That has now changed. The FTC stated last year that it would be holding non-HIPAA-covered entities accountable for impermissible disclosures of health information and breach notification failures. GoodRx Holdings Inc. was found to have used tracking technologies on its website that resulted in unauthorized disclosures of personal and health information to Facebook, Google, and other third parties and failed to issue notifications to affected individuals. The allegations were settled and GoodRx paid a $1,500,000 financial penalty.


$3 Million Settlement with Blackbaud Resolves SEC Allegations of Misleading Disclosures About Ransomware Attack

The Securities and Exchange Commission (SEC) has agreed to a $3 million settlement with Blackbaud Inc. to resolve charges that the company issued misleading statements about the impact of its 2020 ransomware attack. Blackbaud is a Charleston, SC-based cloud computing provider that serves the social good community. In May 2020, malicious actors gained access to its self-hosted private cloud environment and used ransomware to encrypt files. The forensic investigation confirmed the hackers gained access to files that included donor information such as names, addresses, phone numbers, email addresses, and birth dates. According to Blackbaud, approximately 13,000 customers were affected.

In July 2020, Blackbaud confirmed that the attack was blocked before the attackers were able to encrypt its systems fully, but not in time to prevent a copy of certain data from being stolen from its cloud environment. Blackbaud paid the ransom to ensure the stolen information was deleted and received proof that the stolen data had been deleted. Blackbaud initially said no financial information or Social Security numbers were exposed; however, Blackbaud later confirmed that a subset of individuals had their bank account information, Social Security numbers, and usernames and passwords exposed.

According to the SEC, Blackbaud publicly announced on July 16, 2020, that bank account information and Social Security numbers were not accessed, but within a few days of those public statements being made, its technology and customer relations staff learned that bank account information and Social Security numbers were in the dataset that was exfiltrated by the attackers. In August 2020, three months after the attack occurred, Blackbaud said in a 10-Q filing that there was only a hypothetical risk that data was stolen in the attack, then confirmed in an 8-K filing in September 2020 that Social Security numbers and bank account information may have been stolen.

Blackbaud did not deliberately issue misleading statements, as technology and customer relations personnel did not communicate the discovery of the theft of financial data and Social Security numbers to the senior management responsible for public disclosures. According to the SEC, Blackbaud failed to maintain disclosure controls and procedures. The SEC determined that Blackbaud had violated sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-13, and 13a-15(a).

“Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.” Blackbaud agreed to settle with the SEC with no admission or denial of the charges and agreed to pay a $3 million civil monetary penalty.

“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the commission as the company continuously improves its reporting and disclosure policies,” said Blackbaud Chief Financial Officer, Tony Boor. “Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape.”

The post $3 Million Settlement with Blackbaud Resolves SEC Allegations of Misleading Disclosures About Ransomware Attack appeared first on HIPAA Journal.

Democratic Senators Introduce Legislation to Ban the Use of Health Information for Advertising

Three Democratic Senators have introduced a bill that seeks to improve personal health data privacy by preventing companies from disclosing personally identifiable health information for advertising purposes. The legislation was introduced after two recent enforcement actions by the Federal Trade Commission (FTC) against GoodRx and BetterHelp over disclosures of personal and health information to social media and big tech firms after informing consumers that their health information would be kept private and confidential, and an enforcement action against a data broker – Kochava – for selling geolocation data, which could potentially be used to identify women who visited reproductive healthcare facilities.

The legislation – The Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act – was introduced by U.S. Senators Amy Klobuchar (D-MN), Elizabeth Warren (D-MA), and Mazie Hirono (D-HI). In addition to prohibiting the use of personally identifiable health information for advertising purposes, the bill seeks to ban data brokers from selling geolocation data, and limits the ability of companies to collect and use personal health information without express consent from consumers. The bill will also give Americans greater access to and ownership over their personal health information.

“For too long, companies have profited off of Americans’ online data while consumers have been left in the dark, which is especially concerning in light of reports that some social media companies collect data related to reproductive health care,” said Sen. Klobuchar. “By stopping the use of personal health information for commercial advertising and banning the sale of location data, this legislation will put new protections in place to safeguard Americans’ privacy while giving consumers greater say over how their sensitive health data is shared online.”

The ban on the use of personal health information for commercial advertising would apply to information collected from any source, including medical centers, fitness trackers and other wearable devices, and web browsing histories, but would not apply to public health campaigns. New data minimization rules would be introduced to restrict the health data that can be collected by companies, and there would be a ban on the sale of precise location data to and by data brokers.

“Since the reversal of Roe, data brokers, and tech firms have continued to profit from the private health and location data of millions of Americans, including those seeking reproductive health care services,” said Sen. Warren. “The UPHOLD Privacy Act would protect consumers’ sensitive data and their right to privacy.”

“With Republicans working to ban and criminalize reproductive health care nationwide, it’s critical we safeguard the reproductive data privacy of everyone in our country,” added Hirono. “Everyone should be able to trust that personal data about their bodies and their health care will be protected. By restricting the sale and use of personally-identifiable health data, this bill will give patients and providers the peace of mind that their private information is secure.”

The post Democratic Senators Introduce Legislation to Ban the Use of Health Information for Advertising appeared first on HIPAA Journal.

Amazon Completes Acquisition of OneMedical Amid Concern About Uses of Patient Data

Amazon has completed its $3.9 billion acquisition of the primary care provider One Medical as the retail behemoth continues its move into the healthcare ecosystem. One Medical has over 220 medical offices, a subscription-based telehealth service, and an electronic health record system, and contracts with more than 9,000 employers across the country. When Amazon announced its intention to acquire One Medical, consumer groups and privacy advocates expressed concern about the potential for misuse of patient data, with many analysts believing that data acquisition was a driving factor behind the deal.

The consumer rights advocacy group, Public Citizen, voiced concern about the merger and has been urging the Federal Trade Commission to step in and block the deal due to fears that Amazon could gain an unfair advantage in the healthcare market, by leveraging the retail side of its business. For instance, Amazon could add One Medical services to its Prime membership package or use the retail side of the business for advertising products related to customers’ medical conditions. Of even greater concern is the potential for Amazon to use the medical data of One Medical patients for other purposes.

One Medical has approximately 836,000 members, and the health data of those individuals could easily be used for a range of purposes. Amazon has stated that One Medical data will be kept totally separate from the retail and marketing side of the business and that it will be fully compliant with HIPAA, which prohibits the use of patient data for reasons not related to treatment, payment, or healthcare operations without consent. There is concern that Amazon may try to get around these restrictions, for example by offering incentives to One Medical patients to consent to the use of their health data for purposes such as marketing.

The FTC also has concerns about the merger and went as far as preparing a lawsuit to challenge the acquisition, but it was never filed, presumably because it failed to find sufficient grounds to block the deal. As Rob Weissman, President, Public Citizen, suggested, “It’s a very, very problematic merger, but the kinds of concerns it raises don’t line up perfectly with antitrust law.”

The FTC is concerned about the merger and recently communicated some of its concerns about the limitations of current healthcare data privacy laws. On February 27, 2023, in response to the closure of the deal, FTC Commissioner Alvaro M. Bedoya and Commissioner Rebecca Kelly Slaughter issued a statement regarding the acquisition, calling for Congress to update the Health Insurance Portability and Accountability Act (HIPAA) or otherwise address U.S. privacy law, which they said is “both aging and incomplete.”

In the letter, Bedoya pointed out some of the regulatory gaps in the HIPAA Privacy Rule that could potentially be exploited by Amazon. The HIPAA Privacy Rule restricts uses and disclosures of protected health information (PHI), which is any individually identifiable healthcare information that relates to the past, present, or future health of an individual. PHI ceases to be PHI if it is deidentified, which involves stripping out 18 identifiers that allow that information to be tied to a specific individual. At the time when the HIPAA Privacy Rule was drafted, those 18 identifiers were considered complete, but there are now many more ways that individuals can be identified and that list has not been updated since.

Bedoya explained that when the Privacy Rule was drafted, the HHS failed to limit the uses of deidentified data to improving the efficiency and effectiveness of healthcare delivery. Instead, the HHS ruled that once deidentified, PHI is no longer PHI and is no longer covered by the HIPAA Privacy Rule, so there are no restrictions on what can be done with that data once those 18 identifiers have been removed. With respect to One Medical data, Amazon is free to do whatever it chooses with that data, provided it does not re-identify individuals. As Bedoya explained, Amazon can say it is HIPAA compliant, which suggests that it will not use patient data for anything other than health-related matters, when the reality is patient data – in a deidentified form – can be used for other purposes without restriction.
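The Safe Harbor de-identification the statement refers to, as an added example (not code from HIPAA Journal, HHS, the FTC or Amazon): a simplified pass over a constructed patient record that drops the direct identifiers, keeps only the year of dates, truncates ZIP codes to three digits (reporting sparsely populated prefixes as "000") and collapses ages over 89 into a single "90+" bucket. The field names, the reference date and the sample patient are assumptions of the example; the restricted ZIP prefix list is the one published in HHS guidance. What survives the pass (diagnosis code, medication, year of admission) is exactly the data that, once de-identified, sits outside the Privacy Rule.

```python
"""Simplified HIPAA Safe Harbor de-identification (45 CFR 164.514(b)(2)).

Added example: not code from HIPAA Journal, HHS, the FTC or Amazon.  The field
names, the record layout and the sample patient are constructed for this
illustration.
"""
import re
from datetime import date

# Safe Harbor identifier categories that are removed outright.  The field
# names are this example's own; a real EHR export would map its columns here.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
    "other_unique_id",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering fewer than 20,000 people, which Safe Harbor
# requires to be reported as "000" (list as published in HHS guidance).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Reference date for computing ages; constructed for the example.
AS_OF = date(2023, 2, 27)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is a restricted one."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def generalize_age(birth_date: str, as_of: date) -> str:
    """Age in years, with everyone over 89 collapsed into one '90+' bucket."""
    born = date.fromisoformat(birth_date)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)


def safe_harbor_deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a copy of `record` with the Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # dropped entirely
        if key == "birth_date":
            age = generalize_age(value, as_of)
            out["age"] = age
            if age != "90+":              # for 90+, even the birth year must go
                out["birth_year"] = value[:4]
        elif key in DATE_FIELDS:
            out[key] = value[:4]          # year only
        elif key == "zip":
            out[key] = generalize_zip(value)
        else:
            out[key] = value              # clinical content is left untouched
    return out


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "email": "jane.sample@example.com",
    "birth_date": "1930-05-14",
    "zip": "03605",
    "admission_date": "2022-11-03",
    "diagnosis_code": "E11.9",
    "medication": "metformin",
}


def deidentify_sample() -> dict:
    return safe_harbor_deidentify(SAMPLE_RECORD)


if __name__ == "__main__":
    print(deidentify_sample())
```

Running it on the sample leaves only age bucket, ZIP prefix, admission year, diagnosis and medication. Safe Harbor additionally requires that the entity has no actual knowledge the remainder could identify the individual, which no field-level filter can check for you; it is the kind of residual judgement the statement above says the rule leaves to the data holder.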

“When HHS proposed the Privacy Rule in 1999, I doubt that it had reason to anticipate that one day the world’s largest retailer—a company of profound technological sophistication— would amass people’s health information on this scale,” wrote Bedoya. “I encourage Congress to continue working toward new privacy laws and HHS to consider updating its Privacy Rule to better reflect the reality of how firms can use health data.”

Bedoya also said health information is not solely protected under HIPAA, and the FTC will be closely monitoring Amazon and the health app market and will not hesitate to initiate enforcement actions if laws are violated.

The post Amazon Completes Acquisition of OneMedical Amid Concern About Uses of Patient Data appeared first on HIPAA Journal.

Survey Reveals a Majority of Americans Are Uncomfortable with AI in Healthcare

A recent survey conducted by the Pew Research Center found a majority of Americans are uncomfortable with their healthcare providers using artificial intelligence tools to aid diagnosis and treatment, indicating a need to improve education on the benefits of AI in healthcare.

60% of respondents expressed discomfort with the use of AI in care settings, with 39% of respondents saying they are comfortable with their care providers relying on AI for medical care. 38% of respondents believe AI will lead to better health outcomes, such as faster diagnosis and treatment, with 33% of respondents believing AI would result in worse health outcomes. 27% of respondents said they didn’t think AI would make much difference to patient outcomes.

When probed about the potential benefits of AI in healthcare, 40% of respondents believe AI will reduce the number of mistakes by healthcare providers, such as misdiagnosis or the failure to diagnose a disease, compared to 27% who thought medical mistakes would increase. Out of the respondents who believe there is a problem with racial and ethnic bias in healthcare, 51% believe the situation would improve with AI whereas 15% said they believe the problem would get worse if AI was used to diagnose diseases and recommend treatments.

Other notable concerns about the use of AI include the privacy and security of sensitive health information. 37% of respondents believe AI will make health information less secure, compared to 22% who believe that security would improve. There is also a fear that healthcare providers will adopt AI systems too quickly before the systems have been fully tested and the risks are fully understood. Only 23% of respondents believe adoption will occur too slowly, resulting in missed opportunities.

The biggest perceived problem with AI that was identified by the survey is the potential for patient-provider relationships to deteriorate. 78% of respondents believe relationships between patients and their healthcare providers will get worse if AI is used in the diagnosis and treatment of patients, with only 13% of respondents believing relationships would improve.

The greatest support for AI in healthcare is among younger adults and men, especially individuals with higher levels of education. 46% of men say they are comfortable with AI in healthcare, compared to 33% of women, with the highest support in the 18-29 age range (44%). Support falls to 35% in the over 50 age range. Individuals in the upper-income bracket were most in favor (49%) compared to 36% of those with a high school education or less. Interestingly, even when individuals have heard a lot about AI, only 50% said they were comfortable with its use in healthcare.

When asked about specific applications of AI in healthcare, 65% of respondents said they would like AI to be used in their own skin cancer screenings; however, there was far less support for the other uses explored by Pew Research. 67% of respondents are opposed to the use of AI to determine the amount of pain medication prescribed, 59% would not want AI-powered robots conducting surgery, and 79% said they would not want AI chatbots to be used to support mental health.

The survey was conducted on 11,004 adults in the United States between December 12 and December 18, 2022.

The post Survey Reveals a Majority of Americans Are Uncomfortable with AI in Healthcare appeared first on HIPAA Journal.

Court Approves FTC’s $1.5 Million Settlement with GoodRx to Resolve FTC Act and Health Breach Notification Rule Violations

On February 1, 2023, the Department of Justice filed a proposed order on behalf of the Federal Trade Commission prohibiting GoodRx from sharing the health information of its users with third parties for advertising purposes, following an investigation by the FTC. The FTC alleged that GoodRx – doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx) – violated the FTC Act by engaging in unfair and deceptive trade practices by sharing the data of millions of users without their consent and knowledge and violated the FTC Health Breach Notification Rule by failing to notify users about the privacy violation.

The information shared with third parties included personally identifying information, information about sensitive health conditions, and medications. The FTC alleged that the information was shared despite GoodRx providing repeated assurances to its users that the company would ensure sensitive health information was protected and would not be shared with third parties. The FTC also took issue with GoodRx displaying a seal on its website confirming the company was “HIPAA Secure: Patient Data Protected”, which indicated that GoodRx was a covered entity under HIPAA when it was not and that it was compliant with the HIPAA Rules when it wasn’t.

“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third-parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”

The data was shared with third parties via third-party tracking pixels on its website and plug-and-play software development kits provided by companies such as Google, Facebook, Criteo, Branch, and Twilio. The data collected via those tools were shared with the providers of those software kits and pixels and were potentially used for advertising purposes. GoodRx did not agree with the findings of the FTC, and told The HIPAA Journal there was no wrongdoing and the decision was taken to settle the allegations to avoid the time and expense of protracted litigation.

The settlement was agreed upon by all parties and requires GoodRx to pay a $1.5 million financial penalty and adopt a corrective action plan that will prevent future unauthorized disclosures of sensitive health data and ensure future compliance with the FTC Act and the Health Breach Notification Rule. GoodRx has also agreed not to disclose the sensitive health data of its users without first obtaining consent to do so and will notify all affected individuals about the disclosures. The court recently approved the proposed order and the settlement will now take effect.

“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”

The post Court Approves FTC’s $1.5 Million Settlement with GoodRx to Resolve FTC Act and Health Breach Notification Rule Violations appeared first on HIPAA Journal.

On-the-Spot Intervention 95% Effective at Preventing Further Unauthorized Medical Record Access

Defenses need to be put in place to detect and block attempts by cybercriminals to access healthcare networks, but not all threats are external. Each year, many data breaches are reported by hospitals and medical practices that involve unauthorized access to medical records by employees. These data breaches include non-malicious snooping on the medical records of colleagues, friends, family members, and high-profile patients, and insider wrongdoing incidents where patient data is stolen for identity theft and fraud or to take to a new employer. The healthcare industry has historically had a far bigger problem with insider data breaches than other industry sectors.

A study, recently published in JAMA Network Open, was conducted at a large academic medical center and explored the effectiveness of email warnings in preventing repeated unauthorized access to protected health information by employees. Over a 7-month period in July 2018, the medical center’s PHI access monitoring system flagged 444 instances where employees accessed the medical records of patients when they were not authorized to do so. 49% of those employees (219) were randomly selected and were sent an email warning on the night when the unauthorized access was detected, and the remaining employees received no warnings and served as the control group.

The emails explained that the automated system had detected unauthorized medical record access and advised the employees that this was a privacy violation, as the medical center has a strict policy in place that prohibits accessing the medical records of individuals such as friends, family members, colleagues, and acquaintances unless they have written authorization to do so. No disciplinary action was taken against the employees for the duration of the study, but all employees were later disciplined per the medical center’s sanctions policy.

The study found that only 4 of the 219 employees (2%) who received an email warning repeated the offense, compared to 90 employees in the control group (40%). In the email warning group, the 4 repeat offenses occurred between 20 and 70 days after the initial unauthorized access. 88% of repeat violations by the control group occurred within 10 days of the initial offense, and 17% occurred after 90 days. On-the-spot intervention was found to be 95% effective at preventing further unauthorized access, and email warnings continue to be used by the medical center as a critical access control measure.
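The kind of detection loop the study relies on, as an added example modelled on the description above (it is not the medical center's or Protenus's monitoring system): parse EHR audit-log entries, flag any access by a user who is not on the patient's care team, draft the same-night warning notice, and measure how many days after the first flag each repeat offense occurs. The audit-log line format, the care-team roster, the set of patient IDs that belong to employees and every log entry are constructed for the example.

```python
"""Flag employee accesses to medical records with no documented care
relationship and measure repeat offenses after a warning.

Added example modelled on the study above; it is not the medical center's or
Protenus's monitoring system.  The audit-log line format, the care-team roster,
the list of employee patient records and every log entry are constructed.
"""
import re
from datetime import datetime

# Constructed audit-log format: one access per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Constructed roster: which staff have a treatment/operations reason to open
# each chart.  A real system would derive this from encounters and schedules.
CARE_TEAM = {
    "P1042": {"nurse17", "dr_lee"},
    "P2001": {"dr_lee"},
    "P3077": {"nurse17"},
}

# Patient IDs that belong to current employees (colleague snooping is one of
# the patterns the study describes).
EMPLOYEE_PATIENTS = {"P2001"}

# Constructed sample log.  The third line is deliberately malformed.
SAMPLE_LOG = [
    "2018-07-03T22:14:05 user=nurse17 patient=P1042 action=VIEW",
    "2018-07-03T22:20:41 user=nurse17 patient=P2001 action=VIEW",
    "garbage line that the parser must skip",
    "2018-07-04T09:02:13 user=dr_lee patient=P1042 action=UPDATE",
    "2018-07-05T11:45:00 user=clerk04 patient=P1042 action=VIEW",
    "2018-08-10T14:30:22 user=clerk04 patient=P3077 action=VIEW",
]


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry


def flag_accesses(lines, care_team=CARE_TEAM, employee_patients=EMPLOYEE_PATIENTS):
    """Return every access whose user is not on the patient's care team."""
    flags = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["user"] in care_team.get(entry["patient"], set()):
            continue                      # legitimate access, nothing to do
        reasons = ["no documented care relationship"]
        if entry["patient"] in employee_patients:
            reasons.append("record belongs to a fellow employee")
        flags.append({**entry, "reasons": reasons})
    return flags


def warning_email(flag) -> str:
    """Same-night notice of the kind the study sent; wording is constructed."""
    when = flag["ts"].strftime("%Y-%m-%d %H:%M")
    return (
        f"To: {flag['user']}\n"
        f"At {when} you opened the record of patient {flag['patient']} "
        f"({'; '.join(flag['reasons'])}).\n"
        "Accessing records without a treatment, payment or operations reason "
        "violates the medical center's privacy policy and is logged."
    )


def repeat_offenders(flags):
    """Map each user with more than one flag to the days elapsed since the first."""
    first_seen = {}
    repeats = {}
    for flag in sorted(flags, key=lambda f: f["ts"]):
        user = flag["user"]
        if user not in first_seen:
            first_seen[user] = flag["ts"]
        else:
            days = (flag["ts"].date() - first_seen[user].date()).days
            repeats.setdefault(user, []).append(days)
    return repeats


def sample_flags():
    return flag_accesses(SAMPLE_LOG)


if __name__ == "__main__":
    flagged = sample_flags()
    for f in flagged:
        print(warning_email(f), end="\n\n")
    print("repeat offenders:", repeat_offenders(flagged))
```

On the constructed log, three accesses are flagged and one user reappears 36 days after the first flag, which is the measurement the study used to compare the warned and control groups. The care-team roster is the weak point of any such monitor: emergency "break the glass" access and legitimate cross-coverage both look like flags unless the roster is fed from encounter and scheduling data rather than maintained by hand.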

The study – Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information – was co-authored by Nick Culbertson, CEO and Co-Founder of Protenus; John Xuefeng Jiang, Ph.D., Professor, Plante Moran Faculty Fellow, Department of Accounting & Information Systems at Michigan State University; and Dr. Ge Bai, Ph.D., CPA, Professor of Accounting at Johns Hopkins Carey Business School.

The post On-the-Spot Intervention 95% Effective at Preventing Further Unauthorized Medical Record Access appeared first on HIPAA Journal.