Healthcare Data Privacy

How to Secure Patient Information (PHI)

The issue of how to secure patient information and PHI is challenging because HIPAA does not require all patient information to be secured. Additionally, if Protected Health Information (PHI) is secured too much, it can prevent the flow of information needed to perform treatment, payment, and healthcare operations efficiently.

To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI. The easiest way to do this is by defining PHI first, because any remaining information relating to a patient that is not PHI does not need to be secured under HIPAA – although other privacy and security laws may apply.

What is PHI? And What is Not PHI?

The Administrative Simplification Regulations define PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:

“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”

These definitions suggest any information that does not relate to a patient´s condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.

Individually identifiable health information protected by the privacy and security standards is maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. Therefore:

  • “Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
  • If Mr. Jones' address, the name of his wife, and their telephone number are added to the designated record set, they are also PHI.
  • However, if a separate record of Mr. Jones' wife and telephone number is maintained outside the designated record set (e.g., for contact purposes) it is not PHI because the separate record does not contain any health information.

In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn't make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.

How to Secure Patient Information that is PHI

To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in a fortress-like environment, whereas the Privacy Rule allows “permissible” uses and disclosures for a variety of reasons. Therefore, although it is important to apply access controls to ensure only authorized personnel can use or disclose PHI, it is not necessary for PHI to be “secured” in the sense of being locked away from the people who need it.

With regards to electronic PHI (ePHI), Covered Entities and Business Associates have to take greater care about how it is protected because healthcare data is highly sought after by cybercriminals. Consequently, many compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:

  • A firewall to prevent unauthorized access to networks and data
  • A spam filter to block malicious emails harboring malware
  • A web filter to prevent staff accessing malicious websites
  • An antivirus solution to detect malware from other sources
  • Data encryption on all workstations and portable devices
  • Encryption to protect data in transit – encrypted email for instance
  • An intrusion detection system that monitors for irregular network activity
  • Auditing solutions that monitor for improper accessing of PHI
  • Disaster recovery controls to ensure continued access to data in the event of an emergency
  • Extensive backups to ensure PHI is recoverable in the event of an emergency
  • Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
  • Security awareness and anti-phishing training for all members of the workforce
  • Physical controls to prevent data and equipment theft
  • Good patch management policies to ensure software is kept up to date and free from vulnerabilities
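The “auditing solutions that monitor for improper accessing of PHI” item in the list above is the one most often deployed as a log collector with no detection logic behind it. The following is an added example, not code from the original article or from any product it names, of the two checks a practitioner would want such a solution to run over an access log: access to a patient who is not on the user's care team or claim list, and an unusually high number of distinct patients viewed in a short window (the pattern behind both snooping and bulk exfiltration). The log format, user and patient identifiers, care-team assignments, window and threshold are all constructed assumptions; a real EHR audit log carries the same fields under different names.

```python
"""Added example: two detection rules over a constructed PHI access log.

The log format, care-team mapping, users, MRNs and thresholds are assumptions
made for the example; they are not taken from the article or any vendor.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> user=<id> role=<role> action=<verb> patient=<mrn>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed sample log: a nurse viewing her own patients and then one she
# is not assigned to, and a billing clerk paging through five records quickly.
SAMPLE_LOG = """\
2024-03-04T09:01:12 user=nurse01 role=nurse action=view patient=MRN1001
2024-03-04T09:02:40 user=nurse01 role=nurse action=view patient=MRN1002
2024-03-04T09:03:05 user=billing7 role=billing action=view patient=MRN1001
2024-03-04T09:03:30 user=billing7 role=billing action=view patient=MRN2222
2024-03-04T09:04:00 user=billing7 role=billing action=view patient=MRN3333
2024-03-04T09:04:20 user=billing7 role=billing action=view patient=MRN4444
2024-03-04T09:04:45 user=billing7 role=billing action=view patient=MRN5555
2024-03-04T09:15:00 user=nurse01 role=nurse action=view patient=MRN1003
"""

# Assumed authorisation context: which patients each user may legitimately
# view (care-team assignment for clinicians, open claims for billing staff).
CARE_TEAM = {
    "nurse01": {"MRN1001", "MRN1002"},
    "billing7": {"MRN1001", "MRN2222", "MRN3333", "MRN4444", "MRN5555"},
}


def parse_line(line):
    """Parse one audit line into a dict; reject lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def audit(log_text, care_team, max_patients=3, window=timedelta(minutes=10)):
    """Return a list of (rule, user, detail, timestamp) findings.

    Rule 1 (not_on_care_team): a view of a patient the user is not assigned to.
    Rule 2 (bulk_access): more than max_patients distinct patients viewed by
    one user inside a sliding window; reported once per user to avoid floods.
    """
    findings = []
    recent = defaultdict(deque)  # user -> deque of (ts, patient) inside window
    bulk_flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, patient, ts = rec["user"], rec["patient"], rec["ts"]

        if patient not in care_team.get(user, set()):
            findings.append(("not_on_care_team", user, patient, ts))

        q = recent[user]
        q.append((ts, patient))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_patients and user not in bulk_flagged:
            bulk_flagged.add(user)
            findings.append(("bulk_access", user,
                             f"{len(distinct)} patients within {window}", ts))
    return findings


if __name__ == "__main__":
    for rule, user, detail, ts in audit(SAMPLE_LOG, CARE_TEAM):
        print(f"{ts.isoformat()} {rule:18} {user:10} {detail}")
```

Both rules are deliberately simple so that the tuning knobs are visible: the care-team mapping is the part that must come from the EHR's own assignment data, and the window and threshold should be set per role (a billing clerk legitimately touches more records per hour than a nurse). A “break-the-glass” access would be handled by exempting records that carry an emergency-access flag from Rule 1 rather than by raising the threshold.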

Informing Patients that Health Information is Protected

Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves with healthcare providers.

Having more information about a patient's condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can reflect in higher satisfaction scores from patients and their families.

Informing patients that health information is secured doesn't have to go into details – a few lines of text added to a Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account by an investigation into the data breach.

How to Secure Patient Information FAQs

What privacy and security laws apply other than HIPAA?

Many states now have privacy and/or data security laws with stronger patient protections than HIPAA. Some laws may only apply to certain types of data (e.g., Illinois' Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (e.g., Texas' Medical Records Privacy Act).

What can happen if you secure too much information?

Securing too much information can negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones' wife urgently but cannot access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.

Not only will the lack of access result in a delay in contacting Mr. Jones' wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call – an unnecessary waste of resources.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA Covered Entities and Business Associates have to comply with – i.e., the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Department of Health and Human Services has compiled an unofficial combined version of the text.

What are the permissible uses and disclosures of PHI?

The permissible uses and disclosures allowed by the Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.

How can a patient check health information is being protected?

Patients can request an accounting of disclosures from their health plan or healthcare provider, which should list the disclosures of PHI made in the previous six years other than those for treatment, payment, and healthcare operations (and a small number of other excepted categories, such as disclosures to the patient or under the patient's authorization). Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization's HIPAA compliance.

The post How to Secure Patient Information (PHI) appeared first on HIPAA Journal.

What Does HIPAA Stand For?

Many articles discussing what HIPAA stands for fail to give a complete answer. Most state that HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 and that it led to the development of standards for the privacy of Protected Health Information. However, few explain how a bill with the objective of reforming the health insurance industry evolved into an act of legislation that now controls how healthcare data is safeguarded.

To fully explain what HIPAA stands for, it is necessary to look at the state of the health insurance industry prior to 1996. The industry had grown from a handful of companies offering accident insurance in the 1850s – and employer-sponsored disability insurance from 1911 onwards – into a multi-billion dollar business by the end of the twentieth century. However, at the time, the healthcare insurance industry was governed by a hotchpotch of federal and state legislation.

The reason for the hotchpotch of legislation was that, in the early days, many commercial for-profit health insurance providers were considered to be “unlicensed practitioners of medicine” because they indirectly provided medical services to policy holders and were subsequently banned. To overcome this gray area of law, many states enacted legislation that enabled commercial providers to operate – the legislation stipulating how providers operated and what services they could offer.

Consequently, by 1995, federal laws such as the Employee Retirement Income Security Act of 1974 (ERISA) and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) governed most employer-sponsored and individually-purchased health plans, while the operations of commercial for-profit group health plans were governed by state laws – leading to numerous issues relating to access to health insurance and health care benefits, and insurance portability between jobs.

What Does HIPAA Stand for and the Issues HIPAA Aimed to Resolve?

Group health insurance as we know it today started in the 1920s with Baylor University in Texas guaranteeing teachers twenty-one days of hospital care for $6 per year. This scheme was extended under the name of “Blue Cross” – initially to other employee groups in Dallas, and then nationwide. However, the community-rating system of charging a flat rate regardless of policy holders' health meant low-risk individuals were subsidizing the healthcare costs of high-risk individuals.

To address this issue, insurers introduced an “experience rating” which charged according to the level of risk. To prevent pricing small businesses out of the market, they also introduced exclusions for individuals with pre-existing conditions and limitations on when health insurance coverage could be carried from one employer to another. This had the impact of creating a “job-lock” scenario in which employees would not change jobs for fear of losing their health insurance benefits.

HIPAA aimed to resolve these issues by prohibiting the exclusion of individuals with certain types of pre-existing conditions and the termination of coverage when employees changed jobs or had a break in employment. The federal legislation would pre-empt state laws where state laws allowed insurance providers to be selective about who they insured or the portability of coverage. However, the prohibition of these restrictive practices would incur costs for the healthcare insurance industry.

Tackling the Cost Implications of HIPAA

When discussing what HIPAA stands for, many articles suggest the Health Insurance Reform Act of 1995 (S.1028) introduced by Senators Nancy Kassebaum and Ted Kennedy was the forerunner of HIPAA, but it wasn't. The Health Insurance Reform Act of 1995 never passed; for although it addressed the issues HIPAA aimed to resolve, it didn't account for the costs that would be incurred by the healthcare insurance industry complying with the provisions.

Keen to avoid a scenario in which insurance companies passed the cost of compliance onto consumers in the form of increased premiums, Congress adopted HR.3103 – a bill introduced by Representative Bill Archer which more closely aligns with what HIPAA compliance means today. The bill included provisions to tackle the cost implications of HIPAA by standardizing the administration of health insurance claims in order to increase efficiency, and to tackle abuse and fraud.

The scale of abuse and fraud at that time was astounding. According to a Congressional Report, fraudulent and abusive insurance practices by unscrupulous healthcare organizations accounted for 10% of total health spending (around $7 billion). The objective of standardizing the administration of health insurance claims was to eliminate the abuse and fraud, save insurance companies money, and prevent the cost of complying with HIPAA being passed onto consumers.

How HR.3103 Evolved into What HIPAA Means Today

The route from the introduction of HR.3103 to what HIPAA means today is a little convoluted. This is because, in order to standardize the administration of health insurance claims, the Secretary of the Department of Health & Human Services (HHS) had to develop standards for electronic transactions (which evolved into the Transactions and Code Sets Rules) and security safeguards to ensure the integrity and confidentiality of data. The provision requiring the availability of data came later.

In the context of HR.3103, the security safeguards were intended to protect claims-related data in transit between health care providers, health plans, and – where appropriate – health care clearinghouses. However, by the time the HIPAA Security Rule was published, the provisions had been expanded to “all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits” – i.e., data in transit and at rest (§164.306).

It is also noticeable that, in the original text of HR.3103, the requirement for HHS to develop privacy standards for health information follows on directly from where HHS is tasked with developing security standards. This was later moved to a separate section of the bill to prevent any confusion that the privacy standards might only relate to covered electronic transactions; and, when HIPAA was passed, it led to the HIPAA Privacy Rule (which applies to PHI in any format).

What the Acronym HIPAA Means to Healthcare Organizations

Although the original objectives of HIPAA were mostly to reform the health insurance industry, the biggest impact has been felt by healthcare organizations. Nearly all healthcare-related transactions are governed by the provisions of the Privacy and Security Rules, plus patients now have more rights over healthcare data inasmuch as they can request access to it, request corrections are made when data is incorrect or incomplete, and request a record of who their data has been disclosed to.

HIPAA also places a considerable administrative overhead on healthcare organizations. Although HIPAA has enhanced the efficiency of the healthcare system by facilitating the secure flow of information, HIPAA Covered Entities are required to develop policies for all types of foreseeable events that could impact the confidentiality, integrity, and availability of electronic PHI, train members of the workforce on the policies, and document both the policies and the training.

Training even has to be provided to members of the workforce who are unlikely to encounter PHI in the execution of their duties. For example, all members of a Covered Entity's workforce are required to participate in a security awareness training program. This means a hospital's environmental services team has to undergo security awareness training even though access controls should be in place to prevent members of the team logging into systems containing electronic PHI.

What Does HIPAA Stand for to Patients and Healthcare Workers?

For patients, HIPAA stands for the protection of their personally identifiable information. It is important that patients trust their personally identifiable information is being protected because trust is the most important part of a patient-physician relationship. Patients tell their physicians and other healthcare workers intimate details about themselves that they may not even share with partners and family members. Consequently, it is important the trust is upheld.

For healthcare workers, when patients trust their personally identifiable information is being protected and share intimate details, it enables the provision of more accurate and more appropriate health care. Better health care results in better patient outcomes, which raises morale and contributes towards more rewarding work experiences. For this reason, compliance with a healthcare facility´s HIPAA policies should not be seen as a barrier to “getting the job done”.

Finally, it is important to be aware that many articles discussing what HIPAA stands for tend to focus on HIPAA as if it is the only rule governing the privacy of Protected Health Information. However, federal regulations such as the Privacy Act and the Family Educational Rights and Privacy Act can impact the application of HIPAA in specific circumstances, while state laws such as the Texas Medical Records Privacy Act (HB300) are not preempted by HIPAA because they have more stringent privacy protections, and so take precedence over it.

What Does HIPAA Stand For? FAQs

What does the HIPAA acronym stand for?

The HIPAA acronym stands for the Health Insurance Portability and Accountability Act. As the title of the Act suggests, its primary objective was to reform the health insurance industry; but, in order to do this, standards had to be introduced to tackle fraud and abuse, and these led to the development of Privacy and Security Rule standards.

What does HIPAA stand for in medical terms?

In medical terms, HIPAA stands for the policies and procedures that have to be implemented in order to comply with the HIPAA Rules. Most, but not all, medical facilities are required to comply with all the HIPAA Rules – the exceptions being medical facilities that do not conduct electronic transactions for which the Department of Health and Human Services has developed standards.

Is the correct acronym HIPAA or HIPPA?

The correct acronym for the Health Insurance Portability and Accountability Act is HIPAA. However, according to Wikipedia, HIPAA is sometimes incorrectly referred to as the “Health Information Privacy and Portability Act”, for which the acronym would be HIPPA – which is where the common misspelling comes from.

Who has to comply with HIPAA?

All health plans and healthcare clearinghouses are required to comply with HIPAA, as are healthcare providers that perform HIPAA-covered transactions – which most do. These organizations are collectively referred to as HIPAA Covered Entities.

Does HIPAA apply to employers?

There are circumstances in which employers are subject to “partial compliance” if they act as an administrator for a self-insured health plan or as an intermediary between employees, healthcare providers, and health plans. For a fuller explanation, please see “Does HIPAA Apply to Employers”.

What other state laws preempt HIPAA?

Most states have laws that provide greater protections for data or more patients' rights – albeit these laws may relate to one specific area of healthcare practice (e.g., genetics). Organizations unsure about their obligations under state law should speak with a compliance professional.

What was the Health Coverage Availability and Affordability Act of 1996?

The Health Coverage Availability and Affordability Act was the original short title of HR.3103 when it was introduced into the House of Representatives. At one point it was nearly renamed the Health Insurance and Long-Term Care Affordability Act before the HIPAA acronym was agreed upon.

The post What Does HIPAA Stand For? appeared first on HIPAA Journal.

Why is HIPAA Important?

HIPAA is important because, due to the passage of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services was able to develop standards that protect the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic Protected Health Information.

HIPAA was introduced in 1996, primarily to address one particular issue: insurance coverage for individuals between jobs and with pre-existing conditions. Without HIPAA, employees faced a potential loss of insurance coverage between jobs. Because of the cost of HIPAA's primary objective to health insurance companies – and the risk that the cost would be passed onto employers and individuals as higher premiums – Congress instructed the Secretary for Health and Human Services to develop standards that would reduce healthcare insurance fraud and simplify the administration of healthcare transactions.

Due to the increased number of transactions being conducted electronically, standards were also developed to protect the confidentiality, integrity, and availability of electronic Protected Health Information when it was collected, received, maintained and transmitted between healthcare providers, health plans, and health care clearinghouses. Further standards were developed to protect the privacy of individually identifiable health information (in any format) and to give individuals increased rights and control over their health information. The standards became known respectively as the HIPAA Security Rule and HIPAA Privacy Rule.

Why is HIPAA Important for Healthcare Organizations?

HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely.

The standards for recording health data and electronic transactions ensure everyone is singing from the same hymn sheet. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, this helps enormously with the transfer of electronic health information between healthcare providers, health plans, and other entities.

Why is HIPAA Important for Patients?

Arguably, the greatest benefits of HIPAA are for patients. HIPAA compliance is important because it ensures healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information.

While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.

HIPAA established rules that require healthcare organizations to control who has access to health data, restricting who can view health information and who that information can be shared with. HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, or information that is created by them, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who their information is released to and who it is shared with.

HIPAA is important for patients who want to take a more active role in their healthcare and want to obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are corrected.

Obtaining copies of health information also helps patients when they seek treatment from new healthcare providers – information can be passed on, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the introduction of the HIPAA Privacy Rule, there was no federal requirement for healthcare organizations to release copies of patients' health information.

Why is HIPAA Important? FAQs

What might happen to healthcare data if it were not protected by HIPAA?

What might happen to healthcare data if it were not protected by HIPAA is that it could be stolen and used to commit healthcare fraud. Healthcare data is a valuable commodity on the black market because it can be used by uninsured or underinsured individuals to obtain expensive healthcare treatment. Healthcare fraud results in increased insurance costs, which are passed down to employers and individuals in the form of increased insurance premiums.

What are the financial benefits for healthcare providers of complying with HIPAA?

The financial benefits for healthcare providers of complying with HIPAA include better patient outcomes and higher satisfaction scores, increased staff morale and employee retention rates, and fewer readmissions – a key factor in avoiding CMS payment penalties under the Hospitals Readmissions Reduction Program and other value-based initiatives.

Why is it important for healthcare professionals to comply with HIPAA?

It is important for healthcare professionals to comply with HIPAA to build a culture of trust with patients. If a patient feels any confidential information shared with a healthcare professional will remain confidential, they are more likely to be more forthcoming about health issues and the symptoms they are experiencing.

With more information available to them, healthcare professionals can make better informed diagnoses and treatment decisions. This results in better patient outcomes, which leads to higher morale. Effectively, by complying with HIPAA, healthcare professionals enjoy more rewarding experiences and get more from their vocation.

If patients are unable to exercise their rights allowed by HIPAA, what might happen?

If patients are unable to exercise their patients’ rights allowed by HIPAA, the likely outcome will be a complaint to the Privacy Officer or HHS’ Office for Civil Rights. This could result in a significant financial penalty and a time-consuming corrective action plan.

Allowing patients to exercise their rights under HIPAA is important because it's not unheard of for mistakes to be made with patients' records that can result in misdiagnoses, the wrong treatment being provided, or the wrong medication being prescribed.

By giving patients the right to inspect their medical records and make corrections when necessary, the risks of incorrect diagnoses, treatments, and medications are mitigated. Additionally, having access to their records helps patients take more responsibility for their own wellbeing.

How do patients control who their information is released to and shared with?

Patients control who their information is released to and shared with by having the right to request privacy protection for protected health information (45 CFR §164.522). This right enables patients to request restrictions on how PHI is used and disclosed for treatment, payment, and health care operations, and also for involvement in the individual’s care and notification purposes.

Why is the HIPAA Privacy Rule important?

The HIPAA Privacy Rule is important because it sets a “federal floor” of privacy protections and rights for individuals to control healthcare data. This means that Covered Entities throughout the country must comply with the HIPAA Privacy Rule unless a state law offers more stringent privacy protections or greater rights for individuals.

How does HIPAA protect sensitive health information?

HIPAA protects sensitive health information via regulations, standards, and implementation specifications. Covered entities and business associates are required to comply with applicable regulations, standards, and implementation specifications or potentially face a civil monetary penalty from HHS’ Office for Civil Rights – even if no breach of unsecured PHI has occurred.

Who must comply with HIPAA rules?

Entities that must comply with HIPAA Rules include health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has developed standards (collectively known as “covered entities”). Businesses that provide services for or on behalf of covered entities that involve the use or disclosure of Protected Health Information are also required to comply with applicable HIPAA Rules.

Why is the HIPAA Breach Notification Rule important?

The HIPAA Breach Notification Rule is important because it requires covered entities and business associates to notify individuals when unsecured PHI has been accessed impermissibly so that individuals can take steps to protect themselves against theft and fraud. The Rule is also important because it makes covered entities and business associates accountable for shortcomings in their compliance efforts.

How does HIPAA support the digitization of health records?

HIPAA supports the digitization of health records by laying the foundations of a cybersecurity framework to protect electronic health records from unauthorized access. The framework enabled Congress to incentivize the digitization of health records via the Meaningful Use Program (now the Promoting Interoperability Program), which in turn improved the flow of health information between healthcare providers.

How has HIPAA evolved to meet the changing needs of health information technology?

HIPAA has evolved to meet the changing needs of health information technology via several HIPAA updates. The biggest recent HIPAA update was the Omnibus Final Rule in 2013. However, multiple changes to HIPAA have been proposed since 2020 onward, which would support the further evolution of HIPAA to meet the changing needs of health information technology.

How is compliance with HIPAA enforced?

Compliance with HIPAA is enforced by two offices within the Department of Health and Human Services – the Office for Civil Rights (responsible for compliance with Parts 160 and 164 of the HIPAA Administrative Simplification Regulations) and the Centers for Medicare and Medicaid Services (responsible for compliance with Part 162). The Federal Trade Commission also enforces breach notification requirements for vendors of personal health records and related health app vendors that do not qualify as HIPAA covered entities, under the FTC's own Health Breach Notification Rule.

The post Why is HIPAA Important? appeared first on HIPAA Journal.

Judge Denies Injunction Banning Meta from Collecting Patient Data via Meta Pixel Code

Plaintiffs in a consolidated class action lawsuit against Meta recently sought an injunction against Meta to stop the company from collecting and transmitting data collected from the websites of healthcare providers through Meta Pixel tracking code.

The plaintiffs claim the use of Meta Pixel code on appointment scheduling pages and patient portals allows sensitive information, including patient communications, to be collected and monetized by Meta, which violates federal and state privacy laws. William Orrick, U.S. District Judge for the Northern District of California, has recently issued a ruling denying the injunction.

Background

In the summer, an investigation was conducted by The Markup into the use of tracking technologies such as Meta Pixel on the websites of healthcare providers and found that 33% of the top 100 hospitals in the United States had the code on their websites, some of which had added the code to their patient portals. Meta Pixel can collect any data in HTTP headers, button click data, and form field names. That code was found to be transmitting patient information to Meta when Meta had not entered into a business associate agreement with the hospitals.
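The three data sources named above (HTTP headers, button clicks, and form field names) are worth checking for on any appointment-scheduling or portal page before the question of a business associate agreement even arises. The following is an added example, not code from the article, from The Markup, or from Meta, of a static audit a security team can run over page HTML: it looks for the pixel loader script, the inline `fbq(` call and the `<noscript>` image fallback, and lists the form field names that a tracker on the same page would be able to observe. The two sample pages, the tracker host list, and the regular expression used to decide which field names look sensitive are constructed assumptions for the example; the audit only shows that a tracker and sensitive fields share a page, and a network capture is still needed to prove what is actually transmitted.

```python
"""Added example: static audit of page HTML for a Meta Pixel loader and the
form fields it would sit next to. Sample pages, host list and the
"sensitive field" pattern are assumptions made for this example.
"""
import re
from html.parser import HTMLParser

# Assumed loader indicators (extend for other trackers): the fbevents.js
# script host, the noscript image endpoint, and the inline init/track call.
TRACKER_HOSTS = ("connect.facebook.net", "facebook.com/tr")
INLINE_MARKERS = ("fbq(",)
# Assumed pattern for field names that would carry PHI if observed.
SENSITIVE_FIELD_RE = re.compile(
    r"appoint|diagnos|condition|symptom|medic|insur|dob|birth", re.I)

# Constructed sample: an appointment page carrying the pixel snippet.
# PIXEL_ID_PLACEHOLDER stands in for a real pixel identifier.
PORTAL_WITH_PIXEL = """
<html><head>
<script>
!function(f){f.fbq=function(){}}(window);
fbq('init', 'PIXEL_ID_PLACEHOLDER');
fbq('track', 'PageView');
</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/schedule">
  <input name="patient_name">
  <input name="date_of_birth">
  <select name="appointment_reason"><option>Oncology follow-up</option></select>
  <input name="insurance_member_id">
  <button type="submit">Book appointment</button>
</form>
</body></html>
"""

# Constructed control sample: the same form with no tracker on the page.
PORTAL_CLEAN = """
<html><body><form action="/schedule">
  <input name="patient_name"><input name="date_of_birth">
  <input name="appointment_reason"><input name="insurance_member_id">
</form></body></html>
"""


class PixelAudit(HTMLParser):
    """Collect tracker loader URLs, inline tracker calls and form field names."""

    def __init__(self):
        super().__init__()
        self.tracker_urls = []
        self.inline_tracker = False
        self.form_fields = []  # (form action, field name)
        self._in_script = False
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img") and any(h in src for h in TRACKER_HOSTS):
            self.tracker_urls.append(src)
        elif tag == "form":
            self._form_action = a.get("action", "")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.form_fields.append((self._form_action, a["name"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form_action = None

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data, so inline fbq() is visible here.
        if self._in_script and any(m in data for m in INLINE_MARKERS):
            self.inline_tracker = True


def audit_page(html):
    """Return what a tracker on this page could observe, if one is present."""
    p = PixelAudit()
    p.feed(html)
    present = bool(p.tracker_urls or p.inline_tracker)
    names = [name for _, name in p.form_fields]
    return {
        "tracker_present": present,
        "tracker_urls": p.tracker_urls,
        "form_fields": names,
        "sensitive_fields_exposed": [n for n in names if SENSITIVE_FIELD_RE.search(n)] if present else [],
    }


if __name__ == "__main__":
    for label, page in (("with pixel", PORTAL_WITH_PIXEL), ("clean", PORTAL_CLEAN)):
        print(label, audit_page(page))
```

The check is deliberately static so it can run in CI against rendered templates; the same walk over `form_fields` is what a pixel's automatic event collection sees at runtime, which is why field names (not just values) matter when the form is on a scheduling page for a named specialty.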

In the past few months, Novant Health, Community Health Network, Advocate Aurora Health, and WakeMed Health and Hospitals have all reported impermissible disclosures of patients’ PHI to OCR due to the use of Meta Pixel and other tracking code on their websites. Multiple lawsuits have also been filed against Meta and healthcare providers over the use of Meta Pixel code and the impermissible disclosure of the data of Facebook users, which the lawsuits claim is being used for advertising purposes without consent.

The Department of Health and Human Services’ Office for Civil Rights has recently confirmed that the use of tracking technologies on websites is not permissible under the HIPAA Privacy Rule if those technologies collect and transmit protected health information unless the vendor of the tracking technology qualifies as a business associate and a business associate agreement is in place or if HIPAA-compliant patient authorizations are obtained.

Ruling

Meta has argued that it has a policy in place that limits the data businesses can share through Meta Pixel, and mechanisms are in place that filter out sensitive data to ensure the information is not passed on to advertisers through its ads ranking and optimization systems. Meta also claims that any injunction that requires the company to stop collecting healthcare information would be unfairly burdensome and technologically infeasible.

“The allegations against Meta are troubling: plaintiffs raise potentially strong claims on the merits and their alleged injury would be irreparable if proven,” said Judge Orrick in his ruling. “To secure a mandatory injunction, however, plaintiffs need to show ‘that the law and facts clearly favor [their] position, not simply that [they are] likely to succeed.’”

Orrick explained that Meta has provided evidence that the company is doing all it can to minimize the problems raised by the plaintiffs, and that based on the available facts it is unclear where the truth lies. Orrick said there is a need for discovery to clarify the scope of the problems and the potential solutions that can be implemented to address them. Judge Orrick said, “it is too early to find that the public interest supports a mandatory injunction.”


November 2022 Healthcare Data Breach Report

November was a relatively quiet month for healthcare data breaches with 31% fewer breaches reported than the previous month. November’s total of 49 breaches of 500 or more records was also well below the 12-month average of 58 breaches a month. 643 healthcare data breaches have been reported to the HHS’ Office for Civil Rights so far in 2022, which makes this year the second worst year to date for healthcare data breaches.

Despite the fall in reported breaches, the number of breached records increased by 10% from October. November was the worst month of 2022 in terms of the number of breached healthcare records, with 6,904,441 records exposed or impermissibly disclosed – well above the 12-month average of 3.99 million records a month. So far in 2022, 44,852,648 healthcare records have been breached.

Largest Healthcare Data Breaches in November

17 breaches of 10,000 or more records were reported to OCR in November, five of which involved more than half a million records, and three incidents involved the impermissible disclosure of more than 1 million records. The largest data breach was a hacked network server at the Pennsylvania-based business associate Connexin Software – a provider of electronic medical records to pediatric practices. An unauthorized individual gained access to an offline set of patient data that was used for data conversion and troubleshooting. The records of 2,216,365 patients were exposed and potentially stolen.

The Indiana-based healthcare provider, Community Health Network, reported an impermissible disclosure of the protected health information of up to 1.5 million patients. Tracking code had been added to its website that resulted in patient information being transferred to third parties such as Meta and Google, without obtaining consent from patients or having a business associate agreement in place. Several healthcare providers have reported similar breaches this year, prompting OCR to issue a warning to HIPAA-regulated entities this month over the use of tracking technologies on websites and mobile applications.

Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that exposed the protected health information of up to 1,195,220 patients. Major ransomware attacks were also reported by the Michigan-based prosthetics and orthotics provider, Wright & Filippis, and Health Care Management Solutions in West Virginia.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Data Breach |
|---|---|---|---|---|---|
| Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking/IT Incident | Hacking of network server |
| Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Unauthorized Access/Disclosure | Website tracking code transmitted PHI to third parties |
| Doctors’ Center Hospital | PR | Healthcare Provider | 1,195,220 | Hacking/IT Incident | Ransomware attack |
| Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Hacking/IT Incident | Ransomware attack |
| Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking/IT Incident | Ransomware attack on subcontractor of CMS business associate |
| Gateway Rehabilitation Center | PA | Healthcare Provider | 130,000 | Hacking/IT Incident | Hacking of network server |
| Mena Regional Health System | AR | Healthcare Provider | 84,814 | Hacking/IT Incident | Hacking of network server |
| Dallam Hartley Counties Hospital District | TX | Healthcare Provider | 69,835 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
| Consumer Directed Services in Texas, Inc. | TX | Healthcare Provider | 56,728 | Hacking/IT Incident | Hacking incident at a business associate |
| Stanley Street Treatment and Resources, Inc. | MA | Healthcare Provider | 45,785 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
| South Walton Fire District | FL | Healthcare Provider | 25,331 | Hacking/IT Incident | South Walton Fire District |
| Rosenfeld VanWirt, PC | PA | Business Associate | 18,719 | Hacking/IT Incident | Hacking incident affecting multiple affiliates of the Lehigh Valley Health Network |
| CCA Health Plans of California, Inc d/b/a CCA Health CA | CA | Health Plan | 14,631 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
| CareFirst Administrators | MD | Health Plan | 14,538 | Hacking/IT Incident | Phishing attack on business associate |
| Work Health Solutions | CA | Healthcare Provider | 13,157 | Hacking/IT Incident | Phishing attack |
| New York-Presbyterian Hospital | NY | Healthcare Provider | 12,000 | Hacking/IT Incident | Hacking of network server |
| Epic Management LLC | TN | Healthcare Provider | 10,862 | Hacking/IT Incident | Unauthorized email account access |

Causes of November Data Breaches

All but one of the 17 data breaches of 10,000 or more records were due to hacking incidents, several of which were ransomware attacks. Many hacking incidents involve ransomware, although it is common for HIPAA-regulated entities not to disclose the exact nature of these attacks. It is therefore difficult to determine the extent to which ransomware is used in cyberattacks on the healthcare industry. 5,374,670 records were exposed or stolen in these hacking incidents – 77.8% of all records breached in November. The average breach size was 134,367 records and the median breach size was 7,158 records.

There were 8 unauthorized access/disclosure incidents reported that involved the records of 1,521,788 individuals. The majority of those records were impermissibly disclosed by one healthcare provider. The average breach size was 190,224 records and the median breach size was 2,275 records. There was also one theft incident reported involving the records of 7,983 individuals. In the majority of reported incidents, the breached protected health information was located on network servers. There were also 7 incidents involving breaches of email data, and four incidents involving electronic health records.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entities in November, with 26 reported breaches, one of which occurred at a business associate but was reported by the healthcare provider. 6 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 17 breaches in November. The pie chart below shows the breakdown of data breaches based on where they occurred, rather than the entities reporting the data breaches.

Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities in 18 states and Puerto Rico. Pennsylvania was the worst affected state with 12 breaches, which involved 34.8% of the month’s breached records. 10 of those breaches were due to a hacking incident involving healthcare providers that are part of the Lehigh Valley Health Network. HIPAA-regulated entities in California reported 6 breaches, but these were relatively minor, only involving the protected health information of 41,382 patients.

| State | Breaches |
|---|---|
| Pennsylvania | 12 |
| California | 6 |
| Florida & New York | 4 |
| Texas | 3 |
| Arkansas, Connecticut, Indiana, Maryland, Massachusetts & Tennessee | 2 |
| Georgia, Michigan, New Jersey, Nevada, Oregon, Washington, West Virginia, and Puerto Rico | 1 |

HIPAA Enforcement Activity in November

No civil monetary penalties or settlements were announced by OCR in November. Even so, 2022 has seen more HIPAA enforcement actions than in any other year since OCR was given the authority to enforce HIPAA compliance. The majority of the financial penalties in 2022 have been imposed for violations of the HIPAA right of access, and 55% of the year’s enforcement actions over HIPAA violations were on small healthcare providers.

In November, the state of Massachusetts announced that Aveanna Healthcare had been fined $425,000 for a breach of the PHI of 166,000 individuals, 4,000 of whom were Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, with the Massachusetts Attorney General discovering a lack of safeguards such as multi-factor authentication and security awareness training.


Telehealth Websites are Transmitting Sensitive Health Information to Big Tech Firms

The private information of visitors to telehealth websites is being shared with big tech companies without user consent due to the use of tracking code snippets on the websites, according to a recent analysis by The Markup.

The websites of 50 direct-to-consumer telehealth companies were analyzed for the presence of third-party tracking code, 49 of which were found to have tracking code that transmitted the information of visitors to third parties, including Meta/Facebook and Google.

The study follows on from an analysis of the websites of the top 100 hospitals in the United States in the summer, which revealed one-third were using tracking code on their websites that was sending data to third parties without consent, valid HIPAA authorizations, or business associate agreements. In a handful of cases, the tracking code was added behind password-protected patient portals.

The latest study of telehealth websites included sites that collect highly sensitive information from visitors, such as the personal and health information of people suffering from Substance Use Disorder (SUD) who are seeking treatment. In many cases, the answers to medical questionnaires were also sent to big tech firms, including answers to questions about health conditions, medical histories, and drug use.

The report, jointly published by The Markup and STAT, found that 49 of the 50 sites studied transmitted the URLs that an individual had visited, with 35 sites also transferring personal information such as email addresses, phone numbers, and full names. 19 sites recorded and transmitted when the user initiated checkout, 13 sites sent the answers to questionnaires to third parties, 11 sites sent data confirming when the user had added an item to their cart (such as a treatment plan), and 9 sites transferred the date the user created the account.

The 13 sites that sent questionnaire data were of particular concern, as the answers were to health questions. That information was sent to a variety of companies, including Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest. 25 sites told big tech firms when a user had added an item such as a prescription medication to their cart or checked out with a treatment plan.

All but one of the 50 websites transferred the URLs that a user had visited on the site. The websites provide health and treatment information, so the information detailed on certain pages may be for a specific health complaint. That information is then tied to an individual or a household via an IP address. Amazon Clinic was the only website that did not share website data with third parties.

Potential HIPAA Violations

Healthcare providers are HIPAA-covered entities and disclosures of protected health information are restricted by the HIPAA Privacy Rule. SUD information is also subject to the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records regulations. Recently, the HHS’ Office for Civil Rights published guidance for HIPAA-regulated entities confirming that the use of third-party tracking code on websites violates HIPAA if that tracking code collects and transfers protected health information (PHI) to third parties, unless the third party qualifies as a business associate under HIPAA. In such cases, a HIPAA-compliant business associate agreement is required before the code can be used. If a third party is not a business associate, HIPAA-compliant patient authorizations are required before that code can be used.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, but many of the telehealth sites studied operate in a gray area. The websites are not run by HIPAA-regulated entities or SUD treatment providers, so the HIPAA and Part 2 regulations do not apply, even though the data collected is the same data that would be classed as PHI or SUD records if collected by a covered entity.

The information collected through these websites is passed on to HIPAA-covered entities and entities covered by Part 2, but the websites themselves are intermediaries and are therefore not bound by HIPAA or the Part 2 regulations. For example, one website run by Cerebral Inc. collected HIPAA-covered data but is not a HIPAA-covered entity. The website passes the information to Cerebral Medical Group, P.A., which is a HIPAA-covered entity. The transfer of data to the big tech firms occurred before the transfer to the Cerebral Medical Group, P.A.

WorkIt Health provides healthcare services including SUD treatment. Its website states in its Notice of Privacy Practices (NPP) that, “You are receiving this NPP because you are or intend to receive health care services from a Workit Health Clinic… Each Workit Health Clinic together designates themselves as a single Affiliated Covered Entity (“ACE”) for purposes of compliance with HIPAA.” However, the WorkIt website had trackers from Google, Facebook, Bing, and Twitter, and transferred URLs, personal information, and answers to questionnaires. The Markup contacted WorkIt Health regarding the findings of the study and WorkIt Health removed the tracking technology from its website and initiated an investigation into the privacy breach.

Visitors to These Websites Expect Privacy

Many healthcare organizations add these tracking technologies to their websites with good intentions, as the technology can provide data that can help to improve the user experience on websites and gauge the effectiveness of marketing campaigns, but the extent to which patient information is being shared is not fully understood.

Individuals who visit these websites are unlikely to be aware that any information they provide directly through answers on web forms and medical questionnaires, and indirectly via the sites they visit, is not being kept private and confidential, and that is a big concern. Many of these sites mention HIPAA and Part 2 in their NPPs, yet the extent to which those regulations apply is unclear. The Markup notes that at least 12 of the studied companies state that they are HIPAA compliant, but that does not necessarily mean that the information provided on the site is kept private or is indeed covered by HIPAA at the point it is collected.

The study shows that there is a trade-off when using these websites. Patients get convenience, but it may come at the expense of their privacy. There is a massive gap in HIPAA, which has not been updated to account for changes in how healthcare is being provided, and there are also suggestions of deceptive privacy practices, albeit in many cases unwittingly deceiving visitors about privacy.

“Sensitive health information is being shared, inadvertently, online every day. Hospital websites, online pharmacies, and health information sites use a variety of applications (site analytics, links to social media, advertising) that collect and share site visitors’ data, including the healthcare terms and medical conditions that the user is searching,” Ian Cohen, CEO of LOKKER, told HIPAA Journal. “For example, in LOKKER’s recent research of over 170,000 websites, we identified the Meta Pixel (Facebook) on over 40% of healthcare sites. Similar data was found about data being shared with TikTok, Snapchat, Pinterest, Microsoft, and Google, as well.” Cohen went on to say, “Not only are consumers and patients unaware that their information is being collected and shared, we believe that the website owners don’t fully understand the extent to which they are sharing data back to the social networks.”

The Markup explained that its researchers did not test all webpages on the sites of the telehealth providers, so the full extent to which tracking code has been used is not known. Tracking code can also be configured differently on different web pages.

It is also unclear what the big tech firms do with the transferred data. Several big tech firms state that they do not allow targeted advertising related to health conditions, although there are ways around that by using closely related terms. Meta, for instance, claims to strip out any data it should not receive and does not provide that information to third-party advertisers. The extent to which that occurs is also unclear. Meta is the subject of several lawsuits over this very matter, some of which allege health data has been used to serve targeted ads to patients whose information was collected through the Meta Pixel code snippet.

Steps Operators of Health Websites Should Take

The HHS’ Office for Civil Rights has made clear in its recent guidance that tracking technology on websites violates HIPAA and that this issue needs to be addressed immediately. HIPAA-regulated entities are required to report any HIPAA violations related to the use of third-party tracking technologies. So far, only a few HIPAA-regulated entities have done so, despite huge numbers having added tracking code to their websites. Even if the websites are not run by HIPAA-regulated entities, the operators of those websites have a moral responsibility to protect the privacy of their visitors with respect to their sensitive health information. Ian Cohen suggests all healthcare organizations should take the following actions:

  1. Take inventory of what data your websites and apps are collecting and if you’re violating your own privacy policy, other privacy laws, or your customers’ trust
  2. Know your partners and ensure they aren’t exploiting your customers’ information
  3. Build customer privacy ‘muscle’ by forming teams that include Marketing, IT, and Legal and establish routines for better data hygiene
  4. Don’t just ask for customer consent for bad practices, re-evaluate how you want to better serve your customers and build trust with every interaction by communicating clearly


FTC and HHS Update Online Compliance Tool for Mobile Health App Developers

Developers of mobile health apps may be required to comply with certain federal laws such as the FTC Act, the FTC Health Breach Notification Rule, the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug, and Cosmetic Act (FD&C Act), the 21st Century Cures Act, and the ONC’s Information Blocking Regulations.

To help mobile health app developers avoid compliance missteps, the Federal Trade Commission (FTC), in conjunction with the Department of Health and Human Services’ Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), developed an online tool to help developers determine which federal laws and regulations they need to comply with.

The online tool asks a series of questions about the nature of the app, the service it provides, the information it collects, and how that information is collected, shared, and used. Based on the answers to the questions, the tool will direct the developer to the relevant federal regulatory privacy, security, and breach notification laws and regulations that may apply.

The tool should be used by any developer of a mobile app that accesses, collects, shares, uses, or maintains information related to an individual’s past, present, or future health. Even if a health app has not been developed for use by a HIPAA-covered entity, there may be one or more federal laws or regulations that apply. The tool will point developers to resources where they can find out more information about their compliance obligations, along with best practices to help them deliver a safe and accurate service while ensuring the privacy and security of the health information of app users.

On December 7, 2022, the HHS announced that the online Mobile Health App Interactive Tool has been updated. The updated version can be found here.


OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation

The HHS’ Office for Civil Rights has issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a business associate agreement (BAA) is a HIPAA violation if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of the tracking technology may still violate the HIPAA Rules.

The bulletin has been issued in response to the discovery earlier this year that Meta Pixel tracking code was being extensively used on the websites of hospitals and that the code snippet transferred data to Meta, including sensitive patient data. These privacy breaches came to light during an investigation by The Markup and STAT, which found Meta Pixel had been added to the websites of one-third of the top 100 hospitals in the United States and, in 7 cases, the code had been added to password-protected patient portals. The study was limited to the top 100 hospitals, so it is likely that hundreds of hospitals have used the code and have – in all likelihood unwittingly – transferred sensitive data to Meta/Facebook without a business associate agreement in place and without obtaining patient consent.

Following the publication of the report, several lawsuits were filed against healthcare providers over these impermissible disclosures, with some plaintiffs claiming the information disclosed on the websites of their healthcare providers had been transferred to Meta and was used to serve them targeted advertisements related to their medical conditions. The news came as a shock to healthcare providers, triggering investigations and recent data breach notifications; however, despite the widespread use of the tracking code, only a handful of hospitals and health systems have reported the breach and sent notifications so far. The bulletin from the HHS is likely to trigger a flurry of breach notifications as providers realize that the use of Meta Pixel and other tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are commonly snippets of code that are added to websites, web applications, and mobile apps for tracking user activity, typically for determining the journeys of users while using websites and monitoring their on-site interactions. The data collected by these technologies can be analyzed and used to improve the services provided through the websites and applications and enhance the user experience, which benefits patients. While there are benefits to individuals from the use of this code, there is also considerable potential for harm to be caused, as in addition to providing a HIPAA-regulated entity with useful information, the data collected through these technologies is usually transmitted to the vendor.

For instance, if a female patient arranged an appointment on the website of a healthcare provider to discuss the termination of a pregnancy, the information collected by the tracking technology on the site could be transmitted to the vendor and subsequently disclosed to other third parties. That information could be provided to law enforcement or other third parties. Information disclosed in confidence by a patient on a website or web application could be transferred to a third party and used for fraud, identity theft, extortion, stalking, harassment, or to promote misinformation.

In many cases, these tracking technologies are added to websites and applications without the knowledge of users, and it is often unclear how any disclosed information will be used by a vendor and to whom that transmitted information will be disclosed. These tracking technologies often use cookies and web beacons that allow individuals to be tracked across the Internet, allowing even more information to be collected about them to form detailed profiles. When tracking technologies are included in web applications, they can collect device-related information, including location data which is tied to a unique identifier for that device, through which a user could be identified.

All Tracking Technologies Must be HIPAA Compliant

There is nothing in HIPAA that prohibits the use of these tracking technologies, but the HIPAA Rules apply when third-party tracking technologies are used if the tracking technology collects individually identifiable information that is protected under HIPAA and transmits that information to a third party, be that the vendor of the tracking technology or any other third party. If the tracking technology collects any identifiers, they are classed as protected health information because the information connects the individual to the regulated entity, indicating the individual has received or will receive health care services or benefits from the regulated entity, and that relates to the individual’s past, present, or future health or health care or payment for care.

There is an elevated risk of an impermissible disclosure of PHI when tracking technology is used on patient portals or any other pages that require authentication as these pages usually have access to PHI. If tracking code is added to these pages it must be configured in a way to ensure that the code only uses and discloses PHI in compliance with the HIPAA Privacy Rule, and that any information collected is secured in a manner compliant with the HIPAA Security Rule. Tracking code on unauthenticated pages also has the potential to have access to PHI. The same applies to tracking technologies within a HIPAA-regulated entity’s mobile apps, if it collects and transmits PHI. OCR confirmed that only mobile apps offered by healthcare organizations are covered by HIPAA. HIPAA does not apply to third-party apps that are voluntarily downloaded by individuals, even if the apps collect and transmit health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the bulletin.

The OCR bulletin confirms that if tracking technologies are used, the provider of that code – which includes Meta Platforms (Meta Pixel) and Google (Google Analytics) – would be classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity before the code can be added to a website or application. The BAA must state the responsibilities of the vendor with respect to the PHI and specify the permitted uses and disclosures of that information. If the vendor will not sign a BAA, PHI cannot legally be provided to that vendor; therefore the code cannot be used, or it must be configured so that it does not collect or transmit PHI. OCR also confirmed that even if a vendor states that it will strip out any identifiable information prior to saving or using the transferred data, such a disclosure to the vendor would still only be permitted if a BAA was signed and if the HIPAA Privacy Rule permits such a disclosure.

Other potential violations of HIPAA could occur. If any PHI is disclosed to a vendor, it must be in line with the organization’s privacy policy and be detailed in their Notice of Privacy Practices. It is important to note that simply stating that tracking technology is used in a notice of privacy practices is not sufficient by itself to ensure compliance. In addition to a BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from a patient, giving their consent to disclose that information. Website banners that ask a website visitor to consent to cookies and the use of web tracking technologies do not constitute valid HIPAA authorizations.

Actions HIPAA-Regulated Entities Should Take Immediately

In light of the bulletin, HIPAA-regulated entities should read it carefully to make sure they understand how HIPAA applies to tracking technologies. They should also conduct a review of any tracking technologies that they are using on their websites, web applications, or mobile apps to ensure those technologies are being used in a manner compliant with the HIPAA Rules. If they are not already, website tracking technologies must be included in a HIPAA-regulated entity’s risk analysis and risk management processes.
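The review OCR calls for here, and the inventory step Ian Cohen recommends in the telehealth article above, both start with knowing which tracker tags each page loads. The following Python script is an added example (not HIPAA Journal's, OCR's, or any vendor's code): it scans a page's HTML offline for Meta Pixel and Google tag loaders, beacons and inline calls, lists the form field names those scripts could read, and flags pages whose path is behind login or is an appointment page. The tracker hosts, the path conventions and the sample page are constructed assumptions.

```python
"""Offline inventory of third-party tracking tags in a page's HTML (added example,
not HIPAA Journal's or OCR's code). Assumptions: the tracker hosts and inline markers
below match common Meta Pixel / Google tag deployments; AUTHENTICATED_PREFIXES and
SENSITIVE_PATH_HINTS are illustrative site conventions, not a standard."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that tracker tags load from or beacon to (assumption: common deployments).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",  # noscript image beacon
    "www.googletagmanager.com": "Google Tag Manager / Google Analytics",
    "www.google-analytics.com": "Google Tag Manager / Google Analytics",
}
# Calls that inline tag snippets make to initialise the tag and fire events.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Tag Manager / Google Analytics"}
# Illustrative site conventions (assumptions): paths behind login, and path words that
# reveal a care relationship even on unauthenticated pages.
AUTHENTICATED_PREFIXES = ("/portal", "/mychart")
SENSITIVE_PATH_HINTS = ("appointment", "schedul", "portal")


@dataclass
class PageInventory:
    path: str
    trackers: list = field(default_factory=list)     # (vendor, evidence) pairs
    form_fields: list = field(default_factory=list)  # field names page scripts can read

    def vendors(self):
        return sorted({vendor for vendor, _ in self.trackers})


class TrackerInventory(HTMLParser):
    """Collect tracker script/beacon sources, inline tag calls and form field names."""

    def __init__(self, path):
        super().__init__()
        self.result = PageInventory(path=path)
        self._in_script = False

    def _record(self, vendor, evidence):
        if (vendor, evidence) not in self.result.trackers:  # dedupe repeated tags/calls
            self.result.trackers.append((vendor, evidence))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host in KNOWN_TRACKER_HOSTS:
                self._record(KNOWN_TRACKER_HOSTS[host], a["src"])
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.result.form_fields.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # html.parser delivers <script> bodies as data
            for marker, vendor in INLINE_MARKERS.items():
                if marker in data:
                    self._record(vendor, "inline call " + marker)


def inventory_page(path, html):
    parser = TrackerInventory(path)
    parser.feed(html)
    parser.close()
    return parser.result


def assess(inv):
    """Return (level, findings); level is 'none', 'review' or 'high'."""
    if not inv.trackers:
        return "none", []
    level = "review"
    findings = ["third-party trackers present: " + ", ".join(inv.vendors())]
    if inv.path.startswith(AUTHENTICATED_PREFIXES):
        level = "high"
        findings.append("tracker loaded on an authenticated page; PHI is in scope")
    elif any(hint in inv.path for hint in SENSITIVE_PATH_HINTS):
        level = "high"
        findings.append("tracker on an appointment page; the URL alone ties a visitor to care")
    if inv.form_fields:
        findings.append("form field names readable by page scripts: " + ", ".join(inv.form_fields))
    return level, findings


# Constructed sample: an appointment page with a Meta Pixel snippet (placeholder id) and a GA tag.
SAMPLE_SCHEDULING_PAGE = """<html><head>
<script>
  !function(f,b,e,v,n,t,s){/* pixel loader elided */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');  /* placeholder pixel id, not a real one */
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body><form action="/appointments/book" method="post">
  <input name="patient_name"><input name="date_of_birth">
  <select name="reason_for_visit"></select><button type="submit">Schedule</button>
</form></body></html>"""
```

Running `assess(inventory_page("/appointments/schedule", SAMPLE_SCHEDULING_PAGE))` on the sample returns level "high" with both vendors and the three form field names listed; the same walk over a saved copy of every page in the site map gives the inventory the bulletin asks for.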

It is important to state that a tracking technology vendor is classed as a business associate under HIPAA, even if a BAA is not signed. As such, any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.

If during the review a HIPAA-regulated entity discovers tracking technologies are being used in a manner not compliant with the HIPAA Rules, or have been in the past, then the HIPAA Breach Notification Rule applies. Notifications will need to be sent to OCR and the individuals whose PHI has been impermissibly disclosed.


HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2

The Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) have issued a Notice of Proposed Rulemaking (NPRM) detailing changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2) and HIPAA to increase care coordination and better align Part 2 with the HIPAA Privacy Rule, as required by Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

Part 2 protects the privacy of patient records related to treatment for SUD, while the HIPAA Privacy Rule governs the privacy of protected health information (PHI); under the two rules, however, SUD records are treated differently from other types of PHI. The HIPAA Privacy Rule permits disclosures of PHI without consent for treatment, payment, or healthcare operations, but Part 2 imposes greater restrictions on disclosures of SUD records. Generally, SUD records can only be disclosed by a SUD treatment provider if consent to do so is obtained from the patient. Further, even with a valid consent form, SUD treatment providers must include a written statement that the information cannot be redisclosed. SUD records are treated as particularly sensitive because of the stigma attached to substance abuse and the discrimination that can follow, which can result in loss of insurance and employment.

Having to treat PHI and SUD records differently is problematic, as it creates barriers to information sharing that is in the best interests of patients, and the dual compliance obligations create compliance challenges for regulated entities. “Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” said HHS Secretary Xavier Becerra, hence the need for better alignment of Part 2 with the HIPAA Privacy Rule. It is important, however, to ensure patient privacy is maintained, as any lessening of the protections for SUD records could deter individuals suffering from SUD from seeking treatment, which could have life-threatening consequences.

The proposed rule strikes a balance between the need for strong privacy protections and having the flexibility to allow information sharing to improve care coordination. “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.”

The key changes in the NPRM are:

  • Permitted use and disclosure of Part 2 records will be based on a single patient consent. Once that consent is given, it covers all future uses and disclosures for treatment, payment, and healthcare operations.
  • Redisclosure of Part 2 records will be permitted – with certain exceptions – if redisclosure is permitted by the HIPAA Privacy Rule.
  • Patients are given new rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have been expanded.
  • The HHS has new enforcement authority and can impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act.
  • Part 2 programs must establish a process to receive complaints about Part 2 violations; they are prohibited from taking adverse action in response to complaints and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • Breach notification requirements to the HHS and affected patients for Part 2 records will be aligned with the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address uses and disclosures of Part 2 records and individual rights with respect to those records.

The HHS and SAMHSA are encouraging healthcare industry stakeholders and the public to submit comments on the proposed changes. To be considered, they must be submitted within 60 days of publication of the NPRM in the Federal Register. The expected publication date is 12/02/2022. A fact sheet on the proposed changes has been published on the HHS website.

The post HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2 appeared first on HIPAA Journal.