Healthcare Data Privacy

December 2022 Healthcare Data Breach Report

The number of reported healthcare data breaches declined for the second successive month, with 40 data breaches of 500 or more healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2022 – the lowest monthly total of the year and 29.7% fewer data breaches than the 2022 monthly average. The year ended with 683 data breaches, a year-over-year reduction of 4.3%. Only one other year (2014) has seen a fall in reported data breaches.

[Chart: 2022 healthcare data breaches]

The worst month of 2022 for breached records was followed by the best, with 2,174,592 healthcare records exposed or compromised in December, well below the 2022 average of 3,986,025 records per month and 68.5% fewer breached records than in November. While this is certainly great news, even with this reduction, 2022 was the second worst-ever year for healthcare data breaches with more than 47 million records exposed or compromised from January 1 to December 31, 2022.

[Chart: 2022 breached healthcare records]

Largest Healthcare Data Breaches in December 2022

December saw 13 data breaches of 10,000 or more healthcare records reported to OCR. HIPAA Journal has been unable to obtain information on two of those breaches. Ransomware attacks continue to plague the healthcare industry, with 5 of the 13 largest breaches in December confirmed as involving ransomware, two of which involved the protected health information of more than 600,000 patients. Ransomware attacks on the healthcare industry more than doubled between 2016 and 2021 according to one recent analysis, although it is becoming increasingly difficult to obtain reliable data on the extent to which ransomware is used in cyberattacks due to the lack of standardized reporting. While healthcare organizations of all sizes are being attacked, ransomware gangs tend to focus their efforts on larger healthcare organizations, according to a recent report by Delinea.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack with business associate involvement |
| Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack |
| Avem Health Partners | OK | Business Associate | 271,303 | Hacking incident at a business associate |
| Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System | LA | Healthcare Provider | 269,752 | Ransomware attack |
| Fitzgibbon Hospital | MO | Healthcare Provider | 112,072 | Ransomware attack |
| Monarch | NC | Healthcare Provider | 56,155 | Hacking incident – no information released |
| Ola Equipment LLC | HI | Business Associate | 39,000 | Hacking incident – no information released |
| The Elizabeth Hospice | CA | Healthcare Provider | 35,496 | An employee sent PHI to a personal email account |
| Legacy Operating Company d/b/a Legacy Hospice | AL | Healthcare Provider | 21,202 | Compromised email accounts |
| Employee Group Insurance Benefits Plan of Acuity Brands, Inc. | GA | Health Plan | 20,849 | Hacking incident (data theft confirmed) |
| San Gorgonio Memorial Hospital | CA | Healthcare Provider | 16,846 | Hacking incident (data theft confirmed) |
| Hawaiian Eye Center | HI | Healthcare Provider | 14,524 | Ransomware attack |
| Foundcare, Inc. | FL | Healthcare Provider | 14,194 | Compromised email account |

Causes of December 2022 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and typically involve many more records than other types of data breaches. In December, 28 incidents were classified as hacking/IT incidents – 70% of the month’s total breaches. 1,965,032 healthcare records were exposed or impermissibly disclosed in those incidents – 90.4% of the month’s breached records. The average breach size was 70,180 records and the median breach size was 4,152 records. 20 of the month’s breaches involved compromised network servers, and 12 incidents involved hacked email accounts.

[Chart: Causes of December 2022 healthcare data breaches]

The risk of email-related data breaches can be greatly reduced by providing regular security awareness training to the workforce, as is required by the HIPAA Security Rule, and by implementing multi-factor authentication, with FIDO-based MFA providing the greatest level of protection. HIPAA-regulated entities should also ensure that their password management practices are kept up to date. A recent audit of the Department of the Interior identified many password management failures, which are all too common in the healthcare industry.

There were 10 unauthorized access/disclosure-related data breaches in December involving 168,386 records. The average breach size was 16,839 records and the median breach size was 1,739 records. There has been a decline in these types of data breaches in recent years as HIPAA training and monitoring of medical record access have improved. There were two loss/theft incidents reported involving 41,174 records. Both of these incidents involved computers/other electronic devices and could have been prevented by encrypting the devices.

[Chart: December 2022 healthcare data breaches – location of breached PHI]

December Data Breaches by HIPAA Regulated Entity

Healthcare providers were the worst affected type of HIPAA-regulated entity, with 24 breaches of 500 or more records reported. Business associates reported 11 data breaches and health plans reported 5. Two of the data breaches reported by healthcare providers had business associate involvement but were reported by the healthcare provider. The chart below shows the breakdown based on where the breach occurred.

[Chart: December 2022 healthcare data breaches – HIPAA-regulated entity type]

States Affected by December 2022 Data Breaches

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. California was the worst affected with 4 reported breaches.

| State | Reported Data Breaches |
|---|---|
| California | 4 |
| Florida, New York, Texas & Washington | 3 |
| Georgia, Hawaii, Illinois, Massachusetts, Missouri, South Dakota & Virginia | 2 |
| Alabama, Connecticut, Louisiana, Maryland, North Carolina, Nebraska, Oklahoma, Rhode Island, Wisconsin & West Virginia | 1 |

HIPAA Enforcement Activity in 2022

OCR closed the year with two financial penalties to resolve alleged HIPAA violations. Health Specialists of Central Florida’s case stemmed from an investigation into a HIPAA Right of Access violation over the failure to provide a woman with a copy of her deceased father’s medical records. The records were provided, but there was a 5-month delay. Health Specialists of Central Florida settled the case and paid a $20,000 financial penalty. This was the 42nd financial penalty to be imposed under OCR’s HIPAA Right of Access enforcement, which was launched in 2019.

New Vision Dental in California was one of just two healthcare providers to settle a HIPAA violation case with OCR in 2022 that did not involve a HIPAA Right of Access violation. OCR investigated New Vision Dental in response to complaints that patient information was being impermissibly disclosed online in response to negative reviews on Yelp. OCR also identified a Notice of Privacy Practices failure. The case was settled for $23,000. Including these two penalties, OCR resolved 22 HIPAA violation cases with settlements and civil monetary penalties in 2022, more than any other year since OCR was given the authority to impose financial penalties for HIPAA violations.

State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah resulted in a financial penalty for Avalon Healthcare over a phishing attack. Avalon Healthcare was determined to be in violation of the HIPAA Security and Breach Notification Rules and state laws due to a lack of appropriate safeguards to protect against phishing attacks and an unreasonable delay in sending breach notification letters, which were issued 10 months after the breach was detected. The case was settled for $200,000. This was one of three enforcement actions by state attorneys general in 2022 to resolve HIPAA violations.

The post December 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

AI in Healthcare

The topic of AI in healthcare often gets mixed reactions. While some people are firm believers in the benefits of AI in healthcare and the considerable benefits to patients, others have concerns about the ethics of AI in healthcare, and much of the apprehension about the use of AI in healthcare is attributable to a lack of knowledge about AI. In this article, we explain what artificial intelligence is, the benefits of AI in healthcare, and how concerns about the ethics of AI in healthcare need to be overcome.

What is Artificial Intelligence (AI)?

One of the reasons why some people approach the topic of AI in healthcare with a degree of apprehension is that different sources offer different definitions of AI. It is also the case that some sources confuse AI with Machine Learning (ML), which strictly speaking is a subset of AI. To quote Microsoft’s definitions of the two terms: 

Artificial intelligence is the capability of a computer system to mimic human cognitive functions such as learning and problem-solving. Through AI, a computer system uses math and logic to simulate the reasoning that people use to learn from new information and make decisions.

Machine learning is an application of AI. It is the process of using mathematical models of data to help a computer learn without direct instruction. This enables a computer system to continue learning and improving on its own, based on experience.

Therefore, while AI and ML are closely connected, they are not the same. Generally, a computer system uses AI to think like a human and perform tasks on its own, whereas ML is how a computer system develops its intelligence. Importantly, many of the concerns related to AI in healthcare revolve around how computer systems develop Artificial Intelligence and their capabilities to learn and make decisions without human instruction.

How Computer Systems Develop Artificial Intelligence

There are many different standard and hybrid techniques that determine how computer systems develop Artificial Intelligence. Generally, most follow the same two-stage process:

Supervised Learning

Most new AI systems start with a supervised learning process in which labeled datasets with known outcomes are fed into a system to train an algorithm on how to classify data. The outcomes produced by the system are then weighted to match the previously known outcomes. Often, this stage is followed by “semi-supervised learning” in which labeled datasets guide the algorithm as it classifies unlabeled datasets and predicts outcomes for the unlabeled data.

Unsupervised Learning

In unsupervised learning, the trained algorithm has to detect underlying patterns and relationships in never-before-seen unlabeled data in order to produce accurate outcomes. With unsupervised learning, it is important to remember that the aim is to make sense of data in the context of a specific question. How the answer is determined will depend on how the algorithm has been trained and weighted during the supervised and semi-supervised stages.
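To make the two-stage process above concrete, here is an added example (not code from the original article or from any company it mentions) in pure Python. It trains a nearest-centroid classifier on a constructed set of labeled vital-sign records (the supervised stage), uses that model to label a constructed set of unlabeled records and retrains on both (the "semi-supervised" stage), and then applies the trained model to never-before-seen records to produce a deterioration alert of the kind the article describes later. All vital-sign values and labels are made up for illustration; the centroid method is just one simple classifier chosen to keep the training and weighting steps visible.

```python
from math import sqrt

# Constructed example records: (heart rate in bpm, respiratory rate in breaths/min)
# paired with a known outcome label. These values are invented for illustration.
LABELED_RECORDS = [
    ((72, 14), "stable"),
    ((68, 16), "stable"),
    ((80, 18), "stable"),
    ((76, 15), "stable"),
    ((118, 28), "deteriorating"),
    ((125, 30), "deteriorating"),
    ((110, 26), "deteriorating"),
    ((130, 32), "deteriorating"),
]

# Constructed records with no outcome label, as the semi-supervised stage would see them.
UNLABELED_RECORDS = [(90, 20), (115, 27)]


def train_centroids(records):
    """Supervised stage: learn one centroid (mean feature vector) per label
    from records whose outcomes are already known."""
    sums = {}
    counts = {}
    for features, label in records:
        acc = sums.setdefault(label, [0.0] * len(features))
        for i, value in enumerate(features):
            acc[i] += value
        counts[label] = counts.get(label, 0) + 1
    return {label: tuple(v / counts[label] for v in acc) for label, acc in sums.items()}


def predict(centroids, features):
    """Assign the label whose centroid is closest in Euclidean distance."""
    def distance(a, b):
        return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return min(centroids, key=lambda label: distance(centroids[label], features))


def self_train(centroids, labeled, unlabeled):
    """Semi-supervised stage: label the unlabeled records with the current
    model, then retrain on the union so the centroids reflect both sets.
    Returns the new centroids and the pseudo-labeled records."""
    pseudo_labeled = [(features, predict(centroids, features)) for features in unlabeled]
    return train_centroids(labeled + pseudo_labeled), pseudo_labeled


def early_warning(centroids, features):
    """Apply the trained classifier to a never-before-seen record and return
    the label together with an alert flag a care team could act on."""
    label = predict(centroids, features)
    return {"label": label, "alert": label == "deteriorating"}


if __name__ == "__main__":
    model = train_centroids(LABELED_RECORDS)
    model, pseudo = self_train(model, LABELED_RECORDS, UNLABELED_RECORDS)
    print("pseudo-labels:", pseudo)
    for record in [(70, 13), (122, 29)]:
        print(record, early_warning(model, record))
```

The point the code makes is the one the article makes in prose: the answer for a new record depends entirely on which labeled records were used for training and on how the pseudo-labeled records shifted the centroids, so changing the training set changes the alert threshold without any change to the algorithm itself.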

While this explanation might fail to reassure those who are concerned or apprehensive about AI – because “answers” are dependent on how the algorithm has been trained, the quality of data used to train the algorithm, how the output is weighted, and what the question is that the algorithm is trying to answer – artificial intelligence has in fact been present in many areas of everyday life for several years. For example:

  • Most people have played a video game against an AI-driven computer
  • AI is used by the finance industry to detect potential credit card fraud
  • The security industry uses AI to monitor multiple clusters of CCTV systems 
  • Netflix “because you watched” recommendations are produced by AI
  • AI produces the routes recommended by Google Maps and other travel apps
  • Many email spam filters and antivirus software solutions are fine-tuned by AI

But, what about AI in healthcare? How is that being used, who is using it, and what are the benefits? Additionally, are concerns about the ethics of AI in healthcare justified; and, if so, what can be done to overcome the concerns? These questions are easier to answer with an understanding of what AI is and how computer systems develop artificial intelligence.

Examples of AI in Healthcare

AI in healthcare is an umbrella term for all the many different ML algorithms and other cognitive technologies that are used in the healthcare industry. Some algorithms are more advanced than others, most have been designed to answer specific questions, and – even when the specific question is the same – some have been trained or weighted differently from others.

Consequently, there are many examples of AI in healthcare from patient-orientated AI such as chatbots that can listen to a patient’s symptoms and health concerns, to pharma-orientated AI that can help bring life-saving treatments to market faster. Between either end of the healthcare spectrum, there are many more examples of AI in healthcare:

Medical Imaging

Using computer vision to identify health conditions in medical images is quickly becoming a primary use for AI-driven technology. More advanced algorithms can distinguish tumors from lesions and other diseases – resulting in more accurate diagnoses, faster administration of treatments, and better patient outcomes. 

Precision Medicine

Similarly, computer systems that have been trained on precision medicine can develop medicinal or behavioral regimes specifically tailored to each patient depending on their condition, metabolic profile, microbiome composition, diet, lifestyle, sleep patterns, and many more data points collected and analyzed over years.

Physician Guidance

While robots performing major surgeries may still be a science fiction fantasy, some AI technologies have been developed that can guide physicians during minimally invasive surgical procedures via automated workflows and decision support. Most often, these technologies are used in treating strokes and heart conditions and for endovascular procedures.

Detecting Patient Deterioration

In post-acute environments, healthcare providers dedicate a lot of resources to checking vital signs to identify postoperative adverse events. AI-enabled tools can help care teams by calculating early warning scores that detect patient deterioration due to events such as respiratory failure or cardiac arrest – thus enabling more rapid responses. 

Predictive Equipment Maintenance

As well as detecting patient deterioration, AI can be deployed to predict when medical equipment is in need of maintenance. Through remote sensing, AI can monitor the performance of medical hardware to proactively identify when it may need maintenance or replacement – reducing downtime, preventing avoidable interruptions to clinical practice, and mitigating patient delays.

Automated Resource Allocation

A major administrative challenge for large healthcare providers is patient flow and resource allocation. The failure to have the right resources in the right place at the right time puts patients at risk and increases unnecessary bed occupancy. However, using AI to identify patterns from real-time and historical data enables providers to optimize flow management efficiency.

Healthcare AI Companies 

Compiling a list of healthcare AI companies is difficult because companies face multiple challenges in developing AI solutions that demonstrate real-world performance, meet medical needs, and address regulatory requirements. Consequently, many start-ups fail to make an impact in the healthcare industry and redirect their talents elsewhere. Some of those currently making an impact include:

PathAI

PathAI was founded with the aim of developing AI technology that could reduce error rates in pathology. The company’s AISight pathology platform was developed, trained, and validated using more than fifteen million annotations, and PathAI is now in the process of developing diagnostic solutions for gastroenterologists, dermatologists, oncologists, urologists, and gynecologists.

Regard

Unlike patient-orientated AI which can help users identify the causes of symptoms, Regard is an end-to-end AI solution for physicians that analyzes and synthesizes patient data, recommends diagnoses, and automates note-taking. By mitigating the risk of misdiagnoses and tackling repetitive tasks, physicians have more time available to see more patients and maximize revenues.

Freenome

Freenome is one of a number of healthcare AI companies that combine computational biology and machine learning to support better cancer management through early detection and precision intervention. Freenome’s AI platform can be deployed at general screenings or used to detect signs of cancer in diagnostic and blood tests.

Beth Israel Lahey Health

The Beth Israel Deaconess Medical Center – also known as Harvard University’s teaching hospital – used 25,000 images of blood samples to develop an AI-enhanced microscope that can detect harmful bacteria such as staphylococcus and E. coli much faster than is possible using manual scanning. To date, the microscopes have achieved a 95% accuracy rate.

VirtuSense

VirtuSense uses AI sensors to track inpatients’ movements so that providers and caregivers can be notified of potential falls. The company’s product range includes VSTAlert, which can predict when a patient intends to stand up and alert care teams, and VST Balance, which employs AI and machine vision to analyze a person’s risk of falling within the next year.

Benefits of AI in Healthcare

The above examples of AI in healthcare and technologies developed by healthcare AI companies focus on the “in-house” benefits of AI in healthcare inasmuch as they help deliver accurate diagnoses and treatment plans, prevent adverse events and accidents, and improve patient flow management. Outside of hospital environments, there are many further benefits of AI in healthcare. 

From a patient’s perspective, AI technologies not only improve outcomes and help prevent adverse events in hospitals but can also enhance the remote patient experience. Advocates of AI in healthcare see AI as a way of providing convenient access to medical advice in the home, increasing patient engagement, and empowering patients to take more responsibility for their health and well-being.

Further benefits of AI in healthcare relate to how quickly pharmaceutical companies can bring new drugs to markets. Drug development processes can be significantly accelerated with AI technologies that quickly extract meaningful information from large datasets to predict harmful interactions with existing drugs, improve the quality of clinical trials, and reduce time to approval.

One recent example of the benefits of AI in healthcare is how AI was used during the COVID-19 pandemic to detect outbreaks, facilitate diagnoses, and accelerate gene sequencing. It is hoped that, as a tool for public health, AI can be used in the future to predict and track the spread of other infectious diseases by analyzing data from government, healthcare, and other sources.

Ethics of AI in Healthcare 

According to a survey conducted by Dataiku in 2020, concern about the ethics of AI in healthcare is the primary organizational challenge stalling the adoption of AI in healthcare environments. Although specific concerns differ by organization, the concerns can generally be categorized as informed consent to use data, safety and transparency, algorithmic fairness, and data privacy. 

These concerns are not unique to the United States nor to the healthcare industry. Governments and regulatory agencies across the world have struggled to resolve this challenge – with many implementing rules and regulations to govern how AI is used. In the United States, a patchwork of state and federal laws partially addresses the challenge, but many concerns remain.

To help support governments and regulatory agencies pass fair and consistent legislation, in 2021 the World Health Organization published guidance on the “Ethics and Governance of Artificial Intelligence for Health”. This comprehensive publication endorses six key ethical principles for consideration by governments, developers, companies, and society as a whole:

  • Protect human autonomy
  • Promote human well-being, safety, and the public interest 
  • Ensure transparency, explainability, and intelligibility
  • Foster responsibility and accountability
  • Ensure inclusiveness and equity
  • Promote AI that is responsive and sustainable

Although political influences have resulted in the United States AI strategy shifting towards a market-orientated approach, the National Defense Authorization Act 2021 instructed the National Institute of Standards and Technology (NIST) to develop a framework for trustworthy AI systems that establishes common definitions and characterizations for aspects of trustworthiness. 

With the exception of protecting human autonomy, the five remaining key ethical principles endorsed by the World Health Organization likely will be incorporated into the framework according to NIST’s latest report to Congress. If approved by Congress, the NIST AI standards could resolve many of the concerns about the ethics of AI in healthcare.

How NIST Standards Could Accelerate AI Adoption in Healthcare

In January 2021, a HITECH Act update came into effect – an amendment that gave the HHS’ Office for Civil Rights enforcement discretion when investigating data breaches if the breached organization could demonstrate twelve months’ continuous compliance with “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act” or a similar Act.

There is no evidence that HIPAA Covered Entities and Business Associates took their compliance obligations any more seriously after the enactment of the HITECH Act update, but it is noticeable that – despite a significant increase in the number of financial penalties issued by HHS’ Office for Civil Rights in the past two years – only four have been for violations of the Security Rule.

If there are amendments to the NIST Act to incorporate AI standards, and if a law is passed giving HHS’ Office for Civil Rights enforcement discretion when the standards are applied in healthcare organizations, this could accelerate AI adoption in healthcare as not only would it resolve many of the concerns about the ethics of AI in healthcare, it would also resolve the second highest challenge to the adoption of AI in healthcare (according to Dataiku) – the lack of regulatory guidance.

The Future of AI in Healthcare

The future of AI in healthcare is unclear if concerns about the ethics of AI in healthcare and the lack of regulatory guidance are allowed to continue. If the situation remains as it is, AI will continue to be incorporated into healthcare processes in piecemeal stages – which will continue to add value to healthcare operations and improve the patient experience but may result in inequalities that could make the wider adoption of AI in healthcare much more difficult in the future. 

Alternatively, and notwithstanding that AI technologies are improving and becoming more sophisticated all the time, federal agencies – including the HHS – could introduce temporary guidance on the use of AI until such time as effective standards are developed. This would give healthcare organizations more confidence to adopt AI technologies with benefits for patients, organizations, and public health in general.

The post AI in Healthcare appeared first on HIPAA Journal.

HIPAA Updates and HIPAA Changes in 2023-2024

HIPAA updates and HIPAA changes happen more frequently than many people are aware of because of the nature of the update or because of their minor impact on HIPAA compliance. A major update to HIPAA is long overdue, and steps were taken in December 2020 to address the need for HIPAA changes and HIPAA updates when HHS’ Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking that proposed multiple changes to the HIPAA Privacy Rule.

In addition, there has also been a proposed update to align 42 CFR Part 2 – the Confidentiality of Substance Use Disorder Patient Records regulations – more closely with HIPAA, and proposals to change the conditions under which PHI relating to reproductive healthcare can be used or disclosed. The Part 2 and reproductive health changes are expected to be finalized in 2024, while new proposed Security Rule standards for cybersecurity should be announced in 2024 and implemented in 2025.

We discuss all the HIPAA updates since the inception of HIPAA and this information can be used in conjunction with our HIPAA checklist to understand what is required to ensure compliance.


Major HIPAA Updates in the Past 25 Years

Since HIPAA was signed into law there have been a few major HIPAA updates. The HIPAA Privacy and Security Rules were introduced which limited uses and disclosures of protected health information, gave patients new rights over their healthcare data, and introduced a set of minimum security standards.

Those HIPAA updates were followed by the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA-covered entities and considerable time and effort were required to introduce new policies and procedures to ensure continued HIPAA compliance.

There have been two minor HIPAA Privacy Rule changes since 2013 – the first, in 2014, allowed patients to have access to test reports to align the Privacy Rule with the Clinical Laboratory Improvement Amendments. The second HIPAA Privacy Rule change, in 2016, allowed covered entities to disclose PHI to the National Instant Criminal Background Check System.

The most commonly updated section of HIPAA is Part 162 of the Administrative Simplification Regulations. Part 162 HIPAA updates are most often made by CMS to existing standards – for example, the 2020 change relating to Schedule II drug refills. However, a proposed Part 162 HIPAA change expected to be finalized in 2024 could have wider implications.

HIPAA Changes in 2024

Over the past few years, there have been increasing calls for HIPAA changes to decrease the administrative burden on HIPAA-covered entities, but the HIPAA 2024 rules and regulations are currently much the same as they were in 2013. OCR responded to feedback from healthcare industry stakeholders by issuing a request for information (RFI) in December 2018 on potential changes to the HIPAA Rules. OCR sought comments from HIPAA-covered entities about possible changes to HIPAA Rules in 2019 and beyond, which are mostly concerned with the easing of certain administrative requirements and the removal of certain provisions of the HIPAA Privacy Rule that have been limiting or discouraging the coordination of care. The comment period closed on February 12, 2019.

OCR asked 54 different questions in its RFI. Some of the main aspects that were under consideration were:

  • Patients’ right to access and obtain copies of their protected health information and the time frame for responding to those requests (currently 30 days)
  • Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
  • Promotion of parent and caregiver roles in care
  • Easing of restrictions on disclosures of PHI without authorization
  • Possible exceptions to the minimum necessary standard for disclosures of PHI
  • Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment, and healthcare operations
  • Encouragement of information sharing for treatment and care coordination
  • Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible
  • Expansion of healthcare clearinghouses’ access to PHI
  • Addressing the opioid crisis and serious mental illness

In 2019, then OCR Director, Roger Severino, said, “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

The aim of the HHS is to implement changes that will make compliance less of a burden without negatively affecting patient privacy or decreasing the security of individuals’ protected health information (PHI). There are no planned changes to the HIPAA Security Rule in this RFI, but several HIPAA Privacy Rule changes have been proposed.

It has been suggested that in many of the areas covered by the RFI, the best solution may not be HIPAA rule changes. Guidance was issued in 2022 and 2023, and it is likely further HIPAA guidance will be issued in 2024 to tackle some of the issues currently experienced with HIPAA compliance by clearing up misconceptions and correcting false interpretations of the HIPAA requirements. However, changes to HIPAA in 2024 are now likely to be implemented, although it may take until 2025 for all the changes to become effective.

Proposed HIPAA Privacy Rule Changes in 2024

OCR issued a Notice of Proposed Rulemaking on December 10, 2020, that detailed the HIPAA changes to the Privacy Rule due to be implemented, based on the responses to its December 2018 RFI. The proposed changes are limited, and several HIPAA Privacy Rule changes that healthcare industry stakeholders have been campaigning for have not been included. Most of the proposed HIPAA changes are relatively minor tweaks to strengthen patient access to PHI, facilitate data sharing, and ease the administrative burden on HIPAA-covered entities.

In 2021, OCR sought feedback on the proposed HIPAA changes for 60 days from the date of publication in the Federal Register, with the comment period extended for a further 45 days to give healthcare industry stakeholders more time to review the proposed changes and provide their feedback. OCR has read the comments and the publication of the Final Rule is now imminent.

The proposed updates to the HIPAA Privacy Rule are as follows:

  • Allowing patients to inspect PHI in person and take notes or photographs of their PHI.
  • Changing the maximum time to provide access to PHI from 30 days to 15 days.
  • Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
  • Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
  • Stating when individuals should be provided with ePHI without charge.
  • Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
  • The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
  • A definition has been added for electronic health records.
  • Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” (currently it is when harm is “serious and imminent.”)
  • A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Covered entities will not be required to obtain a written acknowledgment from an individual that they have received a Notice of Privacy Practices.
  • HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
  • HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
  • The definition of healthcare operations has been broadened to cover care coordination and case management.
  • Covered healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access.
  • Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
  • The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.

The Proposed HIPAA Changes Will Create Challenges for Healthcare Providers

The pending HIPAA updates are intended to ease the administrative burden on HIPAA-covered entities, although in the short term, the burden will be increased. Updates will need to be made to policies and procedures and changes will be required for notices of privacy practices, although there will not, at least, be the requirement to obtain written acknowledgment that updated NPPs have been received.

What is certain is HIPAA officers and other compliance staff will have a busy few months when the Final Rule is published. OCR will provide sufficient notice before the 2024 HIPAA changes take effect and become enforceable, but there will likely be a lot of work to be done. It will be important to create a plan for making all of the required changes to ensure they are fully implemented ahead of the compliance deadline.

When the Final Rule is published, there will be a requirement to change policies and procedures where necessary, and that will require retraining of employees. HIPAA requires training to be provided to the workforce during or soon after onboarding, and after any material change in policies and procedures. HIPAA training may not need to be provided to the entire workforce, but a significant number of employees will need to be trained, and that is likely to place a considerable burden on covered entities and has the potential to cause workflow disruptions.

Improved access to medical records could pose problems for healthcare providers, who will need to ensure they have sufficient staffing and efficient procedures for verifying identities and providing copies of records – especially as the time frame for providing those records will be shortened from 30 days to 15 days. The extension will also be shortened to 15 days, giving healthcare organizations a maximum of 30 days to provide the requested records.

The definition of EHRs has also been updated to include billing records, and these will need to be provided to patients who request a copy of their PHI. That has the potential to make it more time-consuming to provide copies, as billing records are often kept in different systems than healthcare records. It may be necessary to access two different systems in order to provide patients with a copy of their records.

It will be easy for bottlenecks to occur, and it is important not to get into a situation where 15-day extensions are regularly required. There could well be a need to prioritize requests to make sure patients who urgently need a copy of their records get them in a timely manner. Bear in mind that OCR is laser-focused on healthcare providers that fail to provide patients with timely access to their medical records.

Another of the changes related to patient access is the requirement to allow patients to take notes and photographs of their PHI. There will need to be designated places where patients can inspect PHI privately and, if required, take photographs. Healthcare providers will need to implement safeguards to ensure patients are not taking photographs of PHI they are not authorized to see.

The proposed HIPAA changes prohibit covered entities from imposing unreasonable measures on individuals exercising their right of access, including unreasonable identity verification requirements. That has the potential to cause problems for healthcare providers.

A definition has also been proposed for a personal health application. If finalized, patients must be allowed to have their records sent to a personal health application of their choosing. However, there may be privacy risks associated with doing so, and patients will need to be made aware of those risks. That will add an additional burden on healthcare providers, who may not necessarily have the required information to determine whether there is a privacy and security risk.

Proposed Part 2 and HIPAA Changes in 2024

In November 2022, OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) that proposes changes to both Part 2 and HIPAA to better align the two regulations.

Part 2 protects patient privacy and records related to treatment for substance use disorder (SUD) with HIPAA applying to protected health information. SUD records are treated differently as they are highly sensitive and require greater protection and restrictions than other health information covered by the HIPAA Privacy Rule. While these additional protections are important, they can hamper care coordination due to the barriers that they put in the way of information sharing.

The proposed changes are intended to ease the complexity of compliance with HIPAA and Part 2, break down barriers to information sharing, and improve care coordination, without removing protections for patients. The update expands patient rights regarding the uses and disclosures of their SUD records.

The key changes that were proposed are:

  • A single patient consent will cover all future uses and disclosures of SUD records for treatment, payment, and healthcare operations.
  • SUD records may be redisclosed in accordance with the HIPAA Privacy Rule.
  • Patients will be able to obtain an accounting of disclosures of their SUD records and request restrictions on certain disclosures.
  • Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings will be expanded.
  • Part 2 programs must establish a complaints process for Part 2 violations and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • The breach notification requirements will apply to Part 2 records, which will be covered by the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address uses and disclosures of Part 2 records and individual rights with respect to those records.
  • The HHS will be able to impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act.

The NPRM was issued in November 2022 and there is a 60-day comment period, so it is highly likely that the final rule will be issued in 2024. Covered entities will then be given time to implement the changes before they become enforceable.

HITECH Act Updated in 2021 Regarding Recognized Security Practices

Many healthcare industry stakeholders had been campaigning for the addition of a safe harbor for HIPAA-covered entities and business associates that have adopted a common security framework and have implemented industry-standard security best practices, yet still experienced a data breach. It is not possible to prevent all cyberattacks and data breaches, and it is unfair to punish HIPAA-regulated entities for impermissible disclosures of ePHI when they have made all reasonable efforts to secure their systems.

A bill was proposed in 2020 that called for the HHS to consider, when deciding on financial penalties and other sanctions, whether a HIPAA-regulated entity had adopted recognized security practices and had them in place for the 12 months prior to a data breach occurring. The bill, HR 7898, was signed into law by President Trump on January 5, 2021.

The purpose of the bill is to encourage healthcare organizations to invest in security and adopt a recognized security framework by providing an incentive. The HITECH Act update has not created a safe harbor for HIPAA-regulated entities that have adopted a security framework and have implemented industry-standard security best practices, but OCR will consider the efforts made with respect to security when making determinations in its investigations of complaints and data breaches.

HIPAA-regulated entities that are able to demonstrate they have adopted recognized security practices will benefit from a decrease in the length and extent of audits and investigations of data breaches, and OCR will consider recognized security practices as a mitigating factor to reduce any financial penalties that would otherwise have been applied.

In 2022, in response to another request for information, OCR published a video that explains what recognized security practices are and the evidence that can be submitted to prove they have been in place. OCR said that when investigations are launched, OCR will write to the HIPAA-regulated entity and provide an opportunity for evidence of recognized security practices to be submitted.

HIPAA Fines and Settlements Due to be Shared with Victims of HIPAA Violations

In addition to requesting information on recognized security practices, OCR sought comments on how to implement a requirement of the HITECH Act regarding financial penalties and settlements for HIPAA violations. Section 13410(c)(1) of the HITECH Act requires OCR to share a portion of the funds it receives from its HIPAA enforcement activities with the victims of HIPAA violations. This is important, as there is no private cause of action in HIPAA, which means individuals cannot sue HIPAA-regulated entities for HIPAA violations that have resulted in harm being caused.

The problem for OCR – which is why this requirement has not been implemented to date – is the difficulty in implementing a fair method of determining what victims should receive. In its April 6, 2022, RFI, OCR requested comments to help OCR with establishing a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense.

The Government Accountability Office (GAO) has shared a methodology for sharing funds, but OCR is seeking comment on any alternative methodologies. The main problem, however, is identifying the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, as “harm” is not defined by statute.

No timescale has been provided on when a Notice of Proposed Rulemaking will be issued in this regard, or when funds will start to be shared with victims of HIPAA violations. These HIPAA changes could occur in 2024, but it may be some years before this HITECH Act requirement is implemented.

HIPAA Changes Due to the 2019 Novel Coronavirus (SARS-CoV-2) and COVID-19

In response to the 2019 Novel Coronavirus pandemic, the HHS announced major changes to the enforcement of HIPAA compliance in 2020, which will remain in place for the duration of the nationwide COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over. These “unprecedented HIPAA flexibilities” were announced in March and April by means of Notices of Enforcement Discretion and are intended to ease the burden on healthcare organizations and business associates that are having to overcome major challenges testing and treating COVID-19 patients. The changes to HIPAA enforcement have been introduced to ensure that HIPAA compliance does not get in the way of the provision of high-quality patient care.

On April 11, 2023, OCR announced that the Secretary of the Department of Health and Human Services will not be renewing the COVID-19 Public Health Emergency, which is due to expire on May 11, 2023. That means the flexibilities introduced through the following Notifications of Enforcement Discretion will come to an end at 11:59 pm on May 11, 2023. From that date and time there will be no further flexibilities and non-compliance will be penalized in the same manner as before the COVID-19 pandemic. There is one exception concerning telehealth. OCR will implement a 90-day transition period, where the flexibilities will continue until 11:59 pm on August 11, 2023, and fines will not be issued with regard to the good faith provision of telehealth services up to that date.

Notification of Enforcement Discretion for Telehealth Remote Communications

The first Notice of Enforcement Discretion was announced by OCR on March 17, 2020. The coronavirus pandemic has seen social distancing measures introduced, and with hospitals dealing with huge numbers of cases, Americans are being encouraged to remain indoors. In order to continue to provide quality care to patients while reducing the risk of patients transmitting or contracting COVID-19, telehealth services have been expanded. The CMS has also expanded telehealth to include all Medicare and Medicaid beneficiaries.

To help ensure that patients receive the care they need, OCR has announced that it will not impose sanctions and penalties on healthcare providers in association with the good faith provision of telehealth services for the purpose of diagnosis and treatment, regardless of whether the telehealth services are directly related to COVID-19. OCR will not impose penalties on healthcare providers in relation to the use of everyday communication technologies for providing those services, even if the platforms used are not completely compliant with HIPAA. For instance, it is permissible to use Skype (rather than Skype for Business), FaceTime, Google Hangouts Video, and Zoom. It is not permitted to use public-facing platforms to provide these services, such as Facebook Live and TikTok.

“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023. The ‘grace period’ will last for 90 days, so the hard date for compliance is 11:59 pm on August 11, 2023.

Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities

The second Notice of Enforcement Discretion was announced by OCR on April 2, 2020, and concerns uses and disclosures of PHI by business associates of HIPAA-covered entities for reasons related to public health and health oversight activities. HIPAA does not permit business associates to disclose PHI for public health and health oversight activities unless it is stated that they can do so in their business associate agreement (BAA) with a HIPAA-covered entity.

Under the Notice of Enforcement Discretion, OCR will not impose sanctions and penalties on business associates or their covered entities for these uses and disclosures to the likes of Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers. Should such a use or disclosure occur, the business associate must notify the covered entity within 10 days of the use or disclosure.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023.

Notification of Enforcement Discretion for Community-Based Testing Sites

The third Notice of Enforcement Discretion was announced by OCR on April 9, 2020 – backdated to March 13, 2020 – and concerns the good faith participation in the operation of COVID-19 testing centers. OCR will be exercising enforcement discretion and will not impose sanctions and penalties on healthcare providers, including pharmacies, and business associates that participate in the operation of COVID-19 testing sites such as mobile testing centers, walk-up facilities, and drive-through testing centers that only provide COVID-19 specimen collection or testing services to the public.

“We are taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely,” said Roger Severino. “President Trump has ordered the federal government to use every tool available to help save lives during this crisis, and this announcement is another concrete example of putting the President’s directive into action.”

This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023.

Notice of Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments

OCR announced a further Notice of Enforcement Discretion on January 19, 2021, that concerns the scheduling of appointments for COVID-19 vaccinations. OCR said financial penalties and sanctions would not be imposed on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in relation to the good faith use of online or web-based scheduling applications (WBSAs) for scheduling appointments for COVID-19 vaccinations.

WBSAs that would not be fully compliant with the HIPAA Rules under normal circumstances can be used for scheduling COVID-19 vaccination appointments without penalty, although it is not permitted to use a WBSA that does not incorporate reasonable security safeguards to ensure the privacy and security of ePHI and the Notice of Enforcement Discretion does not apply if the solution provider has prohibited the use of the WBSA for scheduling healthcare appointments.

OCR explained that the Notice of Enforcement Discretion does not apply to the use of a WBSA for anything other than scheduling COVID-19 vaccination appointments, such as arranging appointments for other medical services or for screening individuals for COVID-19 prior to arranging an in-person healthcare visit.

OCR encourages HIPAA-covered entities and their business associates to implement reasonable safeguards to ensure the privacy and security of healthcare data, such as adhering to the minimum necessary standard when inputting data, using encryption if available, and ensuring all privacy settings in the WBSA are activated.

OCR will be exercising enforcement discretion retroactive to December 11, 2020. This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023.

HIPAA Penalties Could Officially Change in 2024

A HIPAA change occurred in 2019 concerning the penalties for HIPAA violations. OCR issued a Notice of Enforcement Discretion in 2019 which stated that OCR has adopted a new penalty structure for non-compliance with HIPAA Rules after a reevaluation of the requirements of the HITECH Act.

The HITECH Act called for penalties for HIPAA violations to be increased and, in 2013, the HHS implemented a new HIPAA penalty structure with minimum and maximum penalties set for the four penalty tiers, based on the level of culpability. In each category, a maximum penalty of $1.5 million, per violation category, per year was set. The HHS reviewed the language of the HITECH Act in 2019 and interpreted the requirements of the HITECH Act differently. “Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits.”

Rather than a maximum penalty of $1.5 million per year in all four categories, the maximum fine was reduced in the first three tiers. The current minimum and maximum penalties, adjusted for inflation, can be found here.

Currently, OCR is using the new penalty structure, as detailed in the Notice of Enforcement Discretion published in the Federal Register. While that remains in effect indefinitely, the new penalty structure is not legally binding and can be changed at any time. It is possible that this change to HIPAA will be made official in 2024, although first, a Notice of Proposed Rulemaking will need to be issued. OCR is more likely to continue to use its new interpretation under its Notice of Enforcement Discretion without making it official.

OCR has been pushing Congress to increase the maximum penalties for HIPAA violations, as the total funds from OCR’s enforcement actions decreased significantly when the new penalty structure was introduced. OCR’s budget is extremely stretched, as funding for the department has remained flat for years despite increasing numbers of hacking incidents and data breaches, which have significantly increased OCR’s workload.

As well as the expected HIPAA updates in 2024, OCR will continue to issue HIPAA guidance in 2024 to explain how HIPAA applies in certain situations and to clear up confusion about the requirements of HIPAA. However, what originally starts as guidance could evolve into new HIPAA rulemaking. An example of this is OCR’s response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v Wade, which removed the federal right to an abortion. OCR originally confirmed, through guidance, how the HIPAA Privacy Rule applies to disclosures of reproductive health information, but has since published an NPRM to tackle evolving issues related to this case.

Proposed Changes to Privacy Rule for Reproductive Health Care

According to the NPRM, issues relating to currently permissible uses and disclosures of PHI have evolved due to an increasing number of women in anti-abortion states travelling to other states to have “legal” terminations. Under §164.512(e) of the Privacy Rule, covered entities are permitted to disclose PHI for civil, criminal, or administrative proceedings.

Some states have enacted anti-abortion legislation that criminalizes the facilitation of a termination regardless of where it takes place. Courts in these states could subpoena PHI from covered entities in neighboring “legal” states in pursuit of a criminal conviction against any person who has assisted an individual in obtaining an abortion – including the covered entity.

OCR is concerned that the fear of PHI being disclosed for a procedure considered legal in the location where the procedure was administered could discourage patients from sharing important information with their healthcare providers and dissuade some healthcare providers from performing terminations for out-of-state citizens.

To address these concerns, OCR is proposing changes to the HIPAA Privacy Rule that include the creation of a new category of PHI – “reproductive health care” – and placing limitations on how it can be used and disclosed. These limitations are similar to those for genetic information, inasmuch as it will not be possible to disclose reproductive health care records without an attestation that they will not be used impermissibly.

The proposals will not only cover terminations, but other reproductive healthcare information, such as the provision of contraceptives (or the provision of contraception advice), fertility treatments, and pregnancy screening. Miscarriage management will also be included in the new category of PHI, as will diagnoses and treatments of conditions related to the reproductive system – even if the recipient of the diagnoses and treatments is not of reproductive age.

Other measures proposed in the NPRM include a new category of uses and disclosures – “Attested uses and disclosures” – which may well be used to align the HIPAA Privacy Rule with Part 2 privacy requirements. Under the new category, recipients of PHI will have to attest that it will not be further used or disclosed for prohibited purposes – i.e., in the case of reproductive health care, to support a civil, criminal, or administrative investigation or proceeding.

Covered entities are already being alerted to the fact that, if the proposals are finalized, any false attestations will be considered notifiable data breaches, while the person(s) that further disclose attested PHI will be in violation of §1177 of the Social Security Act for the wrongful disclosure of individually identifiable health information. Violations of this section are considered to be criminal violations carrying a maximum penalty of up to ten years in jail and a fine of up to $250,000.

HIPAA Security Rule Changes Proposed in Concept Paper

In December 2023, HHS published a Healthcare Sector Cybersecurity Strategy which proposes a framework to help the healthcare sector address cybersecurity threats. The framework is built on the development of cybersecurity goals for the healthcare sector, the incentivization of hospitals to adopt cybersecurity practices, and penalties for those that fail to meet cybersecurity goals.

The penalties will consist of disbarment from Medicare and Medicaid programs for any hospital CMS considers not to have complied with the yet-to-be-produced goals, and civil monetary penalties imposed by HHS’ Office for Civil Rights for any covered entity or business associate that fails to comply with yet-to-be-published Security Rule standards.

In a document outlining the Strategy, HHS states it will begin updating HIPAA Security Rule standards in the Spring of 2024, while working with Congress to increase the civil monetary penalties for HIPAA violations and increase the resources available to investigate potential violations and conduct “proactive audits”. This implies there could also be a 2024 HIPAA audit program on the horizon.

Other HIPAA Rule Changes May Lead to Future Updates

HIPAA rule changes are not exclusive to the Privacy, Security, and Breach Notification Rules. There have been a number of HIPAA rule changes relating to transaction code sets and identifiers (Part 162 of the HIPAA Administrative Simplification Regulations). Usually, these rule changes have a limited impact on covered entities and business associates; however, a proposed HIPAA rule change published in December 2022 could have implications for many day-to-day healthcare operations.

The proposed HIPAA rule change was published by CMS to resolve an issue concerning healthcare attachment transactions. These transactions occur when a health plan needs further information from a healthcare provider to authorize a treatment or pay a bill. Healthcare providers can also provide further information when submitting an authorization request or bill to accelerate treatment and/or payment.

The issue exists because further information cannot be “attached” to an existing transaction and has to be faxed or mailed separately. To resolve the issue, CMS is proposing three new transaction codes. However, in order to authenticate the sender, ensure the integrity of the attachment, and guarantee nonrepudiation, attachments transmitted using the new codes will have to be digitally signed. To meet this requirement, CMS has proposed a standard for acceptable e-signatures.
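The three properties named above (sender authentication, integrity, and nonrepudiation) are what a digital signature over the attachment provides, and they are what separates it from a faxed cover sheet. The following is an added illustration, not CMS's proposed e-signature standard and not code from the page: it uses Ed25519 from Go's standard library, a constructed attachment with assumed field names (TransactionID, Sender, Payload), and shows that a signature made by the sender's private key verifies against the sender's trusted public key, while a payload altered in transit or a signature checked against the wrong key is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attachment is a constructed stand-in for the supporting documentation a
// provider sends with an authorization request or claim. Field names are
// assumptions for this example, not the proposed transaction format.
type Attachment struct {
	TransactionID string
	Sender        string
	Payload       []byte
}

// SignedAttachment bundles the attachment with the signature the sender
// produced over it.
type SignedAttachment struct {
	Attachment Attachment
	Signature  []byte
}

// digest canonicalises every field into one byte string before signing.
// Length prefixes keep field boundaries unambiguous, so moving bytes from
// one field to another cannot yield the same digest.
func digest(a Attachment) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(a.TransactionID), []byte(a.Sender), a.Payload} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// Sign produces the signature with the sender's private key. Because only
// the sender holds that key, a valid signature later ties the attachment to
// them (nonrepudiation) and to exactly these bytes (integrity).
func Sign(priv ed25519.PrivateKey, a Attachment) SignedAttachment {
	return SignedAttachment{Attachment: a, Signature: ed25519.Sign(priv, digest(a))}
}

// Verify checks the signature against the public key the receiver already
// trusts for this sender. The key is deliberately not carried inside the
// message: a key supplied by the message itself would let anyone sign as anyone.
func Verify(trustedKey ed25519.PublicKey, s SignedAttachment) bool {
	if len(trustedKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(trustedKey, digest(s.Attachment), s.Signature)
}

// Demo signs a constructed attachment, verifies it, then shows that an
// altered payload or the wrong key fails verification.
// It returns (validOriginal, validAfterTamper, validWithWrongKey).
func Demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	att := Attachment{
		TransactionID: "TXN-EXAMPLE-0001", // constructed placeholder, not a real transaction id
		Sender:        "provider-example",
		Payload:       []byte("Prior authorization supporting notes (constructed sample)"),
	}
	signed := Sign(priv, att)
	ok := Verify(pub, signed)

	// Simulate modification in transit: same signature, different payload.
	tampered := signed
	tampered.Attachment.Payload = []byte("Prior authorization supporting notes (ALTERED)")
	okTampered := Verify(pub, tampered)

	// Simulate a receiver checking against a key that is not the sender's.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	okWrongKey := Verify(otherPub, signed)
	return ok, okTampered, okWrongKey
}

func main() {
	ok, tampered, wrong := Demo()
	fmt.Println("original verifies:", ok)
	fmt.Println("tampered verifies:", tampered)
	fmt.Println("wrong key verifies:", wrong)
}
```

The receiver-side lookup of a trusted key per sender is the part that any real deployment of such a standard has to get right: verifying against a key that arrived with the message proves only that the message is internally consistent, not who sent it.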

Compliance with the e-signature standard is only necessary when covered entities use the transaction codes to submit attachments electronically. There is no requirement to digitally sign attachments when they are faxed or sent through the mail. It is considered that, like most previous Part 162 HIPAA rule changes, the proposals will have a limited impact on covered entities and business associates.

However, the possibility exists that the proposed standard may be extended to other transactions in the future, and then to day-to-day healthcare operations. As this article discusses, there are a number of ways in which e-signatures are used in day-to-day healthcare operations; and, if the e-signature requirements are rolled out across the rest of the Administrative Simplification Regulations, covered entities and business associates may have to make some significant procedural changes.

FAQs

If HIPAA settlement sharing is introduced, will that result in more fines being issued?

If HIPAA settlement sharing is introduced, it is unlikely to result in more fines being issued by HHS’ Office for Civil Rights. Although the agency may come under pressure to pursue more settlements, there has been no indication that the current policy of voluntary compliance wherever possible will be reviewed.

How was HIPAA updated by the Omnibus Final Rule in 2013?

When HIPAA was updated by the Omnibus Final Rule in 2013, the major changes included further limiting permissible uses and disclosures of PHI, expanding patients’ rights, and making business associates directly liable for HIPAA violations attributable to their non-compliance. The Omnibus Final Rule also confirmed the new violation penalty structure imposed by the HITECH Act.

When was HIPAA last updated?

HIPAA was last updated in 2020 when the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. Although some provisions of this Final Rule have since been rescinded or delayed, or are subject to review, CMS is pushing forward with giving patients more choices about how they access PHI despite concerns about security risks.

What were the changes in 2017 that impacted HIPAA compliance?

The changes in 2017 that impacted HIPAA compliance relate to changes in 42 CFR Part 2 of the Public Welfare Code. These changes placed stricter conditions on the uses and disclosures of PHI when a patient is suffering a substance abuse disorder (SUD) and impact HIPAA compliance for providers in this field of healthcare who may have to have a three-tier structure for protecting SUD-related PHI, other PHI, and non-protected personal information.

Where is the best place to find changes to the HIPAA standards?

The best place to find changes to the HIPAA standards in the Administrative Simplification Regulations is the HHS’ Office for Civil Rights website. The website provides the opportunity for visitors to register for a “Weekly News Digest” that will deliver news about Proposed Rules, Interim Rules, and Final Rules straight to your email inbox.

How will HHS announce HIPAA changes in 2024?

HHS will announce HIPAA changes in 2024 via one or more Final Rules published in the Federal Register. Once a Final Rule is published in the Federal Register, HHS will publish a News Release on its website. HHS News Releases are usually widely reported in trade publications and on compliance websites, so it is unlikely that a major change to HIPAA in 2024 will go unnoticed.

Where can compliance officers find the latest version of HIPAA?

Compliance officers can find the latest version of the HIPAA Administrative Simplification Regulations on the eCFR website (https://www.ecfr.gov/). The Administrative Simplification Regulations are in three Parts – 45 CFR 160, 162, and 164. Part 164 includes the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Privacy Rule (Subpart E), but compliance officers should not omit to review other Parts of the Title to identify any other standards that apply.

Will There be an Omnibus HIPAA Final Rule 2024?

It is unlikely there will be an Omnibus Final Rule 2024 due to the volume and variety of new regulations being proposed. While it may be possible that proposed changes to the HIPAA Privacy Rule are amalgamated with proposed changes to 42 CFR Part 2, other proposals – such as electronic signatures, attestations, and interoperability – may be introduced separately and then expanded to other areas of HIPAA in subsequent rule making.

The post HIPAA Updates and HIPAA Changes in 2023-2024 appeared first on HIPAA Journal.

How to Secure Patient Information (PHI)

The issue of how to secure patient information and PHI is challenging because HIPAA does not require all patient information to be secured. Additionally, if Protected Health Information (PHI) is secured too much, it can prevent the flow of information needed to perform treatment, payment, and healthcare operations efficiently.

To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI. The easiest way to do this is by defining PHI first, because any remaining information relating to a patient that is not PHI does not need to be secured under HIPAA – although other privacy and security laws may apply.

What is PHI? And What is Not PHI?

The Administrative Simplification Regulations define PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:

“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”

These definitions suggest any information that does not relate to a patient´s condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.

Individually identifiable health information protected by the privacy and security standards is maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. Therefore:

  • “Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
  • If Mr. Jones’ address, the name of his wife, and their telephone number are added to the designated record set, it is also PHI.
  • However, if a separate record of Mr. Jones’ wife and telephone number is maintained outside the designated record set (i.e., for contact purposes) it is not PHI because the separate record does not contain any health information.

In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn’t make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.

How to Secure Patient Information that is PHI

To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in a fortress-like environment, whereas the Privacy Rule allows “permissible” uses and disclosures for a variety of reasons. Therefore, although it is important to apply access controls to ensure only authorized personnel can use or disclose PHI, it is not necessary for PHI to be locked away.

With regards to electronic PHI (ePHI), Covered Entities and Business Associates have to take greater care about how it is protected because healthcare data is highly sought after by cybercriminals. Consequently, many compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:

  • A firewall to prevent unauthorized access to networks and data
  • A spam filter to block malicious emails harboring malware
  • A web filter to prevent staff accessing malicious websites
  • An antivirus solution to detect malware from other sources
  • Data encryption on all workstations and portable devices (ePHI encrypted in line with HHS guidance is not “unsecured PHI”, so its loss on a stolen laptop does not by itself trigger breach notification)
  • Encryption to protect data in transit – encrypted email for instance
  • An intrusion detection system that monitors for irregular network activity
  • Auditing solutions that monitor for improper accessing of PHI
  • Disaster recovery controls to ensure continued access to data in the event of an emergency
  • Extensive backups to ensure PHI is recoverable in the event of an emergency
  • Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
  • Security awareness and anti-phishing training for all members of the workforce
  • Physical controls to prevent data and equipment theft
  • Good patch management policies to ensure software is kept up to date and free from known vulnerabilities
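The “auditing solutions that monitor for improper accessing of PHI” item is the one control in the list that is mostly logic rather than a product. The following is an added example, not code from the original article, showing two of the standard detections run over a constructed EHR access log: a chart opened by a user who is not on the patient’s care team, and a user opening many distinct charts in a short window (the classic record-snooping pattern). The log format, the care-team table, the five-minute window and the threshold of five charts are all assumptions for the illustration.

```python
"""Audit-log review for improper PHI access (added example, not from the page).

Assumptions (all hypothetical): the EHR writes one line per chart access as
  <ISO timestamp> <user> <role> <patient_id> <action>
and a separate care-team table lists which users may open which charts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2022-12-05T09:01:12 nurse.adams RN P1001 view
2022-12-05T09:03:40 nurse.adams RN P1002 view
2022-12-05T09:10:05 dr.baker MD P1001 view
2022-12-05T09:11:30 clerk.chen CLERK P1001 view
2022-12-05T09:12:01 clerk.chen CLERK P1003 view
2022-12-05T09:12:20 clerk.chen CLERK P1004 view
2022-12-05T09:12:44 clerk.chen CLERK P1005 view
2022-12-05T09:13:02 clerk.chen CLERK P1006 view
2022-12-05T09:13:19 clerk.chen CLERK P1007 view
2022-12-05T11:45:00 nurse.adams RN P1003 view
"""

# Constructed care-team assignments: patient -> users authorised to open the chart.
CARE_TEAM = {
    "P1001": {"nurse.adams", "dr.baker"},
    "P1002": {"nurse.adams"},
    "P1003": {"dr.baker", "clerk.chen"},
    "P1004": {"clerk.chen"},
    "P1005": {"clerk.chen"},
    "P1006": {"clerk.chen"},
    "P1007": {"clerk.chen"},
}


def parse_log(text):
    """Turn the raw log text into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def not_on_care_team(events, care_team):
    """Flag every access by a user who is not assigned to that patient."""
    alerts = []
    for ev in events:
        if ev["user"] not in care_team.get(ev["patient"], set()):
            alerts.append(("not on care team", ev["user"], ev["patient"]))
    return alerts


def volume_alerts(events, window=timedelta(minutes=5), threshold=5):
    """Flag a user who opens >= threshold distinct charts within one window.

    A sliding window starts at each of the user's accesses; the first window
    that reaches the threshold produces one alert for that user.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window_end = start["ts"] + window
            patients = {e["patient"] for e in evs[i:] if e["ts"] <= window_end}
            if len(patients) >= threshold:
                alerts.append(("volume", user, len(patients)))
                break  # one alert per user is enough for triage
    return alerts


def review(text, care_team=CARE_TEAM):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(text)
    return not_on_care_team(events, care_team) + volume_alerts(events)


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the sample data the review flags clerk.chen for opening P1001 without being on that care team and for opening six charts in under five minutes, and nurse.adams for opening P1003. In practice the care-team check needs a legitimate “break the glass” path (emergency access that is allowed but logged and reviewed), otherwise it produces the over-securing problem described in the FAQ below.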

Informing Patients that Health Information is Protected

Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves with healthcare providers.

Having more information about a patient’s condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can reflect in higher satisfaction scores from patients and their families.

Informing patients that health information is secured doesn’t have to go into details – a few lines of text added to a Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account by an investigation into the data breach.

How to Secure Patient Information FAQs

What privacy and security laws apply other than HIPAA?

Many states now have privacy and/or data security laws with stronger patient protections than HIPAA. Some laws may only apply to certain types of data (e.g., Illinois’ Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (e.g., Texas’ Medical Records Privacy Act).

What can happen if you secure too much information?

Securing too much information can negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones’ wife urgently but cannot access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.

Not only will the lack of access result in a delay in contacting Mr. Jones’ wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call – an unnecessary waste of resources.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA Covered Entities and Business Associates have to comply with – i.e., the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Department of Health and Human Services has compiled an unofficial combined version of the text on its website.

What are the permissible uses and disclosures of PHI?

The permissible uses and disclosures allowed by the Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.

How can a patient check health information is being protected?

Patients can request an accounting of disclosures from their health plan or healthcare provider, which should list the disclosures of PHI made in the previous six years for purposes other than treatment, payment, and healthcare operations (and a small number of other excepted purposes, such as disclosures to the patient themselves). Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization’s HIPAA compliance.

The post How to Secure Patient Information (PHI) appeared first on HIPAA Journal.

What Does HIPAA Stand For?

Many articles discussing what HIPAA stands for fail to give a complete answer. Most state that HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 and that it led to the development of standards for the privacy of Protected Health Information. However, few articles discussing what HIPAA stands for explain how a bill with the objective of reforming the health insurance industry evolved into an act of legislation that now controls how healthcare data is safeguarded.

To fully explain what HIPAA stands for, it is necessary to look at the state of the health insurance industry prior to 1996. The industry had grown from a handful of companies offering accident insurance in the 1850s – and employer-sponsored disability insurance from 1911 onwards – into a multi-billion dollar business by the end of the twentieth century. However, at the time, the health insurance industry was governed by a hotchpotch of federal and state legislation.

The reason for the hotchpotch of legislation was that, in the early days, many commercial for-profit health insurance providers were considered to be “unlicensed practitioners of medicine” because they indirectly provided medical services to policy holders and were subsequently banned. To overcome this gray area of law, many states enacted legislation that enabled commercial providers to operate – the legislation stipulating how providers operated and what services they could offer.

Consequently, by 1995, federal laws such as the Employee Retirement Income Security Act of 1974 (ERISA) and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) governed most employer-sponsored and individually-purchased health plans, while the operations of commercial for-profit group health plans were governed by state laws – leading to numerous issues relating to access to health insurance and health care benefits, and insurance portability between jobs.

What Does HIPAA Stand for and the Issues HIPAA Aimed to Resolve?

Group health insurance as we know it today started in the 1920s with Baylor University in Texas guaranteeing teachers twenty-one days of hospital care for $6 per year. This scheme was extended under the name of “Blue Cross” – initially to other employee groups in Dallas, and then nationwide. However, the community-rating system of charging a flat rate regardless of policy holders’ health meant low-risk individuals were subsidizing the healthcare costs of high-risk individuals.

To address this issue, insurers introduced an “experience rating” which charged according to the level of risk. To prevent pricing small businesses out of the market, they also introduced exclusions for individuals with pre-existing conditions and limitations on when health insurance coverage could be carried from one employer to another. This had the impact of creating a “job-lock” scenario in which employees would not change jobs for fear of losing their health insurance benefits.

HIPAA aimed to resolve these issues by prohibiting the exclusion of individuals with certain types of pre-existing conditions and the termination of coverage when employees changed jobs or had a break in employment. The federal legislation would pre-empt state laws where state laws allowed insurance providers to be selective about who they insured or the portability of coverage. However, the prohibition of these restrictive practices would incur costs for the healthcare insurance industry.

Tackling the Cost Implications of HIPAA

When discussing what HIPAA stands for, many articles suggest the Health Insurance Reform Act of 1995 (S.1028) introduced by Senators Nancy Kassebaum and Ted Kennedy was the forerunner of HIPAA, but it wasn’t. The Health Insurance Reform Act of 1995 never passed; for although it addressed the issues HIPAA aimed to resolve, it didn’t account for the costs that would be incurred by the health insurance industry complying with the provisions.

Keen to avoid a scenario in which insurance companies passed the cost of compliance onto consumers in the form of increased premiums, Congress adopted HR.3103 – a bill introduced by Representative Bill Archer which more closely aligns with what HIPAA compliance means today. The bill included provisions to tackle the cost implications of HIPAA by standardizing the administration of health insurance claims in order to increase efficiency, and to tackle abuse and fraud.

The scale of abuse and fraud at that time was astounding. According to a Congressional Report, fraudulent and abusive insurance practices by unscrupulous healthcare organizations accounted for 10% of total health spending (around $7 billion). The objective of standardizing the administration of health insurance claims was to eliminate the abuse and fraud, save insurance companies money, and prevent the cost of complying with HIPAA being passed onto consumers.

How HR.3103 Evolved into What HIPAA Means Today

The route from the introduction of HR.3103 to what HIPAA means today is a little convoluted. This is because, in order to standardize the administration of health insurance claims, the Secretary of the Department of Health & Human Services (HHS) had to develop standards for electronic transactions (which evolved into the Transactions and Code Sets Rules) and security safeguards to ensure the integrity and confidentiality of data. The provision requiring the availability of data came later.

In the context of HR.3103, the security safeguards were intended to protect claims-related data in transit between health care providers, health plans, and – where appropriate – health care clearinghouses. However, by the time the HIPAA Security Rule was published, the provisions had been expanded to “all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits” – i.e., data in transit and at rest (§164.306).

It is also noticeable that, in the original text of HR.3103, the requirement for HHS to develop privacy standards for health information follows on directly from where HHS is tasked with developing security standards. This was later moved to a separate section of the bill to prevent any confusion that the privacy standards might only relate to covered electronic transactions; and, when HIPAA was passed, led to the HIPAA Privacy Rule (which applies to PHI in any format).

What the Acronym HIPAA Means to Healthcare Organizations

Although the original objectives of HIPAA were mostly to reform the health insurance industry, the biggest impact has been felt by healthcare organizations. Nearly all healthcare-related transactions are governed by the provisions of the Privacy and Security Rules, plus patients now have more rights over healthcare data inasmuch as they can request access to it, request corrections are made when data is incorrect or incomplete, and request a record of who their data has been disclosed to.

The acronym HIPAA also places a considerable administrative overhead on healthcare organizations. Although HIPAA has enhanced the efficiency of the healthcare system by facilitating the secure flow of information, HIPAA Covered Entities are required to develop policies for all types of foreseeable events that could impact the confidentiality, integrity, and availability of electronic PHI, train members of the workforce on the policies, and document both the policies and the training.

Training even has to be provided to members of the workforce who are unlikely to encounter PHI in the execution of their duties. For example, all members of a Covered Entity’s workforce are required to participate in a security awareness and training program. This means a hospital’s environmental services team has to undergo security awareness training even though access controls should be in place to prevent members of the team logging into systems containing electronic PHI.

What Does HIPAA Stand for to Patients and Healthcare Workers?

For patients, HIPAA stands for the protection of their personally identifiable information. It is important that patients trust their personally identifiable information is being protected because trust is the most important part of a patient-physician relationship. Patients tell their physicians and other healthcare workers intimate details about themselves that they may not even share with partners and family members. Consequently, it is important the trust is upheld.

For healthcare workers, when patients trust their personally identifiable information is being protected and share intimate details, it enables the provision of more accurate and more appropriate health care. Better health care results in better patient outcomes, which raises morale and contributes towards more rewarding work experiences. For this reason, compliance with a healthcare facility´s HIPAA policies should not be seen as a barrier to “getting the job done”.

Finally, it is important to be aware that many articles discussing what HIPAA stands for tend to focus on HIPAA as if it is the only rule governing the privacy of Protected Health Information. However, federal regulations such as the Privacy Act and the Family Educational Rights and Privacy Act can impact the application of HIPAA in specific circumstances, while state laws such as the Texas Medical Records Privacy Act (HB300) are not preempted by HIPAA because they have more stringent privacy protections.

What Does HIPAA Stand For? FAQs

What does the HIPAA acronym stand for?

The HIPAA acronym stands for the Health Insurance Portability and Accountability Act. As the title of the Act suggests, its primary objective was to reform the health insurance industry; but, in order to do this, standards had to be introduced to tackle fraud and abuse, and these led to the development of Privacy and Security Rule standards.

What does HIPAA stand for in medical terms?

In medical terms, HIPAA stands for the policies and procedures that have to be implemented in order to comply with the HIPAA Rules. Most, but not all, medical facilities are required to comply with all the HIPAA Rules – the exceptions being medical facilities that do not conduct electronic transactions for which the Department of Health and Human Services has developed standards.

Is the correct acronym HIPAA or HIPPA?

The correct acronym for the Health Insurance Portability and Accountability Act is HIPAA. However, according to Wikipedia, HIPAA is sometimes incorrectly referred to as the “Health Information Privacy and Portability Act”, for which the acronym would be HIPPA.

Who has to comply with HIPAA?

All health plans and healthcare clearinghouses are required to comply with HIPAA, as are healthcare providers that perform HIPAA-covered transactions – which most do. These organizations are collectively referred to as HIPAA Covered Entities.

Does HIPAA apply to employers?

There are circumstances in which employers are subject to “partial compliance” if they act as an administrator for a self-insured health plan or as an intermediary between employees, healthcare providers, and health plans. For a fuller explanation, please see “Does HIPAA Apply to Employers”.

What other state laws preempt HIPAA?

Most states have laws that provide greater protections for data or more patients’ rights – albeit these laws may relate to one specific area of healthcare practice (e.g., genetics). Organizations unsure about their obligations under state law should speak with a compliance professional.

What was the Health Coverage Availability and Affordability Act of 1996?

The Health Coverage Availability and Affordability Act was the original short title of HR.3103 when it was introduced into the House of Representatives. At one point it was nearly renamed the Health Insurance and Long-Term Care Affordability Act before the HIPAA acronym was agreed upon.

The post What Does HIPAA Stand For? appeared first on HIPAA Journal.

Why is HIPAA Important?

HIPAA is important because, due to the passage of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services was able to develop standards that protect the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic Protected Health Information.

HIPAA was introduced in 1996, primarily to address one particular issue: insurance coverage for individuals between jobs and with pre-existing conditions. Without HIPAA, employees faced a potential loss of insurance coverage between jobs. Because of the cost of HIPAA’s primary objective to health insurance companies – and the risk that the cost would be passed onto employers and individuals as higher premiums – Congress instructed the Secretary of Health and Human Services to develop standards that would reduce healthcare insurance fraud and simplify the administration of healthcare transactions.

Due to the increased number of transactions being conducted electronically, standards were also developed to protect the confidentiality, integrity, and availability of electronic Protected Health Information when it was collected, received, maintained and transmitted between healthcare providers, health plans, and health care clearinghouses. Further standards were developed to protect the privacy of individually identifiable health information (in any format) and to give individuals increased rights and control over their health information. The standards became known respectively as the HIPAA Security Rule and HIPAA Privacy Rule.

Why is HIPAA Important for Healthcare Organizations?

HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely.

The standards for recording health data and electronic transactions ensure everyone is singing from the same hymn sheet. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, this helps enormously with the transfer of electronic health information between healthcare providers, health plans, and other entities.

Why is HIPAA Important for Patients?

Arguably, the greatest benefits of HIPAA are for patients. HIPAA compliance is important because it ensures healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information.

While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.

HIPAA established rules that require healthcare organizations to control who has access to health data, restricting who can view health information and who that information can be shared with. HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, or information that is created by them, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who their information is released to and who it is shared with.

HIPAA is important for patients who want to take a more active role in their healthcare and want to obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are corrected.

Obtaining copies of health information also helps patients when they seek treatment from new healthcare providers – information can be passed on, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the introduction of the HIPAA Privacy Rule, there were no requirements for healthcare organizations to release copies of patients’ health information.

Why is HIPAA Important? FAQs

What might happen to healthcare data if it were not protected by HIPAA?

What might happen to healthcare data if it were not protected by HIPAA is that it could be stolen and used to commit healthcare fraud. Healthcare data is a valuable commodity on the black market because it can be used by uninsured or underinsured individuals to obtain expensive healthcare treatment. Healthcare fraud results in increased insurance costs, which are passed down to employers and individuals in the form of increased insurance premiums.

What are the financial benefits for healthcare providers of complying with HIPAA?

The financial benefits for healthcare providers of complying with HIPAA include better patient outcomes and higher satisfaction scores, increased staff morale and employee retention rates, and fewer readmissions – a key factor in avoiding CMS payment penalties under the Hospitals Readmissions Reduction Program and other value-based initiatives.

Why is it important for healthcare professionals to comply with HIPAA?

It is important for healthcare professionals to comply with HIPAA to build a culture of trust with patients. If a patient feels any confidential information shared with a healthcare professional will remain confidential, they are more likely to be more forthcoming about health issues and the symptoms they are experiencing.

With more information available to them, healthcare professionals can make better informed diagnoses and treatment decisions. This results in better patient outcomes, which leads to higher morale. Effectively, by complying with HIPAA, healthcare professionals enjoy more rewarding experiences and get more from their vocation.

If patients are unable to exercise their patients’ rights allowed by HIPAA, what might happen?

If patients are unable to exercise their patients’ rights allowed by HIPAA, the likely outcome will be a complaint to the Privacy Officer or HHS’ Office for Civil Rights. This could result in a significant financial penalty and a time-consuming corrective action plan.

Allowing patients to exercise their rights under HIPAA is important because it’s not unheard of for mistakes to be made with patients’ records that can result in misdiagnoses, the wrong treatment being provided, or the wrong medication being prescribed.

By giving patients the right to inspect their medical records and make corrections when necessary, the risks of incorrect diagnoses, treatments, and medications are mitigated. Additionally, having access to their records helps patients take more responsibility for their own wellbeing.

How do patients control who their information is released to and shared with?

Patients control who their information is released to and shared with by having the right to request privacy protection for protected health information (45 CFR §164.522). This right enables patients to request restrictions on how PHI is used and disclosed for treatment, payment, and health care operations, and also for involvement in the individual’s care and notification purposes.

Why is the HIPAA Privacy Rule important?

The HIPAA Privacy Rule is important because it sets a “federal floor” of privacy protections and rights for individuals to control healthcare data. This means that Covered Entities throughout the country must comply with the HIPAA Privacy Rule unless a state law offers more stringent privacy protections or greater rights for individuals.

How does HIPAA protect sensitive health information?

HIPAA protects sensitive health information via regulations, standards, and implementation specifications. Covered entities and business associates are required to comply with applicable regulations, standards, and implementation specifications or potentially face a civil monetary penalty from HHS’ Office for Civil Rights – even if no breach of unsecured PHI has occurred.

Who must comply with HIPAA rules?

Entities that must comply with HIPAA Rules include health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has developed standards (collectively known as “covered entities”). Businesses that provide services for or on behalf of covered entities that involve the use or disclosure of Protected Health Information are also required to comply with applicable HIPAA Rules.

Why is the HIPAA Breach Notification Rule important?

The HIPAA Breach Notification Rule is important because it requires covered entities and business associates to notify individuals when unsecured PHI has been accessed impermissibly so that individuals can take steps to protect themselves against theft and fraud. The Rule is also important because it makes covered entities and business associates accountable for shortcomings in their compliance efforts.

How does HIPAA support the digitization of health records?

HIPAA supports the digitization of health records by laying the foundations of a cybersecurity framework to protect electronic health records from unauthorized access. The framework enabled Congress to incentivize the digitization of health records via the Meaningful Use Program (now the Promoting Interoperability Program), which in turn improved the flow of health information between healthcare providers.

How has HIPAA evolved to meet the changing needs of health information technology?

HIPAA has evolved to meet the changing needs of health information technology via several HIPAA updates. The biggest recent HIPAA update was the Omnibus Final Rule in 2013. However, multiple changes to HIPAA have been proposed since 2020 onward, which would support the further evolution of HIPAA to meet the changing needs of health information technology.

How is compliance with HIPAA enforced?

Compliance with HIPAA is enforced by two offices within the Department of Health and Human Services – the Office for Civil Rights (responsible for compliance with Parts 160 and 164 of the HIPAA Administrative Simplification Regulations) and the Centers for Medicare and Medicaid Services (responsible for compliance with Part 162). The Federal Trade Commission also enforces its own Health Breach Notification Rule for vendors of personal health records and health apps that do not qualify as HIPAA covered entities, and can act against deceptive privacy claims under Section 5 of the FTC Act.

The post Why is HIPAA Important? appeared first on HIPAA Journal.

Judge Denies Injunction Banning Meta from Collecting Patient Data via Meta Pixel Code

Plaintiffs in a consolidated class action lawsuit against Meta recently sought an injunction against Meta to stop the company from collecting and transmitting data collected from the websites of healthcare providers through Meta Pixel tracking code.

The plaintiffs claim the use of Meta Pixel code on appointment scheduling pages and patient portals allows sensitive information, including patient communications, to be collected and monetized by Meta, which violates federal and state privacy laws. William Orrick, U.S. District Judge for the Northern District of California, has recently issued a ruling denying the injunction.

Background

In summer 2022, The Markup investigated the use of tracking technologies such as Meta Pixel on the websites of healthcare providers and found that 33% of the top 100 hospitals in the United States had the code on their websites, some of which had added the code to their patient portals. Meta Pixel can collect any data in HTTP headers, button click data, and form field names. The code was found to be transmitting patient information to Meta even though Meta had not entered into a business associate agreement with the hospitals.
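The transmission described above leaves a trail in the organisation's own web proxy or egress logs, and that trail is what an incident responder uses to scope a disclosure. The following Python script is an added example (not code from HIPAA Journal, The Markup or Meta): it picks requests to tracker collection endpoints out of a constructed proxy log, decodes the Meta Pixel query parameters, and flags beacons that carried patient-facing page paths, query strings, button click text or form field names. The parameter layout it assumes (`id` for the pixel ID, `ev` for the event name, `dl` for the page URL, `rl` for the referrer, `cd[...]` for custom data such as `buttonText` and `formFields`) is the commonly observed shape of a pixel request and is an assumption of the example, as are the log format, hostnames, pixel ID and log lines, all of which are constructed for illustration.

```python
"""Decode tracking-pixel beacons in a proxy log to see what left the site.

Added example, not code from HIPAA Journal, The Markup or Meta.  Assumes the
commonly observed Meta Pixel request shape (GET to www.facebook.com/tr/ with
id, ev, dl, rl and cd[...] query parameters) and a constructed log format of
"<timestamp> <client-ip> <method> <url>" per line.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: two pixel beacons from a scheduling page and one
# unrelated static asset request.  Hostnames and pixel ID are fictitious.
SAMPLE_PROXY_LOG = """\
2022-11-03T14:02:11Z 10.1.2.3 GET https://www.facebook.com/tr/?id=123456789012345&ev=PageView&dl=https%3A%2F%2Fportal.example-health.org%2Fappointments%2Fschedule%3Fdept%3Doncology&rl=https%3A%2F%2Fwww.google.com%2F
2022-11-03T14:02:40Z 10.1.2.3 GET https://www.facebook.com/tr/?id=123456789012345&ev=SubscribedButtonClick&dl=https%3A%2F%2Fportal.example-health.org%2Fappointments%2Fschedule&cd%5BbuttonText%5D=Schedule%20with%20Dr.%20Lee&cd%5BformFields%5D=%5B%7B%22name%22%3A%22reason_for_visit%22%7D%2C%7B%22name%22%3A%22date_of_birth%22%7D%5D
2022-11-03T14:03:02Z 10.1.2.9 GET https://www.example-health.org/static/logo.png
"""

# Tracker collection endpoints: host -> path prefix (assumed list; extend it).
TRACKER_ENDPOINTS = {
    "www.facebook.com": "/tr",
    "www.google-analytics.com": "/collect",
    "analytics.tiktok.com": "/api/v2/pixel",
}
# Heuristics for "this beacon probably described a patient" (assumed lists).
SENSITIVE_PATH_HINTS = ("appointment", "schedule", "portal", "mychart",
                        "questionnaire", "diagnosis", "prescription", "results")
SENSITIVE_FIELD_HINTS = ("dob", "date_of_birth", "reason", "symptom",
                         "diagnosis", "medication", "ssn", "insurance")

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def is_tracker_request(url):
    """True when the URL targets a known tracker collection endpoint."""
    parts = urlsplit(url)
    prefix = TRACKER_ENDPOINTS.get(parts.netloc.lower())
    return prefix is not None and parts.path.startswith(prefix)


def decode_beacon(url):
    """Parse one pixel request and explain why it may have carried PHI."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(key):
        return qs.get(key, [""])[0]

    page = urlsplit(first("dl"))
    # cd[<name>]=<value> parameters carry the event's custom data.
    custom = {k[3:-1]: v[0] for k, v in qs.items()
              if k.startswith("cd[") and k.endswith("]")}
    form_fields = []
    if "formFields" in custom:
        try:  # assumed JSON list of {"name": ...} objects
            form_fields = [f.get("name", "") for f in json.loads(custom["formFields"])]
        except ValueError:
            form_fields = []

    reasons = []
    if any(h in page.path.lower() for h in SENSITIVE_PATH_HINTS):
        reasons.append(f"page path {page.path!r} looks patient-facing")
    if page.query:
        reasons.append(f"page query string sent: {page.query!r}")
    if "buttonText" in custom:
        reasons.append(f"button click text sent: {custom['buttonText']!r}")
    leaked = [f for f in form_fields if any(h in f.lower() for h in SENSITIVE_FIELD_HINTS)]
    if leaked:
        reasons.append(f"form field names sent: {leaked}")

    return {"pixel_id": first("id"), "event": first("ev"), "page_url": first("dl"),
            "referrer": first("rl"), "custom_data": custom, "form_fields": form_fields,
            "sensitive": bool(reasons), "reasons": reasons}


def analyse_proxy_log(log_text):
    """Return decoded beacons, one dict per tracker request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or not is_tracker_request(m["url"]):
            continue
        beacon = decode_beacon(m["url"])
        beacon.update(timestamp=m["ts"], client=m["client"])
        findings.append(beacon)
    return findings


def clients_with_sensitive_beacons(findings):
    """Client addresses whose sessions produced a PHI-bearing beacon."""
    return sorted({f["client"] for f in findings if f["sensitive"]})


if __name__ == "__main__":
    for f in analyse_proxy_log(SAMPLE_PROXY_LOG):
        flag = "PHI?" if f["sensitive"] else "ok  "
        print(f"{flag} {f['timestamp']} {f['client']} pixel={f['pixel_id']} "
              f"ev={f['event']} page={f['page_url']}")
        for reason in f["reasons"]:
            print("      -", reason)
```

The client address list is the starting point for the affected-individual count a breach report needs; joining it against portal session logs for the same timestamps turns IP addresses into patients. Browser-side encryption does not help here, because the beacon is sent by the page's own JavaScript, so the only complete fix is removing the tag from patient-facing pages.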

In the past few months, Novant Health, Community Health Network, Advocate Aurora Health, and WakeMed Health and Hospitals have all reported impermissible disclosures of patients’ PHI to OCR due to the use of Meta Pixel and other tracking code on their websites. Multiple lawsuits have also been filed against Meta and healthcare providers over the use of Meta Pixel code and the impermissible disclosure of the data of Facebook users, which the lawsuits claim is being used for advertising purposes without consent.

The Department of Health and Human Services’ Office for Civil Rights has recently confirmed that the use of tracking technologies on websites is not permissible under the HIPAA Privacy Rule if those technologies collect and transmit protected health information unless the vendor of the tracking technology qualifies as a business associate and a business associate agreement is in place or if HIPAA-compliant patient authorizations are obtained.

Ruling

Meta has argued that it has a policy in place that limits the data businesses can share through Meta Pixel, and mechanisms are in place that filter out sensitive data to ensure the information is not passed on to advertisers through its ads ranking and optimization systems. Meta also claims that any injunction that requires the company to stop collecting healthcare information would be unfairly burdensome and technologically infeasible.

“The allegations against Meta are troubling: plaintiffs raise potentially strong claims on the merits and their alleged injury would be irreparable if proven,” said Judge Orrick in his ruling. “To secure a mandatory injunction, however, plaintiffs need to show “that the law and facts clearly favor [their] position, not simply that [they are] likely to succeed.”

Orrick explained that Meta has provided evidence that the company is doing all it can to minimize the problems raised by the plaintiffs, and that based on the available facts it is unclear where the truth lies. Orrick said there is a need for discovery to clarify the scope of the problems and the potential solutions that can be implemented to address them. Judge Orrick said, “it is too early to find that the public interest supports a mandatory injunction.”


November 2022 Healthcare Data Breach Report

November was a relatively quiet month for healthcare data breaches with 31% fewer breaches reported than the previous month. November’s total of 49 breaches of 500 or more records was also well below the 12-month average of 58 breaches a month. 643 healthcare data breaches have been reported to the HHS’ Office for Civil Rights so far in 2022, which makes this year the second worst year to date for healthcare data breaches.

Despite the fall in reported breaches, the number of breached records increased by 10% from October. November was the worst month of 2022 in terms of the number of breached healthcare records, with 6,904,441 records exposed or impermissibly disclosed – well above the 12-month average of 3.99 million records a month. So far in 2022, 44,852,648 healthcare records have been breached.

Largest Healthcare Data Breaches in November

17 breaches of 10,000 or more records were reported to OCR in November, five of which involved more than half a million records and three of which involved the impermissible disclosure of more than 1 million records. The largest data breach was a hacked network server at the Pennsylvania-based business associate Connexin Software – a provider of electronic medical records to pediatric practices. An unauthorized individual gained access to an offline set of patient data that was used for data conversion and troubleshooting. The records of 2,216,365 patients were exposed and potentially stolen.

The Indiana-based healthcare provider, Community Health Network, reported an impermissible disclosure of the protected health information of up to 1.5 million patients. Tracking code had been added to its website that resulted in patient information being transferred to third parties such as Meta and Google, without obtaining consent from patients or having a business associate agreement in place. Several healthcare providers have reported similar breaches this year, prompting OCR to issue a warning to HIPAA-regulated entities this month over the use of tracking technologies on websites and mobile applications.

Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that exposed the protected health information of up to 1,195,220 patients. Major ransomware attacks were also reported by the Michigan-based prosthetics and orthotics provider, Wright & Filippis, and Health Care Management Solutions in West Virginia.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Data Breach
Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking/IT Incident | Hacking of network server
Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Unauthorized Access/Disclosure | Website tracking code transmitted PHI to third parties
Doctors' Center Hospital | PR | Healthcare Provider | 1,195,220 | Hacking/IT Incident | Ransomware attack
Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Hacking/IT Incident | Ransomware attack
Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking/IT Incident | Ransomware attack on subcontractor of CMS business associate
Gateway Rehabilitation Center | PA | Healthcare Provider | 130,000 | Hacking/IT Incident | Hacking of network server
Mena Regional Health System | AR | Healthcare Provider | 84,814 | Hacking/IT Incident | Hacking of network server
Dallam Hartley Counties Hospital District | TX | Healthcare Provider | 69,835 | Hacking/IT Incident | Hacking of network server (data theft confirmed)
Consumer Directed Services in Texas, Inc. | TX | Healthcare Provider | 56,728 | Hacking/IT Incident | Hacking incident at a business associate
Stanley Street Treatment and Resources, Inc. | MA | Healthcare Provider | 45,785 | Hacking/IT Incident | Hacking of network server (data theft confirmed)
South Walton Fire District | FL | Healthcare Provider | 25,331 | Hacking/IT Incident | Not specified in the report
Rosenfeld VanWirt, PC | PA | Business Associate | 18,719 | Hacking/IT Incident | Hacking incident affecting multiple affiliates of the Lehigh Valley Health Network
CCA Health Plans of California, Inc d/b/a CCA Health CA | CA | Health Plan | 14,631 | Hacking/IT Incident | Hacking of network server (data theft confirmed)
CareFirst Administrators | MD | Health Plan | 14,538 | Hacking/IT Incident | Phishing attack on business associate
Work Health Solutions | CA | Healthcare Provider | 13,157 | Hacking/IT Incident | Phishing attack
New York-Presbyterian Hospital | NY | Healthcare Provider | 12,000 | Hacking/IT Incident | Hacking of network server
Epic Management LLC | TN | Healthcare Provider | 10,862 | Hacking/IT Incident | Unauthorized email account access

Causes of November Data Breaches

All but one of the 17 data breaches of 10,000 or more records were due to hacking incidents, several of which were ransomware attacks. Many hacking incidents involve ransomware, although it is common for HIPAA-regulated entities not to disclose the exact nature of these attacks. It is therefore difficult to determine the extent to which ransomware is used in cyberattacks on the healthcare industry. 5,374,670 records were exposed or stolen in these hacking incidents – 77.8% of all records breached in November. The average breach size was 134,367 records and the median breach size was 7,158 records.

There were 8 unauthorized access/disclosure incidents reported, involving the records of 1,521,788 individuals. The majority of those records were impermissibly disclosed by one healthcare provider (Community Health Network, via website tracking code). The average breach size was 190,224 records and the median breach size was 2,275 records. There was also one theft incident reported involving the records of 7,983 individuals. In the majority of reported incidents, the breached protected health information was located on network servers. There were also 7 incidents involving breaches of email data, and four incidents involving electronic health records.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entities in November, with 26 reported breaches, one of which occurred at a business associate but was reported by the healthcare provider. 6 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 17 breaches in November. The pie chart below shows the breakdown of data breaches based on where they occurred, rather than the entities reporting the data breaches.

Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities in 18 states and Puerto Rico. Pennsylvania was the worst affected state with 12 breaches, which involved 34.8% of the month’s breached records. 10 of those breaches were due to a hacking incident involving healthcare providers that are part of the Lehigh Valley Health Network. HIPAA-regulated entities in California reported 6 breaches, but these were relatively minor, only involving the protected health information of 41,382 patients.

State | Breaches
Pennsylvania | 12
California | 6
Florida, New York | 4
Texas | 3
Arkansas, Connecticut, Indiana, Maryland, Massachusetts, Tennessee | 2
Georgia, Michigan, New Jersey, Nevada, Oregon, Washington, West Virginia, Puerto Rico | 1

HIPAA Enforcement Activity in November

No civil monetary penalties or settlements were announced by OCR in November. Even so, 2022 has seen more HIPAA enforcement actions than in any other year since OCR was given the authority to enforce HIPAA compliance. The majority of the financial penalties in 2022 have been imposed for violations of the HIPAA right of access, and 55% of the year’s enforcement actions over HIPAA violations were on small healthcare providers.

In November, the state of Massachusetts announced that Aveanna Healthcare had been fined $425,000 for a breach of the PHI of 166,000 individuals, 4,000 of whom were Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, with the Massachusetts Attorney General discovering a lack of safeguards such as multi-factor authentication and security awareness training.


Telehealth Websites are Transmitting Sensitive Health Information to Big Tech Firms

The private information of visitors to telehealth websites is being shared with big tech companies without user consent due to the use of tracking code snippets on the websites, according to a recent analysis by The Markup.

The websites of 50 direct-to-consumer telehealth companies were analyzed for the presence of third-party tracking code, 49 of which were found to have tracking code that transmitted the information of visitors to third parties, including Meta/Facebook and Google.

The study follows on from an analysis of the websites of the top 100 hospitals in the United States in the summer, which revealed one-third were using tracking code on their websites that was sending data to third parties without consent, valid HIPAA authorizations, or business associate agreements. In a handful of cases, the tracking code was added behind password-protected patient portals.

The latest study of telehealth websites included sites that collect highly sensitive information from visitors, such as the personal and health information of people with Substance Use Disorder (SUD) who are seeking treatment. In many cases, the answers to medical questionnaires were also sent to big tech firms, including answers to questions about health conditions, medical histories, and drug use.

The report, jointly published by The Markup and STAT, found that 49 of the 50 sites studied transmitted the URLs that an individual had visited, with 35 sites also transferring personal information such as email addresses, phone numbers, and full names. 19 sites recorded and transmitted when the user initiated checkout, 13 sites sent the answers to questionnaires to third parties, 11 sites sent data confirming when the user had added an item to their cart (such as a treatment plan), and 9 sites transferred the date the user created the account.

The 13 sites that sent questionnaire data were of particular concern, as the answers were to health questions. That information was sent to a variety of companies, including Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest. 25 sites told big tech firms when a user had added an item such as a prescription medication to their cart or checked out with a treatment plan.

All but one of the 50 websites transferred the URLs that a user had visited on the site. The websites provide health and treatment information, so the information detailed on certain pages may be for a specific health complaint. That information is then tied to an individual or a household via an IP address. Amazon Clinic was the only website that did not share website data with third parties.

Potential HIPAA Violations

Healthcare providers are HIPAA-covered entities and disclosures of protected health information are restricted by the HIPAA Privacy Rule. SUD information is also subject to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2. Recently, the HHS' Office for Civil Rights published guidance for HIPAA-regulated entities confirming that the use of third-party tracking code on websites violates HIPAA if that code collects and transfers protected health information (PHI) to a third party, unless the third party qualifies as a business associate under HIPAA and a HIPAA-compliant business associate agreement is in place before the code is used, or HIPAA-compliant patient authorizations are obtained beforehand.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, but many of the telehealth sites studied operate in a gray area. The websites are not run by HIPAA-regulated entities or SUD treatment providers, so HIPAA and Part 2 do not apply to them, even though the data they collect is the same data that would be classed as PHI or SUD records if a covered entity collected it.

The information collected through these websites is passed on to HIPAA-covered entities and entities covered by Part 2, but the websites themselves are intermediaries and are therefore not bound by HIPAA or the Part 2 regulations. For example, one website run by Cerebral Inc. collected data that would be PHI in the hands of a covered entity, but Cerebral Inc. is not itself a HIPAA-covered entity. The website passes the information to Cerebral Medical Group, P.A., which is a HIPAA-covered entity, and the transfer of data to the big tech firms occurred before the information reached Cerebral Medical Group, P.A.

Workit Health provides healthcare services including SUD treatment. Its website states in its Notice of Privacy Practices (NPP) that, "You are receiving this NPP because you are or intend to receive health care services from a Workit Health Clinic… Each Workit Health Clinic together designates themselves as a single Affiliated Covered Entity ("ACE") for purposes of compliance with HIPAA." However, the Workit website had trackers from Google, Facebook, Bing, and Twitter, and transferred URLs, personal information, and answers to questionnaires. The Markup contacted Workit Health regarding the findings of the study; Workit Health removed the tracking technology from its website and initiated an investigation into the privacy breach.

Visitors to These Websites Expect Privacy

Many healthcare organizations add these tracking technologies to their websites with good intentions, as the technology can provide data that can help to improve the user experience on websites and gauge the effectiveness of marketing campaigns, but the extent to which patient information is being shared is not fully understood.

Individuals who visit these websites are unlikely to be aware that any information they provide directly through answers on web forms and medical questionnaires, and indirectly via the sites they visit, is not being kept private and confidential, and that is a big concern. Many of these sites mention HIPAA and Part 2 in their NPPs, yet the extent to which those regulations apply is unclear. The Markup notes that at least 12 of the studied companies state that they are HIPAA compliant, but that does not necessarily mean that the information provided on the site is kept private or is indeed covered by HIPAA at the point it is collected.

The study shows that there is a trade-off when using these websites. Patients get convenience, but it may come at the expense of their privacy. There is a massive gap in HIPAA, which has not been updated to account for changes in how healthcare is being provided, and there are also suggestions of deceptive privacy practices, albeit in many cases unwittingly deceiving visitors about privacy.

“Sensitive health information is being shared, inadvertently, online every day. Hospital websites, online pharmacies, and health information sites, use a variety of applications (site analytics, links to social media, advertising) that collect and share site visitors’ data, including the healthcare terms and medical conditions that the user is searching,” Ian Cohen, CEO of LOKKER told HIPAA Journal. “For example, in LOKKER’s recent research of over 170,000 websites, we identified the Meta Pixel (Facebook) on over 40% of healthcare sites. Similar data was found about data being shared with TikTok, Snapchat, Pinterest, Microsoft, and Google, as well.” Cohen went on to say, “Not only are consumers and patients unaware that their information is being collected and shared, we believe that the website owners don’t fully understand the extent to which they are sharing data back to the social networks.”

The Markup explained that its researchers did not test all webpages on the sites of the telehealth providers, so the full extent to which tracking code has been used is not known. Tracking code can also be configured differently on different web pages.

It is also unclear what the big tech firms do with the transferred data. Several big tech firms state that they do not allow targeted advertising related to health conditions, although there are ways around that by using closely related terms. Meta, for instance, claims to strip out any data it should not receive and does not provide that information to third-party advertisers. The extent to which that occurs is also unclear. Meta is the subject of several lawsuits over this very matter, some of which allege health data has been used to serve targeted ads to patients whose information was collected through the Meta Pixel code snippet.

Steps Operators of Health Websites Should Take

The HHS' Office for Civil Rights has made clear in its recent guidance that tracking technology on websites violates HIPAA when it transmits PHI to a vendor without a business associate agreement or patient authorization, and that this issue needs to be addressed immediately. HIPAA-regulated entities are required to report impermissible disclosures of unsecured PHI resulting from third-party tracking technologies as breaches. So far, only a few HIPAA-regulated entities have done so, despite huge numbers having added tracking code to their websites. Even if the websites are not run by HIPAA-regulated entities, the operators of those websites have a moral responsibility to protect the privacy of their visitors with respect to their sensitive health information. Ian Cohen suggests all healthcare organizations should take the following actions:

  1. Take inventory of what data your websites and apps are collecting and if you’re violating your own privacy policy, other privacy laws, or your customers’ trust
  2. Know your partners and ensure they aren’t exploiting your customers’ information
  3. Build customer privacy ‘muscle’ by forming teams that include Marketing, IT, and Legal and establish routines for better data hygiene
  4. Don’t just ask for customer consent for bad practices, re-evaluate how you want to better serve your customers and build trust with every interaction by communicating clearly
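The first of those steps, taking inventory, is mostly a matter of finding every third-party tag on every page and noting which pages are patient-facing. The Python script below is an added example (not code from HIPAA Journal, LOKKER or The Markup) of a static scan over exported page HTML: it records external script, image and iframe loads from a catalogue of tracker hosts, recognises the inline initialisation calls that carry the tracker identifiers (`fbq('init', …)`, `gtag('config', …)`, `ttq.load(…)`), and marks pages whose path suggests scheduling, portal or questionnaire content. The tracker catalogue, the path heuristics and the three sample pages are constructed assumptions; a real inventory would crawl the authenticated portal as well as the public site, since the hospital findings above involved pages behind login.

```python
"""Inventory third-party tracking tags in site HTML.

Added example, not code from HIPAA Journal, LOKKER or The Markup.  The
tracker catalogue, inline-script patterns, path heuristics and sample pages
are constructed for illustration and should be extended for a real estate.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# External hosts that load tracking code (assumed catalogue).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",          # noscript <img src=".../tr?..."> fallback
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
    "bat.bing.com": "Microsoft/Bing UET",
    "static.ads-twitter.com": "Twitter Pixel",
    "sc-static.net": "Snap Pixel",
    "snap.licdn.com": "LinkedIn Insight",
    "s.pinimg.com": "Pinterest Tag",
}
# Inline initialisation calls and the tracker ID they carry (assumed patterns).
INLINE_SIGNATURES = {
    "Meta Pixel": re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]"""),
    "Google Tag Manager / GA4": re.compile(r"""gtag\(\s*['"]config['"]\s*,\s*['"]([\w-]+)['"]"""),
    "TikTok Pixel": re.compile(r"""ttq\.load\(\s*['"]([\w-]+)['"]"""),
}
SENSITIVE_PATH_HINTS = ("portal", "appointment", "schedule", "questionnaire",
                        "intake", "results", "mychart")

# Constructed sample pages: a scheduling page carrying Meta Pixel and GA4,
# a marketing page carrying GA4 only, and a page with no third-party code.
SAMPLE_PAGES = {
    "/appointments/schedule": """
<html><head>
<script>
  !function(f,b,e,v,n,t,s){/* pixel bootstrap elided */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '123456789012345');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-ABC123XYZ');</script>
</head><body><form action="/appointments/submit">
<input name="reason_for_visit"><input name="date_of_birth"></form></body></html>
""",
    "/about-us": """
<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
</head><body><p>About our clinics.</p></body></html>
""",
    "/privacy-policy": "<html><body><p>No third-party scripts here.</p></body></html>",
}


class TrackerInventory(HTMLParser):
    """Collects third-party tracker loads and IDs from one HTML document."""

    def __init__(self):
        super().__init__()
        self.trackers = {}           # vendor -> {"sources": [...], "ids": [...]}
        self._in_script = False
        self._script_buf = []

    def _note(self, vendor, source=None, tracker_id=None):
        entry = self.trackers.setdefault(vendor, {"sources": [], "ids": []})
        if source and source not in entry["sources"]:
            entry["sources"].append(source)
        if tracker_id and tracker_id not in entry["ids"]:
            entry["ids"].append(tracker_id)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script, self._script_buf = True, []
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            host = urlsplit(attrs["src"]).netloc.lower()
            if host in TRACKER_HOSTS:
                self._note(TRACKER_HOSTS[host], source=f"<{tag} src> {host}")

    def handle_data(self, data):
        if self._in_script:           # html.parser hands script bodies over as data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script = False
        body = "".join(self._script_buf)
        for host, vendor in TRACKER_HOSTS.items():   # loaders injected by inline JS
            if host in body:
                self._note(vendor, source=f"inline loader {host}")
        for vendor, pattern in INLINE_SIGNATURES.items():
            for tracker_id in pattern.findall(body):
                self._note(vendor, source="inline script", tracker_id=tracker_id)


def scan_page(path, html):
    """Inventory one page; flag it when trackers sit on patient-facing content."""
    parser = TrackerInventory()
    parser.feed(html)
    parser.close()
    patient_facing = any(h in path.lower() for h in SENSITIVE_PATH_HINTS)
    return {"path": path, "patient_facing": patient_facing, "trackers": parser.trackers,
            "needs_review": patient_facing and bool(parser.trackers)}


def inventory(pages):
    """Scan a {path: html} mapping and return one result per page."""
    return [scan_page(path, html) for path, html in pages.items()]


if __name__ == "__main__":
    for page in inventory(SAMPLE_PAGES):
        flag = "REVIEW" if page["needs_review"] else "      "
        print(f"{flag} {page['path']}")
        for vendor, info in page["trackers"].items():
            print(f"         {vendor}: ids={info['ids']} via {info['sources']}")
```

The output is a per-page list of vendors and the account IDs they were initialised with, which is exactly what the "know your partners" step needs: each ID maps to a vendor account, and each vendor account to a contract that either is or is not a business associate agreement.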
