Healthcare Data Privacy

67% of CISOs Expect a Cyberattack or Data Breach in 2018

The perceived risk of a cyberattack or data breach occurring has increased year on year, according to a new survey conducted by the Ponemon Institute.

The Opus-sponsored survey was conducted on 612 CISOs, CIOs, and other information security professionals, who were asked questions about data security and cyber risk.

The survey revealed confidence in cybersecurity defenses is getting worse, with more than 67% of respondents now believing they will experience a data breach or cyberattack in 2018. Last year, 60% of respondents thought they would likely experience a data breach or cyberattack in 2017.

Hackers have been responsible for a large number of data breaches over the past 12 months and the threat from malware is greater than ever, but the biggest perceived data security risk comes from within. 70% of respondents said the most probable cause of a data breach was a lack of competent in-house staff, with 64% of respondents saying a lack of in-house expertise would likely result in a data breach.

Cyberattacks and malware infections are likely causes of data breaches, but the biggest threat is phishing. Respondents to the survey believed there was a 65% chance of their organization experiencing credential theft as a result of a careless employee falling for phishing scams. Malware infections were expected by 61% of respondents, while cyberattacks resulting in significant downtime were expected by 59% of respondents.

Other probable causes of data breaches were the inability to protect sensitive data (59% of respondents), the inability to keep up with increasingly sophisticated cyberattacks (56% of respondents), and the inability to control the use of sensitive data by third parties (51% of respondents).

The increased use of Internet of Things (IoT) devices is a major risk. 60% of respondents rated IoT devices as the most difficult to secure, followed by mobile devices (54%) and cloud services (50%).

The rapidly changing threat landscape and the broadening of the attack surface mean the difficulty of defending an organization from cyberattacks has increased significantly, and as a result, jobs in information security have become harder.

69% of respondents believe their jobs will become more stressful in 2018, while there is also fear that if a data breach is experienced, heads will roll. 45% of respondents were worried they would lose their jobs following a cyberattack on their organization.

Previous surveys have shown a lack of board involvement in cybersecurity, although that does appear to be changing. Half of respondents said the C-Suite was becoming more involved in cybersecurity matters, while a third of respondents said the path to an improved security posture is clear.

Perhaps unsurprisingly considering how employees are perceived to be the main threat, top areas for improvement were staffing, better leadership, and more actionable cyber-intelligence. Technology improvements were also deemed a necessity. However, even though the risk of a cyberattack is increasing, IT security budgets are not. Information security professionals must therefore make budgets go further.

“Once again, we find that people – not just third parties – are the weak link in information security. Smart companies can’t prevent all data breaches, but implementing solid risk management programs supported by good governance, training, proven frameworks and robust technology will go a long way to reducing risk and alleviating CISO stress,” said Dov Goldman, VP, Innovation & Alliances of Opus.

“Data breaches and cyber-attacks continue to plague organizations and the responsibility of protecting sensitive data stops with the CISO. It’s critical that companies support CISOs and reduce risk by implementing standard processes, including policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

The post 67% of CISOs Expect a Cyberattack or Data Breach in 2018 appeared first on HIPAA Journal.

1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse

More than 1,300 patients of Palomar Medical Center Escondido are being notified that a former nurse viewed their medical records without authorization while they were receiving treatment at the hospital.

The privacy violations occurred over a 15-month period between February 10, 2016 and May 7, 2017. The unauthorized access was discovered when access logs were reviewed. The audit revealed a pattern of access that was not consistent with the nurse’s work duties.

The audit showed the nurse had viewed the records of patients who had been assigned to her, and also the records of patients assigned to another nurse in the same unit.

The incident appears to be a case of snooping, rather than data access with malicious intent. Palomar Health has uncovered no evidence to suggest any information was recorded and removed from the hospital, and no reports have been received to suggest any patient information has been misused. Following an internal investigation into the privacy violations, the nurse resigned.

The information viewed was limited to names, dates of birth, genders, medical record numbers, treatment locations, diagnoses, allergies, and medications for 1,309 patients. Financial information, insurance details, and Social Security numbers of four patients were present in a part of the medical record system that was accessed by the nurse. Those four patients have been offered identity theft protection services.

Palomar Health is currently implementing a new system that will automatically audit the logs created when medical records are viewed and when access attempts are made. The system will allow the health system to rapidly identify cases of snooping and data theft. Staff at the hospital will also receive additional privacy and security awareness training.
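The control described above, an automated review of record-access logs against the patients a user was actually assigned to, is what turns a pile of audit entries into a snooping signal. The following is an added illustration, not Palomar Health's system or code: it assumes a hypothetical pipe-delimited access log (`timestamp|user|patient|unit`) and a constructed daily assignment table, and flags users whose accesses to unassigned patients form a pattern across several patients and several days rather than a one-off exception.

```python
"""Audit EHR access logs for a snooping pattern.

Constructed example; the log format, assignment table and thresholds are
assumptions for illustration, not a real product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    unit: str


# Constructed sample log lines: timestamp|user|patient|unit
SAMPLE_LOG = """\
2016-02-10T08:12:00|nurse_a|MRN1001|3W
2016-02-10T08:20:00|nurse_a|MRN1002|3W
2016-02-10T09:05:00|nurse_a|MRN1003|3W
2016-02-10T09:07:00|nurse_a|MRN1004|3W
2016-02-10T10:15:00|nurse_b|MRN1003|3W
2016-02-10T11:00:00|nurse_b|MRN1004|3W
2016-02-11T07:50:00|nurse_a|MRN1001|3W
2016-02-11T07:55:00|nurse_a|MRN1003|3W
2016-02-11T07:58:00|nurse_a|MRN1004|3W
2016-02-11T08:30:00|nurse_c|MRN2001|5E
"""

# Constructed assignment table: (date, user) -> patients assigned that day.
# In practice this would be pulled from the staffing/ADT system.
ASSIGNMENTS = {
    ("2016-02-10", "nurse_a"): {"MRN1001", "MRN1002"},
    ("2016-02-10", "nurse_b"): {"MRN1003", "MRN1004"},
    ("2016-02-11", "nurse_a"): {"MRN1001", "MRN1002"},
    ("2016-02-11", "nurse_b"): {"MRN1003", "MRN1004"},
    ("2016-02-11", "nurse_c"): {"MRN2001"},
}


def parse_log(text):
    """Parse the hypothetical pipe-delimited log into Access records."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, unit = line.split("|")
        accesses.append(Access(datetime.fromisoformat(ts), user, patient, unit))
    return accesses


def unassigned_accesses(accesses, assignments):
    """Return every access to a patient not assigned to that user on that date."""
    flagged = []
    for a in accesses:
        key = (a.ts.date().isoformat(), a.user)
        if a.patient not in assignments.get(key, set()):
            flagged.append(a)
    return flagged


def snooping_candidates(accesses, assignments, min_patients=2, min_days=2):
    """Users whose unassigned accesses span several patients and several days.

    A single unassigned access may be a legitimate exception (covering a
    colleague, an emergency); a repeated pattern is what warrants review.
    """
    per_user = defaultdict(lambda: {"patients": set(), "days": set(), "count": 0})
    for a in unassigned_accesses(accesses, assignments):
        stats = per_user[a.user]
        stats["patients"].add(a.patient)
        stats["days"].add(a.ts.date())
        stats["count"] += 1
    return {
        user: {
            "patients": sorted(s["patients"]),
            "days": len(s["days"]),
            "count": s["count"],
        }
        for user, s in per_user.items()
        if len(s["patients"]) >= min_patients and len(s["days"]) >= min_days
    }


if __name__ == "__main__":
    for user, summary in snooping_candidates(parse_log(SAMPLE_LOG), ASSIGNMENTS).items():
        print(f"{user}: {summary['count']} unassigned accesses to "
              f"{len(summary['patients'])} patients over {summary['days']} days")
```

The thresholds are deliberately low so the constructed data trips them; a real deployment would tune `min_patients` and `min_days` per unit, whitelist documented break-the-glass events, and feed the output to a privacy officer rather than acting on it automatically.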


Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations

There is no private cause of action in the Health Insurance Portability and Accountability Act, so patients are not permitted to sue healthcare providers for privacy violations.

However, there have been rulings in several states, including New York, Missouri, and Massachusetts, allowing patients to file lawsuits against healthcare providers over unauthorized and negligent disclosures of medical records.

Following a ruling by the Connecticut Supreme Court last week, Connecticut residents will be permitted to file lawsuits for damages following negligent disclosures of medical records that have resulted in harm.

The legal precedent was set by the Supreme Court in the case Byrne v. Avery Center for Obstetrics & Gynecology.

Emily Byrne filed a lawsuit against Avery Center for Obstetrics and Gynecology (ACOG) after her medical records were disclosed to a man seeking custody of her child in a paternity suit.

ACOG was issued with a subpoena to appear before an attorney and supply Byrne’s medical records. ACOG did not challenge the subpoena, made no attempt to limit disclosure, and simply mailed a copy of Byrne’s medical file to the New Haven Regional Children’s Probate Court, where the records were made available to the man seeking custody of her child.

Byrne and her attorney, Bruce L. Elstein of Trumbull, claimed this amounted to negligence and breach of contract. ACOG claimed that under HIPAA Rules, patient consent was not required before medical records were disclosed in response to a subpoena.

Byrne argued that HIPAA creates a standard of care for patient medical records, and Avery violated that standard by releasing her records. Byrne lost the case in the Superior Court, which ruled that HIPAA does not permit private suits to be filed against healthcare providers for HIPAA violations. Byrne appealed, and the case was heard by the Supreme Court, which ruled in 2014 that HIPAA could be used as a standard of care for common law claims.

The case went before the Supreme Court for a second time after the trial court deferred the case as no courts had addressed the issue of negligence. The Supreme Court disagreed with ACOG’s argument that patient consent is not required before medical records are disclosed in response to a subpoena, saying federal laws require the provider to have “satisfactory assurances” that a patient has been given notice about the request.

In this case, satisfactory assurances had not been obtained. Justice Dennis G. Eveleigh wrote, “the defendant did not even comply with the face of the subpoena.”

In the ruling, Justice Eveleigh wrote, “The dispositive issue in this appeal is whether a patient has a civil remedy against a physician if that physician, without the patient’s consent, discloses confidential information obtained in the course of the physician-patient relationship.”

“We agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship.”

“Finally, we have a remedy in Connecticut that recognizes that there is a duty of confidentiality, the breach of which can lead to compensation for damages,” said Elstein.


HIPAA Retention Requirements

The reason the HIPAA retention requirements need clarifying is that the distinction between HIPAA medical records retention and HIPAA record retention can be confusing.

This article aims to clarify what records should be retained under HIPAA compliance rules, and what other data retention requirements Covered Entities and Business Associates may have to consider.

Throughout the Administrative Simplification Regulations of HIPAA, there are several references to HIPAA data retention. These generally fall into two categories – HIPAA medical records retention and HIPAA records retention requirements. The distinction between the two categories is that there are no HIPAA medical records retention requirements, but requirements exist for other documentation.


One of the reasons the lack of HIPAA medical records retention requirements can be confusing is that, under the Privacy Rule, individuals can request access to and amendment of Protected Health Information “for as long as Protected Health Information is maintained in a designated record set”. However, Covered Entities and Business Associates are required to provide an accounting of disclosures of Protected Health Information for the six years prior to a request.

Why There is No HIPAA Medical Records Retention Period

The reason the Privacy Rule does not stipulate how long medical records should be retained is that there is no mandated HIPAA medical records retention period. This is because each state has its own laws governing the retention of medical records, and – unlike in other areas of the Health Insurance Portability and Accountability Act – HIPAA does not pre-empt state data retention laws.

Consequently, each Covered Entity and Business Associate is bound by state law with regard to how long medical records have to be retained rather than any specific HIPAA medical records retention period. States’ retention periods can vary considerably depending on the nature of the records and to whom they belong. For example:

  • In Arkansas, adults’ hospital medical records must be retained for ten years after discharge but master patient index data must be retained permanently.
  • In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must maintain them for seven years.
  • In Georgia, doctors have to retain any evaluation, diagnosis, prognosis, laboratory report, or biopsy slide in a patient’s record for ten years from the date it was created.
  • In Nevada, healthcare providers are required to maintain medical records for a minimum of five years, or – in the case of a minor – until the patient has reached twenty-three years of age.
  • In North Carolina, hospitals must maintain patients’ records for eleven years from the date of discharge, and records relating to minors must be retained until the patient has reached thirty years of age.

What HIPAA Retention Requirements Exist for Other Documentation?

Although there are no HIPAA retention requirements for medical records, there are requirements for how long other HIPAA-related documents should be retained. These requirements are covered in 45 CFR 164.316 and 45 CFR 164.530 – both of which state Covered Entities and Business Associates must document policies and procedures implemented to comply [with HIPAA] and records of any action, activity, or assessment with regards to the policies and procedures, or sufficient to meet the burden of proof under the Breach Notification Rule.

Both standards also stipulate documents must be retained for a minimum of six years from when the document was created, or – in the event of a policy – from when it was last in effect. Therefore, if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation. These HIPAA data retention requirements preempt state laws if they require shorter periods of document retention.

The list of documents subject to the HIPAA retention requirements depends on the nature of the business conducted by the Covered Entity or Business Associate. The following list is an example of the most common types of documents subject to the HIPAA document retention requirements; but, for example, healthcare clearinghouses do not issue Notices of Privacy Practices, so would not be required to retain copies of them:

  • Notices of Privacy Practices.
  • Authorizations for Disclosures of PHI.
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

What Else to Consider in Addition to HIPAA Record Retention

It was mentioned above the HIPAA retention requirements can be confusing; and when some other regulatory requirements are taken into account, this may certainly be the case. This is because – for example – in addition to HIPAA records retention, health insurance companies may be subject to the complexities of FINRA, while employers that are Covered Entities may have to comply with the record retention requirements of the Employee Retirement Income Security Act and Fair Labor Standards Act. In some cases, this can mean retaining records indefinitely.

The Centers for Medicare & Medicaid Services (CMS) requires records of healthcare providers submitting cost reports to be retained for a period of at least five years after the closure of the cost report, and that Medicare managed care program providers retain their records for ten years. Providers and suppliers need to maintain medical records for each Medicare beneficiary that is their patient. Although much of the documentation supporting CMS cost reports will be the same as those required for HIPAA record retention purposes, the two sets of records must be kept separate for retrieval purposes.

For all Covered Entities and Business Associates, it is recommended any documentation that may be required in a personal injury or breach of contract dispute is retained for as long as necessary. “As long as necessary” will depend on the relevant Statute of Limitations in force in the state in which the entity operates. In many cases, Statutes of Limitation are longer than any HIPAA record retention periods.

HIPAA Record Retention and Destruction/Disposal

When the required retention periods for medical records and HIPAA documentation have been reached, HIPAA requires all forms of PHI to be destroyed or disposed of securely to prevent impermissible disclosures of PHI. The Privacy and Security Rules do not require a particular disposal method, and HHS recommends Covered Entities and Business Associates review their circumstances to determine what steps are reasonable to safeguard PHI through destruction and disposal.

HHS also suggests some secure methods for destroying or disposing of PHI once the HIPAA data retention requirements have expired. With regards to paper records, the agency suggests shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed, while for other physical PHI such as labeled prescription bottles, HHS suggests using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

With regards to electronic PHI, HIPAA requires that Business Associates return or destroy all PHI at the termination of a Business Associate Agreement. In order to comply with this standard, HHS suggests clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding) – methods that could also be used by a Covered Entity when PHI or documentation is no longer subject to the HIPAA retention requirements.

HIPAA Retention Requirements – FAQS

How long does a covered entity have to retain a patient authorization for the disclosure of PHI?

A Covered Entity has to retain patient authorization for the disclosure of PHI for six years. However, if the document is part of the patient’s medical record, it is subject to the state’s medical record retention requirements – which could be longer. Furthermore, if the covered entity operates in a state in which the Statute of Limitations for private rights of action exceeds six years, it will be necessary to retain the document until the Statute of Limitations has expired.

Why are IT security system reviews considered HIPAA-related documents?

IT security system reviews are considered HIPAA-related documents because under the technical safeguards of the HIPAA Security Rule, covered entities are required to enforce IT security measures such as access controls, password policies, automatic log-off, and audit controls regardless of whether systems are being used to access ePHI. These measures would ordinarily be included in an IT security system review, and therefore the reviews have to be retained for a minimum of six years.

How should covered entities and business associates dispose of HIPAA-related documentation?

Covered entities and business associates should dispose of HIPAA-related documentation in the same way as HHS recommends disposing of PHI. For paper records, this means “shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed”. For ePHI and documentation maintained on electronic media, HHS recommends clearing or purging the data, or destroying the media by pulverization, melting, or incinerating.

Can covered entities and business associates be fined for the improper disposal of HIPAA-related documentation?

Although there have been no cases of a covered entity or business associate being fined for the improper disposal of HIPAA-related documentation, there have been multiple penalties issued by HHS for the improper disposal of PHI. Therefore, because a document may contain both HIPAA-related documentation and PHI (for example, a patient authorization), it is in an organization’s best interests to train staff on the correct manner to dispose of all documentation relating to healthcare activities.

What are the Administrative Simplification Regulations of HIPAA?

The Administrative Simplification Regulations of HIPAA contain the Rules and standards developed by the Department of Health & Human Services (HHS) to comply with Title II of HIPAA and Subtitle D of the HITECH Act. The Administrative Simplification Regulations not only include the Privacy, Security, and Breach Notification Rules, but also the General Administrative Requirements, the standards for covered transactions, and the Enforcement Rule – which describes how HHS conducts compliance investigations.

When does HIPAA pre-empt state data retention laws?

HIPAA pre-empts state data retention laws when a state has a law requiring the retention of policy documents for (say) five years, but some of those documents are subject to the HIPAA data retention requirements (i.e., complaint and resolution documentation). In such cases, the documents subject to HIPAA data retention requirements must be retained for a minimum of six years rather than five.

If HIPAA states PHI has to be retained for six years, but a state law requires medical records to be retained for ten years, which law takes precedence?

If HIPAA states PHI has to be retained for six years, but a state law requires medical records to be retained for ten years, neither law takes precedence over the other because the two laws relate to different types of information.

The HIPAA data retention requirements only apply to documentation such as policies, procedures, assessments, and reviews. Therefore, Covered Entities should comply with the relevant state law for medical record retention.

However, when the medical record retention period has expired, and medical records are destroyed, HIPAA stipulates how they should be destroyed to prevent impermissible disclosures of PHI. The same processes should also be used for the destruction of HIPAA documentation.

What is the burden of proof under the Breach Notification Rule?

The burden of proof under the Breach Notification Rule relates to impermissible uses or disclosures of unsecured PHI which may qualify as a data breach. Under the Breach Notification Rule, if Covered Entities and Business Associates decide not to notify affected individuals and HHS’ Office for Civil Rights, they have the burden of proof to demonstrate that the impermissible use or disclosure of unsecured PHI did not constitute a data breach.

If such an event does constitute a notifiable data breach, Covered Entities and Business Associates also have the burden of proof to demonstrate that all required notifications have been made (i.e., to the individual, to HHS’ Office for Civil Rights, and – when necessary – to the media).

How long is it necessary to retain authorizations for disclosures of PHI?

Authorizations for disclosures of PHI not permitted by the Privacy Rule should include an expiration date or an expiration event that relates to the individual or the purpose of the disclosure (i.e., “end of research study”). The six-year HIPAA retention period finishes six years after the expiration date or event rather than six years after the authorization is signed.

What is the difference between HIPAA record retention and HIPAA data retention?

The difference between HIPAA record retention and HIPAA data retention is that the term HIPAA record retention is most commonly associated with HIPAA documentation (risk assessments, policies, security reviews, patient access requests, etc.), while the term HIPAA data retention most often relates to PHI – for which there are no HIPAA retention requirements. The retention requirements for PHI are individually mandated by each state.

Are there any HIPAA medical record retention requirements?

There are no HIPAA medical record retention requirements because each state sets its own retention requirements for medical records. State-by-state requirements can be found in this PDF. However, when medical records reach the end of the retention period, the medical records have to be disposed of – or destroyed – in compliance with HIPAA.

For medical records stored on paper, this means “shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed”. For medical records stored electronically, HHS recommends clearing or purging the data, or destroying media by pulverization, melting, or incinerating.

Why do some articles assert HIPAA data retention is 7 years, rather than 6 years?

Some articles assert HIPAA data retention is 7 years, rather than 6 years, when they confuse the HIPAA retention requirements with the medical record requirements mandated by a particular state. For example, California, Indiana, and Pennsylvania are among a number of states that require doctors and/or hospitals to retain medical records for a minimum of 7 years.

The HIPAA retention requirements are always 6 years after a HIPAA-related document is last in force. This means that if a policy is created to comply with HIPAA in 2010, and is in force until 2020 (when it is replaced with a new policy), the original policy document has to be retained for 16 years – the ten years it was in force and the six years following.

What are the CMS record retention requirements of 10 years?

The CMS record retention requirements of 10 years apply to Medicare managed care program providers – such as providers of Medicare Advantage plans. Program providers, rather than healthcare organizations that provide services for program participants, have to maintain patient records for a minimum of ten years unless longer state retention requirements exist.

What are the PHI retention requirements under HIPAA?

There are no PHI retention requirements under HIPAA because PHI is maintained in “designated record sets” of payment and medical records, and each state sets its own medical record retention period. However, when the state-mandated medical record retention period comes to an end, PHI must be destroyed or disposed of in compliance with HIPAA.

What are the HIPAA log retention requirements?

The HIPAA log retention requirements are that if a log, note, or record relates to a HIPAA policy or procedure, the log, note, or record must be retained for six years from the date the content was last used or was last effective.

For example, the Security Rule requires Covered Entities and Business Associates to regularly review records of information system activity. A review of this nature would involve analyzing access reports and audit logs. As the access reports and audit logs are key to any new procedures implemented as a result of the review, they must be retained for at least six years from the date of the next review when they will be replaced with more up-to-date access reports and audit logs.

Where can I find a HIPAA data retention policy template?

There is no such thing as a HIPAA data retention policy template because there is no such thing as “HIPAA data”. The term is often mistakenly used to refer to PHI because the Privacy Rule protects PHI. However, each state applies its own data retention requirements for medical records, so medical data retention policies should comply with state laws rather than HIPAA.

What are the HIPAA backup retention requirements?

There are no HIPAA backup retention requirements inasmuch as HIPAA does not dictate how long backups should be retained. However, if data is being backed up before being permanently removed from a system (for example, to free up storage space), and the data contains HIPAA-related documentation, the backup will have to be retained for six years after the HIPAA-related documentation was last used or was last effective.

In this scenario, it is important that the backup media is protected by the physical safeguards of the Security Rule to prevent unauthorized access. It is also important to note that some backup media have limits on how long they are able to retain data. For example, data maintained on USB drives can deteriorate within five years – making them unsuitable for saving HIPAA documentation as it will not be possible to recover the documentation when required.


20% of RNs Had Breaches of Patient Data at Their Organization

A recent survey conducted by the University of Phoenix College of Health Professions indicates registered nurses (RNs) are confident in their organization’s ability to prevent data breaches.

The survey was conducted on 504 full time RNs and administrative staff across the United States. Respondents had held their position for at least two years.

Almost half of RNs (48%) and 57% of administrative staff said they were very confident that their organization could prevent data breaches and protect against the theft of patient data, even though 19% of administrative staff and 20% of RNs said their organization had had a data breach in the past. 21% did not know if a breach had occurred.

The survey confirmed that healthcare organizations have made many changes over the years to better protect data and patient privacy, with most of the changes occurring in the past year, according to a quarter of RNs and 40% of administrative staff.

Those changes have occurred across the organization. The biggest areas for change were safety, quality of care, population health, data security and the digitalization of health records.

67% of RNs said privacy and data access policies were being implemented to better protect patient data, while data surveillance was an initiative to improve data privacy and security according to 56% of respondents. 59% of RNs said their organization was implementing role based access to medical records.

69% of administrative staff who took part in the survey said privacy and access policies were being updated, 60% said their organization was implementing role based access, and 55% said data surveillance was a major focus area.

Privacy and security training is being provided to RNs and administrative staff, although 34% of administrative staff and 23% of RNs do not recognize the benefit of such training; however, half of administrative staff respondents and two in five RNs felt they could benefit from further training in this area.


Kathryn Marchesini Appointed Chief Privacy Officer at ONC

The Office of the National Coordinator for Health IT (ONC) has a new chief privacy officer – Kathryn Marchesini, JD.

The appointment was announced this week by National Coordinator Donald Rucker, M.D. Marchesini will replace Acting Chief Privacy Officer Deven McGraw, who left the position this fall.

The HITECH Act requires a Chief Privacy Officer to be appointed by the ONC. The CPO is required to advise the National Coordinator on privacy, security, and data stewardship of electronic health information and to coordinate with other federal agencies.

Following the departure of McGraw, it was unclear whether the position of CPO would be filled at the ONC. The ONC has had major cuts to its budget, and in an effort to become a much leaner organization, funding for the Office of the Chief Privacy Officer was due to be withdrawn in 2018. However, the decision has been taken to appoint a successor to McGraw.

There are few individuals better qualified to take on the role of CPO. Kathryn Marchesini has extensive experience in the field of data privacy and security, having spent seven years at the Department of Health and Human Services. During her time at HHS, Marchesini assisted with the creation of new federal policies, guidance for HIPAA covered entities on privacy and security, and many HHS health IT privacy initiatives.

Most recently, Marchesini served as senior health information technology and privacy advisor at the HHS’ Office for Civil Rights and as senior advisor on privacy and precision medicine at the ONC. Marchesini also served as Division Director for Privacy at the ONC between 2014 and 2016, Acting Chief Privacy Officer at the ONC for four months in 2014, and Senior Policy Analyst and Privacy Team Leader at the ONC between October 2012 and June 2014.

Prior to joining the HHS, Marchesini worked as a legal associate with two law firms, as a management analyst at Deloitte Consulting, and economics assistant at FERC.

Announcing the appointment, Donald Rucker said, “[Marchesini] brings to her new roles a wealth of experience as a Senior Advisor and Deputy Director for Privacy at ONC where she advised staff and stakeholders about privacy and security implications surrounding electronic health information, technology, and health research.” The appointment has also been welcomed by Deven McGraw.


Data Breach Notification Bill Introduced in North Carolina

A new data breach notification bill has been introduced in North Carolina in response to the rise in breaches of personal information in 2017. Last year, more than 5.3 million residents of North Carolina were impacted by data breaches.

The rise in data breaches prompted state Attorney General Josh Stein and state Representative Jason Saine to introduce the Act to Strengthen Identity Theft Protections. If passed, North Carolina will have some of the toughest data breach notification laws in the United States.

The Act, introduced on January 8, 2018, is intended to strengthen protections for state residents. The Act updates the definitions of personal information and security breaches, and decreases the allowable time to notify state residents of a breach of their personal information.

The definition of personal information has been expanded to include insurance account numbers and medical information. It is currently unclear whether the new law will apply to organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) or if they will be deemed to be in compliance with state laws if they comply with HIPAA.

The definition of a breach has been updated to include any breach of personal information, including ransomware attacks, even if the personal information of state residents is only encrypted by ransomware and no data theft has occurred.

In the event of a breach of personal information, the Act requires companies to issue notifications to breach victims within 15 days of the discovery of a breach. Faster breach notifications will allow consumers to take prompt action to secure their accounts and limit potential harm from the exposure of their personal information.

Breaches must also be reported to the Attorney General’s office. This will empower the attorney general to determine the risk of harm from the breach, rather than leaving it to the breached entity to make that determination.

The Act also requires businesses to implement and maintain reasonable security protections to keep data secure. The nature of those protections should be appropriate to the sensitivity of the data concerned. The failure to implement sufficient controls would be deemed a violation of the Unfair and Deceptive Trade Practices Act, and each person whose data has been exposed would represent “a separate and distinct violation of the law.”

North Carolina residents must also be allowed to place a credit freeze on their accounts free of charge and the Act requires credit reporting agencies “to put in place a simple, one-stop shop for freezing and unfreezing a consumer’s credit reports.” This would allow consumers to quickly and easily freeze and unfreeze credit across all major consumer reporting agencies.

A new provision has also been included to cover credit reference and consumer reporting agencies. If those agencies experience a breach they will be required to provide five years of free credit monitoring services to consumers.

A summary of the Act is available here.



What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?

What is Individually Identifiable Health Information?

Before answering the question, what is individually identifiable health information, it is necessary to define health information.

HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity.

Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual.

Individually identifiable health information is a subset of health information and, as the name suggests, is health information that can be linked to a specific person, or from which it would be reasonable to believe an individual could be identified. (See 45 CFR 46.160.103).

The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified.

If a HIPAA-covered entity has a data set containing individually identifiable health information, before the information can be shared with an organization or individual for a reason that would otherwise be prohibited under the HIPAA Privacy Rule, the data must first be de-identified.

De-identifying health information requires the following 18 identifiers to be removed from the data set prior to sharing:

  1. Full name, or last name and initial(s)
  2. Geographical identifiers smaller than a state, except the initial three digits of a ZIP code, provided the geographic unit formed by combining all ZIP codes with those three initial digits contains more than 20,000 people. When that unit contains 20,000 or fewer people, the initial three digits are changed to 000
  3. Dates directly related to an individual, other than year
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. IP addresses
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data

Further information on how to de-identify health information can be viewed at this link.


HIPAA Compliance for Association Health Plans

HIPAA compliance for Association Health Plans has been a topic of conversation between contributors to HIPAA Journal since the Department of Health & Human Services (HHS) released a proposed rule to help small businesses and self-employed workers buy less expensive health coverage.

In October 2017, President Trump issued Executive Order 13813 – “Promoting Healthcare Choice and Competition across the United States”. The Executive Order directs the Administration to facilitate the purchase of health coverage across State borders in order to promote competition in healthcare markets and limit excessive consolidation throughout the healthcare system.

In order to achieve the objectives of the Executive Order, the President suggests expanding existing alternatives to the “expensive, mandate-laden Patient Protection and Affordable Care Act”. The existing alternatives include Association Health Plans, Short-Term Limited-Duration Insurance Plans, and Health Reimbursement Arrangements.

HHS’ Proposed Rule Broadens the Criteria of ERISA

The HHS’ proposed rule addresses the requirements of the Executive Order by broadening the criteria of the Employee Retirement Income Security Act (ERISA). Under the proposed changes, the definition of an “employer” is changed in part to include small businesses and self-employed workers who have a “commonality of interest” – for example a common geography or industry.

The amended definition of an employer allows small businesses and self-employed workers to form an association for the purposes of obtaining less expensive health coverage through economies of scale. In this respect, Association Health Plans are no different to Multiple Employer Welfare Arrangements or Professional Employer Organization plans except that – by allowing a “commonality of interest” based on industry – States’ rights to regulate the providers of Association Health Plans are removed.

The proposed rule also exempts Association Health Plans from being treated the same as individual and small-group insurance plans. Whereas HIPAA compliance for Association Health Plans will apply inasmuch as the plans cannot exclude an employee with a pre-existing condition from coverage, the plans will be able to charge different premiums according to employees’ age, gender or industry; and are not required to provide the same level of benefits as mandated by the Affordable Care Act.

The Consequences of the Proposed Changes to ERISA

If the HHS’ proposed rule is adopted, the consequences will be significant. The opportunity to take advantage of lower premiums for young male employees working in safe industries will prompt many qualifying small businesses and self-employed workers to join or create Association Health Plans. According to the Department of Labor, up to 11 million employees would qualify for cheaper healthcare insurance under the proposed rule.

At present there are fewer than two hundred Association Health Plans in operation throughout the country. With the necessity to demonstrate the Association is “bona fide” (as required by many states) and the regulatory and administrative requirements of the Affordable Care Act removed, the likelihood is the number will increase to more than one thousand – similar to the levels reported in the 1990s. There are however negative consequences as well.

With up to 11 million employees opting out of insurance policies regulated by the Affordable Care Act, premiums for employees in large fully-insured group plans will increase. The effect has been likened to the creation of a “high-risk pool” catering for older and sicker workers employed in high-risk industries. Businesses may not only suffer from increased premiums, but also higher deductibles in order to maintain the level of benefits mandated by the Affordable Care Act.

HIPAA Compliance Obligations Remain Exactly as Before

The removal of States’ rights to regulate providers of Association Health Plans and the removal of Affordable Care Act requirements has no impact on HIPAA compliance for Association Health Plans. Regardless of whether the plan is fully-insured, fully-insured with a high deductible, or self-insured, employers and plan administrators have exactly the same HIPAA compliance obligations as before.

What will likely change is the number of health plans HIPAA applies to if the fivefold increase in Association Health Plans occurs as expected. There may also be more unauthorized disclosures of Protected Health Information due to the inexperience of the parties administering the plans – particularly if the plans are self-insured and self-administered.

For parties considering Association Health Plans with limited experience of HIPAA (the Health Insurance Portability and Accountability Act), we have produced a general HIPAA Compliance Guide which is free to download. As our Guide relates to HIPAA in general, the following information relating specifically to HIPAA Compliance for Association Health Plans should be of interest.

HIPAA Compliance for Association Health Plans

Under HIPAA, all health plans are “Covered Entities”. Covered Entities must comply with the HIPAA regulations in their entirety to ensure the security, integrity and confidentiality of Protected Health Information at rest or in transit (an explanation of “Protected Health Information” is provided in the Guide). The HHS – which is responsible for enforcing HIPAA – can issue fines for non-compliance with HIPAA, and parties in breach of the regulations can also face civil action and criminal prosecution.

Most small businesses and self-employed workers joining an existing fully-insured plan will likely not have to worry about HIPAA compliance for Association Health Plans, as it is the plan – and not the individual members of the plan – that is responsible for compliance with HIPAA. Smaller plans may engage third-party administrators, who act on behalf of the Covered Entity as “Business Associates” and who are responsible for the integrity of the Protected Health Information they handle.

HIPAA compliance for Association Health Plans does become important to understand when the plan is self-insured (also known as “employer-sponsored”) and self-administered. Although individual employers are still regarded as separate entities, they will encounter Protected Health Information in the course of executing administrative duties on behalf of the plan and are bound by HIPAA as to how the Protected Health Information can be used and disclosed.

Rules Relating to Employer Use of Protected Health Information

If an employer is administering a self-insured Association Health Plan (on behalf of his employees or on behalf of other members’ employees), each employee must be given a Notice of Privacy Practices explaining how their Protected Health Information can and cannot be used. For example, the HIPAA Privacy Rule prohibits employers from using Protected Health Information for employment-related actions (unless authorized by the employee the Protected Health Information relates to).

To ensure HIPAA compliance for Association Health Plans, the administering employer must create a policy for the plan determining the permitted uses of Protected Health Information by the plan sponsor(s). This requires a certification from the plan sponsor(s) that:

  • Employee information will not be disclosed outside the permitted uses unless authorized by the employee.
  • Agents and sub-contractors will not be given access to Protected Health Information without a similar certification.
  • Protected Health Information will not be used or disclosed for employment-related actions (as mentioned above).
  • Employee information will be made available to employees who request it, amended as necessary, and destroyed when it is no longer required.
  • The plan sponsor(s) will report any use or disclosure of which it is aware that is inconsistent with the permitted and required uses and disclosures.
  • Policies for resolving unauthorized disclosures and issues of non-HIPAA compliance for Association Health Plans are in place (and adhered to).
  • Policies and records retained by the plan sponsor(s) relating to the use and disclosure of Protected Health Information received from the plan will be made available to HHS inspectors in the event of an investigation or HIPAA audit.

In the event a self-insured Association Health Plan uses a third-party administrator, a certification may also be required from the plan sponsor(s) to address the permitted uses and disclosures of Protected Health Information received directly by the sponsor(s) from the third-party administrator. For example:

If an employee voluntarily brings information about a claim to an employer, the employee’s authorization for the employer to disclose the information to the third-party administrator is implied. When information is passed back to the employee from the third-party administrator via their employer, there needs to be a certification in place to stipulate how the employer can use that information.

HIPAA Compliance for Association Health Plans: Conclusion

Due to there being so many different possible scenarios relating to HIPAA compliance for Association Health Plans, it is impossible to cover them all in a single article. Areas such as a plan’s capabilities to send and receive HIPAA-standard transactions and employers who provide on-site medical facilities have not been discussed, nor have the penalties for HIPAA violations.

Therefore, small businesses and self-employed workers considering the benefits of an Association Health Plan should seek professional advice before entering into an agreement with an existing plan or joining a new plan with a self-administered structure. Association Health Plans will not be as strictly regulated as health plans covered by the Affordable Care Act, but it is still important to understand and implement HIPAA compliance for Association Health Plans.
