Healthcare Data Privacy

What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?

What is Individually Identifiable Health Information?

Before answering the question of what individually identifiable health information is, it is necessary to define health information.

HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity.

Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual.

Individually identifiable health information is a subset of health information and, as the name suggests, is health information that can be linked to a specific person, or from which it would be reasonable to believe that an individual could be identified. (See 45 CFR 46.160.103).

The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified.

If a HIPAA-covered entity has a data set containing individually identifiable health information, before the information can be shared with an organization or individual for a reason that would otherwise be prohibited under the HIPAA Privacy Rule, the data must first be de-identified.

De-identifying health information requires the following 18 identifiers to be removed from the data set prior to sharing:

  1. Full name or last name and initial(s)
  2. Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the area formed by combining all zip codes starting with those three digits contains more than 20,000 people; when it contains 20,000 or fewer people, the initial three digits are changed to 000
  3. Dates directly related to an individual, other than year
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. IP addresses
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data

Further information on how to de-identify health information can be viewed via this link.
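As an added illustration of the removal list above (example code written for this page, not HIPAA Journal's or HHS's own tooling), the following Python applies the 18-identifier rules to one record held as a dictionary: direct identifiers and sub-state geography are dropped, the zip code is cut to its first three digits (or replaced with 000 for a restricted three-digit area), dates are reduced to the year, and remaining free-text fields are scanned for identifier-like strings that would otherwise slip through. The field names, the sample record and the restricted-zip entries are constructed assumptions for this example; the real restricted-zip list comes from Census data and must be taken from the current published list.

```python
import re
from datetime import date

# Fields removed outright: identifiers 1 and 4-17 in the list above, plus the
# catch-all identifier 18 (field names are assumptions for this example).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo", "other_unique_id",
}
# Geographic subdivisions smaller than a state (identifier 2); "state" is kept.
SUB_STATE_GEO_FIELDS = {"street", "city", "county", "precinct"}
# Dates directly related to the individual (identifier 3): reduced to the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Three-digit zip prefixes covering 20,000 or fewer people. Partial placeholder
# list constructed for this example; replace with the current published list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Patterns used to catch identifiers left behind in free-text fields.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a restricted 3-digit area."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Reduce a date object or ISO 'YYYY-MM-DD' string to its year."""
    if isinstance(value, date):
        return value.year
    match = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return int(match.group(1)) if match else None


def find_residual_identifiers(record):
    """Return (field, pattern) pairs for identifier-like strings still present."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for name, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, name))
    return hits


def deidentify(record, study_code=None):
    """Apply the 18-identifier removals to one record and return a cleaned copy.

    Date fields keep their name but hold only the year; "zip" becomes "zip3".
    study_code is the investigator-assigned code that identifier 18 permits.
    Raises ValueError if identifier-like text remains in a free-text field.
    """
    cleaned = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in SUB_STATE_GEO_FIELDS:
            continue
        if field == "zip":
            cleaned["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            cleaned[field] = generalize_date(value)
        else:
            cleaned[field] = value
    residual = find_residual_identifiers(cleaned)
    if residual:
        raise ValueError(f"identifiers remain in free text: {residual}")
    if study_code is not None:
        cleaned["study_code"] = study_code
    return cleaned


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1975-04-12",
    "ssn": "000-00-0000",
    "street": "1 Example St",
    "city": "Anytown",
    "state": "VT",
    "zip": "05903",
    "email": "jane@example.com",
    "admission_date": "2017-11-03",
    "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, study_code="S-0001"))
```

The residual scan matters in practice because notes and comment fields are where names, phone numbers and email addresses most often survive a field-by-field removal; failing closed on a hit is preferable to shipping the record.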

The post What is Individually Identifiable Health Information? appeared first on HIPAA Journal.

HIPAA Compliance for Association Health Plans

HIPAA compliance for Association Health Plans has been a topic of conversation between contributors to HIPAA Journal since the Department of Health & Human Services (HHS) released a proposed rule to help small businesses and self-employed workers buy less expensive health coverage.

In October 2017, President Trump issued Executive Order 13813 – “Promoting Healthcare Choice and Competition across the United States”. The Executive Order directs the Administration to facilitate the purchase of health coverage across State borders in order to promote competition in healthcare markets and limit excessive consolidation throughout the healthcare system.

In order to achieve the objectives of the Executive Order, the President suggests expanding existing alternatives to the “expensive, mandate-laden Patient Protection and Affordable Care Act”. The existing alternatives include Association Health Plans, Short-Term Limited-Duration Insurance Plans, and Health Reimbursement Arrangements.

HHS´ Proposed Rule Broadens the Criteria of ERISA

The HHS´ proposed rule addresses the requirements of the Executive Order by broadening the criteria of the Employee Retirement Income Security Act (ERISA). Under the proposed changes, the definition of an “employer” is changed in part to include small businesses and self-employed workers who have a “commonality of interest” – for example a common geography or industry.

The amended definition of an employer allows small business and self-employed workers to form an association for the purposes of obtaining less expensive health coverage through economies of scale. In this respect, Association Health Plans are no different to Multiple Employer Welfare Arrangements or Professional Employer Organization plans except that – by allowing a “commonality of interest” based on industry – States´ rights to regulate the providers of Association Health Plans are removed.

The proposed rule also exempts Association Health Plans from being treated the same as individual and small-group insurance plans. Whereas HIPAA compliance for Association Health Plans will apply inasmuch as the plans cannot exclude an employee with a pre-existing condition from coverage, the plans will be able to charge different premiums according to employees´ age, gender or industry; and are not required to provide the same level of benefits as mandated by the Affordable Care Act.

The Consequences of the Proposed Changes to ERISA

If the HHS´ proposed rule is adopted, the consequences will be significant. The opportunity to take advantage of lower premiums for young male employees working in safe industries will prompt many qualifying small businesses and self-employed workers to join or create Association Health Plans. According to the Department of Labor, up to 11 million employees would qualify for cheaper healthcare insurance under the proposed rule.

At present there are fewer than two hundred Association Health Plans in operation throughout the country. With the necessity to demonstrate the Association is “bona fide” (as required by many states) and the regulatory and administrative requirements of the Affordable Care Act removed, the likelihood is the number will increase to more than one thousand – similar to the levels reported in the 1990s. There are however negative consequences as well.

With up to 11 million employees opting out of insurance policies regulated by the Affordable Care Act, premiums for employees in large fully-insured group plans will increase. The effect has been likened to the creation of a “high-risk pool” catering for older and sicker workers employed in high-risk industries. Businesses may not only suffer from increased premiums, but also higher deductibles in order to maintain the level of benefits mandated by the Affordable Care Act.

HIPAA Compliance Obligations Remain Exactly as Before

The removal of States´ rights to regulate providers of Association Health Plans and the removal of Affordable Care Act requirements have no impact on HIPAA compliance for Association Health Plans. Regardless of whether the plan is fully-insured, fully-insured with a high deductible, or self-insured, employers and plan administrators have exactly the same HIPAA compliance obligations as before.

What will likely change is the number of health plans HIPAA applies to if the fivefold increase in Association Health Plans occurs as expected. There may also be more unauthorized disclosures of Protected Health Information due to the inexperience of the parties administering the plans – particularly if the plans are self-insured and self-administered.

For parties considering Association Health Plans with limited experience of HIPAA (the Health Insurance Portability and Accountability Act), we have produced a general HIPAA Compliance Guide which is free to download. As our Guide relates to HIPAA in general, the following information relating specifically to HIPAA Compliance for Association Health Plans should be of interest.

HIPAA Compliance for Association Health Plans

Under HIPAA, all health plans are “Covered Entities”. Covered Entities must comply with the HIPAA regulations in their entirety to ensure the security, integrity and confidentiality of Protected Health Information at rest or in transit (an explanation of “Protected Health Information” is provided in the Guide). The HHS – who is responsible for enforcing HIPAA – can issue fines for non-compliance with HIPAA, and parties in breach of the regulations can also face civil action and criminal prosecution.

Most small businesses and self-employed workers joining an existing fully-insured plan will likely not have to worry about HIPAA compliance for Association Health Plans, as it is the plan – and not the individual members of the plan – that is responsible for compliance with HIPAA. Smaller plans may engage third-party administrators, who act on behalf of the Covered Entity as “Business Associates” and who are responsible for the integrity of the Protected Health Information they handle.

HIPAA compliance for Association Health Plans becomes important to know about when the plan is self-insured (also known as “employee-sponsored”) and self-administered. Although individual employers are still regarded as separate entities, they will encounter Protected Health Information in the course of executing administrative duties on behalf of the plan and are bound by HIPAA as to how the Protected Health Information can be used and disclosed.

Rules Relating to Employer Use of Protected Health Information

If an employer is administering a self-insured Association Health Plan (on behalf of his employees or on behalf of other members´ employees), each employee must be given a Notice of Privacy Practices explaining how their Protected Health Information can and cannot be used. For example, the HIPAA Privacy Rule prohibits employers from using Protected Health Information for employment-related actions (unless authorized by the employee the Protected Health Information relates to).

To ensure HIPAA compliance for Association Health Plans, the administering employer must create a policy for the plan determining the permitted uses of Protected Health Information by the plan sponsor(s). This requires a certification from the plan sponsor(s) that:

  • Employee information will not be disclosed outside the permitted uses unless authorized by the employee.
  • Agents and sub-contractors will not be given access to Protected Health Information without a similar certification.
  • Protected Health Information will not be used or disclosed for employment-related actions (as mentioned above).
  • Employee information will be made available to employees who request it, amended as necessary, and destroyed when it is no longer required.
  • The plan sponsor(s) will report any use or disclosure of which it is aware that is inconsistent with the permitted and required uses and disclosures.
  • Policies for resolving unauthorized disclosures and issues of non-HIPAA compliance for Association Health Plans are in place (and adhered to).
  • Policies and records retained by the plan sponsor(s) relating to the use and disclosure of Protected Health Information received from the plan will be made available to HHS inspectors in the event of an investigation or HIPAA audit.

In the event a self-insured Association Health Plan uses a third-party administrator, a certification may also be required from the plan sponsor(s) to address the permitted uses and disclosures of Protected Health Information received directly by the sponsor(s) from the third-party administrator. For example:

If an employee voluntarily brings information about a claim to an employer, the employee´s authorization for the employer to disclose the information to the third-party administrator is implied. When information is passed back to the employee from the third-party administrator via their employer, there needs to be a certification in place to stipulate how the employer can use that information.

HIPAA Compliance for Association Health Plans: Conclusion

Due to there being so many different possible scenarios relating to HIPAA compliance for Association Health Plans, it is impossible to cover them all in a single article. Areas such as a plan´s capabilities to send and receive HIPAA-standard transactions and employers who provide on-site medical facilities have not been discussed, nor have the penalties for HIPAA violations.

Therefore, small businesses and self-employed workers considering the benefits of an Association Health Plan should seek professional advice before entering into an agreement with an existing plan or joining a new plan with a self-administered structure. Association Health Plans will not be as strictly regulated as health plans covered by the Affordable Care Act, but it is still important to understand and implement HIPAA compliance for Association Health Plans.


Is Azure HIPAA Compliant?

Is Azure HIPAA compliant? Can Microsoft’s cloud services be used by HIPAA covered entities without violating HIPAA Rules?

Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA?

HIPAA does not prohibit healthcare organizations from taking advantage of cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned.

Most healthcare organizations will consider the three main providers of cloud services: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We have already covered AWS HIPAA compliance here, but what about Azure? Is Azure HIPAA compliant?

Is Azure HIPAA Compliant?

Before any cloud service can be used by healthcare organizations, they must first enter into a business associate agreement with the service provider.

Under HIPAA Rules, cloud service providers are considered business associates. Before any PHI can be uploaded to the cloud, HIPAA-covered entities must obtain satisfactory assurances that the service incorporates all the appropriate privacy and security safeguards to meet the requirements of the HIPAA Privacy and Security Rules.

Those assurances come in the form of a business associate agreement – essentially a contract with a vendor in which the responsibilities of the vendor are explained. The BAA must be obtained before any cloud service can be used for storing, processing, or sharing PHI. It does not matter if the service provider does not access customers’ data. A BAA is still required.

Microsoft Will Sign a BAA for Azure

Microsoft is willing to sign a BAA with healthcare organizations that covers Azure*, so does that make Azure HIPAA compliant?

Unfortunately, it is not that simple. No cloud platform can be truly HIPAA compliant. Cloud HIPAA compliance is not so much about platforms and security controls, but how those services are used. Even a cloud service such as Azure can easily be used in a way that violates HIPAA Rules. It is the responsibility of the covered entity to ensure cloud instances are configured correctly.

So Azure is not HIPAA compliant per se, but it does support HIPAA compliance, and incorporates all the necessary safeguards to ensure HIPAA requirements can be satisfied.

Access, Integrity, Audit and Security Controls

Microsoft provides a secure VPN for connecting to Azure, so any data uploaded to, or downloaded from, Azure is encrypted in transit, and all data stored in its cloud instances is encrypted at rest.

HIPAA requires access controls to be implemented to limit who can access PHI. Azure offers these controls and uses Active Directory to allow permissions to be set. Multi-factor authentication can also be added.

Audit controls are also necessary for HIPAA compliance. Azure includes detailed logging, so administrators can see who accessed, or attempted to access, PHI.

So, is Azure HIPAA compliant? Azure can be used in a way that satisfies HIPAA Rules, but note that it is the responsibility of the covered entity to ensure the service is configured and used correctly and staff are trained on its use. Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services.

*Not all Azure services are included in the BAA. See here for up-to-date information.


Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

The mega data breaches of 2015 were fortunately not repeated in 2017, and the decline in massive data breaches continued in 2017.

Last year, there were three breaches reported that impacted more than one million individuals and 14 breaches of more than 100,000 records.

In 2017, there was only one reported data breach that impacted more than 500,000 people and 8 breaches that impacted 100,000 or more individuals. The final total for individuals impacted by breaches last year was 14,679,461 – considerably less than the 112,107,579 total the previous year.

The final figures for 2017 cannot yet be calculated as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rule allows covered entities up to 60 days to report data breaches of more than 500 records, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records – a 347% reduction in breached records year on year.

While it is certainly good news that the severity of breaches has reduced, that only tells part of the story. Breaches of hundreds of thousands of records have reduced, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016. There were 78 healthcare data breaches in 2017 involving more than 10,000 records.

The bad news is there has been a significant rise in the number of healthcare data breaches in 2017. As of January 4, 2017, there have been 342 healthcare security breaches listed on the OCR breach portal for 2017. It is likely more incidents will be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

[Figure: reported healthcare data breaches in 2017]

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The 20 largest healthcare data breaches of 2017 are listed below.

Position | Breached Entity | Entity Type | Records Exposed | Cause of Breach
--- | --- | --- | --- | ---
1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
2 | Airway Oxygen, Inc. | Healthcare Provider | 500,000 | Hacking/IT Incident
3 | Women’s Health Care Group of PA, LLC | Healthcare Provider | 300,000 | Hacking/IT Incident
4 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident
5 | Pacific Alliance Medical Center | Healthcare Provider | 266,123 | Hacking/IT Incident
6 | Peachtree Neurological Clinic, P.C. | Healthcare Provider | 176,295 | Hacking/IT Incident
7 | Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident
8 | McLaren Medical Group, Mid-Michigan Physicians Imaging Center | Healthcare Provider | 106,008 | Hacking/IT Incident
9 | Harrisburg Gastroenterology Ltd | Healthcare Provider | 93,323 | Hacking/IT Incident
10 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident
11 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident
12 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident
13 | Salina Family Healthcare Center | Healthcare Provider | 77,337 | Hacking/IT Incident
14 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure
15 | Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident
16 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident
17 | Enterprise Services LLC | Business Associate | 56,075 | Unauthorized Access/Disclosure
18 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident
19 | Network Health | Health Plan | 51,232 | Hacking/IT Incident
20 | Oklahoma Department of Human Services | Health Plan | 47,000 | Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing that is abundantly clear from the list of the largest healthcare data breaches of 2017 is that hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the largest healthcare data breaches of 2017.

In 2016, hacking incidents only accounted for 11 out of the top 20 data breaches and 12 of the top 20 in 2015. Hacking incidents therefore appear to be rising.

[Figure: healthcare data breaches in 2017 (hacking)]

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

[Figure: healthcare data breaches of 2017 (Unauthorized access/disclosures)]

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

[Figure: Healthcare Data Breaches of 2017 (loss/theft)]

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it will ensure healthcare organizations achieve at least the minimum standard for data security, which will prevent the majority of healthcare data breaches.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, if secure passwords had been chosen, and if cloud storage services and databases had been configured correctly. Many data breaches were caused as a result of employees leaving unencrypted laptops in risky locations – in unattended vehicles for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently. As a result, employees are continuing to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce training regularly. Only then will organizations be able to reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented so that unauthorized accessing of records – theft or snooping – is identified rapidly. That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.
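The audit-log review called for in the insider paragraph above, and the Azure logging point made earlier on this page (administrators can see who accessed, or attempted to access, PHI), both come down to the same task: running simple rules over access records. The following Python is an added example written for this page, not code from HIPAA Journal, Microsoft or any EHR vendor. It reads a constructed CSV access log and a constructed table of which patients each user is assigned to, then flags three snooping patterns: successful access to a patient the user has no documented relationship with, repeated denied attempts on one record, and bulk viewing of many records outside business hours. The log schema, user names, patient ids and thresholds are all assumptions for the example, not a real Azure or EHR log format.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample access log (CSV). The schema is an assumption for this
# example, not a real Azure activity log or EHR audit format.
SAMPLE_LOG = """timestamp,user,role,patient_id,action,result
2017-11-03T09:12:00,nurse01,nurse,P100,view,success
2017-11-03T09:15:00,nurse01,nurse,P101,view,success
2017-11-03T09:40:00,clerk07,billing,P100,view,success
2017-11-03T22:05:00,clerk07,billing,P205,view,success
2017-11-03T22:06:00,clerk07,billing,P206,view,success
2017-11-03T22:07:00,clerk07,billing,P207,view,success
2017-11-03T22:08:00,clerk07,billing,P208,view,success
2017-11-03T10:01:00,intern03,intern,P100,view,denied
2017-11-03T10:02:00,intern03,intern,P100,view,denied
2017-11-03T10:03:00,intern03,intern,P100,view,denied
"""

# Constructed treatment/work relationships: the patients each user may access.
ASSIGNMENTS = {
    "nurse01": {"P100", "P101"},
    "clerk07": {"P100"},
    "intern03": set(),
}


def parse_log(text):
    """Parse the CSV log into dicts, converting the timestamp to datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def find_unassigned_access(rows, assignments):
    """Successful views of a patient the user has no documented relationship with."""
    return [
        (row["user"], row["patient_id"])
        for row in rows
        if row["result"] == "success"
        and row["patient_id"] not in assignments.get(row["user"], set())
    ]


def find_repeated_denials(rows, threshold=3):
    """(user, patient) pairs with at least `threshold` denied attempts."""
    counts = Counter(
        (row["user"], row["patient_id"]) for row in rows if row["result"] == "denied"
    )
    return sorted(key for key, n in counts.items() if n >= threshold)


def find_after_hours_bulk(rows, start_hour=7, end_hour=19, threshold=3):
    """Users who viewed at least `threshold` distinct patients outside business hours."""
    per_user = defaultdict(set)
    for row in rows:
        hour = row["timestamp"].hour
        if row["result"] == "success" and not (start_hour <= hour < end_hour):
            per_user[row["user"]].add(row["patient_id"])
    return sorted((user, len(pats)) for user, pats in per_user.items() if len(pats) >= threshold)


def audit(text, assignments):
    """Run all three checks over a log and return the findings by category."""
    rows = parse_log(text)
    return {
        "unassigned_access": find_unassigned_access(rows, assignments),
        "repeated_denials": find_repeated_denials(rows),
        "after_hours_bulk": find_after_hours_bulk(rows),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_LOG, ASSIGNMENTS).items():
        print(category, findings)
```

On the constructed log the billing clerk is flagged twice (four patients with no relationship, all viewed late at night) and the intern is flagged for hammering one denied record; the nurse's in-hours access to assigned patients produces nothing. The relationship table is the piece that takes real effort to maintain, and without it the first and most useful rule cannot run.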

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – means data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it will be possible for the year on year rise in data breaches to be stopped. But until healthcare organizations get the basics right and comply with HIPAA Rules, healthcare data breaches are likely to continue to rise.


HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records

The Department of Health and Human Services has published its final rule on the Confidentiality of Substance Use Disorder Patient Records, altering Substance Abuse and Mental Health Services Administration (SAMHSA) regulations.

The aim of the update is to better align regulations with advances in healthcare delivery in the United States, while ensuring patients’ privacy is protected when treatment for substance abuse disorders is sought. The final rule addresses the permitted uses and disclosures of patient identifying information for healthcare operations, payment, audits and evaluations.

The last substantial changes to the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2) regulations were in 1987. In 2016, SAMHSA submitted a Notice of Proposed Rulemaking in the Federal Register proposing updates to 42 CFR part 2. The proposed updates reflected the development of integrated health care models and the use of electronic exchange of patient information, while still ensuring patient privacy was protected to prevent improper disclosures.

After considering public comments, a final rule was published by SAMHSA in January 2017, which incorporated greater flexibility for disclosures within the healthcare system while still continuing to protect the confidentiality of substance use disorder records.

A supplemental notice of proposed rulemaking was also issued and public comments were sought on those additional proposals, which covered disclosures related to payment and healthcare operations that can be made to contractors, subcontractors, and legal representatives by lawful holders under the part 2 rule consent provisions, and disclosures for purposes of carrying out Medicaid, Medicare or Children’s Health Insurance Program (CHIP) audits or evaluations.

SAMHSA has now considered all 55 comments received, and has finalized its proposed revisions, taking those comments into consideration.

Several of the commenters sought better alignment with the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health (HITECH) Act to promote better information flow, provide greater discretion for providers and administrators of services, the establishment of uniform workable regulations with respect to treatment, payment and operations, and to promote more innovative models of health care delivery.

SAMHSA has attempted to align the revisions with HIPAA and the HITECH Act as far as is possible, but explained, “It is important to note that part 2 and its authorizing statute are separate and distinct from HIPAA, the HITECH Act, and their implementing regulations.”

“Part 2 provides more stringent federal protections than other health privacy laws such as HIPAA and seeks to protect individuals with substance use disorders who could be subject to discrimination and legal consequences in the event that their information is improperly used or disclosed.”

Comments were received suggesting SAMHSA should make it easier for healthcare providers using alternative payment models to share records, as the lack of information about substance abuse disorders could negatively affect patient care.

There was considerable disagreement in the comments about whether care coordination and case management should be included in the list of permissible activities under payment and health care operations.

SAMHSA has decided not to include care coordination and case management in the list of permissible activities that SAMHSA considers to be payment and health care operations, and the list is ‘substantively unchanged.’

SAMHSA has also included language in the regulatory text that clarifies disclosures to contractors, subcontractors and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment.

SAMHSA will continue to review all of the issues raised in the comments and will explore ways to better align Part 2 with HIPAA and HITECH, including future additional rulemaking for 42 CFR part 2.

A public meeting will also be held prior to March 21, 2018, to determine the effects of 42 CFR part 2 on patient care, health outcomes, and patient privacy. Stakeholders will be given the opportunity to provide input on implementation of part 2, including the changes adopted in the final rule.


OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of the North Carolina State Medicaid agency. The report shows the State agency has failed to implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility data.

HHS oversees the administration of several federal programs, including Medicaid. Part of its oversight of the Medicaid program involves the auditing of State agencies to determine whether appropriate system security controls have been implemented and State agencies are complying with Federal requirements.

The aim of the OIG audit was to determine whether adequate information system general controls had been implemented by the state of North Carolina to ensure its Medicaid eligibility determination system and data were secured.

The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was tasked with operating North Carolina’s Medicaid eligibility determination system. NC FAST was assessed on entitywide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control, and how those controls related to the North Carolina eligibility determination system for State fiscal year 2016.

OIG found the information security general controls were inadequate and did not meet federal requirements.

The vulnerabilities identified by OIG placed the confidentiality, integrity, and availability of North Carolina’s Medicaid eligibility data in jeopardy. The vulnerabilities could potentially be exploited by malicious actors to gain access to sensitive information. A cyberattack could also result in critical disruption of North Carolina Medicaid eligibility operations. OIG reports “the vulnerabilities are collectively and, in some cases, individually significant.”

While the vulnerabilities could have been exploited, no evidence was uncovered to suggest that the system had been compromised or that sensitive information had been viewed or stolen.

OIG made several recommendations to North Carolina to ensure its Medicaid eligibility determination system is appropriately secured. North Carolina must work with NC FAST to address all vulnerabilities in a timely manner and bring its information security general controls up to the required Federal standards.

North Carolina did not directly address the recommendations, but concurred with eight of the nine findings and partly agreed with one finding. North Carolina has agreed to make corrective actions that will resolve all nine security vulnerabilities identified by the auditors.

Last year, North Carolina was also found to have failed to ensure sufficient controls were implemented to ensure the security of its Medicaid claims processing systems. Those systems are managed by CSRA, Inc. OIG auditors similarly found vulnerabilities that were collectively and, in some cases, individually significant and could potentially compromise the confidentiality, integrity, or availability of data and its systems. North Carolina concurred with all recommendations and agreed to take corrective actions to address the vulnerabilities.

The post OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency appeared first on HIPAA Journal.

CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy.

SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare would lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI.

The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms.

In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information being transmitted. This resulted in the no texting determination.”

In December, the Health Care Compliance Association (HCCA) published an article questioning the stance of the CMS. HCCA said in its Report on Medicare Compliance, that at least two hospitals had received emails from the CMS explaining all forms of text messaging were prohibited.

Nina Youngstrom, Managing Editor of the Report on Medicare Compliance, said in the article that several compliance officers and healthcare attorneys were horrified about the position of the CMS. One attorney said a total ban would be “Like going back to the dark ages.”

CMS explained that concern about text messages in healthcare was not just about transmission security. There was the potential for a lack of access controls on the senders’ and receivers’ devices, stored data may not necessarily be secure and encrypted, and the privacy of patients is not guaranteed. Another concern was that information transmitted via text messages also needs to be entered into the patient record and made available for retrieval.

Last year, the Joint Commission relaxed its ban on the use of text messages in healthcare for sending patient orders, only to later backtrack and reinstate the ban. The Joint Commission’s current position is the use of text messaging in healthcare is permitted, provided a secure messaging platform is used. However, the ban on the use of text messages for sending orders for patient care remains in place.

The CMS appeared to be saying no to all forms of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare.

A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms this. In its survey of 788 healthcare professionals, 45% of pharmacists and 35% of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed – 8% only when a secure platform was used and 3% said text messages were permitted under any circumstances.

CMS Confirms The Use of Text Messages in Healthcare is Permitted

On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” specifically stating §489.24(b) and §489.24(c) apply.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE), or via handwritten orders. The CMS explained that, “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communication between care team members. However, in order to comply with the CoPs and CfCs, healthcare organizations must use and maintain text messaging systems/platforms that are secure.

Those platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that “It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”

The stance of the CMS is therefore aligned with that of the Joint Commission. Secure text messaging platforms can be used in healthcare, just not for texting orders. Even though secure text messaging platforms meet HIPAA requirements for privacy and security, the ban remains in place over concerns about inputting orders sent by text messages into the EHR. CPOE is still the preferred method of entry to ensure accuracy.

The post CMS Clarifies Position on Use of Text Messages in Healthcare appeared first on HIPAA Journal.

2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There were 9 HIPAA settlements and one civil monetary penalty in 2017.

In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.

Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases.

Summary of 2017 HIPAA Enforcement by OCR

Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates.

Covered Entity | Amount | Type | Violation Type
Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls
Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI
CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI
Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI
21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations
MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI
Presence Health | $475,000 | Settlement | Delayed Breach Notifications
Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process
St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI
The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement

OCR’s 2017 HIPAA enforcement activities have revealed covered entities are continuing to fail to comply with HIPAA Rules in key areas: Safeguarding PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors.

Throughout 2016 and 2017, many covered entities have failed to issue breach notifications promptly. In 2017, OCR took action for this common HIPAA violation and agreed to its first HIPAA settlement solely for delaying breach notifications to patients.

HIPAA Desk Audits Revealed Widespread HIPAA Violations

In late 2016, OCR commenced the much-delayed second phase of its HIPAA-compliance audit program. The first stage involved desk audits of 166 HIPAA-covered entities – 103 audits on the Privacy and Breach Notification Rules, and 63 audits on the Security Rule. 41 desk audits were conducted on business associates on the Breach Notification and Security Rules.

While the full results of the compliance audits have not been released, this fall OCR announced preliminary findings from the compliance audits.

Covered entities were given a rating from 1 to 5 for the completeness of compliance efforts on each control and implementation specification. A rating of 1 signifies full compliance with goals and objectives of the standards and implementation specifications that were audited. A rating of 5 indicates there was no evidence that the covered entity had made a serious attempt to comply with HIPAA Rules.

Preliminary Findings of HIPAA Compliance Audits on Covered Entities

Listed below are the findings from the HIPAA compliance audits; a rating of 5 is the worst possible score and 1 the best.

Preliminary HIPAA Compliance Audit Findings (2016/2017)
HIPAA Rule | Compliance Controls Audited | Covered Entities Given Rating of 5 | Covered Entities Given Rating of 1
Breach Notification Rule (103 audits) | Timeliness of Breach Notifications | 15 | 67
Breach Notification Rule (103 audits) | Content of Breach Notifications | 9 | 14
Privacy Rule (103 audits) | Right to Access PHI | 11 | 1
Privacy Rule (103 audits) | Notice of Privacy Practices | 16 | 2
Privacy Rule (103 audits) | Electronic Notice | 15 | 59
Security Rule (63 audits) | Risk Analysis | 13 | 0
Security Rule (63 audits) | Risk Management | 17 | 1

Almost a third of covered entities failed to issue breach notifications promptly and next to no covered entities were found to be fully compliant with the HIPAA Privacy and Security Rules.

OCR has delayed the full compliance reviews until 2018. While some organizations will be randomly selected for a full review – including a site visit – OCR has stated that poor performance in the desk audits could trigger a full compliance review. Financial penalties may be deemed appropriate, especially when there has been no attempt to comply with HIPAA Rules.

Attorneys General Fines for Privacy Breaches

The HITECH Act gave state attorneys general the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules. Relatively few state attorneys general exercise this right. Instead they choose to pursue cases under state laws, even if HIPAA Rules have been violated.

Notable 2017 settlements with healthcare organizations and business associates of HIPAA covered entities have been listed below.

Covered Entity | State | Amount | Individuals Affected | Reason
Cottage Health System | California | $2,000,000 | More than 54,000 | Failure to Safeguard Personal Information
Horizon Healthcare Services Inc. | New Jersey | $1,100,000 | 3.7 million | Failure to Safeguard Personal Information
SAManage USA, Inc. | Vermont | $264,000 | 660 | Exposure of PHI on Internet
CoPilot Provider Support Services, Inc. | New York | $130,000 | 221,178 | Late Breach Notifications
Multi-State Billing Services | Massachusetts | $100,000 | 2,600 | Failure to Safeguard Personal Information

The post 2017 HIPAA Enforcement Summary appeared first on HIPAA Journal.

What is Considered PHI Under HIPAA?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA?

What is Considered PHI Under HIPAA Rules?

Under HIPAA Rules, PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.

It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.

Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, Driver’s license numbers, insurance details, and birth dates, when they are linked with health information.

The 18 identifiers that make health information PHI are:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g. retinal scans, fingerprints)
  • Any unique identifying number or code

When is PHI not PHI?

There is a common misconception that all health information is considered PHI under HIPAA, but there are some exceptions.

First, it depends who records the information. A good example would be health trackers – either physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be considered PHI under HIPAA Rules if the information was recorded by a healthcare provider or was used by a health plan.

However, HIPAA only applies to HIPAA-covered entities and their business associates, so if the device manufacturer or app developer has not been contracted by a HIPAA-covered entity and is not a business associate, the information recorded would not be considered PHI under HIPAA.

The same applies to education or employment records. A hospital may hold data on its employees, which can include some health information – allergies or blood type for instance – but HIPAA does not apply to employment records, nor to education records.

PHI also ceases to be PHI when it is stripped of all identifiers that can tie the information to an individual. If PHI is stripped of these identifiers it is considered de-identified protected health information, and the restrictions of the HIPAA Privacy Rule on uses and disclosures no longer apply.
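Added example (not HIPAA Journal's code): a Python pass that applies the 18-identifier list above and the de-identification rule in this paragraph to a constructed record, dropping whole-field identifiers, cutting dates to the year, and redacting identifiers that leak into free-text notes. The field names, regex patterns and sample record are assumptions; the categories follow the page's simplified list.

```python
import re

# Record fields that map directly onto categories in the identifier list above
# (field names are assumptions for this example, not a standard schema).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "ssn", "email", "mrn", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "url", "device_serial",
    "ip_address", "photo", "biometric_id",
}
# Any other field ending in _id/_number/_code counts as a unique identifying code.
UNIQUE_CODE_FIELD = re.compile(r"(_id|_number|_code)$")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Identifiers that commonly leak into free-text fields such as clinical notes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def redact_text(text):
    """Redact identifiers in free text (dates cut to the year); returns (text, categories)."""
    found = []
    for name, pattern in TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(name)
            if name == "date":
                text = pattern.sub(lambda m: m.group(0)[:4], text)
            else:
                text = pattern.sub(f"[{name.upper()} REMOVED]", text)
    return text, sorted(found)

def deidentify(record):
    """Return (clean_record, removed_fields, {text_field: categories redacted})."""
    clean, removed, text_findings = {}, [], {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or UNIQUE_CODE_FIELD.search(key):
            removed.append(key)         # the whole field is an identifier: drop it
        elif isinstance(value, str) and ISO_DATE.match(value):
            clean[key] = value[:4]      # "Dates, except year"
        elif isinstance(value, str):
            clean[key], found = redact_text(value)
            if found:
                text_findings[key] = found
        else:
            clean[key] = value
    return clean, removed, text_findings

def is_deidentified(record):
    """True only if a second pass finds nothing left to drop or redact."""
    _, removed, text_findings = deidentify(record)
    return not removed and not text_findings

# Constructed sample record; every value is made up.
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "admission_date": "2017-03-14", "diagnosis": "Type 2 diabetes", "year_of_service": 2017,
    "note": "Pt called from 555-123-4567; follow up 2017-04-01.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE), is_deidentified(deidentify(SAMPLE)[0]))
```

The second pass in is_deidentified is the check worth keeping in a release pipeline: a record is only shareable when nothing is left to remove.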

The post What is Considered PHI Under HIPAA? appeared first on HIPAA Journal.