Healthcare Data Privacy

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI.

The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases.

21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals.

As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That investigation uncovered multiple potential violations of HIPAA Rules.

OCR determined that 21st Century Oncology failed to conduct a comprehensive, organization-wide risk assessment to determine the potential risks to the confidentiality, integrity, and availability of electronic protected health information, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

21st Century Oncology was also determined to have failed to implement sufficient measures to reduce risks to an appropriate and acceptable level, as required by 45 C.F.R. § 164.306(a).

21st Century Oncology also failed to implement procedures to regularly review logs of system activity, including audit logs, access reports, and security incident tracking reports, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D).

The breach resulted in the impermissible disclosure of the protected health information of 2,213,597 patients.

Further, protected health information of patients was disclosed to business associates without first entering into a HIPAA-compliant business associate agreement and obtaining satisfactory assurances that HIPAA requirements would be followed.

To resolve those potential HIPAA violations, 21st Century Oncology agreed to pay OCR $2.3 million. In addition to the financial settlement, 21st Century Oncology has agreed to adopt a comprehensive corrective action plan (CAP) to bring its policies and procedures up to the standards demanded by HIPAA.

Under the CAP, 21st Century Oncology must appoint a compliance officer, revise its policies and procedures with respect to system activity reviews, access establishment, modification and termination, conduct an organization-wide risk assessment, develop internal policies and procedures for reporting violations of HIPAA Rules, and train staff on new policies.

21st Century Oncology is also required to engage a qualified, objective, and independent assessor to review compliance with the CAP.

Separate $26 Million Settlement Resolves Meaningful Use, Stark Law, and False Claims Act Violations

In addition to the OCR settlement to resolve potential HIPAA violations, 21st Century Oncology has also agreed to a $26 million settlement with the Department of Justice to resolve allegations that it submitted false or inflated Meaningful Use attestations in order to receive incentive payments. 21st Century Oncology self-reported that employees falsely submitted information relating to the use of EHRs to avoid downward payment adjustments. Fabricated reports were also submitted, and the logos of EHR vendors were superimposed on reports to make them appear genuine.

The settlement also resolves allegations that the False Claims Act was violated by submitting or enabling the submission of claims that involved kickbacks for physician referrals, and also violations of the Stark Law, which covers physician self-referrals.

According to the Department of Justice, “The Stark Law prohibits an entity from submitting claims to Medicare for designated health services performed pursuant to referrals from physicians with whom the entity has a financial relationship unless certain designated exceptions apply.”

“We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures,” said Middle District of Florida Acting U.S. Attorney Stephen Muldrow.

In addition to paying the settlement amount, 21st Century Oncology has entered into a 5-year Corporate Integrity Agreement with the HHS’ Office of Inspector General (OIG).

The post $2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR appeared first on HIPAA Journal.

November 2017 Healthcare Data Breach Report

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals, the second consecutive month in which the number of reported breaches fell.

[Chart: healthcare data breaches by month (November 2017)]

While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143.

[Chart: breached healthcare records, November 2017]

Main Causes of November 2017 Healthcare Data Breaches

In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device.

The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially gaining access to electronic medical records, while the latter was a ransomware attack.

Seven of the 21 breaches reported in November impacted more than 5,000 individuals. The mean breach size was 5,102 records. The median breach size was 1,551 records.

[Chart: causes of healthcare data breaches, November 2017]

[Chart: records exposed by breach type]

Location of Exposed and Stolen Protected Health Information

The OCR breach reports show the importance of implementing physical safeguards to ensure the confidentiality of paper records. In November, one third of reported data breaches (7 incidents) involved paper/films. Last month there were five reported incidents involving paper records.

A recent Accenture/HIMSS Analytics survey revealed email was the most common vector in cyberattacks on healthcare organizations. That was the case in October, when email was the most common location of breached data. In November, email was the second most common location of breached PHI behind paper/films, with four email-related breaches reported. There was an even spread between all other locations of breached PHI.

[Chart: location of PHI in November 2017 healthcare data breaches]

November 2017 Healthcare Data Breaches by Covered Entity Type

November 2017 saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports indicate no business associates of covered entities were involved in any incidents reported in November.

[Chart: November 2017 healthcare data breaches by covered entity type]

Largest Healthcare Data Breaches of November 2017

Breached Entity | Entity Type | Breach Type | Individuals Affected
--- | --- | --- | ---
Pulmonary Specialists of Louisville, PSC | Healthcare Provider | Hacking/IT Incident | 32,000
Hackensack Sleep and Pulmonary Center | Healthcare Provider | Hacking/IT Incident | 16,474
Shop-Rite Supermarkets, Incorporated | Healthcare Provider | Improper Disposal | 12,172
The Medical College of Wisconsin, Inc. | Healthcare Provider | Hacking/IT Incident | 9,500
Valley Family Medicine | Healthcare Provider | Unauthorized Access/Disclosure | 8,450
Sports Medicine & Rehabilitation Therapy, Inc. | Healthcare Provider | Hacking/IT Incident | 7,000
Humana Inc | Health Plan | Unauthorized Access/Disclosure | 5,764
Alere Toxicology | Healthcare Provider | Unauthorized Access/Disclosure | 2,146
Family & Cosmetic Dentistry of the Rockies | Healthcare Provider | Improper Disposal | 1,850
Aetna Inc. | Health Plan | Unauthorized Access/Disclosure | 1,600

November 2017 Healthcare Data Breaches by State

The reported breaches in November were spread across 15 states. The states worst affected were Kentucky and Massachusetts with 3 breaches apiece, followed by Colorado and New Jersey each with 2 breaches. One breach was reported by healthcare organizations based in Alabama, California, Connecticut, Florida, Indiana, New York, Pennsylvania, Texas, Virginia, Washington, and Wisconsin.


Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much-delayed second phase of HIPAA compliance audits last year with a round of desk audits, first of healthcare organizations and then of business associates of covered entities.

Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed.

The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations, little has changed since the first phase of compliance audits was conducted in 2011/2012. Noncompliance with HIPAA is still widespread.

A few years ago, the risk of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were discovered, OCR rarely issued financial penalties. Similarly, even though the HITECH Act permits state attorneys general to issue fines for HIPAA violations, relatively few have exercised that right.

Today, the risk of HIPAA violations being discovered is significantly higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are investigated by OCR.

The rise in cyberattacks on healthcare organizations means data breaches are now far more likely to occur. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have experienced a cyberattack.

OCR investigates all breaches of more than 500 records to determine whether HIPAA Rules are being followed. When a breach occurs, organizations’ HIPAA compliance programs will be scrutinized.

OCR has also stepped up enforcement of HIPAA Rules, and financial penalties are far more common. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA-covered entities and their business associates, and two civil monetary penalties issued.

OCR has yet to state whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to turn a blind eye to major HIPAA failures. Multiple violations of HIPAA Rules could well see financial penalties pursued.

The higher likelihood of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be discovered. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are followed?

The Cost of Noncompliance with HIPAA

The high cost of HIPAA noncompliance has been summarized in the infographic below:

[Infographic: The Cost of Noncompliance with HIPAA]


City of Portland Apologizes for Sharing PHI of HIV Positive Patients Without Prior Consent

information with third parties without first obtaining consent from patients. That has led some patients and healthcare officials to believe the City of Portland violated HIPAA by sharing information on HIV-positive patients with the University of Southern Maine without first obtaining consent.

Portland runs a HIV-positive health program, and individuals enrolled in that program were not informed that some of their information – their name, address, phone number and HIV positive status – would be shared with USM’s Muskie School of Public Service (MSPS).

The information was shared in order for MSPS to conduct a survey on behalf of the city. When that survey was conducted, it became clear to patients that some of their PHI had been shared without their knowledge. Two patients complained that their privacy had been violated. Following receipt of the complaints, the city suspended its survey and conducted an investigation into the alleged privacy violation.

While the HIPAA Privacy Rule does restrict the sharing of PHI with third parties, there are exceptions. Officials at the City of Portland maintain that HIPAA Rules were not violated. HIPAA does permit healthcare organizations to share PHI with third parties for research programs, and in such cases, consent from patients is not a requirement, provided certain conditions are met.

While HIPAA Rules may not have been violated, the City of Portland will be issuing a written apology to all affected patients – which number more than 200 – about the privacy violation. The letter, written by Portland’s public health director, Dr. Kolawole Bankole, said, “We have learned important lessons from this experience and are implementing new and updated policies and procedures for ensuring that our health care entities and programs better communicate with patients regarding uses and disclosures of their patient’s [PHI] for these types of research, program evaluation and business associate-related purposes going forward.”

While some city officials do not believe HIPAA Rules have been violated, that view is not shared by all. Dr. Ann Lemire, a former director of Portland’s India Street clinic, had previously warned the city not to share the list of patients with USM researchers, as doing so would be a violation of HIPAA. Lemire told the Press Herald, “I feel our patients have been violated and continue to be treated poorly and without respect.”

While HIPAA Rules may allow Portland to share PHI in this instance, information appears to have been shared before both parties entered into a business associate agreement. According to USM’s assistant provost for research, Ross Hickey, the list of patients was shared before a business associate agreement was obtained. After receiving the list, USM requested a BAA. That BAA was subsequently provided, in which the responsibilities USM had with respect to PHI were detailed.

In this case, the BAA made no difference to how USM secured the list and restricted access to the shared PHI, as strict privacy and security policies were already in place. However, the sharing of the list before entering into a BAA is something the Department of Health and Human Services’ Office for Civil Rights may choose to investigate, in addition to determining whether consent should have been obtained from patients before the information was shared.

If it is discovered that HIPAA Rules were violated, there is potential for a financial penalty, either from OCR or from the Maine attorney general, who, since the HITECH Act was passed, is also permitted to take action against organizations discovered to have violated HIPAA Rules.


Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA compliant? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules?

GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations.

In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, the tools must be subjected to a risk analysis and determined to meet the security standards demanded by HIPAA.

Failing to ensure that a particular service is HIPAA compliant could mean violating the privacy of patients, breaching HIPAA Rules, and potentially having to cover a sizable financial penalty for noncompliance.

It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality, integrity, and availability of ePHI, it is still possible to use a ‘HIPAA-compliant’ service in a non-compliant manner. It is up to a HIPAA-covered entity or business associate to ensure that any software or communication platform is configured correctly, is used appropriately, that PHI is only shared or communicated to people authorized to receive the information, and that when information is disclosed, the minimum necessary standard applies.


Is GoToMeeting HIPAA Compliant?

In order to consider GoToMeeting HIPAA compliant, technical safeguards would need to be incorporated to meet the requirements of the HIPAA Security Rule.

To protect data in transit, GoToMeeting employs full end-to-end data encryption. All transmitted data is protected using HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are protected in transit using AES 128-bit encryption. AES 128-bit encryption meets the current standards for encryption recommended by NIST.

Protecting data in transit is only one element of HIPAA compliance. If PHI is to be transmitted – via email, secure text messages, or conferencing solutions – there must be audit controls. An audit trail must be maintained so that activity relating to PHI can be examined. GoToMeeting creates logs of connection and session activity, and access to reporting and management tools is available to account managers.

Controls must also be present that ensure only authorized individuals are able to gain access to the system. GoToMeeting is protected by unique meeting codes and includes the option of setting strong passwords. When meetings are set up they are not publicly listed, and meeting organizers have full control over who can join the meetings.

Each user that wishes to join a meeting must identify themselves using a unique email address and/or number along with a unique password, and users are automatically logged off after a period of inactivity, which can be set by the meeting organizer.

GoToMeeting also confirms on its website, “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.”

While the technical safeguards meet HIPAA requirements, HIPAA-covered entities must also enter into a HIPAA-compliant business associate agreement with service providers prior to using a service for communicating PHI. GoToMeeting offers a business associate agreement which covers use of the service, meeting this regulatory requirement.

So, is GoToMeeting HIPAA-compliant? Provided HIPAA-covered entities and business associates enter into a BAA with GoToMeeting prior to using the service for communicating PHI, GoToMeeting can be used in a HIPAA-compliant manner.

However, as GoToMeeting explains, “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”


How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations?


Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant.

If your email network is behind a firewall, it is not necessary to encrypt your emails. Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI.

If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant.

There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant or incorporate all of the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules. To make your email HIPAA compliant, there are several things to consider:

Ensure you have end-to-end encryption for email

Email is a quick and easy way to communicate electronically, but it is not necessarily secure. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant. To make your email HIPAA compliant you should ensure you have end-to-end encryption, which encrypts both messages in transit and stored messages. Access controls are used to ensure only the intended recipient and the sender can access the messages.

Some email service providers require individual emails to be encrypted by clicking a button or using a portal. Since it is easy to forget to turn on encryption and accidentally send an unencrypted email, it is a better choice to encrypt all emails, not only those that contain ePHI. This will reduce the potential for human error.

The type of encryption used is also important. While previously Data Encryption Standard (DES) was considered secure, that is no longer the case. You should consult NIST for advice on suitable encryption standards. Currently AES 128, 192, or 256-bit encryption is recommended.

For many HIPAA-covered entities, especially smaller healthcare providers that do not have in-house IT staff to ensure their email is HIPAA-compliant, the use of a third-party HIPAA compliant email service provider is strongly recommended.

Research potential HIPAA compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers.

Enter into a HIPAA-compliant business associate agreement with your email provider

If you use a third-party email provider, you should obtain a business associate agreement prior to using the service for sending ePHI. The business associate agreement outlines the responsibilities of the service provider and establishes that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity and availability of ePHI.

If an email service provider is not prepared to enter into a business associate agreement, you should look elsewhere. There are several email service providers who are prepared to sign a BAA to allow them to work with HIPAA-covered entities and their business associates.

Ensure your email is configured correctly

Even when a BAA is obtained, there are still risks associated with email and it is possible to fail to configure the email service correctly and violate HIPAA Rules. Simply using an email service that is covered by a BAA does not make your email HIPAA compliant.

Google’s G Suite includes email and is covered by its business associate agreement. Through G Suite, email can be made HIPAA compliant provided the service is used alongside a business domain. Even if you use G Suite, care must be taken when configuring the service to ensure end-to-end encryption is in place.

Note that G Suite is not the same as Gmail. Gmail is not intended for business use and cannot be made HIPAA compliant. Google does not sign a BAA for its free services, only for its paid services.

Develop policies on the use of email and train your staff

Once you have implemented your HIPAA compliant email service, it is important to train staff on the correct use of email with respect to ePHI. Several data breaches have occurred as a result of errors made by healthcare staff: the accidental sending of ePHI via unencrypted email, and the sending of ePHI to individuals unauthorized to view the information. It is important to ensure that all staff are aware of their responsibilities under HIPAA and are trained on the use of the email service.

Ensure all emails are retained for 6 years

HIPAA requires covered entities and business associates to retain past email communications containing ePHI. The retention period is six years. Even for small to medium-sized healthcare organizations, storing six years of emails, including attachments, for all members of staff requires considerable storage space. Consider using a secure, encrypted email archiving service rather than email backups. Not only will this free up storage space, but since an email archive is indexed, searching for emails in an archive is a quick and easy process. If emails need to be produced for legal discovery or for a compliance audit, they can be quickly and easily retrieved.

As with an email service provider, any provider of an email archiving service will also be subject to HIPAA Rules as they will be classed as a business associate. A BAA would need to be entered into with that service provider and reasonable assurances obtained that they will abide by HIPAA Rules.

Obtain consent from patients before communicating with them via email

HIPAA-covered entities should note that while it may be convenient to send emails containing ePHI to patients, consent to use email as a communication method must be obtained from the patient in writing before any ePHI is sent via email, even if a HIPAA compliant email provider is used. Patients must be advised that there are risks to the confidentiality of information sent via email. If they are prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules.

Seek legal advice on HIPAA compliance and email

If you are unsure of the requirements of HIPAA with respect to email, it is strongly recommended that you speak with a healthcare attorney who specializes in HIPAA, who can advise you of your responsibilities and the requirements of HIPAA with respect to email.


18,500 Patients’ PHI Exposed After Multiple Email Accounts Were Compromised

The Detroit-based Henry Ford Health System has started notifying almost 18,500 patients that some of their protected health information has potentially been accessed by an unauthorized individual.

The breach was detected on October 3, 2017, when unauthorized access to the email accounts of several employees was discovered. While protected health information was potentially accessed or stolen, the health system’s EHR system was not compromised at any point. All exposed data was confined to the compromised email accounts.

It is currently unclear exactly how access to the email accounts was gained. Typically, breaches such as this involve phishing attacks, in which emails are sent to healthcare employees that fool them into disclosing their login credentials. An internal investigation into the breach is ongoing to determine the cause of the attack and how the login credentials of some of its employees were stolen.

Henry Ford Health System has conducted a review of all emails in the accounts and has determined that 18,470 patients have been affected. The emails contained a range of information on patients including names, medical record numbers, dates of birth, provider’s name, department’s name, location, dates of service, medical diagnoses, and the name of health insurers. Each patient impacted by the breach had some or all of the above information exposed. Financial information and Social Security numbers were not present in any of the compromised email accounts.

At this stage in the investigation it is unclear whether the person who accessed the accounts viewed or stole any information, and whether any of the PHI has been used inappropriately.

A spokesperson for Henry Ford Health System said, “We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted,” and “To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks.”

Henry Ford Health System will also be reviewing its policies on email retention and the use of two-factor authentication.


Does HIPAA Apply to Employers?

HIPAA applies to employers in certain circumstances and, although HIPAA does not protect individually identifiable health information maintained by a covered entity in its role as an employer, it is important for employers to understand what these circumstances are to avoid HIPAA violations. Employers also need to ensure that their workforces understand whether or not health data collected and maintained by their employer is protected by the HIPAA Privacy Rule.

You can use our HIPAA Checklist For Employers to view your compliance requirements and avoid HIPAA violations.

The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare and health insurance industries. Because of its objectives to standardize how individually identifiable personal information is protected across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and open to a number of interpretations.

Many attempts have been made to summarize the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied.

Because of its complicated nature, most summaries fail to adequately answer the question “How does HIPAA apply to employers?” This article aims to answer that question as adequately as possible.

Let’s First Discuss HIPAA-Covered Transactions

The HIPAA Privacy Rule defines what constitutes individually identifiable health information and how it should be protected from unauthorized uses and disclosures.

It is often the case that a new employee may disclose some elements of protected health information – for example to an employer’s HR Department – when the new employee commences with the new employer. So, under that summarized interpretation, the answer to the question “Does HIPAA Apply to Employers?” would be “yes”.

However, Protected Health Information is only covered by HIPAA when it is used to communicate information about an individual’s past, present or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare. If a worker supplied their individually identifiable health information to an employer’s HR Department, and it was never used for any of these purposes, HIPAA does not apply to employers in this scenario.

One factor sometimes overlooked in summaries of the HIPAA Privacy Rule is that, in order for a “covered entity” to be subject to the regulations, the purpose of creating, using, storing or sharing Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not limited to):

  • A request to obtain payment from a healthcare provider to a health plan accompanied by supporting documentation.
  • An inquiry from a healthcare provider to a health plan about the eligibility of an individual to receive treatment.
  • A request to a health plan to refer an individual to another healthcare provider (and the health plan’s response).
  • The transmission of either of the following from a health plan to a healthcare provider: (1) Explanation of benefits. (2) Remittance advice.

For further information about what qualifies as a HIPAA-covered transaction, please refer to 45 CFR Part 162, specifically §§ 162.1101 to 162.1801. The question “Does HIPAA apply to employers who conduct HIPAA-covered transactions?” is addressed in the next section.

Does HIPAA Apply to Employers’ Self-Insured Health Plans?

Using the criteria described above for HIPAA-covered transactions, the only circumstances in which an employer may be involved in these types of transactions are if they provide onsite clinics as an employee health benefit, provide a self-insured health plan for employees, or act as an intermediary between employees, healthcare providers, and health plans.

Because an onsite clinic is an employee health benefit that is not “portable” (i.e. the benefit cannot be taken with an employee when they move to a new job), it is exempt from the Privacy Rule. Employers providing self-insured health plans are also exempt because HIPAA regards the employer and the health plan as two separate legal entities, even if the employer administers the self-insured health plan.

However, in order to administer a self-insured health plan, or act as an intermediary between employees, healthcare providers and health plans, the employer is subject to “partial compliance” and is required to provide a certification that Protected Health Information will be safeguarded as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

The certification is not unlike a Business Associate Agreement and it allows the self-insured health plan to share Protected Health Information with the employer, but only for the purposes of administering the health plan. Any other uses of the Protected Health Information would constitute an unauthorized disclosure and the employer would be subject to sanctions by the Department of Health & Human Services. Further information about employer certification can be found in 45 CFR 164.504(f).

What HIPAA Means to Employers

What HIPAA means to employers generally is that they do not have to implement measures to protect the privacy of individually identifiable health information in accordance with the Privacy and Security Rules, nor notify employees and HHS’ Office for Civil Rights in the event of a data breach. However, HIPAA is not the only legislation that relates to the privacy and security of employee data.

Other federal laws such as the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act govern what employers can do with certain types of employee data, while state laws such as the California Privacy Rights Act grant employees rights over what data is maintained about them, similar to the patients’ rights provisions of the HIPAA Privacy Rule.

Employers and Protected Health Information: Conclusion

The answer to the question “Does HIPAA Apply to Employers” is generally “no”. However, there are circumstances in which employers are subject to HIPAA with regard to safeguarding the confidentiality, integrity and security of Protected Health Information. These circumstances may be few and far between, but when they occur it is important that employers are aware of their compliance obligations.

In most cases, HIPAA does not prevent an employer from announcing the birth of a child to the parent’s workplace colleagues, but it will likely apply if an employer administers a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Companies still unsure about how HIPAA applies to employers should seek professional advice relevant to their specific circumstances.

Does HIPAA Apply to Employers? FAQs

If I give my employer a doctor’s note to prove I was sick, does HIPAA apply to the doctor’s note?

If you give your employer a doctor’s note to prove you were sick, HIPAA does not apply to the doctor’s note, even if you work for a covered entity or business associate. This is because the doctor’s note will not be used for a HIPAA-covered transaction. The doctor’s note is considered to be part of your employment record, like any other personal information you might provide to your employer.

If an employer phones a hospital to enquire about the wellbeing of an employee, is the information provided by the hospital covered by HIPAA?

If an employer phones a hospital to enquire about the wellbeing of an employee, the information provided by the hospital is not covered by HIPAA once it has been disclosed to the employer. However, before any information is disclosed to an employer by a hospital, the hospital must obtain the employee’s consent to disclose PHI. A disclosure to an employer without consent – other than permissible disclosures for workers’ comp purposes and to comply with OSHA – is a violation of HIPAA.

Does HIPAA apply to employers in medical teaching institutions?

HIPAA can apply to employers in medical teaching institutions depending on the nature of medical services provided by the institution. If medical services are only available to employees and students, the institution is not a HIPAA covered entity because the provision of medical services to employees is not portable and the provision of medical services to students is covered by FERPA.

If medical services are available to the public, the institution is a hybrid entity required to comply with HIPAA for the medical services provided to members of the public, but not for non-portable medical services provided to employees or for FERPA-covered medical services provided to students. Further information about hybrid entities can be found in this HHS article.

If an employer is a federal agency, does HIPAA or the Privacy Act apply?

If an employer is a federal agency that qualifies as a covered entity and engages in HIPAA-covered transactions, HIPAA preempts the Privacy Act. In most other circumstances, federal agencies have to comply with the Privacy Act – the exceptions being when state or local laws offer greater protections to health information than HIPAA or the Privacy Act.

Does HIPAA apply to employers that are business associates of a covered entity?

HIPAA does not apply to employers that are business associates of a covered entity if a business associate in its role as an employer maintains employee healthcare data that is not used for HIPAA-covered transactions. In such cases, the business associate is not subject to HIPAA in respect of employee data – but still subject to HIPAA in respect of any ePHI received from the covered entity with whom the employer has a Business Associate Agreement.

Can an employer ask about medical conditions under HIPAA?

An employer can ask about medical conditions under HIPAA because employers – in their role as employers – are not covered entities. Nothing in the Privacy Rule prevents an employer from asking an employee about medical conditions, and such a question does not violate HIPAA. However, if an employer asks a covered entity to disclose information about an employee’s medical condition, HIPAA only permits the disclosure under certain circumstances or with the consent of the employee.

When does HIPAA apply to employers?

HIPAA applies to employers when they create, maintain, or transmit Protected Health Information in connection with a HIPAA-covered transaction. This is a rare occurrence, and usually only happens when the employer administers a self-insured health plan. In such circumstances, the Protected Health Information created, maintained, or transmitted by the self-insured health plan should be kept separate from other employee data – which is not subject to the Privacy and Security Rules.

Is a new employee’s health information disclosed to an HR department protected by HIPAA?

A new employee’s health information disclosed to an HR department is not protected by HIPAA unless the information will be disclosed in a HIPAA-covered transaction by an employer who qualifies as a HIPAA covered entity. This is an extremely rare event – even if the new employee’s role is with a healthcare facility – because employers do not ordinarily qualify as HIPAA covered entities in their role as an employer.

What does “partial compliance” mean for employers in the context of HIPAA?

What partial compliance means in the context of HIPAA is that, if an employer administers a self-insured health plan or acts as an intermediary between employees, healthcare providers, and health plans, the employer is required to safeguard the PHI they have access to in their role as an administrator or intermediary and certify that PHI will be protected as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

Can an employer announce the birth of a child to a parent’s workplace colleagues without violating HIPAA?

An employer can announce the birth of a child to a parent’s workplace colleagues without violating HIPAA unless the employer administers a self-insured health plan or acts as an intermediary between the parent and a health plan and learns of the birth in their role as an administrator or intermediary. In such circumstances, it would be necessary to obtain the parent’s consent to avoid violating HIPAA.

What is a HIPAA-covered transaction?

A HIPAA-covered transaction is any transaction that the Department of Health and Human Services has developed standards for in Part 162 of the HIPAA Administrative Simplification Regulations. Most HIPAA-covered transactions relate to eligibility checks for treatment, authorizations for treatment, billing, and remittances – transactions that rarely apply to employers in their role as employers.

If an employer qualifies as a partial entity, what is the first step to take to avoid HIPAA violations?

If an employer qualifies as a partial entity, the first step to take to avoid HIPAA violations is to understand what information collected, maintained, or transmitted by the employer is protected by the Privacy Rule. Thereafter, the employer must implement safeguards to protect the privacy of individually identifiable health information and to ensure the confidentiality, integrity, and availability of electronic PHI.

The post Does HIPAA Apply to Employers? appeared first on HIPAA Journal.

Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered

New vulnerabilities that threaten the confidentiality, integrity, and availability of ePHI have been discovered by Spirent SecurityLabs researcher Saurabh Harit.

The vulnerabilities exist in certain digital smart pens and IV infusion pumps. The vulnerabilities could be exploited to gain access to sensitive patient information, while the IV infusion pump vulnerability could also be exploited to cause patients harm, with potentially fatal consequences.

Smart pens are used by doctors to write prescriptions for medications, which are then transmitted to pharmacies. While the smart pen manufacturers claim the devices do not store sensitive information, Harit was able to gain access to sensitive information through the devices and view patient names, addresses, phone numbers, clinical information, and even medical records.

Harit was able to reverse engineer the smart pens and view the operating system on a monitor connected to the device through a serial interface. Initially, only low-privilege access to the operating system of the smart pens was gained, but by using an exploit the researcher was able to elevate privileges to gain administrator access. Once administrative rights were gained, and the encryption was defeated, Harit was able to access the backend servers used by the healthcare organization and view sensitive information on patients of several doctors who used the smart pens. The vendors of the smart pens were notified of the flaws and patches have now been released to correct the vulnerability.

Harit also discovered a so far unpatched vulnerability in an IV infusion pump which could be exploited to administer lethal doses of drugs to patients, potentially on all IV pumps used at a particular hospital. Far from being a complex and expensive hack, it was possible with a device that could be purchased for just $7. That device allowed Harit to interface with the pump, read its configuration data, and identify the access point to which the device connected.

It was possible to set up a fake access point to connect to the device and collect sensitive data on the patient, including the master drug list and doses of drugs to be administered. Harit claims it would be possible to write malware that could attack all IV infusion pumps used by a hospital.

Fortunately, for the vulnerabilities to be exploited, physical access to the devices would be required.

Harit will not disclose the names of the companies or devices affected, but will present the findings on the vulnerabilities at Black Hat Europe later this week.

The post Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered appeared first on HIPAA Journal.