Healthcare Data Privacy

Does HIPAA Apply to Employers?

HIPAA applies to employers in certain circumstances and, although HIPAA does not protect individually identifiable health information maintained by a covered entity in its role as an employer,  it is important for employers to understand what these circumstances are to avoid HIPAA violations. Employers also need  to ensure that their workforces understand whether or not health data collected and maintained by their employer is protected by the HIPAA Privacy Rule.

You can use our HIPAA Checklist For Employers to view your compliance requirements and avoid HIPAA violations.

The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare and health insurance industries. Because of its objectives to standardize how individually identifiable personal information is protected across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and open to a number of interpretations.

Many attempts have been made to summarize the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied.

Because of its complicated nature, most summaries fail to adequately answer the question “How does HIPAA apply to employers?” This article aims to answer that question as adequately as possible.

Let’s First Discuss HIPAA-Covered Transactions

The HIPAA Privacy Rule defines what constitutes individually identifiable health information and how it should be protected from unauthorized uses and disclosures.

It is often the case that a new employee may disclose some elements of protected health information – for example to an employer’s HR Department – when the new employee commences with the new employer. So, under a summarized interpretation of the Privacy Rule, the answer to the question “Does HIPAA Apply to Employers?” would be “yes”.

However, Protected Health Information is only covered by HIPAA when it is used to communicate information about an individual’s past, present or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare. If a worker supplied their individually identifiable health information to an employer’s HR Department, and it was never used for any of these purposes, HIPAA does not apply to employers in this scenario.

One factor sometimes overlooked in summaries of the HIPAA Privacy Rule is that, in order for a “covered entity” to be subject to the regulations, the purpose of creating, using, storing or sharing Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not limited to):

  • A request to obtain payment from a healthcare provider to a health plan accompanied by supporting documentation.
  • An inquiry from a healthcare provider to a health plan about the eligibility of an individual to receive treatment.
  • A request to a health plan to refer an individual to another healthcare provider (and the health plan’s response).
  • The transmission of either of the following from a health plan to a healthcare provider: (1) Explanation of benefits. (2) Remittance advice.

For further information about what qualifies as a HIPAA-covered transaction, please refer to 45 CFR Part 162, specifically §§ 162.1101 to 162.1801. The question “Does HIPAA apply to employers who conduct HIPAA-covered transactions?” is addressed in the next section.

Does HIPAA Apply to Employers’ Self-Insured Health Plans?

Using the criteria described above for HIPAA-covered transactions, the only circumstances in which an employer may be involved in these types of transactions are if they provide onsite clinics as an employee health benefit, provide a self-insured health plan for employees, or act as an intermediary between employees, healthcare providers, and health plans.

Because an onsite clinic is an employee health benefit that is not “portable” (i.e. the benefit cannot be taken with an employee when they move to a new job), it is exempt from the Privacy Rule. Employers providing self-insured health plans are also exempt because HIPAA regards the employer and the health plan as two separate legal entities, even if the employer administers the self-insured health plan.

However, in order to administer a self-insured health plan, or act as an intermediary between employees, healthcare providers and health plans, the employer is subject to “partial compliance” and is required to provide a certification that Protected Health Information will be safeguarded as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

The certification is not unlike a Business Associate Agreement and it allows the self-insured health plan to share Protected Health Information with the employer, but only for the purposes of administering the health plan. Any other uses of the Protected Health Information would constitute an unauthorized disclosure and the employer would be subject to sanctions by the Department of Health & Human Services. Further information about employer certification can be found in 45 CFR 164.504(f).

What HIPAA Means to Employers

What HIPAA means to employers generally is that they do not have to implement measures to protect the privacy of individually identifiable health information in accordance with the Privacy and Security Rules, nor notify employees and HHS’ Office for Civil Rights in the event of a data breach. However, HIPAA is not the only legislation that relates to the privacy and security of employee data.

Other federal laws such as the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act govern what employers can do with certain types of employee data, while state laws such as the California Privacy Rights Act grant employees rights over what data is maintained about them, similar to the patients’ rights provisions of the HIPAA Privacy Rule.

Employers and Protected Health Information: Conclusion

The answer to the question “Does HIPAA Apply to Employers?” is generally “no”. However, there are circumstances in which employers are subject to HIPAA with regard to safeguarding the confidentiality, integrity and security of Protected Health Information. These circumstances may be few and far between; but, when they occur, it is important employers are aware of their compliance obligations.

In most cases, HIPAA does not prevent an employer from announcing the birth of a child to the parent’s workplace colleagues, but it will likely apply if an employer administers a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Companies still unsure about how HIPAA applies to employers should seek professional advice relevant to their specific circumstances.

Does HIPAA Apply to Employers? FAQs

If I give my employer a doctor’s note to prove I was sick, does HIPAA apply to the doctor’s note?

If you give your employer a doctor’s note to prove you were sick, HIPAA does not apply to the doctor’s note, even if you work for a covered entity or business associate. This is because the doctor’s note will not be used for a HIPAA-covered transaction. The doctor’s note is considered to be part of your employment record, like any other personal information you might provide to your employer.

If an employer phones a hospital to enquire about the wellbeing of an employee, is the information provided by the hospital covered by HIPAA?

If an employer phones a hospital to enquire about the wellbeing of an employee, the information provided by the hospital is not covered by HIPAA once it has been disclosed to the employer. However, before any information is disclosed to an employer by a hospital, the hospital must obtain the employee’s consent to disclose PHI. A disclosure to an employer without consent – other than permissible disclosures for workers’ compensation purposes and to comply with OSHA – is a violation of HIPAA.

Does HIPAA apply to employers in medical teaching institutions?

HIPAA can apply to employers in medical teaching institutions depending on the nature of medical services provided by the institution. If medical services are only available to employees and students, the institution is not a HIPAA covered entity because the provision of medical services to employees is not portable and the provision of medical services to students is covered by FERPA.

If medical services are available to the public, the institution is a hybrid entity required to comply with HIPAA for the medical services provided to members of the public, but not for non-portable medical services provided to employees or for FERPA-covered medical services provided to students. Further information about hybrid entities can be found in this HHS article.

If an employer is a federal agency, does HIPAA or the Privacy Act apply?

If an employer is a federal agency that qualifies as a covered entity and engages in HIPAA-covered transactions, HIPAA preempts the Privacy Act. In most other circumstances, federal agencies have to comply with the Privacy Act – the exceptions being when state or local laws offer greater protections to health information than HIPAA or the Privacy Act.

Does HIPAA apply to employers that are business associates of a covered entity?

HIPAA does not apply to employers that are business associates of a covered entity if a business associate in its role as an employer maintains employee healthcare data that is not used for HIPAA-covered transactions. In such cases, the business associate is not subject to HIPAA in respect of employee data – but still subject to HIPAA in respect of any ePHI received from the covered entity with whom the employer has a Business Associate Agreement.

Can an employer ask about medical conditions under HIPAA?

An employer can ask about medical conditions under HIPAA because employers – in their role as employers – are not covered entities. Nothing in the Privacy Rule prevents an employer from asking an employee about medical conditions. However, if an employer asks a covered entity to disclose information about an employee’s medical condition, HIPAA only permits the disclosure under certain circumstances or with the consent of the employee.

When does HIPAA apply to employers?

HIPAA applies to employers when they create, maintain, or transmit Protected Health Information in connection with a HIPAA-covered transaction. This is a rare occurrence, and usually only happens when the employer administers a self-insured health plan. In such circumstances, the Protected Health Information created, maintained, or transmitted by the self-insured health plan should be kept separate from other employee data – which is not subject to the Privacy and Security Rules.

Is a new employee’s health information disclosed to an HR department protected by HIPAA?

A new employee’s health information disclosed to an HR department is not protected by HIPAA unless the information will be disclosed in a HIPAA-covered transaction by an employer who qualifies as a HIPAA covered entity. This is an extremely rare event – even if the new employee’s role is with a healthcare facility – because employers do not ordinarily qualify as HIPAA covered entities in their role as an employer.

What does “partial compliance” mean for employers in the context of HIPAA?

What partial compliance means in the context of HIPAA is that, if an employer administers a self-insured health plan or acts as an intermediary between employees, healthcare providers, and health plans, the employer is required to safeguard the PHI they have access to in their role as an administrator or intermediary and certify that PHI will be protected as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

Can an employer announce the birth of a child to a parent’s workplace colleagues without violating HIPAA?

An employer can announce the birth of a child to a parent’s workplace colleagues without violating HIPAA unless the employer administers a self-insured health plan or acts as an intermediary between the parent and a health plan and learns of the birth in their role as an administrator or intermediary. In such circumstances, it would be necessary to obtain the parent’s consent to avoid violating HIPAA.

What is a HIPAA-covered transaction?

A HIPAA-covered transaction is any transaction that the Department of Health and Human Services has developed standards for in Part 162 of the HIPAA Administrative Simplification Regulations. Most HIPAA-covered transactions relate to eligibility checks for treatment, authorizations for treatment, billing, and remittances – transactions that rarely apply to employers in their role as employers.

If an employer qualifies as a partial entity, what is the first step to take to avoid HIPAA violations?

If an employer qualifies as a partial entity, the first step to take to avoid HIPAA violations is to understand what information collected, maintained, or transmitted by the employer is protected by the Privacy Rule. Thereafter, the employer must implement safeguards to protect the privacy of individually identifiable health information and to ensure the confidentiality, integrity, and availability of electronic PHI.

The post Does HIPAA Apply to Employers? appeared first on HIPAA Journal.

Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered

New vulnerabilities that threaten the confidentiality, integrity, and availability of ePHI have been discovered by Spirent SecurityLabs researcher Saurabh Harit.

The vulnerabilities exist in certain digital smart pens and IV infusion pumps. The vulnerabilities could be exploited to gain access to sensitive patient information, while the IV infusion pump vulnerability could also be exploited to cause patients harm, with potentially fatal consequences.

Smart pens are used by doctors to write prescriptions for medications, which are then transmitted to pharmacies. While the smart pen manufacturers claim the devices do not store sensitive information, Harit was able to gain access to sensitive information through the devices and view patient names, addresses, phone numbers, clinical information, and even medical records.

Harit was able to reverse engineer the smart pens and view the operating system on a monitor connected to the device through a serial interface. Initially, only low-privilege access to the operating system of the smart pens was gained, but by using an exploit the researcher was able to elevate privileges to gain administrator access. Once administrative rights were gained, and the encryption was defeated, Harit was able to access the backend servers used by the healthcare organization and view sensitive information on patients of several doctors who used the smart pens. The vendors of the smart pens were notified of the flaws and patches have now been released to correct the vulnerability.

Harit also discovered a so far unpatched vulnerability in an IV infusion pump which could be exploited to administer lethal doses of drugs to patients, potentially on all IV pumps used at a particular hospital. Far from being a complex and expensive hack, it was possible with a device that could be purchased for just $7. That device allowed Harit to interface with the pump, read its configuration data, and identify the access point to which the device connected.

It was possible to set up a fake access point to connect to the device and collect sensitive data on the patient, including the master drug list and doses of drugs to be administered. Harit claims it would be possible to write malware that could attack all IV infusion pumps used by a hospital.

Fortunately, for the vulnerabilities to be exploited, physical access to the devices would be required.

Harit will not disclose the names of the companies or devices affected, but will present the findings on the vulnerabilities at Black Hat Europe later this week.


Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws.

Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google.

The sensitive information of more than 50,000 patients was available online without any need for authentication such as a password, and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was unsecured.

As is required under state laws, the incident was reported to state attorney general Kamala D. Harris. Two years later, while the attorney general’s office was investigating the incident, Cottage Health experienced a second breach. The second breach involved the records of 4,596 patients, which were similarly left exposed and accessible online without any need for authentication.

The information was accessible for almost two weeks before the error was identified and protections put in place to prevent unauthorized access. The information exposed in the second breach included personally identifiable information and protected health information such as names, addresses, medical record numbers, account numbers, employment information, Social Security numbers, and admission and discharge dates.

Cottage Health claims that while both incidents resulted in the exposure of patient data, there are no indications to suggest any patient information was used inappropriately. The breaches prompted Cottage Health to review its information security controls and strengthen its policies, procedures, and security protections to prevent similar breaches from occurring in the future. In each case, the health network’s security teams acted quickly to limit harm and secure the exposed information. New system monitoring tools have now been implemented, and advanced security solutions are in place that allow vulnerabilities to be identified and mitigated much more rapidly.

The response to the breach may have been reasonable and appropriate, and protections now far better, but it is the lack of protections leading up to the data breaches that warranted a financial penalty. The California state attorney general’s office alleges that Cottage Health violated California’s Confidentiality of Medical Information Act, its Unfair Competition Law, and HIPAA Rules. According to the complaint, “Cottage failed to employ basic security safeguards.” Cottage Health was running outdated software, patches were not applied promptly, default configurations had not been changed, strong passwords were not used, access to sensitive PII was not limited, and regular risk assessments were not conducted.

Announcing the settlement, California Attorney General Xavier Becerra said, “When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed.” Becerra added that “The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”

In addition to the $2 million settlement, Cottage Health is required to update and maintain information security controls and ensure security practices and procedures match industry standards.

Specifically, the judgment requires Cottage Health to:

  • Assess hardware and software for vulnerabilities to the confidentiality, integrity, and availability of patients’ medical information.
  • Update access controls and security settings as appropriate.
  • Evaluate the response to and protections from external threats, including firewall security.
  • Encrypt patients’ medical information in transit to industry standards.
  • Maintain reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plans.
  • Conduct periodic vulnerability scans and penetration tests to identify and assess vulnerabilities, and remediate any vulnerabilities discovered.
  • Conduct employee training on the correct use and storage of patients’ medical information.


HIPAA Compliance for Self-Insured Group Health Plans

HIPAA compliance for self-insured group health plans – or self-administered health group plans – is one of the most complicated areas of HIPAA legislation.

The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed obligations on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic health care transactions, unique health identifiers, and data security.

The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices.

Definition of a Self-Insured Group Health Plan

Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.

Typically, a self-insured employer will set up a special trust fund to earmark money (corporate and employee contributions) to pay incurred claims and either administer the plan themselves or – more commonly for larger employers – retain the services of an outside third-party administrator. A self-insured group health care plan can also include medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).

Exemptions from HIPAA Compliance for Self-Insured Companies

Exemptions from HIPAA compliance for self-insured companies are rare. Only if a group health plan is self-insured, self-administered and the employer has fewer than fifty employees is the company exempt from HIPAA compliance – provided medical FSAs and HRAs are also administered by the employer and not an outside third-party administrator. Providing an employee assistance plan or wellness plan can also trigger HIPAA compliance for self-insured companies.

Not surprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is applicable when neither the sponsor of a group health plan nor its insurance agent has any access to or transmits Protected Health Information (PHI) electronically. These “hands off” group health plans only occur in specific circumstances, and generally most self-insured group health plans will be subject to HIPAA compliance.

What Does HIPAA Compliance for Self-Insured Group Health Plans Consist Of?

As mentioned above, HIPAA compliance for self-insured group health plans is one of the most complicated areas of HIPAA legislation. This is not only because it can be difficult to determine whether a company is subject to the legislation, but also because compliance requirements will vary from company to company depending on factors such as its size, the nature of its business and its internal organization.

Appoint a Privacy and Security Officer

Companies with self-insured group health plans should start by appointing a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be performed by the same person and/or an existing employee, and their first role is to identify where, why, and to what extent PHI is created, received, maintained or transmitted by the group health plan. This will likely involve many different departments such as IT, legal, payroll and HR.

Develop HIPAA-Compliant Privacy Policies

Once the discovery of PHI is completed, the next stage of HIPAA compliance for self-insured group health plans is to develop HIPAA-compliant privacy policies establishing the permitted uses and disclosures of PHI. This should take into account third-party administrators who – as a Business Associate – will also have to comply with HIPAA, and with whom it will be necessary to enter into a HIPAA Business Associate Agreement.

Develop HIPAA-Compliant Security Policies

One of the requirements of the HIPAA Security Rule is for Covered Entities to implement administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to fulfil this requirement, Security Officers should conduct a risk assessment to identify any vulnerabilities that may lead to the unauthorized disclosure of electronic PHI, and – following a risk analysis – implement suitable measures and policies to address the vulnerabilities.

Develop a Breach Notification Policy

Despite a company’s best efforts to achieve HIPAA compliance for self-insured group health plans, there may be a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be prepared for such occurrences, and should develop a breach notification policy in order to advise employees that personal information may have been compromised, and the HHS Office for Civil Rights when necessary.

Employee Training is Essential

In order to enforce the policies and ensure HIPAA compliance for self-insured companies, employee training is essential. As members of a self-insured group health plan, each employee should be given a notice of the plan’s privacy practices which can be used to explain why maintaining the integrity of PHI is essential. Each employee should also be given a copy of the company’s sanction policy explaining the consequences of failing to comply with the privacy, security and breach notification policies.

Further Information about HIPAA Compliance for Self-Insured Companies

Further information about HIPAA compliance for self-insured companies can be found in our “HIPAA Compliance Guide”. Our free-to-download guide provides more detailed information about the HIPAA Privacy Rule, the administrative, physical and technical safeguards of the HIPAA Security Rule, and the process for conducting risk assessments and risk analyses. You will also be able to find more information on Business Associates and Business Associate Agreements – an essential part of HIPAA compliance for self-insured group health plans if your company uses the services of an outside third-party administrator.


HIPAA Compliance for HR Departments

Businesses not directly involved in the healthcare or healthcare insurance industries should nonetheless pay close attention to HIPAA compliance for HR departments. It has been estimated that a third of all workers and their dependents who receive occupational healthcare benefits do so through a self-insured group health plan.

Although this does not mean a self-insuring business automatically becomes a HIPAA-Covered Entity – and thereby subject to HIPAA regulations – the likelihood is the HR department will have some involvement with insurance-related tasks. During the execution of the insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information.

Why HIPAA Compliance for HR Departments is Important

The original purpose of the Health Insurance Portability and Accountability Act (HIPAA) was to improve the portability and continuity of health insurance coverage. As the Act progressed through Congress, amendments were added with the intention of combating waste, fraud and abuse in the health insurance and healthcare industries.

As a result of these amendments, the HIPAA Privacy and Security Rules were introduced. The Rules restrict access to and use of Protected Health Information (PHI), primarily to give patients and members of group healthcare plans control over how their personal information is used. For example, healthcare organizations can no longer use a patient’s PHI for marketing activities without the patient’s consent.

A further purpose of restricting access to PHI is to prevent one person using somebody else’s PHI to obtain free healthcare – effectively identity theft. As the costs of medical treatment have increased, so has the value of healthcare data. A 2014 report calculated a full dossier of healthcare data on the black market is worth upwards of $1,200. By comparison, a stolen Visa card is worth $4.

Major Areas of HIPAA Compliance for HR Departments

There are four major areas of HIPAA compliance in which HR personnel should be well-versed. These relate to understanding the key components of the Privacy and Security Rules, helping employees understand their rights under HIPAA legislation, safeguarding the PHI of employees, and working with Covered Entities and Business Associates with whom PHI is shared.

These areas of HIPAA compliance for HR departments are comprehensively covered in our “HIPAA Compliance Guide” – a free booklet summarizing the law and its implications. However, there are some areas of HIPAA compliance which – although not unique to HR – sometimes get overlooked in the effort to achieve HIPAA compliance:

Don’t Assume the IT Department is Responsible for Security Rule Compliance

An IT manager is usually delegated as the HIPAA Security Officer, and it is their responsibility to ensure every department within the company is compliant with the Security Rule. But this is not always the case, and HR personnel should not assume the responsibility for security is not theirs.

Remember to Send Updates and Reminders of Privacy Practice Notices

Employees enrolled in a self-insured group health plan must be given a Privacy Practice Notice informing them of their HIPAA-related rights. Most HR departments remember to do this, but some forget to send updates when privacy practices are revised, and a reminder at least once every three years.

Maintain a Written Policy for Investigating and Resolving Complaints

Although not required by HIPAA, a policy should be in place to record privacy complaints, investigations and resolutions. This will be of significant benefit to the company – and the HR department in particular – if an employee pursues their complaint to the Department of Health & Human Services.

Don’t Overlook State Privacy Law Compliance

The relationship between HIPAA and state privacy laws is a source of confusion for some people. HIPAA pre-empts any state privacy laws with weaker privacy protection, but not those that provide stronger privacy protection. In the quest for HIPAA compliance, HR departments should not overlook state requirements.


HIPAA Compliance for Community Health Centers

There is an argument that there should be a different level of HIPAA compliance for community health centers, because community health centers have fewer resources available to them than other Covered Entities. Unfortunately, due to the complexity of the Health Insurance Portability and Accountability Act (HIPAA), introducing different levels of HIPAA compliance for community health centers would be logistically complex and would lead to demands for other “special interest groups” to be taken into account.

A list of “special interest groups” could be extensive. Should charity-funded hospices, for example, have the same level of HIPAA compliance as privately-owned, for-profit medical centers? It may not seem fair, but the answer is “Yes”. This is because a breach of Protected Health Information (PHI) from any source is still a breach of PHI, and the potential consequences of a breach (identity theft, insurance fraud, etc.) will be no different, regardless of how, where or when the breach occurred.

The Purpose of HIPAA Compliance for Community Health Centers

The purpose of HIPAA compliance for community health centers is to safeguard the privacy of patients and protect against the misuse of their PHI. In order to achieve this, the Department of Health & Human Services has published the Privacy and Security Rules and the Breach Notification Rule, with which Covered Entities (healthcare providers, health plans and healthcare clearinghouses) have to comply. The Privacy Rule governs the use and disclosure of PHI in all forms (paper, oral and electronic); the Security Rule specifically governs the storage and transmission of electronic PHI; and the Breach Notification Rule governs what must happen when unsecured PHI is compromised.

Community health centers not only have to comply with these Rules themselves, they also have to make sure that any “Business Associate” with whom they share PHI is HIPAA-compliant, and they must have a signed Business Associate Agreement in place before PHI is shared. A Business Associate is any person or organization that creates, receives, maintains or transmits PHI while performing a function or service on behalf of the community health center, typically one for whom handling PHI is not their primary business. The list of potential Business Associates is extensive and can include lawyers, accountants, and cloud service providers.

Where to Start with HIPAA Compliance for Community Health Centers

The first stage of achieving HIPAA compliance for community health centers is to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These roles can be fulfilled by the same person, and can be filled either by somebody brought in to oversee HIPAA compliance or by an existing member of the health center team. It is also possible to engage a company to assist with HIPAA compliance during the preliminary stages, and then have an existing member of staff take over the positions once the basic requirements have been met.

The Officer(s) responsible for HIPAA compliance should first conduct a risk analysis to identify the areas of the community health center´s operations in which vulnerabilities exist that could result in the unauthorized disclosure of PHI. The Officer(s) should evaluate existing privacy and security policies to determine whether they are adequate and actually followed in practice, and then use the findings of the risk analysis to draw up an action plan of the measures required to achieve HIPAA compliance.

Develop HIPAA-Compliant Policies and Train (and Re-Train) Employees

The action plan will help Privacy and Security Officers prioritize the most crucial vulnerabilities preventing HIPAA compliance for community health centers. Measures need to be implemented to mitigate the risks of a data breach and policies developed to make sure the measures are understood and adhered to. This will involve employee training and the development of a sanctions policy informing employees of the consequences of failing to comply with the new policies.

Employee training should not be regarded as an item to tick off a HIPAA compliance checklist. It should be ongoing and, due to the complexity of HIPAA, more frequent than the annual training suggested by the Department of Health & Human Services. In order to be effective, training about HIPAA compliance for community health centers should address different issues in short sessions. The content of a day´s compressed training is unlikely to be remembered until the next training session one year later.

Further Information about HIPAA Compliance for Community Health Centers

Further information about HIPAA compliance for community health centers can be found in our free-to-download “HIPAA Compliance Guide” – an invaluable review of the legislation that includes more about what constitutes PHI, the contents of the Privacy, Security and Breach Notification Rules, and how relationships with Business Associates should proceed.

There are multiple benefits of achieving and maintaining HIPAA compliance for community health centers. Eligibility for HRSA Section 330 grants and Meaningful Use incentive payments can depend on HIPAA compliance, plus patients will feel happier knowing the integrity of their personal data is being safeguarded. Make sure the community health center under your care is HIPAA compliant. Download our guide today.


9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff.

The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the space of a week, between July 21 and July 28, when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers obtaining the employees’ email login credentials.

Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established that access to the email accounts was gained by unauthorized individuals, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or if any sensitive information was stolen. Since the attack occurred, no reports of misuse of patient information have been received.

To protect individuals against identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those individuals whose Social Security numbers were compromised.

Medical College of Wisconsin reports that in addition to some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been impacted by the breach.

The latest Medical College of Wisconsin phishing attack comes just 10 months after a similar incident resulted in the exposure of 3,200 patients’ protected health information.


November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net.

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed.

Including the 150,000 individuals impacted by the largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average proportion of data breaches caused by insiders, although over the past few months hacking has been the leading cause of breaches. That trend continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, and the loss and theft of devices was behind 16.2% of incidents. The causes of the remaining 18.9% of breaches are not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders – five due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports containing the PHI of at least 150,000 individuals. It was one of two incidents reported in October that involved unsecured AWS S3 buckets.
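The "unsecured S3 bucket" behind the month's largest breach is a configuration failure, and the check for it can be made mechanical. The following added example (not code from Protenus or HIPAA Journal, and not the real bucket configuration from the incident, which was never published) evaluates three inputs a practitioner can export from any bucket: its bucket policy, its ACL, and its Block Public Access settings. The dicts are assumed to follow the shape returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` (the inner `PublicAccessBlockConfiguration` map for the last). The leaky and private samples at the bottom are constructed for illustration.

```python
import json

# Grantee URIs AWS uses for "everyone" and "any signed-in AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller list or fetch objects (compared lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_sids(policy):
    """Sids of statements that let anyone read: Allow + anonymous principal + read action, no Condition."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    sids = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a Condition (e.g. aws:SourceIp) may narrow the grant; review it by hand
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            sids.append(stmt.get("Sid", f"Statement[{i}]"))
    return sids


def public_acl_grants(acl):
    """(URI, Permission) pairs for ACL grants to AllUsers / AuthenticatedUsers."""
    return [
        (g["Grantee"]["URI"], g.get("Permission"))
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def bucket_is_public(policy, acl, block_public_access):
    """Effective exposure once Block Public Access is taken into account.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    stops a public policy applying to anonymous callers. BlockPublicAcls and
    BlockPublicPolicy only reject *new* public settings, so they do not change
    the verdict for a bucket that is already public.
    """
    acl_public = bool(public_acl_grants(acl)) and not block_public_access.get("IgnorePublicAcls", False)
    policy_public = bool(public_policy_sids(policy)) and not block_public_access.get("RestrictPublicBuckets", False)
    return acl_public or policy_public


# --- constructed samples (assumed names; not the bucket from the incident) ---
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}],
}
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-app"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}],
}
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
BPA_OFF = {}
BPA_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("leaky policy + ACL, BPA off:", bucket_is_public(LEAKY_POLICY, LEAKY_ACL, BPA_OFF))
    print("leaky policy + ACL, BPA on :", bucket_is_public(LEAKY_POLICY, LEAKY_ACL, BPA_ON))
    print("private policy + ACL       :", bucket_is_public(PRIVATE_POLICY, PRIVATE_ACL, BPA_OFF))
```

The verdict deliberately treats conditioned anonymous grants as "review by hand" rather than public, because a `Condition` can restrict the statement to a VPC endpoint or IP range; a checker that ignored conditions would drown real findings in false positives, and one that trusted every condition would miss over-broad ones.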

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope – A major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, health plans reported 7, and one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.


Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email.

While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device.

It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers.

The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital, UPMC Susquehanna Lock Haven, Sunbury Community Hospital, Soldiers and Sailors Memorial Hospital in Wellsboro, Williamsport Regional Medical Center and Divine Providence Hospital in Williamsport.

UPMC Susquehanna responded quickly to the breach, terminating unauthorized access. Staff have also been provided with “intensive retraining” on hospital policies and appropriate federal and state laws to prevent any recurrence. UPMC Susquehanna stated this training was in addition to the annual training sessions already provided to all staff members on the privacy and confidentiality of patient health information. UPMC Susquehanna has also conducted a complete review of its policies and procedures for keeping patient information secure.

All patients impacted by the incident have been offered complimentary identity theft protection services and have now received notifications in the mail. Patients have also received instructions on the steps they can take to protect their accounts and credit in case their information is misused.
