Healthcare Data Privacy

When Should You Promote HIPAA Awareness?

Posted by HIPAA Journal

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place?

HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI.

Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices.

The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur.

Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology.

HIPAA Training Cannot be a One-Time Event

The provision of training at the start of an employment contract is essential, but training cannot be a one-time event. It is important to ensure employees do not forget about their responsibilities, so retraining is necessary and a requirement for continued HIPAA compliance.

HIPAA does not specify how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be conducted ‘regularly.’ The industry best practice is for retraining to take place annually.

The HIPAA Privacy Rule Administrative requirements, detailed in 45 CFR § 164.530, require all members of the workforce to receive training on HIPAA Rules and policies and procedures with respect to PHI. Training should be provided, as appropriate, to allow employees to conduct their work duties and functions within the covered entity. One training program therefore does not fit all. HIPAA training for the IT department is likely to be different to training provided to administrative workers. The Privacy Rule requires training to be provided for all new employees “within a reasonable timeframe”.

The HIPAA standard 45 CFR § 164.308(a)(5) covers two types of training – Job-specific training and security awareness training, neither of which can be a one-time event.

While it is important to provide training for HIPAA compliance and security awareness, it is also important to ensure that training has been understood, that it is remembered, and to ensure HIPAA Rules are followed on a day to day basis. It therefore recommended that you promote HIPAA awareness throughout the year.

How to Promote HIPAA Awareness

There is no hard and fast rule for HIPAA retraining and there are many ways that healthcare organizations can promote HIPAA awareness. While formal training sessions can be conducted on an annual basis, the use of newsletters, email bulletins, posters, and quizzes can all help to raise and maintain awareness of HIPAA Rules.

In the case of security awareness training this is especially important. Annual training on HIPAA is a good best practice, but it is important to promote HIPAA awareness with respect to security more frequently. It is a good best practice to provide security awareness training biannually and issue cybersecurity updates on a monthly basis. Any specific threats to the workforce should be communicated as necessary – new phishing threats for instance. However, care should be taken not to bombard employees with threat information, to avoid employees suffering from alert fatigue.

When HIPAA Retraining Required?

In addition to annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security violation and after a data breach has been experienced.

While the individuals concerned should be retrained, it is a good best practice to take these incidents as a training opportunity for all staff to ensure similar breaches do not occur in the future. If one employee makes a mistake with HIPAA, it is possible that others have failed to understand HIPAA requirements or are making similar mistakes.

The post When Should You Promote HIPAA Awareness? appeared first on HIPAA Journal.

Former Employees of Virginia Medical Practice Inappropriately Used Patient Information

Posted by HIPAA Journal

Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies.

The list was used to inform patients of a new practice that was opening in the area. One of the employees used the list to send postcards to Valley Family Medicine patients to advise them that a new practice, unaffiliated to Valley Family Medicine, was being opened. Patients were invited to visit the new practice.

The mailing was sent in mid-July this year, although it was not discovered by Valley Family Medicine until September 15. The discovery prompted a full investigation of the breach, which confirmed that the only information used by the employees was the information contained on the list. That information was limited to names and addresses. No other protected health information was taken or used by the employees.

Those two individuals are no longer employed at the practice and the list has now been recovered. Valley Family Medicine is satisfied that there have been no further misuses or disclosures of the information, and that no other copies of the list exist.

In compliance with HIPAA Rules, the breach has been reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights. All 8,450 patients on the list have been sent a breach notification letter explaining the nature of the incident and informed that there should be no further consequences for patients.

The post Former Employees of Virginia Medical Practice Inappropriately Used Patient Information appeared first on HIPAA Journal.

Is G Suite HIPAA Compliant?

Posted by HIPAA Journal

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules?

Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider.

Making G Suite HIPAA Compliant (by default it isn’t)

As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules.

Obtain a BAA from Google

One important requirement of HIPAA is to obtain a signed, HIPAA-compliant business associate agreement (BAA).

Google first agreed to sign a business associate agreement with healthcare organizations in 2013, back when G Suite was known as Google Apps. The BAA must be obtained prior to G Suite being used to store, maintain, or transmit electronic protected health information. Even though privacy and security controls are in place, the failure to obtain a BAA would be a HIPAA violation.

Obtaining a signed BAA from Google is the first step toward HIPAA compliance, but a BAA alone will not guarantee compliance with HIPAA Rules.

Configure Access Controls

Before G Suite can be used with any ePHI, the G Suite account and services must be configured correctly via the admin console. Access controls must be set up to restrict access to the services that are used with PHI to authorized individuals only. You should set up user groups, as this is the easiest way of providing – and blocking – access to PHI, and logs and alerts must be also be configured.

You should also make sure all additional services are switched off if they are not required, switch on services that include PHI ‘on for some organizations,’ and services that do not involve PHI can be switched on for everyone.

Set Device Controls

HIPAA-covered entities must also ensure that the devices that are used to access G Suite include appropriate security controls. For example, if a smartphone can be used to access G Suite, if that device is lost or stolen, it should not be possible for the device to be used by unauthorized individuals. A login must be required to be entered on all mobiles before access to G Suite is granted, and devices configured to automatically lock. Technology that allows the remote erasure of all data (PHI) stored on mobile devices should also be considered. HIPAA-covered entities should also set up two-factor authentication.

Not All Google Services are Covered by the BAA

You may want to use certain Google services even if they are not covered by the BAA, but those services cannot be used for storing or communicating PHI. For example, Google+ and Google Talk are not included in the BAA and cannot be used with any PHI.

If you do decide to leave these services on, you must ensure that your policies prohibit the use of PHI with these services and that those policies are effectively communicated to all employees. Employees must also receive training on G Suite with respect to PHI to ensure HIPAA Rules are not accidentally violated.

What Services in G Suite are HIPAA Compliant?

At the time of writing, only the following core services of G Suite are covered by Google’s BAA, and can therefore be used with PHI:

  • Gmail (Not free Gmail accounts)
  • Calendar
  • Drive
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault

Google Drive

In the case of Google Drive, it is essential to limit sharing to specific people. Otherwise it is possible that folders and files could be accessed by anyone over the Internet> drives should be configured to only allow access by specific individuals or groups. Any files uploaded to Google Drive should not include any PHI in titles of files, folders, or Team Drives.

Gmail

Gmail, the free email service offered by Google, is not the same as G Suite. Simply using a Gmail account (@gmail.com) to send PHI is not permitted. The content of Gmail messages is scanned by third parties. If PHI is included, it is potentially being ‘accessed’ by third parties, and deleting an email does not guarantee removal from Google’s servers. Free Gmail accounts are not HIPAA compliant.

G Suite HIPAA Compliance is the Responsibility of Users

Google encourages healthcare organizations to use G Suite and has done what it can to make G Suite HIPAA compliant, but Google clearly states it is the responsibility of the user to ensure that the requirements of HIPAA are satisfied.

Google help healthcare organziations make G Suite HIPAA compliant, Google has developed guidance for healthcare organizations on setting up G Suite: See Google’s G Suite HIPAA Implementation Guide.

The post Is G Suite HIPAA Compliant? appeared first on HIPAA Journal.

What Happens if a Nurse Violates HIPAA?

Posted by HIPAA Journal

What happens if a nurse violates HIPAA Compliance Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?  

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules may not have negative consequences and can be dealt with internally. Employers may decide to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here.

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules.

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties for HIPAA violations. HIPAA-covered entities are likely to report such incidents to law enforcement and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, although theft of PHI for financial gain is likely to result in up to 10 years in jail.

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. There may be a viable claim, in some cases, under state laws.

Further information on the penalties for HIPAA violations are detailed here.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long, although the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not required to treat
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using the credentials of another employee to access EMRs/Sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites should be further explained. There have been several instances in recent years of nurses who violate HIPAA with social media.

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media (on this link).

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs and sharing them with friends via social media networks.

There has been considerable publicity surrounding the practice, following the publication of a report on the extent to which this is occurring by ProPublica (Summarized here). In that case it involved the sharing of photographs of patients on Snapchat. 35 separate cases were uncovered.

In January, a nursing assistant was fired for sharing videos and photos of abuse of a patient with Alzheimer’s on Snapchat. A criminal complaint was filed and the nursing assistant faces up to three and a half years in jail if convicted.

What Happens when a Nurse Violates HIPAA? FAQs

What are the most common causes of HIPAA violations by nurses?

Each year, HHS publishes a table indicating the top five issues in investigated cases. While the table does not distinguish between HIPAA violations by nurses and Covered Entities´ non-compliance, the most common causes of HIPAA violations in recent years that could be attributed to nurses include impermissible uses and disclosures of PHI, the failure to respond to – or a delay in responding to – patient access requests, and failing to comply with the Minimum Necessary Standard.

If a nurse accidently discloses ePHI due to a Covered Entity failing to implement a technical safeguard, who is at fault?

The designation of fault can depend on many factors. For example: Should the nurse have known their actions may have resulted in an accidental disclosure of ePHI? Had the actions been covered in security and awareness training? Was the technical safeguard an addressable or required safeguard? What was the impact of the accidental disclosure? Without knowing the answers to these questions, it is impossible to determine who is at fault for the accidental disclosure.

What happens if a nursing student violates HIPAA?

The consequences of HIPAA violation by a nursing student can also depend on many factors. For example: Had the nursing student received adequate training before being exposed to PHI/ePHI? Was the nursing student accompanied by a preceptor or supervisor who should have prevented the HIPAA violation? Was the HIPAA violation attributable to a lack of knowledge, or was it a malicious act? Had the nursing student been given a copy of the Covered Entity´s sanctions policy? Again, without knowing the answers to these questions, it is impossible to discuss potential consequences.

Can a nurse be held responsible for a HIPAA violation if the non-compliant event occurs frequently in the nursing unit?

Nurses are under intense pressure to work as efficiently as possible; and, due to this pressure, there may be times when shortcuts are taken with HIPAA compliance in order to “get the job done”. When shortcuts develop into a “cultural norm”, HIPAA violations can occur frequently without them being recognized as HIPAA violations. However, although the HIPAA violations might not be recognized as such within the nursing unit, a nurse can still be held responsible for a violation – albeit an unintentional violation – that results from an unofficial working practice.

Why is it a violation of HIPAA to share EMR login credentials?

Under the Administrative Safeguards of the Security Rule (45 CFR § 164.308) Covered Entities are required to implement procedures that record system activity including who accesses systems containing ePHI and when. If nurses share EMR login credentials, it is impossible for Covered Entities to accurately monitor system access or determine if a system containing ePHI has been access by a person without authorization.

The post What Happens if a Nurse Violates HIPAA? appeared first on HIPAA Journal.

New Study Reveals Lack of Phishing Awareness and Data Security Training

Posted by HIPAA Journal

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%), and 34% of business owners and high-execs, according to a recent survey by Intermedia.

For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks.

When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or were not aware what phishing is.

Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know what ransomware was, compared to 28% of male workers. 31% of respondents said they did not know what ransomware was prior to taking part in staff training sessions.

The survey revealed security awareness training was lacking at many businesses. 30% of office workers said they did not receive regular training on how to deal with cyber threats. Even though the threat level has risen significantly in the past two years, many businesses have not responded. The 2015 data vulnerability report shows 72% of companies regularly communicated cyber threat information to employees and provided regular training, but in 2017 little has changed. Only 70% of companies provide regular training and threat information to employees. 11% of companies offered no security training whatsoever.

The recently published Global State of Security Survey by Pricewaterhouse Coopers, which was conducted globally on 9,500 executives in 122 countries, suggests the percentage of companies that do not provide security awareness training may well be far higher – 48% of respondents to that survey said they have no employee security awareness training program in place.

Many Employees Pay Ransoms Personally

One of the most interesting insights into ransomware attacks on businesses from the Intermedia study was many employees are so embarrassed and concerned about installing ransomware that they pay the ransom demand out of their own pocket.

Out of the office workers that had experienced a ransomware attack, 59% personally paid the ransom. 37% said the ransom was paid by their employer. The average ransom payment was $1,400. The ransom was typically paid quickly in the hope that data could be restored before anyone else found out about the attack.

While employees were not asked whether they would be made to pay the ransom by their employers, paying the ransom quickly to prevent anyone discovering the attack is unlikely to work. Even when the ransom is paid, businesses still experience considerable downtime. The same study also indicates one in five ransom payments will not see viable decryption keys provided by the attackers.

The post New Study Reveals Lack of Phishing Awareness and Data Security Training appeared first on HIPAA Journal.

HIMSS Draws Attention to Five Current Cybersecurity Threats

Posted by HIPAA Journal

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information.

Wi-Fi Attacks

Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks.

BadRabbit Ransomware

Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption rather than for financial gain. The attacks are now known to use NSA exploits that were also used in other global ransomware attacks. Mitigations include ensuring software and operating systems are kept 100% up to date and all patches are applied promptly. It is also essential for that backups are regularly performed. Backups should be stored securely on at least two different media, with one copy stored securely offsite on an air-gapped device.

Advanced Persistent Threats

A campaign conducted by an APT group known as Dragonfly has been ongoing since at least May 2017. The APT group is targeting critical infrastructure organizations. The typical attack scenario is to target small networks with relatively poor security, and once access has been gained, to move laterally to major networks with high value assets. While the group has primarily been attacking the energy sector, the healthcare industry is also at risk. Further information on the threat and the indicators of compromise can be found on the US-CERT website.

DDE Attacks

In October, security researchers warned of the risk of Dynamic Data Exchange (DDE) attacks targeting Outlook users. This attack scenario involves the use of calendar invites sent via phishing emails. The invites are sent in Rich Text Format, and opening the invites could potentially result in the installation of malware. Sophos warned of the threat and suggested one possible mitigation is to view emails in plaintext. These attacks will present a warning indicating attachments and email and calendar invites contain links to other files. Users should click no when asked to update documents with data from the linked files.

Medical Device Security

HIMSS has drawn attention to the threat of attacks on medical devices, pointing out that these are a soft-spot and typically have poor cybersecurity protections. As was pointed out with the APT critical infrastructure attacks, it is these soft spots that malicious actors look to take advantage of to gain access to networks and data. HIMSS has warned healthcare organizations to heed the advice of analysts, who predict the devices will be targeted with ransomware. Steps should be taken to isolate the devices and back up any data stored on the devices, or the computers and networks to which they connect.

Medical device security was also the subject of the Office for Civil Rights October cybersecurity newsletter.

While not specifically mentioned in its list of current cybersecurity threats, the threat from phishing is ongoing and remains one of the most serious threats to the confidentiality, integrity, and availability of PHI. The threat can be reduced with anti-phishing defenses such as spam filtering software and with training to improve security awareness.

The post HIMSS Draws Attention to Five Current Cybersecurity Threats appeared first on HIPAA Journal.

Survey Reveals Sharing EHR Passwords is Commonplace

Posted by HIPAA Journal

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses.

The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research.

The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password.

Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.

The survey suggests that sharing EHR passwords is commonplace, even though the practice is prohibited by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records on at least one occasion. 57% of respondents estimated the number of times they had accessed EHR information – The average number of occasions was 4.75.

All medical students surveyed said they had accessed EHRs using the credentials of another individual, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so were highly varied.

Common reasons for sharing EHR passwords were permissions on the user’s account did not allow them to complete their work duties, technical problems prevented them from using their own credentials, and personal logins had not been issued, even though EHR access was required to complete work duties.

The researchers suggest the provision of timely and efficient care is often at odds with security protections. The researchers noted, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”

The researchers made two recommendations: “Usability should be added as the fourth principal in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”

The post Survey Reveals Sharing EHR Passwords is Commonplace appeared first on HIPAA Journal.

FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) has released final guidance for medical device manufacturers sharing information with patients at their request.

Legally marketed medical devices collect, store, process, and transmit medical information. When patients request copies of the information recorded by or stored on the devices, manufacturers may share patient-specific information with the patient that makes the request.

The FDA encourages information sharing as it can help patients be more engaged with their healthcare providers. When patients give their healthcare providers data collected by medical devices, it can help them make sound medical decisions.

While information sharing is not a requirement of the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA felt it necessary to provide medical device manufacturers with recommendations about sharing patient-specific information with patients. The guidelines are intended to help manufacturers share information appropriately and responsibly.

The FDA explains that in many cases, patient-specific information recorded by medical devices is shared with the patient’s healthcare providers, and oftentimes the patient is able to obtain copies of that information from their healthcare providers. However, sometimes patients may submit a request to the device manufacturer for a copy of the patient-specific information recorded by the device.

The FDA explains that patient-specific information is information that is unique to a particular patient – or unique to the patient’s diagnosis and treatment – that has been recorded, stored, processed, or derived from a legally marketed medical device. “This information may include, but is not limited to, recorded patient data, device usage/output statistics, healthcare provider inputs, incidence of alarms, and/or records of device malfunctions or failures.”

The FDA notes that patient-specific information does not include labelling, which is covered by the FD&C Act. Labelling covers information such as descriptions of intended use, benefit and risk information, and instructions for use and the sharing of such information is subject to applicable requirements of the FD&C Act.

The FDA encourages device manufacturers to share information with patients when copies are requested, even though data sharing is not a requirement FD&C Act. The FDA also explains that data can be shared with patients at the patient’s request, without the need to undergo an additional premarket review in advance.

Some medical devices record, store, and transmit information in a format that makes it difficult to share the information with patients, or in some cases, information is recorded in a closed system that cannot be accessed by the device manufacturer. The FDA is aware that in such cases it may not be feasible to share data with patients.

When information sharing is possible, device manufacturers should respond to requests promptly and information should be “comprehensive and contemporary.” Data should include all information that is available, up until the point that the request is made.

The FDA points out that its guidance does not establish any legally enforceable responsibilities, and neither does it affect any federal, state or local laws. That includes HIPAA, and specifically the HIPAA Privacy Rule, which will apply if the device manufacturer is a business associate of a HIPAA-covered entity.

The post FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients appeared first on HIPAA Journal.

Tips for Reducing Mobile Device Security Risks

Posted by HIPAA Journal

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level.

As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records.

17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand encryption for mobile devices, yet such a security measure could have prevented a high percentage of the 71 data breaches reported to OCR.

When a mobile device containing ePHI is lost or stolen, the HIPAA Breach Notification Rule requires the breach to be reported and notifications to be sent to affected individuals. If PHI has been encrypted and a device containing ePHI is lost or stolen, notifications need not be sent as it would not be a HIPAA data breach. A breach report and patient notifications are only required for breaches of unencrypted PHI, unless the key to decrypt data is also obtained.

Even though HIPAA does not demand the use of encryption, it must be considered. If the decision is taken not to encrypt data, the decision must be documented and an alternative safeguard – or safeguards – must be employed to ensure the confidentiality, integrity, and availability of ePHI. That alternative safeguard(s) must provide a level of protection equivalent to encryption.

Before the decision about whether or not to encrypt data can be made, HIPAA covered entities must conduct an organization-wide risk analysis, which must include all mobile devices. All risks associated with the use of mobile devices must be assessed and mitigated – see 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

OCR Reminds Covered Entities of Need to Address Risks Associated with Mobile Devices

In its October 2017 Cybersecurity Newsletter, OCR reminded covered entities of the risks associated with mobile devices that are used to create, receive, maintain, or transmit ePHI. HIPAA covered entities were reminded of the need to conduct an organization-wide risk assessment and develop a risk management plan to address all mobile device security risks identified during the risk analysis and reduce them to an appropriate and acceptable level.

While many covered entities allow the use of mobile devices, some prohibit the use of those devices to create, receive, maintain, or transmit ePHI. OCR reminds covered entities that if such a policy exists, it must be communicated to all staff and the policy must be enforced.

When mobile devices can be used to create, receive, maintain, or transmit ePHI, appropriate safeguards must be implemented to reduce risks to an appropriate and acceptable level. While loss or theft of mobile devices is an obvious risk, OCR draws attention to other risks associated with the devices, such as using them to access or send ePHI over unsecured Wi-Fi networks, viewing ePHI stored in the cloud, or accessing or sharing ePHI via file sharing services.

OCR also remined covered entities to ensure default settings on the devices are changed and how healthcare employees must be informed of mobile device security risks, taught best practices, and the correct way to uses the device to access, store, and transmit ePHI.

OCR offers the following advice to covered entities address mobile security risks and keep ePHI secure at all times.

To access OCR’s guidance – Click here.

OCR’s Tips for Reducing Mobile Device Security Risks

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for Failing to Address Mobile Security Risks

The failure to address mobile device security risks could result in a data breach and a penalty for noncompliance with HIPAA Rules. Over the past few years there have been several settlements reached between OCR and HIPAA covered entities for the failure to address mobile device security risks.

These include:

Covered Entity HIPAA Violation Individuals Impacted Penalty
Children’s Medical Center of Dallas Theft of unencrypted devices 6,262 $3.2 million
Oregon Health & Science University Loss of unencrypted laptop / Storage on cloud server without BAA 4,361 $2,700,000
Cardionet Theft of an unencrypted laptop computer 1,391 $2.5 million
Catholic Health Care Services of the Archdiocese of Philadelphia Theft of mobile device 412 $650,000

Addressing Mobile Device Security Risks

Mobile device security risks must be reduced to a reasonable and appropriate level.  Some of the mobile device security risks, together with mitigations, have been summarized in the infographic below. (Click image to enlarge)

mobile device security risks

The post Tips for Reducing Mobile Device Security Risks appeared first on HIPAA Journal.