Healthcare Data Privacy

HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy

Deven McGraw, the Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped down and left OCR. McGraw vacated the position on October 19, 2017.

McGraw has served as Deputy Director for Health Information Privacy since July 2015, replacing Susan McAndrew. McGraw joined OCR from Manatt, Phelps & Phillips, LLP where she co-chaired the company’s privacy and data security practice. McGraw also served as Acting Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) since the departure of Lucia Savage earlier this year.

In July, ONC National Coordinator Donald Rucker announced that following cuts to the ONC budget, the Office of the Chief Privacy Officer would be closed out, with the Chief Privacy Officer receiving only limited support. It therefore seems an opportune moment for Deven McGraw to move onto pastures new.

OCR’s Iliana Peters has stepped in to replace McGraw in the interim and will serve as Acting Deputy Director until a suitable replacement for McGraw can be found. Peters has vacated her position as senior advisor for HIPAA Compliance and Enforcement at OCR. There are no plans to bring in a replacement for McGraw at the ONC.

One of the first tasks for Peters will be to ensure the statutory obligations of the 21st Century Cures Act are met, and to issue guidance for healthcare organizations and patients on health data access and guidance on the allowable uses and disclosures of protected health information for patients receiving treatment for mental health or substance use disorder.

McGraw is an expert in HIPAA and privacy laws and will be sorely missed at OCR. McGraw said on Twitter, “The HIPAA team at OCR is in good hands with Iliana Peters as Acting Deputy.”

Politico reports that McGraw will be heading to Silicon Valley and will be joining a health tech startup that will be focused on “empowering consumers.” At present, no announcement has been made about which company she is joining. Politico reports that McGraw will be “part of a very small team doing the thinking about what the product will look like, the data we’re collecting and how we’ll manage and secure it.”

The post HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy appeared first on HIPAA Journal.

OCR Clarifies HIPAA Rules on Sharing Patient Information After Opioid Overdose

The U.S. Department of Health and Human Services’ Office for Civil Rights has cleared confusion about HIPAA Rules on sharing patient information after an opioid overdose. The HIPAA Privacy Rule permits healthcare providers to share limited PHI in certain emergency and dangerous situations. Those situations include natural disasters and during drug overdoses, if sharing information can prevent or lessen a serious and imminent threat to a patient’s health or safety.

Some healthcare providers have misunderstood the HIPAA Privacy Rule provisions, and believe permission to disclose information to the patient’s loved ones or caregivers must be obtained from the patient before any PHI can be disclosed.

In an emergency or crisis situation, such as during a drug overdose, healthcare providers are permitted to share limited PHI with a patient’s loved ones and caregivers without permission first having been obtained from the patient.

During an opioid overdose, healthcare providers can share health information with the patient’s family members, close friends, and caregivers if:

  • The healthcare provider determines, based on professional judgement, that sharing information about an incapacitated or unconscious patient is in the best interests of the patient, provided the information shared is limited to that directly related to the individual’s involvement in the patient’s care or payment of care. Information on the overdose can be shared, but not unrelated health information unless permission has been obtained.
  • Informing the above individuals would help to prevent or lessen a serious threat to the patient’s health and safety – Such as continued opioid abuse on discharge.

In cases when a patient is not unconscious or incapacitated and has decision-making capability, healthcare providers must give the patient the opportunity to object to the disclosure of their overdose to loved ones, close friends, caregivers, or individuals involved in the payment for care. If a patient has decision making capability, or if permission to share the information is denied, healthcare providers cannot share information unless “there is a serious and imminent threat of harm to health.”

There will be situations when a patient is only temporarily incapacitated, and their decision-making capability will be recovered during the course of treatment. In such cases, it is down to the discretion of the healthcare provider whether health information is shared while the patient is incapacitated, the type of information that is shared, and how much. When the patient regains consciousness and decision-making capability, permission must then be obtained before any further disclosures of health information are made.

OCR also points out that it is not only HIPAA Rules that may apply in such situations, explaining “HIPAA does not interfere with state laws or medical ethics rules that are more protective of patient privacy.”

The guidance on HIPAA Rules on sharing patient information after opioid overdose can be viewed on this link.

The post OCR Clarifies HIPAA Rules on Sharing Patient Information After Opioid Overdose appeared first on HIPAA Journal.

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails.

Report Shows Massive Rise in Phishing Attacks Using Malicious URLs

This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months.

Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3.

While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are harvested.

Proofpoint’s analysis shows there was a staggering 600% increase in phishing attacks using malicious URLs in Q3. Compared to 2016, the use of malicious URLs has increased by a staggering 2,200%. The volume of malicious emails has not been that high since 2014.

Locky is Back With a Vengeance

For its report, Proofpoint analyzed more than one billion emails and hundreds of millions of social media posts, and identified and analyzed more than 150 million malware samples.

Out of all of the email threats analyzed, 64% were used to deliver ransomware. At the start of the year, Cerber ransomware was the biggest ransomware threat, having taken over from Locky, but in Q3, Locky came back with a vengeance. Locky ransomware accounted for 55% of all malicious payloads and 86% of all ransomware payloads. There were also notable increases in other ransomware variants, including Philadelphia and Globelmposter.

The second biggest threat was banking Trojans, which accounted for 24% of all malicious payloads. Proofpoint’s report shows the Dridex Trojan has fallen out of favor somewhat, with The Trick now the biggest threat in this category. Downloaders accounted for 6% of malicious emails and information stealers 5%.

In the first half of 2016, exploit kits were being extensively used to deliver malware and ransomware, although exploit kit activity dwindled throughout the year and all but stopped by 2017. However, exploit kit activity is climbing once again, with the Rig the most commonly used exploit kit. Proofpoint notes that rather than just using exploits, the actors behind these EKs are now incorporating social engineering techniques into their campaigns to fool users into downloading malware.

Social media attacks also rose, in particular so called “angler attacks” via Twitter. These attacks involve the registration of bogus support accounts. Twitter is monitored for customers who are experiencing difficulty with software, and when a complaint is made, the user is sent a tweet from the bogus account containing malicious links.

Proofpoint also noted a 12% rise in email fraud in Q3, up 32% from last year, and a notable rise in typosquatting and domain spoofing. The registration of suspicious domains now outnumbers defensive domain registrations by 20 to 1.

The advice to all organizations is to implement robust spam filtering software to block malicious emails, use solutions to block malicious URLS such as web filters, use email authentication to stop domain spoofing, and to take steps to protect brands on social media. The risk from look-alike domains can be greatly reduced with defense domain purchases – registering all similar domains before the typosquatters do.

The post Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017 appeared first on HIPAA Journal.

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules.

Amazon Will Sign a Business Associate Agreement for AWS

Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA.

Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case.

As part of its efforts to help healthcare organizations use AWS safely and securely without violating HIPAA Rules, Amazon has published a 26 page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered entities and business associates get to grips with securing their AWS instances, and setting access controls.

AWS HIPAA Compliance is Something of a Misnomer

Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.

The Amazon Simple Storage Service (S3) that is provided through AWS can be used for data storage, data analysis, data sharing, and many other purposes. Data can be accessed from anywhere with an Internet connection, including via websites, and mobile apps. AWS has been developed to be secure, otherwise no one would use the service. But it has also been developed to make data easy to access, by anyone with the correct permissions. Make a mistake configuring users or setting permissions and data will be left exposed.

Just because AWS is HIPAA compliant, it does not mean that using AWS is free from risk, and neither that a HIPAA violation will not occur. Leaving AWS S3 buckets unprotected and accessible by the public is a clear violation of HIPAA Rules. It may seem obvious to secure AWS S3 buckets containing PHI, but this year there have been multiple healthcare organizations that have left their PHI open and accessible by anyone.

Amazon S3 buckets are secure by default. The only way they can be accessed is by using the administrator credentials of the resource owner. It is the process of configuring permissions and providing other users with access to the resource that often goes awry.

When is AWS not HIPAA Compliant?

When is AWS HIPAA compliant? When a BAA has been signed, users have been instructed on the correct way to use the service, and when access controls and permissions have been set correctly. Misconfigure an Amazon S3 bucket and your data will be accessible by anyone who knows where to look.

Documentation is available on the correct way to configure Amazon S3 services and manage access and permissions. Unfortunately, since there are several ways to grant permissions, there are also several points that errors can occur, and simple mistakes can have grave consequences.

On numerous occasions, security researchers have discovered unprotected AWS S3 buckets and have alerted healthcare organizations that PHI has been left unprotected. However, security researchers are not the only ones checking for unsecured data. Hackers are always on the prowl. It is far easier for a hacker to steal data from cloud storage services that have had all protections removed than it is to attack organizations in other ways.

One of the mistakes that has been made time and again is setting access controls to allow access by ‘authenticated users.’ That could be taken to mean anyone who you have authenticated to have access to your data. However, that is not Amazon’s definition of an authenticated user. An authenticated user is anyone with an AWS account, and anyone can obtain an AWS account free of charge.

How Common are AWS Misconfigurations?

AWS misconfigurations are very common. So much so, that Amazon recently emailed users who had potentially misconfigured their S3 buckets to warn them that data could be accessed by anyone.

Amazon said in its email, “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

Some of those public disclosures have been by healthcare organisations, but the list is long and varied, including military contractors, financial institutions, mobile carriers, entertainment companies, and cable TV providers. One data analytics firm left data unprotected, exposing the records of 200 million voters. Verizon exposed the data of between 6 and 14 million customers, and World Wide Entertainment exposed the data of 3 million individuals. Patient Home Monitoring, a HIPAA covered entity, left 47GB of data unprotected.

There is no excuse for these oversights. Checking for unprotected AWS buckets is not only a quick and easy process, software can be used free of charge for this purpose. A tool has been developed Kromtech called S3 Inspector that can be used to check for unsecured S3 buckets.

Is AWS HIPAA Compliant?

So, in summary, is AWS HIPAA compliant? Yes, it can be, and AWS offers healthcare organizations huge benefits.

Can the use of AWS violate HIPAA Rules and leave PHI unprotected? Very easily.

Would misconfiguration of AWS lead to a HIPAA violation penalty? That is a distinct possibility. AWS is secure by default. Only if settings are changed will stored data be accessible. It would be hard to argue with OCR auditors that manually changing permissions to allow anyone to access a S3 bucket containing PHI is anything other than a serious violation of HIPAA Rules.

The post Is AWS HIPAA Compliant? appeared first on HIPAA Journal.

The 10 Most Common HIPAA Violations You Should Avoid

HIPAA violations most often occur when covered entities, business associates, or members of either’s workforces fail to comply with the Privacy, Security, or Breach Notification Rules. There are many different types of HIPAA violations, and the ten most common HIPAA violations that have resulted in financial penalties are:

  • Snooping on Healthcare Records
  • Failure to Perform an Organization-Wide Risk Analysis
  • Failure to Manage Security Risks / Lack of a Risk Management Process
  • Denying Patients’ Access to Health Records/Exceeding Timescale for Providing Access
  • Failure to Enter into a HIPAA-Compliant Business Associate Agreement
  • Insufficient ePHI Access Controls
  • Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices
  • Exceeding the 60-Day Deadline for Issuing Breach Notifications
  • Impermissible Disclosures of Protected Health Information
  • Improper Disposal of PHI

In this article we outline how you can avoid these common HIPAA violations.Ten Most Common HIPAA Violations

You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance. Use any form on this page to arrange for your copy of the checklist.

What are the 10 Most Common HIPAA Violations?

Listed below are 10 of the most common HIPAA violations, together with examples of HIPAA-covered entities and business associates that have been discovered to be in violation of HIPAA Rules.

These example cases have had to settle those violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In many cases, investigations have uncovered multiple HIPAA violations.

The settlements pursued by OCR are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules.

The settlement amounts reflect the seriousness of the violation, the length of time the violation has been allowed to persist, the number of violations identified, and the financial position of the covered entity/business associate.

1. Snooping on Healthcare Records

What are the ten most common HIPAA violationsAccessing the health records of patients for reasons other than those permitted by the Privacy Rule is a violation of patient privacy. Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations can result in termination of employment but could also result in criminal charges for the employee concerned. Financial penalties for healthcare organizations that have failed to prevent snooping are relatively uncommon, but they are possible – as the University of California Los Angeles Health System discovered.

University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had accessed the medical records of celebrities and other patients without authorization. Dr. Huping Zhou accessed the records of patients without authorization 323 times after learning that he would soon be dismissed.  Dr. Zhou became the first healthcare employee to be jailed for a HIPAA violation and was sentenced to four months in federal prison.

2. Failure to Perform an Organization-Wide Risk Analysis

The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are likely to remain unaddressed, leaving the door wide open for violations to occur.

HIPAA settlements with covered entities for the failure to conduct an organization-wide risk assessment include:

3. Failure to Manage Security Risks / Lack of a Risk Management Process

Performing a risk analysis is essential, but it is not just a checkbox item for compliance. Risks that are identified must then be subjected to a risk management process. They should be prioritized and addressed in a reasonable time frame. Knowing about risks to PHI and failing to address them is one of the most common HIPAA violations penalized by the Office for Civil Rights.

HIPAA settlements with covered entities for the failure to manage identified risks include:

4. Denying Patients Access to Health Records/Exceeding Timescale for Providing Access

The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. This allows patients to check their records for errors and share them with other entities and individuals. Denying patients access to health records, overcharging for copies, or failing to provide records within 30 days is a violation of HIPAA. OCR made HIPAA Right of Access violations one of its key enforcement objectives in late 2019.

HIPAA settlements with covered entities for denying patients access to their records or unnecessary delays in providing access include:

5. Failure to Enter into a HIPAA-Compliant Business Associate Agreement

The failure to enter into a HIPAA-compliant business associate agreement with all vendors that are provided with or given access to PHI is another of the most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant, especially if they have not been revised after the Omnibus Final Rule.

Notable settlements for these common HIPAA violations include:

6. Insufficient ePHI Access Controls

The HIPAA Security Rule requires covered entities and their business associates to limit access to ePHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and one that has attracted several financial penalties.

Financial penalties issued to covered entities for ePHI access control failures include:

7. Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices

One of the most effective methods of preventing data breaches is to encrypt PHI. Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt data is also accessed. Encryption is not mandatory under HIPAA Rules, but it cannot be ignored. If the decision is taken not to use encryption, an alternative, equivalent security measure must be used in its place.

Recent settlements for the failure to safeguard PHI include:

8. Exceeding the 60-Day Deadline for Issuing Breach Notifications

The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations, which has seen several recent penalties issued:

9. Impermissible Disclosures of Protected Health Information

Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This violation category includes disclosing PHI to a patient’s employer for a purpose not permitted by the Privacy Rule, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, not adhering to the ‘minimum necessary’ standard, and disclosures of PHI after patient authorizations have expired.

Settlements for impermissible disclosures of PHI include:

10. Improper Disposal of PHI

When physical PHI and ePHI are no longer required and retention periods have expired, HIPAA Rules require the information to be securely and permanently destroyed. For paper records this could involve shredding or pulping and for ePHI, degaussing, securely wiping, or destroying the electronic devices on which the ePHI is stored to prevent impermissible disclosures.

Financial penalties issued to covered entities for improper disposal of PHI/ePHI include:

Non-Financial HIPAA Violation Examples

HIPAA violations do not always result in financial penalties. Many violations of HIPAA investigated by OCR are resolved by guidance, technical assistance, and/or a corrective action plan depending on the nature of the violation and the harm caused, the covered entity’s previous history of violations, and their willingness to cooperate with an OCR investigation.

Because violations resolved by guidance, technical assistance, and/or a corrective action plan rarely attract headlines, some of the work done by OCR to promote compliance with HIPAA can be overlooked. However, as of March 2022, OCR has investigated and resolved 29,478 cases without issuing a financial penalty. Non-financial HIPAA violation examples include:

  • A hospital was required to implement new minimum necessary policies for telephone messages after an employee left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan.
  • A mental health center was required to correct its process for providing Notices of Privacy Practices prior to an intake assessment after the center failed to provide the father of a minor patient with an NPP prior to a mental health evaluation.
  • A covered entity was required to withdraw a $100 “records review fee” charged to a patient for providing the patient with copies of his medical records. Under the Privacy Rule, covered entities are only allowed to charge a reasonable cost-based fee.
  • A private practice was required to implement policies on the verbal communication of PHI after a staff member discussed HIV testing procedures with a patient in the practice´s waiting room – thereby disclosing PHI to others in the waiting room.
  • A radiology practice was required to revise its processes for workers´ compensation disclosures after a patient´s imaging tests were sent to the patient´s employer to support a claim for which the employer´s program was not responsible for payment.
  • A health plan was required to correct a flaw in its computer system, review transactions for a six-month period, and correct corrupted patient information after PHI was included in an explanation of benefits letter mailed to an unauthorized family member.

Examples of HIPAA Violations by Healthcare Employees

Snooping on healthcare records is a fairly obvious HIPAA violation and one that all healthcare employees who have received HIPAA training should know is a violation of their employer’s policies and HIPAA Rules.

Other examples of HIPAA violations often come about as a result of misunderstandings about HIPAA requirements. While each of these common HIPAA violations affect far fewer numbers of patients than the above violations, they can still cause a significant amount of harm to the patient(s) involved and their employer. They can also result in disciplinary action against the employee responsible – including termination.

Listed below are some of the common HIPAA violations committed by healthcare employees. These common HIPAA violations should be covered as part of the HIPAA training given to employees to raise awareness of these frequent areas of noncompliance.

Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility

It can be difficult to find the time to complete all the necessary tasks within working hours and it can be tempting to take work home to complete. Removing protected health information from a healthcare facility places that information at risk of exposure. This is a common employee HIPAA violation and may even be routine practice at a healthcare facility that is understaffed. That does not mean it is an acceptable practice.

The same applies to emailing ePHI to personal email accounts. Regardless of the intentions, whether it is to get help with spreadsheets, complete work at home to get ahead for the next day, or to catch up on a backlog, it is a violation of HIPAA Rules.  Further, any emailing of ePHI to a personal email account could be considered theft – the repercussions of which could be far more severe than the termination of an employment contract.

Leaving Portable Electronic Devices and Paperwork Unattended

The HIPAA Security Rule requires PHI and ePHI to be secured at all times. If paperwork is left unattended it could be viewed by an unauthorized individual, be that a member of staff, patient, or visitor to the healthcare facility. Were that to happen it would be considered an impermissible disclosure of PHI.

Electronic devices that contain ePHI must similarly be secured at all times. Electronic devices are portable and valuable. Opportunistic thieves could easily steal an unattended device and gain access to ePHI. There have been many cases of healthcare employees removing unencrypted devices from healthcare facilities, only for them to be stolen from vehicles or homes. Theft can also easily occur within a healthcare facility if devices are not secured. Healthcare employees must ensure that their employer’s policies are followed, and HIPAA Rules are not violated by leaving devices and paperwork unattended.

Releasing Patient Information to an Unauthorized Individual

An authorization form must be obtained from a patient before any of their PHI can be disclosed to a third party for a purpose other than one expressly permitted by the HIPAA Privacy Rule. Disclosing PHI for purposes other than treatment, payment for healthcare, or healthcare operations (and limited other cases) is a HIPAA violation if authorization has not been received from the patient in advance.

Healthcare employees must ensure that, prior to disclosing PHI to a third party, authorization has been obtained from the patient, and information is not disclosed to any individual or company not included on the authorization form. Authorization forms are only valid if they have been signed by the patient or their nominated representative.

Releasing Patient Information Without Authorization

In a similar vein to the previous point, healthcare employees must also exercise caution about the types of information that are released to third parties, even if an authorization form has been received allowing a specific individual, company, or organization to receive PHI.

The authorization form should include what types of information have been authorized to be released. Any information not detailed on the authorization form must remain private and confidential and should not be shared. The disclosure of additional information would violate the HIPAA Privacy Rule.

Disclosures of PHI to Third Parties After the Expiry of an Authorization

All HIPAA authorization forms must include the names or classes of individuals who are being authorized to receive PHI, the types of PHI that will be disclosed, and the reasons for the disclosures. They must also include an expiry date for the authorization.

PHI must not be disclosed to any individual listed on the authorization form after the expiry date has passed, even if authorization has previously been given to that entity to receive PHI. A new authorization form is required before any further disclosure takes place. It should also be noted that an authorization form without an expiry date is not HIPAA compliant.

Impermissible Disclosures of Patient Health Records

The HIPAA Privacy Rule permits patients to obtain a copy of their health records on request or have their records provided to a nominated third party such as a personal representative or other individual. If not collected in person by the patient, the third party must have been given authorization by the patient – on a HIPAA authorization form – to receive the records before they can be released.

Prior to providing copies of patient health records, healthcare employees must verify the identity of the patient or the person collecting the records and must ensure records are only released to an individual authorized to receive them. Care must also be taken to ensure that the correct patient records are released.

Downloading PHI onto Unauthorized Devices

It can be difficult for healthcare IT departments to keep track of all devices that connect to the network, given how many different devices have network access. Ensuring those devices are secured can be an even bigger problem, yet this is a requirement for HIPAA compliance.

Employees need to be aware that there are privacy and security risks associated with downloading ePHI to unauthorized portable electronic devices. Not only does this increase the risk of the accidental disclosure of ePHI – in the event that the device is lost or stolen – it could also be viewed as theft and a HIPAA violation.

Providing Unauthorized Access to Medical Records

It is the responsibility of the covered entity to ensure that access to patient health information and medical records is only given to authorized individuals. This is achieved by implementing access controls via unique logins.

Employees have a responsibility to ensure that they do not give access to health information to co-workers who may not have the same access rights. The sharing of login credentials could not only result in an impermissible disclosure of ePHI but any actions taken by that employee would also be attributed to the individual whose login credentials were used to gain access.

Actual Examples of HIPAA Violations by Employees

There are not very many examples of HIPAA violations by employees because most are dealt with internally according to the organization´s sanction policy. However, in a few cases, employees´ contracts are terminated and examples of HIPAA violations by employees are brought to the attention of the outside world. The following is a small selection of those we have reported on:

In May 2013, Dianna Hereford was terminated from her position as a staff nurse at the Norton Audubon Hospital for improperly disclosing the condition of a patient with Hepatitis C. Hereford claimed she was wrongfully dismissed for an incidental disclosure; but her claim was dismissed by Jefferson Circuit Court and by Kentucky´s Court of Appeals when she appealed the decision.

In March 2017, an employee of New Jersey-based BioReference Laboratories was terminated from their position for failing to securely dispose of documents containing the PHI of 1,772 patients. Rather than following the company´s policy for disposing of PHI, which involved shredding the documents before disposing of them, the employee threw the documents into a dumpster.

Also in 2017, an employee of Lowell General Hospital in Massachusetts was fired for snooping on the healthcare records of 769 patients. As mentioned above, snooping on healthcare records is one of the most common HIPAA violations; but whereas it normally impacts patients who are known to the employee, this was an extreme example of a HIPAA violation by an employee.

Uncommon HIPAA Violations

The common HIPAA violations described above are frequently cited in OCR’s enforcement actions and are common root causes of data breaches; however, there are many types of HIPAA violations. The violations listed below are less common, and in some cases, harder to detect, and do not get reported so frequently.

 

Uncommon HIPAA Violations

Description

Filming Patients without Consent

Filming patients without their consent is a HIPAA violation if it results in the unauthorized disclosure of protected health information, compromising patient privacy and failing to adhere to HIPAA’s requirements for patient consent and privacy protection.

New York Presbyterian Hospital – $2,200,000 penalty for filming patients without consent.

Massachusetts General Hospital– $515,000 penalty for filming patients without consent.

Brigham and Women’s Hospital– $384,000 penalty for filming patients without consent.

Boston Medical Center – $100,000 penalty for filming patients without consent.

Impermissible Data Sharing During Medical Research

Inadequate protection of patient data during collaborative medical research, potentially exposing sensitive information. Researchers must ensure that data sharing adheres to strict privacy safeguards and obtain proper patient consent, when required, to avoid HIPAA violations. Effective safeguards are essential when conducting research that involves patient data that has not been de-identified to prevent unintended exposure.

Huntington Medical Research Institutes Discovers Two HIPAA Breaches

Hospital Researchers Jailed for Stealing and Selling Research Data to China

Non-Secure File Sharing

Sharing patient records through non-secure methods such as personal email accounts or unencrypted file-sharing services is a HIPAA violation. This can occur if proper policies and procedures are not in place and is often the result of insufficient training. Using secure (encrypted) communications tools is necessary to prevent these breaches, and there must be a business associate agreement in place with the provider of a communication platform.

11K Dental Patients’ PHI Uploaded to File Sharing Website

Exposure of Patient Data in Home-Based Care

Lack of adequate data security measures in home-based healthcare settings can lead to unauthorized access to patient records in private residences. Ensuring patient data privacy is essential, even in non-traditional care settings. Secure practices must be used for accessing and transmitting patient information.

Data Issue Arises From Home Diabetes Test

Data Exposure when Working from Home

Exposure of patient data to unauthorized individuals when working from home. When taking paperwork home or working on portable devices, PHI must be protected. While family members and other individuals in the same household may be trusted, they are not authorized to view any patient data. Care must be taken not to leave devices or paperwork unattended with patient data visible.

Potential PHI Disclosure After Employee Works from Home with Hospital Data

Medical Records Sent to Incorrect Patients

Sending medical records to incorrect patients is a HIPAA violation as it constitutes an unauthorized disclosure of protected health information (PHI), compromising patient privacy and failing to safeguard their confidential medical information.

Mailing Error Affects 19,570 Missouri Care Members

Mailing Correspondence with PHI Visible

When PHI is visible on the outside of an envelope or package, it can be easily seen by unauthorized individuals who handle or come into contact with the mail, leading to an unauthorized disclosure of sensitive health information. Patients have the right to expect that their health information will be kept private. Mailing correspondence with visible PHI breaches patient privacy and can cause distress and concern for patients who discover that their sensitive information is exposed. HIPAA mandates that appropriate safeguards, such as physical and administrative safeguards, be in place to protect PHI from unauthorized access or disclosure. Mailing correspondence with visible PHI demonstrates a lack of these safeguards.

Amida Care Mailing Potentially Revealed HIV Status of its Members

Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed

Unauthorized Photographs/Sharing of Photographs

Taking photographs of patients without authorization and unauthorized sharing of images is a HIPAA violation. It is not permitted to share photographs of patients with unauthorized individuals, even with other healthcare professionals if the file is shared for reasons other than for treatment, payment, or healthcare operations purposes.

Hospital Staff Shared Photographs of Patient’s Genital Injury

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

Workplace Sabotage

Deliberate sabotage of healthcare systems, data alteration, or introduction of malware by disgruntled employees is a HIPAA violation. Robust security measures must be implemented, employees should be monitored, and access to data and systems should be promptly revoked when employees are terminated or otherwise leave employment.

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

Providing Family Members, Friends, and Partners with Access to PHI

Allowing family members, friends, and partners to access a patient’s medical records without proper authorization or accessing records on their behalf and disclosing PHI. Individuals requesting access to patient data must be authorized to access that information, and PHI may only be disclosed to individuals authorized to receive it. Employees must be made aware of their responsibilities under HIPAA.

Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts

$853,000 Awarded to Patient Whose PHI Was Impermissibly Disclosed to Former Boyfriend

Data Exposure During Telehealth Visits

Inadequate protection of patient data when conducting telehealth visits. While OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services during the pandemic and allowed non-public-facing communication tools for telehealth, the period of enforcement discretion is over. Only HIPAA-compliant communications tools can be used, that encrypt or otherwise secure communications, and there must be a business associate agreement in place.

OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends

Unauthorized Use of Medical Illustrations

Unauthorized use of medical illustrations or images containing patient information in presentations, publications, or websites. Consent must be obtained before any images that have not been de-identified according to HIPAA standards can be used in presentations, publications, or for training purposes.

Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

Medical Students Tracking Patients on EHRs

Medical students tracking former patients on EHRs to view outcomes and progress is a HIPAA violation unless patient consent has been obtained. Accessing the medical records of former patients on EHRs out of curiosity violates patient privacy.

Med Students Violating HIPAA by Tracking Patients on EHRs

Examples of Unintentional HIPAA Violations

Unintentional HIPAA violations can occur when healthcare professionals or organizations inadvertently access or disclose protected health information (PHI) without proper authorization, or when the HIPAA Rules are violated due to a lack of training.

Unintentional HIPAA Violation Description of HIPAA Violation
Accidental Disclosure in Conversation Healthcare professionals may inadvertently discuss patient information in public areas, like elevators or cafeterias, without realizing that others can overhear, potentially violating HIPAA confidentiality rules. Such disclosures may occur due to a lack of awareness or caution in maintaining patient privacy.

Careless Talk Sees University of Iowa Worker Fired for HIPAA Privacy Violation

Email Errors Sending an email containing protected health information (PHI) to the wrong recipient due to an email address autocomplete mistake or selecting the incorrect recipient. This can lead to unauthorized access to sensitive patient data when the email recipient is not authorized to view the information.

Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans

Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients

Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients

Dermatologist Email Error Exposes 14,910 Patients’ SSNs

University of Cincinnati Email Errors Result in 1,064-Patient Data Breach

Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans

Faxing Errors Mistakenly sending a fax with PHI to the wrong fax number or faxing PHI when it may be viewed by unauthorized individuals. Such errors can result in unintended access to patient information by individuals who should not have access to it.

Even HHS Involvement Did Not Stop Months of Fax Privacy Breaches

Faxing Error Sees PHI Sent to Local Media Outlet

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Lost or Stolen Devices Losing electronic devices, such as laptops, smartphones, or tablets, that contain unencrypted patient data, or leaving them in areas where they can easily be stolen. If these devices are lost or stolen, it can inadvertently expose PHI to unauthorized individuals who may gain access to the device’s contents.

Lost Blackberry Device Results in $3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

CardioNet Fined $2.5 Million for Laptop Theft and Data Breach

Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center

Conn. OIG Reaches $90K Settlement with Hartford Hospital and BA Over 2012 Laptop Theft

Lifespan Laptop Theft Exposes ePHI of 20,000 Patients

Improper Disposal of Records Incorrectly disposing of paper records, like medical charts or billing documents, by placing them in regular trash bins without shredding or using other secure methods to render PHI unreadable, or disposing of electronic devices without securely wiping them. This can lead to unauthorized individuals accessing patient data by retrieving discarded records.

Kaiser Pays $49 Million to Settle Improper Disposal Investigation

Improper Disposal of PHI Results in $300,640 HIPAA Penalty

Improper Disposal Nets Small Pharmacy $125K OCR HIPAA Penalty

HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients

Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients

Misdirected Mail Mailing patient records or billing statements to the wrong address due to clerical errors or inaccuracies in patient information. Such mistakes can inadvertently share sensitive patient information with individuals who should not have access to it.

Kaiser Permanente Fined $450,000 for Mailing Error

Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses

Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans

Mailing Error at CMS Vendor Affects 10,000 Medicare Beneficiaries

Mailing Error by State of Colorado Affects 12,230 Individuals

St. Vincent Breast Center Breaches HIPAA with 63K-Patient Mailing

Access by Unauthorized Personnel Allowing healthcare employees without the necessary access permissions to view or handle patient records, and failing to terminate access rights when employees are terminated or leave the company. This oversight can result in unintentional breaches of patient confidentiality.

Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT

Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

Pharma Sales Rep Pleads Guilty to Healthcare Fraud and Criminal HIPAA Violations

Survey Reveals Sharing EHR Passwords is Commonplace

Accessing PHI Out of Curiosity Healthcare professionals accessing patient records out of curiosity or without a legitimate medical reason. This action violates patient privacy and confidentiality unintentionally when healthcare workers access PHI without a valid need for patient care or treatment.

$240,000 HIPAA Penalty After Security Guards Access Medical Records

Med Students Violating HIPAA by Tracking Patients on EHRs

Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years

Medical Center FacingLegal Action Over Snooping on George Floyd’s Medical Records

Dozens of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

Henry Mayo Newhall Hospital Fires Employees for Snooping on Medical Records

Hawaii Pacific Health Discovers 5-Year Insider Data Breach

Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses.

Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.

The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. When this happens, the investigations are closed without any action being taken.

How are Common HIPAA Violations Discovered?

Common HIPAA violations can continue for many months, or even years before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. It is important for HIPAA-covered entities to conduct regular HIPAA compliance reviews (this is required by the HIPAA law) to make sure common HIPAA violations are discovered and corrected before they are identified by regulators.

There are three main ways that common HIPAA violations are discovered:

  1. Investigations into a data breach by OCR (or state attorneys general)
  2. Investigations into complaints about covered entities and business associates
  3. HIPAA compliance audits

Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.

FAQs

What does it mean to “reduce risk to an appropriate and acceptable level”?

What reducing risk to an appropriate and acceptable level means is that, when potential risks and vulnerabilities are identified, Covered Entities and Business Associates have to decide what measures are reasonable to implement according to the size, complexity, and capabilities of the organization, the existing measures already in place, and the cost of implementing further measures in relation to the likelihood of a data breach and the scale of injury it could cause.

How is it possible to prevent employees from snooping on healthcare records?

To prevent employees from snooping on healthcare records, Covered Entities should implement a program of training, ensure access privileges comply with the Minimum Necessary Standard, activate audit logs, and enforce sanctions. It is also important that employees are made aware during HIPAA training that, although many cases of healthcare snooping are attributable to curiosity rather than malicious intent, all cases of healthcare snooping are HIPAA violations.

If encryption is not mandatory, how can it be a HIPAA violation if records are unencrypted?

Although encryption is not mandatory, it can be a HIPAA violation if records are unencrypted and no other measure that is equally as effective has been implemented. Encryption is an addressable implementation specification of the Security Rule. This means organizations can only avoid implementing the requirement if it is not reasonable and appropriate in the circumstances, or if an alternative security measure is equally as effective. If organizations fail to encrypt records, they have to document the reasons why.

Why was the fine for denying patients access to health records so high?

The fine for denying patients access to health records was so high in the event mentioned in the article because, in this particular case, the non-cooperation of the Covered Entity contributed to the size of the fine (you can read about the case here). Since this case, the CMS´ Meaningful Use program has evolved into the Promoting Interoperability program, and – in addition to being sanctioned for a HIPAA violation – any covered entity failing to provide health records in a timely manner could now also lose a percentage of their Medicare payments.

What are the consequences of accessing a patient chart without reason?

The consequences of accessing a patient chart without reason vary depending on the reason for the impermissible access and the organization´s sanctions policy. If it was an employee’s first violation and no harm was caused by the violation, it is likely the employee will receive a warning and have to undergo additional training. If the violation was a repeat offense, caused harm to the patient or organization, and was done with malicious intent, the likely consequences are termination of contract, a report to a licensing authority, and the possible involvement of law enforcement.

Are HIPAA violations common?

Nobody knows if HIPAA violations are common because, although HHS´ Office for Civil Rights publishes an “Enforcement Highlights” webpage, the statistics on this page only relate to reports and complaints received by the agency. HIPAA violations can also be reported to the Centers for Medicare and Medicaid (CMS), the Federal Trade Commission (FTC), State Attorneys General, the Covered Entity at which the HIPAA violation occurred, or not reported at all.

How do HIPAA violations affect patients?

HIPAA violations affect patients in different ways depending on the nature of the violation. If a hospital has failed to enter into a Business Associate Agreement with a company that provides data analysis services, the violation will not affect patients at all. Conversely, if a HIPAA violation results in the exposure of patients’ personal information, which is then used to conduct identity theft, this will significantly affect patients. For these reasons, there is no one-size-fits-all answer to this question.

What are examples of HIPAA violations?

In addition to the examples of HIPAA violations listed above, Covered Entities can violate HIPAA by failing to comply with the Administrative Requirements of HIPAA. These include the Transaction, Code Sets, and Identifier Standards published by the Department of Health and Human Services; and although Covered Entities are not fined for violations of this nature, they can be excluded from the Medicare program by CMS – which will substantially affect their income.

What is considered a HIPAA violation by the Federal Trade Commission?

An event considered a HIPAA violation by the Federal Trade Commission (FTC) is a failure to comply with the Breach Notification Rule by an organization that has access to PHI, but which does not qualify as a Covered Entity or Business Associate – for example, vendors of Personal Health Records.

Organizations that are not Covered Entities or Business Associates do not have to comply with the Privacy or Security Rule, but they do have to comply with the Breach Notification Rule, and the failure to notify individuals and the FTC of a data breach is considered a HIPAA violation by the FTC – which has the authority to issue substantial fines for non-compliance.

What counts as a HIPAA violation by employees?

What counts as a HIPAA violation by employees is the failure to comply with employers’ HIPAA-related policies and procedures – provided employees have received adequate training on the policies and procedures. In such cases, the employee will be subject to the sanctions listed in their employer’s sanctions policy (verbal warning, written warning, suspension, termination, etc.).

Employees can also violate HIPAA by knowingly and wrongfully disclosing PHI. In such cases, employers are required to notify HHS´ Office for Civil Rights, who will refer the case to the Department of Justice. If there is evidence of criminal wrongdoing, the Department of Justice can pursue fines of up to $250,000 for HIPAA violations by employees and custodial sentences of up to ten years.

What constitutes a HIPAA violation by Business Associates?

What constitutes a HIPAA violation by Business Associates is the failure to comply with any parts of the Security Rule, the requirement to notify Covered Entities of any security incident (not only breaches of unsecured ePHI), or any other requirement stipulated in a Business Associate Agreement.

Generally, Business Associates are required to comply with all provisions of the HIPAA Security Rule and several sections of the Breach Notification Rule. Additionally, depending on the service they provide for or on behalf of a Covered Entity – and the content of Business Associate Agreements – Business Associates may also be required to comply with parts of the Administrative Requirements and the Privacy Rule.

What are the 3 types of HIPAA violations?

There are many “3 types of HIPAA violations”. For example, there are criminal, civil, and accidental violations of HIPAA; Privacy Rule, Security Rule, and Breach Notification Rule violations of HIPAA; and violations of HIPAA reportable to the Centers for Medicare and Medicaid (CMS), HHS´ Office for Civil Rights, and the Federal Trade Commission.

Is it possible for there to be an intentional but acceptable HIPAA violation?

It is possible for there to be an intentional but acceptable HIPAA violation, but only when HHS’ Office for Civil Rights issues a Notice of Enforcement Discretion. These Notices allow Covered Entities to intentionally violate certain HIPAA provisions in certain circumstances for the period of time a Notice of Enforcement Discretion is in force.

It is important to be aware that disclosing PHI in an emergency situation to a Covered Entity with whom no treatment relationship exists is not an intentional but acceptable HIPAA violation. This scenario is permitted by §164.510 of the Privacy Rule provided that any PHI disclosed is limited and relevant to an individual´s care.

Who is responsible for the most common HIPAA violations?

It is not known who is responsible for most common HIPAA violations because it is highly likely most common HIPAA violations are reported to the organization where the violation occurred and this information is not released into the public domain. Additionally, Business Associates are required to report “security incidents” to Covered Entities who then notify affected individuals and HHS’ Office for Civil Rights if the security incident constitutes a breach of unsecured PHI.

Why are there no examples of HIPAA violations by employers?

There are no examples of HIPAA violations by employers because employers are not Covered Entities under HIPAA. Even if a healthcare organization qualifies as a Covered Entity, it is not required to comply with HIPAA in its role as an employer – just in its role as a healthcare organization.

An exception to this explanation exists if an employer administers a self-sponsored health plan. However, because this is a rare scenario – and because employers in this situation are only subject to partial compliance – there are no examples of HIPAA violations by employers publicly reported.

What are the consequences of accessing a patient chart without reason?

The consequences of accessing a patient chart without reason depend on multiple factors. If the person who accessed the chart was a member of a Covered Entity’s workforce, if they did not have the authorization to access the chart, and if they had received training on the Covered Entity’s policies, the event is a violation of the Covered Entity’s policies.

Therefore, the consequences of accessing a patient chart without reason depend on the content of the Covered Entity’s sanctions policy. This may mean the person is given a verbal warning and required to undergo refresher training; or, if the person has received previous verbal warnings, the consequences could be a written warning, final warning, or termination of a contract.

What are HIPAA violations?

HIPAA violations are the failure to comply with the provisions and implementation specifications of the HIPAA Administrative Simplification provisions (45 CFR Parts 160,162, and 164). Most HIPAA violations are civil incidents committed by Covered Entities and Business Associates. It is rare that an individual violates HIPAA because individuals are most often members of a Covered Entity’s or Business Associate’s workforce and subject to their employer’s policies.

Are all violations of HIPAA resolved by financial penalties?

Very few violations of HIPAA are resolved by financial penalties. In most cases, violations of HIPAA are resolved by voluntary compliance, technical assistance, or corrective action plans. However, these “secondary” resolutions also have a financial cost in terms of revising policies and procedures, implementing safeguards, retraining members of the workforce, and other business disruptions.

Are lost medical records a HIPAA violation?

Lost medical records are a HIPAA violation – even if the records are subsequently found – because there has been a failure to ensure the availability of PHI when the records were lost. Additionally, while the medical records were lost, they may have been viewed or altered by an unauthorized person, so there has also been a failure to ensure the confidentiality and integrity of PHI.

What is considered a HIPAA violation punishable by a custodial sentence?

A HIPAA violation punishable by a custodial sentence is considered to be when a person knowingly and wrongfully obtains or discloses individually identifiable health information without authorization. Depending on the motive and whether the act was committed under false pretenses, the person can be fined up to $250,000 and given a custodial sentence of up to ten years.

Who can violate HIPAA?

Who can violate HIPAA is limited to Covered Entities, Business Associates, and members of their workforces. If an organization is not a Covered Entity or Business Associate, or an individual is not a member of either’s workforce, it is not possible to violate HIPAA because HIPAA will not apply to the organization/individual.

What is a HIPAA violation of the Breach Notification Rule?

A HIPAA violation of the Breach Notification Rule is the failure to comply with any provision of 45 CFR 164 Subpart D when Protected Health Information has been acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule, and the impermissible acquisition, access, use, or disclosure compromises the security or privacy of the Protected Health Information.

Is it a HIPAA violation to say someone is in the hospital?

It can be a HIPAA violation to say someone is in the hospital, but only in a limited number of circumstances. For example, the person making the statement must be a member of a Covered Entity’s workforce, the statement must be made to somebody with whom there is no direct treatment or familial relationship, and when the subject of the statement has not been given an opportunity to object to the statement being made.

Is inappropriate access to medical records a HIPAA violation example or a HIPAA breach example?

Inappropriate access to medical records is certainly a HIPAA violation example regardless of who the individual accessing the medical records is. Whether or not it constitutes a HIPAA breach example depends on whether the inappropriate access compromises the security or privacy of the Protected Health Information maintained in the medical records.

Is there a list of HIPAA violations?

There is no list of HIPAA violations because many HIPAA violations are reported to the organization at which they occurred, and they never become public knowledge. What you can find a list of is a list of HIPAA data breaches affecting more than 500 individuals that have been reported to HHS’ Office for Civil Rights. This list can be found on the HHS’ Breach Report web page.

Can you sue someone for disclosing medical information?

You cannot sue someone for disclosing medical information under HIPAA because HIPAA has no private right of action. However, if you believe someone has disclosed your medical information – and because of the disclosure you have suffered harm – you may be able to file a civil action under a state law. Because some states have privacy and security laws that include a private right or action and others don´t, it is best to seek legal advice from a local attorney.

How can I find out who has accessed my medical records?

You can find out who has accessed your medical records by requesting an Accounting of Disclosures from your healthcare provider. The healthcare provider has to reply to your request within 30 days and provide you with a list of every time you’re your medical records have been accessed for uses other than those permitted by the Privacy Rule (i.e., treatments, payments, etc.).

Who can access my medical records without my permission?

Your medical records can be accessed without your permission by any member of a Covered Entity’s or Business Associate’s workforce provided they have the authority to access your records and the reason why they are accessing your medical records is permitted by the Privacy Rule. If your medical records are accessed by somebody without the authority to do so, or for a reason not permitted by the Privacy Rule, this would be a violation of HIPAA.

Can a family member violate HIPAA?

A family member can violate HIPAA if, for example, they are also your dentist and they disclose your health information impermissibly. However, if the family member is not a member of the medical profession – or a member of a Covered Entity´s or Business Associate’s workforce – it is not possible for them to violate HIPAA because only Covered Entities, Business Associates, and members of their workforces are required to comply with HIPAA

 

HIPAA Compliance Infographics

The post The 10 Most Common HIPAA Violations You Should Avoid appeared first on HIPAA Journal.

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data.

The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker.

This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees.

Cyberattacks that result in the sensitive data of patients and consumers being exposed often results in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data.

Three former Lincare employees whose PII was disclosed in February have been named in a class-action lawsuit against the firm. The plaintiffs are seeking damages for the exposure of their PII, credit monitoring and identity theft protection services for 25 years, and 25 years of coverage by an identity theft insurance policy. Lincare previously offered 24 months of complimentary credit monitoring and identity theft protection services to employees affected by the incident.

The plaintiffs claim Lincare was negligent for failing to implement “the most basic of safeguards and precautions,” such as training its employees how to identify phishing scams. The plaintiffs allege the HR employee failed to authenticate the validity of the request for W2 forms, instead just attaching the information and replying to the email.

In the lawsuit, the plaintiffs argue that had simple security measures been adopted by Lincare the breach could have been easily prevented. Those measures include the use of advanced spam filters, providing information security training to staff, implementing data security controls that prohibit employees having on-demand access to PII, adding multiple layers of computer system security and authentication, and ensuring PII was only sent in encrypted form.

The risk of the PII being used to commit fraud is not theoretical. The attacker has already used the stolen data to apply for credit and loans. The lawsuit points out that Lincare sent an email to staff on April 21 saying, “Current and/or former employees affected by the data breach had already had their PII used by a third party or parties as part of a fraudulent scheme to obtain federal student loans through the Department of Education’s Free Application for Federal Student Aid.”

The question that the courts will need to answer is to what extent Lincare is liable for the attack, whether additional safeguards should have implemented and whether there was an implied agreement that the company would keep employee information secure.

The post Employees Sue Lincare Over W2 Phishing Attack appeared first on HIPAA Journal.

Beazley Publishes 2017 Healthcare Data Breach Report

Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017.

While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data.

As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.”

Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the percentage has increased to 15%.

While it is not possible to eliminate the risk of healthcare employees improperly accessing patient records, it is straightforward to ensure that when incidents occur they are detected quickly. As the Protenus Breach Barometer reports clearly show, many healthcare employees have been discovered to have been improperly accessing patient health data for months or even years before the unauthorized access is detected. As Beazley points out in the report, the failure to detect insider incidents promptly and take action increases the risk of regulatory action.

Phishing and social engineering attacks also increased significantly in 2017. There has been a 9-fold increase in social engineering scams in 2017. Beazley reports that two types of social engineering attacks in particular have increased in 2017 – Fraudulent instruction incidents and W-2 Form phishing scams.

Fraudulent instruction incidents are a type of Business Email Compromise (BEC) scam where the attacker pretends to be a company executive and sends a request to make a bank transfer. W-2 Form phishing scams similarly involve the spoofing of a company email address. In this case a request is made to send the W-2 forms of all employees that have worked in the previous fiscal year. The information is then used to submit fraudulent tax returns. Healthcare organizations can reduce risk by teaching employees how to recognize these types of email scams.

Along with an increase in data breaches, there has also been an increase in HIPAA enforcement actions by the Department of Health and Human Services’ Office for Civil Rights (OCR). The report notes that there have been nine settlements announced so far in 2017 on top of 13 HIPAA settlements in 2016. In 2014 and 2015 there were 13 settlements.

There has also been a notable increase in settlement amounts. In 2014/2015, the average settlement amount was around $1,000,000. In 2016/2017, the average settlement was $1.8 million.

As Beazley explained in the report, experiencing a breach opens the door to OCR investigators. Part of the OCR breach investigation involves a review of basic HIPAA compliance. When noncompliance is discovered, financial penalties may be deemed appropriate.

Beazley explains there are two main reasons for the increase in settlements for noncompliance with HIPAA Rules: OCR’s growing frustration with covered entities that are still failing to comply with the HIPAA Privacy and Security Rules, and more available resources to devote to pursuing settlements.

The post Beazley Publishes 2017 Healthcare Data Breach Report appeared first on HIPAA Journal.

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’

The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician.

Alleged Improper Disclosure of Sensitive Health Information

Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked and made sure appropriate diagnostic tools were available. Hereford also told the technician and the physician that they should wear gloves because the patient had hepatitis C.

After the procedure the patient filed a complaint, alleging Hereford had spoken sufficiently loudly so that other patients and medical staff in the vicinity would have heard that she had hepatitis C. While the complaint was investigated Hereford was placed on administrative leave, and was later terminated for the HIPAA violation – An unnecessary disclosure of confidential health information.

In her action for unfair dismissal, Hereford claimed this was an ‘incidental disclosure’, which is not a violation of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not occurred. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.

Norton filed a motion to dismiss or, as an alternative, a motion for summary judgement. The Circuit Court granted the motion to dismiss the claim for wrongful termination, as it was deemed there was an unnecessary disclosure of PHI as a physician should not need to be reminded to wear gloves for a procedure to prevent the contraction of an infectious disease. However, the motion to dismiss the defamation claim was denied.

Norton sought summary judgement on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that speaking the truth about the nurse HIPAA violation being the reason for termination could not have defamed Hereford.

Appeals Court Confirms Nurse HIPAA Violation

Hereford subsequently took her case to the Kentucky Court of Appeals. The Court of Appeals found that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

With respect to the wrongful dismissal claim, the court based its decision on the minimum necessary standard, which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the necessary purpose – 45 CFR 164.502 – explaining, “Under “HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was told the truth about the reason for dismissal.

What Are the Potential HIPAA Violation Penalties for Nurses?

HIPAA violation penalties for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.

The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are determined by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.

What is the Maximum HIPAA Violation Penalty for Nurses

The maximum penalty for a single HIPAA violation is $50,000 per violation or per record, with an annual maximum of $1.5 million per violation category.

Serious violations of HIPAA Rules can warrant criminal charges for HIPAA violations, and in addition to financial penalties jail time is possible. Criminal violations of HIPAA Rules are handled by the U.S. Department of Justice.

Nurses who knowingly obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and up to one year in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years in jail.

When there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years

Nurse HIPAA Violation Cases

Listed below are some of the recent nurse HIPAA violation cases covered on HIPAA Journal.

Glendale Adventist Medical Center Nurse Fired for HIPAA Violation

Minnesota BCBS Nurse Accused of Unauthorized Accessing of Minnesota Board of Pharmacy Database

Virginia Nurse Charged with Bank Fraud and Identity Theft

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access

Minnesota Hospital Fires 32 Over HIPAA Violation

Employees Fired over Sharing of Degrading Photos of Patients on Snapchat

The post Termination for Nurse HIPAA Violation Upheld by Court appeared first on HIPAA Journal.

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information (PHI) in a HIPAA-compliant way must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, whereas de-identification of PHI means HIPAA Privacy Rule restrictions no longer apply.

Guide To De-identify Your Protected Health InformationYou can use our free Protected Health Information Guide to learn how to de-identify and anonymize PHI. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, PHI can be freely shared.

HIPAA Privacy Rule restrictions only covers individually identifiable protected health information. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed.

HIPAA-Compliant De-identification of Protected Health Information

HIPAA-compliant de-identification of protected health information is possible using two methods: Safe Harbor and Expert Determination.

Neither method of de-identification of protected health information will remove all risk of re-identification of patients, but both methods will reduce risk to a very low and acceptable level.

Use either of the two methods below and PHI will no longer be considered ‘protected health information’ and not be subject to HIPAA Privacy Rule restrictions.

1.     Safe Harbor – The Removal of Specific Identifiers

How to de-identify protected health informationThe first HIPAA compliant way to de-identify protected health information is to remove specific identifiers from the data set. The identifiable data that must be removed according to 45 CFR §164.514(b)(2) are:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age)
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Device identifiers and serial numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers including license plates
  • Website URLs
  • Full face photos and comparable images
  • Biometric identifiers (including finger and voice prints)
  • Any unique identifying numbers, characteristics or codes

In the case of zip codes, covered entities are permitted to use the first three digits provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals. When that geographical unit contains fewer than 20,000 individuals it should be changed to 000. According to the Bureau of the Census, that means 17 zip codes must have the first three digits changed to zero:

036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831

Covered entities should not that the above list of zip codes may change after future censuses. The list is based on 5-digit zip codes from the 2000 census.

IMPORTANT NOTE: The list of HIPAA identifiers was compiled in 1999 and is now out-of-date. Additional identifiers that must be removed from a designated record set before it can be considered de-identified include social media aliases, Medicare Beneficiary Numbers, and details relating to an emotional support animal if the animal could be used to identify the subject of the PHI.

2. Expert Determination

De-identify Protected Health InformationThe expert determination method carries a small risk that an individual could be identified, although the risk is so low that it meets HIPAA Privacy Rule requirements.

This method of de-identification of protected health information requires a HIPAA covered entity or business associate to obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from the data set is very small. In such cases, the methods used to make that determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate and made available to regulators in the event of an audit or investigation.

The expert must be a person with appropriate knowledge and experience of using generally accepted statistical and scientific principles and methods for removing or altering information to ensure that it is no longer individually identifiable.

When those methods and principles have been applied, the expert must determine that the risk of reidentification of an individual is very small. In such cases, the risk of reidentification must be very small when the information is used alone, and must remain very small should the data be combined with other reasonably available information by an anticipated recipient to identify an individual who is a subject of the information.

HIPAA does not define the level of risk of re-identification other than to say it should be ‘very small’. The expert should define ‘very small’ in relation to the context of the data set, the specific environment, and the ability of an anticipated recipient to be able to reidentify individuals.

Experts may come from a number of different fields and do not require any specific qualifications. What is important is experts have experience of deidentifying data. It is that experience that regulators will look at in the event of an audit, not specific qualifications or certifications.

For further information on de-identification of protected health information by expert determination see 45 CFR § 164.514(b)(1).

The U.S. Department of Health and Human Services’ Office for Civil Rights has issued guidance on de-identification of protected health information which can be viewed on this link.

De-identification of Protected Health Information FAQs

Why is the list of Safe Harbor identifiers the same as many definitions of PHI?

The list of Safe Harbor identifiers is the same as many definitions of PHI because some sources have mistakenly used the list to answer the question “what is PHI?” It is important to be aware this is not the case.

PHI – or Protected Health Information – is individually identifiable health information that relates to an individual’s past, present, or future health condition, treatment for the condition, or payment for the treatment. Only when identifiers are maintained in the same designated record set as PHI do the identifiers assume protected status.

The list of Safe Harbor identifiers is a (now incomplete) list of possible identifiers that could be maintained in the same designated record set as PHI. If so, they (and any other identifiers not included on the list) must be removed from the designated record set before any remaining PHI is considered de-identified.

Do doctors´ names have to be removed from a data set for PHI to be de-identified?

Doctors’ names have to be removed from a data set for PHI to be de-identified if the name of a doctor – individually or with other information – could be used to identify the subject of the data set. If there is very little chance of a patient being identified by a doctor´s name, then the name can remain in the de-identified data set subject to any state laws or confidentiality concerns.

Generally, with regards to the removal of names from designated data sets, the name of the patient (including nicknames, pet names, and any other names they may be known by) have to be removed, along with the names of relatives, employers, and household members. There is no requirement in HIPAA to remove the names of healthcare providers or any workforce members.

Must a Business Associate Agreement or Data Use Agreement be in place before disclosing de-identified health data to a business partner?

A Business Associate Agreement or Data Use Agreement does not have to be in place before disclosing de-identified health data to a business partner. However, covered entities can, if they wish, enter into a Data Use Agreement with the recipient of the data to specify how the recipient can use the data and prohibit its re-identification.

What is considered “appropriate knowledge and experience” for expert determination?

There is no definition of appropriate knowledge and experience for expert determination in HIPAA. However, in the event of a HIPAA compliance audit, the Department of Health & Human Services´ Office for Civil Rights would review the expert´s professional experience and academic training of the expert, and the processes used in the de-identification of the data set to assess their capabilities.

Is there an expiration date for de-identified health data?

There is no expiration date for de-identified health data stipulated in the Privacy Rule. However, the Department for Health & Human Services recognizes that “technology, social conditions, and the availability of information changes over time” and has suggested that covered entities periodically review the chosen de-identification method to ensure it meets the very low risk requirement.

Why is the list of Safe Harbor identifiers incomplete?

The list of Safe Harbor identifiers is incomplete because it was published quarter of a century ago in a time before (for example) social media and emotional support animals. If a patient has a social media handle maintained with PHI in a designated record set – or information relating to an emotional support animal – that information also needs to be removed from a designated record set before it can be considered de-identified.

What is the benefit of de-identifying Protected Health Information?

The benefit of de-identifying Protected Health Information is that the de-identified data can be used for medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating patient privacy or requiring individual authorizations. Effectively, one PHI is de-identified, the restrictions of the Privacy Rule no longer apply.

What are the two HIPAA-compliant methods for de-identifying PHI?

The two HIPAA-compliant methods of de-identifying PHI are the Safe Harbor method and the Expert Determination method. It is important to be aware that the list of identifiers listed in the Safe Harbor method is out of date, and organizations considering this method of de-identification are advised to seek professional compliance advice before relying on the content of §164.514 to de-identify PHI.

How does the Expert Determination method of de-identifying PHI work?

The Expert Determination method of de-identifying PHI works by obtaining an opinion from a qualified statistical expert indicating that the risk of re-identifying an individual from the de-identified data set is very small. The methods used for this determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate.

Does the Privacy Rule define the level of risk of re-identification in the Expert Determination method?

The Privacy Rule does not define the level of risk of re-identification in the Expert Determination method other that stating it should be “very small”. This means the expert is required to define “very small” in relation to the context of the data set, the specific environment, what the data set will be used for, and the recipient’s reasonably anticipated ability to reidentify individuals.

The post De-identification of Protected Health Information: How to Anonymize PHI appeared first on HIPAA Journal.