Healthcare Data Privacy

$30,000 Penalty for Disclosing PHI Online in Response to Negative Reviews

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with a New Jersey provider of adult and child psychiatric services for $30,000. In April 2020, OCR received a complaint alleging Manasa Health Center had impermissibly disclosed patient information online when responding to a negative online review. The complainant alleged Manasa Health Center had responded to a patient’s review and disclosed the patient’s mental health diagnosis and treatment information.

OCR launched an investigation into the Kendall Park, NJ-based healthcare provider and discovered the protected health information of a total of four patients had been impermissibly disclosed in responses to negative Google Reviews, and notified the practice about the HIPAA Privacy Rule investigation on November 18, 2020. In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule, the practice was determined to have failed to comply with standards, implementation specifications, or other requirements of the HIPAA Privacy and Breach Notification Rules – 45 C.F.R. § 164.530(i).

Manasa Health Center chose to settle the case with OCR with no admission of liability or wrongdoing. In addition to the financial penalty, Manasa Health Center has agreed to adopt a corrective action plan which includes the requirement to develop, maintain, and revise its written policies and procedures to ensure compliance with the HIPAA Privacy Rule, provide training to all members of the workforce on those policies and procedures, issue breach notification letters to the individuals whose PHI was impermissibly disclosed online, and submit a breach report to OCR about those disclosures.

This is not the first time that OCR has imposed a financial penalty for disclosures of PHI on social media and online review platforms. In 2022, OCR agreed to a $23,000 settlement with New Vision Dental and imposed a civil monetary penalty of $50,000 on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. In 2019, OCR settled an online disclosure case with Elite Dental Associates for $10,000. The HIPAA Privacy Rule does not prohibit HIPAA-regulated entities from responding to online reviews or using social media; however, protected health information must not be disclosed online without written consent from the patient. You can read more about HIPAA and social media here.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

This is the 5th OCR HIPAA enforcement action in 2023 that has been resolved with a financial penalty. So far this year, $1,661,500 has been paid by HIPAA-regulated entities to resolve violations of the HIPAA Rules.

The post $30,000 Penalty for Disclosing PHI Online in Response to Negative Reviews appeared first on HIPAA Journal.

Florida Bans Offshore Storage of Electronic Health Records

In May 2023, the Florida Legislature passed an update to the Florida Electronic Health Records Exchange Act that prohibits healthcare providers that use certified health record technologies from storing electronic health records outside the United States, its territories, or Canada. The ban also covers patient information stored through a third-party or subcontracted computing facility or cloud computing service, which must similarly maintain the data in the continental United States, its territories, or Canada. When the ban takes effect it will no longer be possible to use overseas vendors that require access to patient information as the update also bans the access, retrieval, and transmission of patient data from locations outside the United States, its territories, or Canada. All healthcare providers covered by the Florida Electronic Health Records Exchange Act must comply with the updated law by July 1, 2023.

“Certified electronic health record technology” is defined as “a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act, which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.”

“Qualified electronic health record” is defined as “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.”

Covered healthcare providers include hospitals, ambulatory surgery centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse services, and licensed healthcare providers such as physicians, nurses, dentists, therapists, podiatrists, and massage therapists.

Healthcare providers should conduct an audit to confirm the locations where health records are stored to ensure that they are compliant. If a cloud vendor is used to store patient information, data centers must be located in the specified regions. If contracted third parties are used to provide support services such as managed service providers, IT support companies, scheduling support providers, and other vendors, they, along with any subcontractors they use, should be prohibited from storing or accessing patient information outside of the United States, its territories, or Canada.

If the audit confirms patient data is stored in or is accessed from prohibited locations, steps should be taken immediately to move patient data to a compliant storage location and restrict access from unauthorized locations ahead of the compliance deadline.

Arizona Man Sentenced to 54 Months in Criminal HIPAA Violation Case

An Arizona man has been sentenced to 54 months in jail for aggravated identity theft and criminal violations of the Health Insurance Portability and Accountability Act (HIPAA). Rico Prunty, 41 years old, of Sierra Vista, Arizona, was previously employed at an Arizona medical facility where he unlawfully accessed the medical intake forms of patients between July 2014 and May 2017. The intake forms included information protected under HIPAA such as names, dates of birth, addresses, employer information, social security numbers, diagnoses, and medical information.

He then provided that information to his co-conspirators – Vincent Prunty, Temika Coleman, and Gemico Childress – who used the stolen information to open credit card accounts in the victims’ names. Federal prosecutors investigating the identity theft raided an apartment linked to the suspects and found evidence of the manufacture of credit cards and the opening of fraudulent accounts in victims’ names. Prunty and his co-conspirators attempted to steal more than $181,000 from the victims.

According to court documents, the protected health information of almost 500 patients was accessed without authorization, and their information was impermissibly disclosed to Prunty’s co-conspirators. Rico Prunty pleaded guilty to aggravated identity theft and criminal HIPAA violations for accessing and disclosing patients’ protected health information. The HIPAA violations carried a maximum jail term of 10 years, and aggravated identity theft has a mandatory sentence of 2 years, which runs consecutively to sentences for other felony crimes. Senior U.S. District Court Judge James Moody imposed a sentence of 54 months with 2 years of supervised release, and Prunty was ordered to pay $132,521.98 in restitution to the victims.

His co-conspirators have already been sentenced for their roles in the identity theft scheme. Vincent Prunty pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 154 months, Gemico Childress pleaded guilty to wire fraud and aggravated identity theft and was sentenced to 134 months, and Temika Coleman pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 121 months. They were also ordered to pay $181,835.77 in restitution and will each have 2 years of supervised release.

Senators Demand Answers from Google About Sensitive Location Data Deletion Practices

A group of 10 Senators has written to Google demanding answers about its policies for deleting sensitive location data, such as visits to abortion clinics, fertility centers, domestic violence shelters, addiction treatment facilities, and other sensitive locations. Following the decision of the Supreme Court that overturned Roe v Wade and removed the federal right to abortion, Google announced that it would be introducing a new data deletion policy and would be deleting precise geolocation data that indicated a visit to certain sensitive locations. Visits to sensitive locations are highly personal and the information could be abused. Location data could be used by third parties for targeted advertising related to sensitive medical conditions or individuals could be targeted based on their personal healthcare decisions.

The policy announcement was made in July 2022, and Google said the change would take effect in the coming weeks, yet the policy does not appear to have been consistently implemented. The Washington Post investigated to determine the extent to which geolocation data was being deleted by Google and sent reporters to hospitals, fertility clinics, and Planned Parenthood clinics in several states. The reporters found that Google stored the exact name and address of the location they visited, such as the Planned Parenthood Clinic – San Francisco Health Center. In other cases, Google recorded a visit to a nearby establishment or the general neighborhood, and in other cases, the location data was deleted within 24 hours. Another report revealed Google only deleted sensitive location data in 60% of test cases, despite Google claiming that precise geolocation data would be deleted. The Senators said that if the data deletion policy is not consistently applied, it could be considered a deceptive practice.

Sens. Amy Klobuchar (D-MN), Elizabeth Warren (D-MA), Mazie Hirono (D-HA), Peter Welch (D-VT), Ron Wyden (D-OR), Edward Markey (D-MA), Richard Blumenthal (D-CT), Dick Durbin (D-IL), Bernie Sanders (I-VT), and Patty Murray (D-WA) expressed their concern that Google was not upholding its commitment to delete sensitive location data, especially visits to reproductive health care facilities.

The Senators asked Google to confirm how its systems identify a visit to a sensitive location and requested a complete list of the metadata used to make that determination, along with any supporting documents. They also requested a complete list of the locations Google considers sensitive, asked for clarification on how long sensitive location data is stored after a visit, and whether Google allows advertisers to target individuals based on visits to sensitive locations that could reveal a user’s health information. They also asked Google to commit to consistently deleting sensitive location data related to any visit to a reproductive health care facility within 24 hours of that visit occurring and to agree to a third-party audit to verify that such a protocol has been implemented.

The Senators gave Google until May 26, 2023, to respond and provide answers.

AHA Urges OCR To Reconsider its Guidance on Tracking Technologies

The American Hospital Association (AHA) has urged the HHS’ Office for Civil Rights to rethink its guidance on online tracking technologies and to stop considering an IP address as a unique identifier under HIPAA with respect to pixels and other website tracking technologies.

OCR’s December 2022 guidance was issued in response to the widespread use of tracking technologies on healthcare provider websites. The tracking code, provided by third parties such as Facebook and Google, can be used for a variety of legitimate purposes that benefit healthcare providers and consumers. The tracking technologies record information about website visits, which includes the pages a user visits on the site, as well as options selected from drop-down menus and form data. That naturally can include information about medical conditions, and that information, together with a unique identifier – the user’s IP address – is often transferred to the provider of the tracking technology.
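The mechanism described above (a third-party tag that ships page visits, form selections and, inherently, the visitor’s IP address to Facebook or Google) is something a privacy team can audit for statically before any visitor hits the page. The script below is an added example written for this page, not code from HIPAA Journal, the AHA, OCR or any tag vendor. The tracker host list, the `fbq`/`gtag` call patterns and the sample HTML are assumptions constructed for illustration (the tag IDs are placeholders); the risk rating is a coarse triage heuristic, not a legal determination.

```python
"""Static audit of a healthcare web page for third-party tracking loaders.

Added example, not code from HIPAA Journal, the AHA or OCR. The tracker host
list and the sample page below are assumptions constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator list (illustrative, not exhaustive): hosts that serve
# common analytics/advertising tags. Any request a browser makes to these
# hosts carries the visitor's IP address with it.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}
# Client-side API calls that show a pixel is active even when its loader is
# injected indirectly rather than via a plain <script src>.
PIXEL_CALL_PATTERNS = {"fbq": r"\bfbq\s*\(", "gtag": r"\bgtag\s*\("}
URL_RE = re.compile(r"""https?://[^\s'"()]+""")


class _Scanner(HTMLParser):
    """Collects script/img sources, inline script bodies and form elements."""

    def __init__(self):
        super().__init__()
        self.urls = []            # src attributes of <script> and <img>
        self.inline_scripts = []  # bodies of inline <script> blocks
        self.has_form_input = False
        self._buf = None          # accumulates the current <script> body

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._buf = []
            if a.get("src"):
                self.urls.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.urls.append(a["src"])
        elif tag in ("form", "select", "input", "textarea"):
            self.has_form_input = True  # page takes user input that a tag could capture

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None


def _host(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def audit_page(html):
    """Report which known tracker hosts a page loads, whether it also collects
    form data, and a coarse risk rating for privacy review."""
    s = _Scanner()
    s.feed(html)
    s.close()
    candidate_urls = list(s.urls)
    for code in s.inline_scripts:
        # e.g. the loader URL passed to a pixel bootstrap snippet
        candidate_urls.extend(URL_RE.findall(code))
    trackers = sorted({h for h in map(_host, candidate_urls) if h in TRACKER_HOSTS})
    pixel_calls = sorted(
        name for name, pat in PIXEL_CALL_PATTERNS.items()
        if any(re.search(pat, code) for code in s.inline_scripts)
    )
    if trackers and s.has_form_input:
        risk = "high"     # third-party tag on a page that also takes user input
    elif trackers:
        risk = "medium"   # page URL + visitor IP still leave the site
    else:
        risk = "none"
    return {
        "trackers": trackers,
        "tracker_labels": [TRACKER_HOSTS[h] for h in trackers],
        "pixel_calls": pixel_calls,
        "collects_form_data": s.has_form_input,
        "risk": risk,
    }


# Constructed sample: a "find a specialist" page with a condition drop-down
# plus a gtag.js loader and an (abbreviated) Meta Pixel bootstrap. IDs are placeholders.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
<script>!function(f,b,e,v){/* abbreviated bootstrap */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body><h1>Find a specialist</h1>
<form action="/find-care" method="get"><select name="condition">
<option>Oncology</option><option>HIV care</option><option>Behavioral health</option>
</select><input type="submit" value="Search"></form>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView"/></noscript>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run against a crawl of your own site’s HTML, the "high" results are the pages to review first: they are exactly the combination the guidance is concerned with, a third-party tag present on a page where a visitor selects or types something about a condition. A "medium" result still means the page path and the visitor’s IP address reach the tag vendor, which is the point the AHA and OCR disagree about.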

In the guidance, OCR explained that the IP address ties health information to an individual and is therefore protected health information subject to the HIPAA Privacy Rule as the website visitor is either a past, present, or future patient. The AHA considers this to be a much too broad interpretation and warns it “will result in significant adverse consequences for hospitals, patients and the public at large,” and suggests “by treating a mere IP address as protected health information under HIPAA, the Online Tracking Guidance will reduce public access to credible health information.”

There are many credible uses of tracking technologies that would potentially be lost under the current guidance. “Analytics technologies allow hospitals to optimize their online presence to reach more members of the community, including members of the community most in need of certain healthcare information,” explained the AHA. Tracking technologies are also used to help ensure non-English speakers have access to important health information and to provide individuals with information about where healthcare services are located, and social media tools are used to drive traffic to websites containing trustworthy medical information. The AHA points out that tracking technologies must be used with the help of third-party vendors, and those vendors will typically not sign business associate agreements and so are not subject to HIPAA.

“The Online Tracking Guidance puts hospitals and health systems at risk of serious consequences — including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals — for a problem that ultimately is not of their own making,” explained the AHA. The AHA has urged OCR to consider whether the guidance on online tracking technologies is necessary given the increased privacy protections outlined in the proposed modifications to the HIPAA Privacy Rule, to amend the guidance to better reflect the realities of the online activities by hospitals and health systems, or to seek public feedback before reissuing the guidance.

While the AHA has received negative feedback from its members on the tracking technology guidance, feedback on the proposed changes to the HIPAA Privacy Rule with respect to reproductive health information has been largely positive. “The prospect of releasing highly sensitive [...] can result in medical mistrust and the deterioration of the confidential, safe environment that is necessary to quality health care, a functional health care system, and the public’s health generally,” wrote Melinda Reid Hatton, AHA General Counsel and Secretary in the comments for OCR. “If individuals believe that their PHI may be disclosed without their knowledge or consent to initiate criminal, civil, or administrative investigations or proceedings against them or others based primarily upon their receipt of lawful reproductive health care, they are likely to be less open, honest, or forthcoming about their symptoms and medical history.”

The AHA and its members believe that the provision of medical care that is lawful in the location where it is provided should not carry adverse legal consequences and that the proposed Privacy Rule changes will enhance provider-patient relationships. With respect to the requirement for entities requesting health information to attest that they are not seeking to use the information to investigate or penalize the lawful provision of health care, the AHA welcomes the amendments, which it considers common sense. However, the AHA suggests other measures to decrease the burden on healthcare providers such as emphasizing in the final rule that hospitals and health systems will not be burdened by having to question the validity of an attester’s statements, provided the statements are reasonably objective. The AHA also suggests OCR should produce a model attestation form, stipulate that attestation forms include the subpoena or administrative order relevant to the legal process, and make it a requirement for requests to be made only for individuals, and never in bulk.

April 2023 Healthcare Data Breach Report

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – the third largest breach reported by a single HIPAA-covered entity so far this year, and the 19th largest breach reported by a single HIPAA-regulated entity to date. The breach occurred at the HIPAA business associate NationsBenefits Holdings and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution. Eight of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Breach Cause |
|---|---|---|---|---|---|
| NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 462,241 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 199,000 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 180,694 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT) |
| California Physicians’ Services d/b/a Blue Shield of California | CA | Business Associate | 61,790 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| MiniMed Distribution Corp. | CA | Healthcare Provider | 58,374 | Network Server | Unauthorized disclosure of PHI to Google and other third parties (Tracking code) |
| Brightline, Inc. | CA | Business Associate | 49,968 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT) |
| United Steelworkers Local 286 | PA | Health Plan | 37,965 | Email | Hacked email account |
| Retina & Vitreous of Texas, PLLC | TX | Healthcare Provider | 35,766 | Network Server | Hacking incident |
| Brightline, Inc. | CA | Business Associate | 31,440 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Brightline, Inc. | CA | Business Associate | 21,830 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT) |
| Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) | IA | Health Plan | 20,815 | Network Server | Hacking incident at business associate (Independent Living Systems) |
| Lake County Health Department and Community Health Center | IL | Healthcare Provider | 17,000 | Email | Hacked email account |
| Southwest Healthcare Services | ND | Healthcare Provider | 15,996 | Network Server | Hacking incident (data theft confirmed) |
| La Clínica de La Raza, Inc. | CA | Healthcare Provider | 15,316 | Email | Hacked email accounts |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 15,246 | Paper/Films | Mailing error |
| Two Rivers Public Health Department | NE | Healthcare Provider | 15,168 | Email | Hacked email account |
| Robeson Health Care Corporation | NC | Healthcare Provider | 15,045 | Network Server | Malware infection |
| Northeast Behavioral Health Care Consortium | PA | Health Plan | 13,240 | Email | Hacked email account (Phishing) |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 10,011 | Paper/Films | Mailing error at business associate (Palmetto GBA) |
| Modern Cardiology Associates | PR | Healthcare Provider | 10,000 | Network Server | Hacking incident |

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted, but there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the attacks conducted by the Clop ransomware group, which exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously conducted attacks using ransomware but this year has primarily been conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined. As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by HIPAA-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico, with California the worst affected state with 16 breaches, 9 of which were the same incident that was reported separately for each client by Brightline Inc., which is why the breach count was so high for California this month.

| State | Breaches |
|---|---|
| California | 16 |
| Florida | 4 |
| New York & Pennsylvania | 3 |
| Illinois, Kentucky, Ohio, & Texas | 2 |
| Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico | 1 |

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.

FTC Proposes Changes to Modernize the Health Breach Notification Rule

The Federal Trade Commission (FTC) has proposed changes to the Health Breach Notification Rule to strengthen the applicability of the Rule to health apps and other emerging direct-to-consumer technologies that collect, store, and transmit identifiable health data.

There has been an explosion of health apps and connected devices that collect health data, and those apps and devices are collecting vast amounts of health data. There are also incentives for companies that collect health data to disclose that information to third parties for advertising and other purposes. The Health Insurance Portability and Accountability Act (HIPAA) requires health data to be safeguarded, places restrictions on uses and disclosures of health data, and if a data breach occurs, the HIPAA Breach Notification Rule requires notifications to be issued. While health apps and connected devices may collect health data that would be classed as Protected Health Information under HIPAA if collected by a HIPAA-regulated entity, most health apps and connected devices are not covered under HIPAA.

The FTC Health Breach Notification Rule applies to vendors of personal health records (PHR) and related entities that are not covered by HIPAA and requires those companies to issue notifications to consumers, the FTC, and the media in the event of a breach of identifiable health data. When a data breach occurs at a third-party service provider to vendors of PHRs and PHR-related entities, the Health Breach Notification Rule requires those service providers to issue notifications to the vendors and PHR-related entities. The Health Breach Notification Rule has been in effect for a decade, but the FTC has only just started enforcing compliance. Since December 2022, the FTC has taken two enforcement actions against entities alleged to have violated the Health Breach Notification Rule – GoodRx and Easy Healthcare (Premom) – both of which were found to have failed to issue timely notifications about breaches of identifiable health data.

In September 2021, the FTC issued a policy statement confirming the Health Breach Notification Rule applies to health apps and connected devices that collect, use, or transmit consumer health information. The FTC has reviewed the comments received about the policy statement and has determined that the Health Breach Notification Rule needs to be modernized to clarify its applicability to health apps, connected devices, and other direct-to-consumer technologies.

The proposed updates include a change to the definition of “PHR identifiable health information,” and new definitions have been added for “health care provider” and “health care services or supplies.” The definition of “PHR related entity” has been revised to make it clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities. The FTC has also clarified what it means for a personal health record to draw PHR identifiable health information from multiple sources. The proposed update makes it clear that a “breach of security” includes the unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.

The FTC has also authorized the expanded use of email and other electronic means as a way of providing clear and effective notice of a breach to consumers, and the required content of notifications has also been expanded. Notifications will need to include information about the potential harm that can be caused by the breach, and notifications must include the names of any third parties who might have acquired unsecured personally identifiable health information.

The comment period on the proposed changes is 60 days from the date of publication of the Notice of Proposed Rulemaking in the Federal Register.

$200,000 Penalty for Impermissible Sharing of Premom App Users’ Health Data

Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, has agreed to settle an FTC complaint that alleged violations of the FTC Act and Health Breach Notification Rule related to the sharing of app users’ health data with third parties without consent.

The Premom app allows users to track their periods and ovulation cycles. Users can upload pictures of ovulation test strips, which the app analyses to predict the user’s next ovulation cycle, and can upload health data from other devices and apps. The app has been downloaded by hundreds of thousands of women, and between 2017 and 2020, the terms and conditions of use stated, “We do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes.” During that period, the FTC alleged, the Premom app transmitted the sensitive health information of app users to third-party advertisers without user consent.

The FTC’s Health Breach Notification Rule ensures entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) face accountability for breaches of consumers’ sensitive health data. The Rule requires notifications to be issued to consumers when there has been a breach of individually identifiable health information, and in September 2021, the FTC issued a policy statement confirming that developers of health apps have a responsibility to secure any collected health data and must prevent unauthorized access.

According to the FTC complaint, Easy Healthcare told app users that their health data would not be shared with third parties without their knowledge or consent, and falsely claimed that the information it did share with third parties was non-identifiable and would only be used for internal analytics. The FTC found that since 2018, Easy Healthcare had shared Premom user data with Google LLC and the marketing firm AppsFlyer Inc., and that between 2018 and 2020 it had also shared user data with two Chinese mobile analytics companies, Jiguang (aka Aurora Mobile Ltd) and Umeng. Easy Healthcare made no effort to restrict how those companies used the health data, so they could use it for a broad range of purposes, including advertising. In addition to health data, the identifiers unique to each mobile device (IMEI numbers) and precise geolocation data were shared. The data sharing only stopped when the Google Play Store informed Easy Healthcare that it violated Play Store policies.

The FTC determined that Easy Healthcare failed to implement reasonable privacy and data security measures, in violation of the FTC Act. The disclosures also meant Easy Healthcare was required to notify app users, the FTC, and the media; the FTC determined that timely and proper notice was not provided, in violation of the Health Breach Notification Rule. “Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumers’ health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”

If the order is approved by the court, Easy Healthcare will pay a civil monetary penalty of $100,000 to the Treasurer of the United States. A further $100,000 settlement was agreed with the states of Connecticut and Oregon and the District of Columbia, which assisted the FTC with the investigation. “Given the intimate health data that apps like Premom collect and what that may reveal about when a pregnancy starts or stops, it is critical that user information is kept safe and private,” said Connecticut Attorney General William Tong. “Our settlement forces Easy Healthcare to adopt strict privacy requirements to ensure that its users’ information is appropriately protected.”

Easy Healthcare has also been ordered to stop sharing personal health data with third parties for advertising purposes, and must contact the third parties that received user data and request that the information be deleted. Easy Healthcare has also agreed to improve its privacy and security practices and to conduct regular privacy and security audits.

Easy Healthcare agreed to settle the case with the FTC to avoid the time and expense of litigation, and the decision to settle is not an admission of wrongdoing. “Rest assured that we do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes. At Easy Healthcare, we adhere to the promises we make to our users. Protecting users’ data is a high priority, which is why we have always been transparent with and cooperated fully throughout the FTC’s review of our privacy program. We remain committed to these principles,” said Easy Healthcare in a statement.

What is Considered PHI Under HIPAA?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA? Different sources define PHI differently. Some define PHI as patient health data (it isn't), as the 18 HIPAA identifiers (it's not those either), or as a phrase coined by the Health Insurance Portability and Accountability Act of 1996 to describe identifiable information in medical records (close, except that the term Protected Health Information was not used in relation to HIPAA until 1999).

What is Really Considered PHI Under HIPAA Rules?

To best explain what is really considered PHI under HIPAA compliance rules, it is necessary to review the definitions section of the Administrative Simplification Regulations (§160.103) starting with health information. According to this section, health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

“Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

From here, we need to progress to the definition of individually identifiable health information which states “individually identifiable health information […] is a subset of health information, including demographic information collected from an individual [that] is created or received by a health care provider, health plan, employer, or health care clearinghouse […] and that identifies the individual or […] can be used to identify the individual.”

Finally, we move on to the definition of protected health information, which states “protected health information means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. The same definition goes on to exclude education records covered by FERPA, employment records held by a covered entity in its role as an employer, and records of individuals who have been deceased for more than 50 years.

More about what is Considered PHI under HIPAA

To simplify the definition of what is considered PHI under HIPAA: health information is any information relating to a patient's condition, the past, present, or future provision of healthcare, or payment for that healthcare. It becomes individually identifiable health information when identifiers are included in the same record set, and it becomes protected when it is transmitted or maintained in any form or medium by a covered entity.

Generally, HIPAA covered entities are limited to health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards can be found in Subparts I to S of the HIPAA Administrative Data Standards. Therefore:

  • “A broken leg” is health information.
  • “Mr. Jones has a broken leg” is individually identifiable health information.
  • If a covered entity records “Mr. Jones has a broken leg” the health information is protected.

Where do Business Associates Enter the Equation?

As well as covered entities having to understand what is considered PHI under HIPAA, it is also important that business associates are aware of how PHI is defined. This is because any individually identifiable health information created, received, maintained, or transmitted by a business associate in the provision of a service for or on behalf of a covered entity is also protected.

Business associates are required to comply with the Security and Breach Notification Rules when providing a service to or on behalf of a covered entity. Depending on the nature of the service and the content of the Business Associate Agreement, they may also need to comply with parts of the Administrative Requirements and the Privacy Rule.

When is PHI not PHI?

There is a common misconception that all health information is considered PHI under HIPAA, but this is not the case.

First, it depends on whether an identifier is included in the same record set. Under HIPAA, PHI ceases to be PHI once it has been de-identified, that is, stripped of all identifiers that can tie the information to an individual using one of the two methods set out in §164.514 (the safe harbor method or expert determination). HIPAA does not apply to de-identified health information, and it can be used or disclosed without violating any HIPAA Rules.

Health information is also not PHI when it is created, received, maintained, or transmitted by an entity not subject to the HIPAA Rules. For example, even though schools and colleges may have medical facilities, health information relating to students is covered by the Family Educational Rights and Privacy Act (FERPA), which classifies students' health information as part of their educational records.

Health information maintained by employers as part of an employee's employment record is not considered PHI under HIPAA. However, employers that administer a self-funded health plan do have to meet certain requirements with regards to keeping employment records separate from health plan records in order to avoid impermissible disclosures of PHI.

It is important to be aware that exceptions to these examples exist. One of the most complicated examples relates to developers, vendors, and service providers for personal health devices that create, collect, maintain, or transmit health information. Entities related to personal health devices are not covered entities or business associates under HIPAA unless they are contracted to provide a service for or on behalf of a covered entity or business associate.

However, entities related to personal health devices that fall within the scope of the FTC's Health Breach Notification Rule are required to notify consumers, the FTC, and in some cases the media if a breach of unsecured identifiable health information occurs. This means that, although these entities do not have to comply with the HIPAA Privacy and Security Rules, they still need to know what is considered individually identifiable health information under HIPAA, because the FTC Rule defines the health information it covers by reference to that HIPAA definition.

The complexity of determining whether information is considered PHI under HIPAA means that both medical and non-medical workforce members should receive HIPAA training on the definition of PHI. It is also important for all members of the workforce to know which standards apply when state laws offer greater protections for PHI or more individual rights than HIPAA, as such laws are not preempted by HIPAA and must be followed in addition to it.

What is Considered PHI Under HIPAA FAQs

What are the 18 HIPAA Identifiers?

The 18 HIPAA identifiers are the identifiers that must be removed from a record set before the remaining health information is considered de-identified under the “safe harbor” method of de-identification (see §164.514). However, because of the age of the list, it is no longer a reliable guide on its own: since the list was first published in 1999, many more ways to identify an individual have emerged.

Importantly, if a Covered Entity removes all the listed identifiers from a designated record set, the subject of the health information might still be identifiable through other identifiers not included on the list, for example social media aliases, LGBTQ status, or details about an emotional support animal. Therefore, Covered Entities should ensure no further identifiers remain in a record set before disclosing health information to a third party (e.g., to researchers).

Also, because the list of 18 HIPAA identifiers is more than two decades out of date, it should not be used to explain what is considered PHI under HIPAA. Note too that any of these identifiers maintained separately from individually identifiable health information are, in most circumstances, not PHI and do not receive the Privacy Rule's protections.
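As an added, illustrative example (not from HIPAA Journal or from HHS), the following Python applies the safe harbor transformations of 45 CFR §164.514(b)(2) to one constructed patient record and then scans the surviving free-text fields for identifier-like strings, which is the residual check the answer above recommends. The field names, the sample record and the restricted ZIP3 placeholder set are assumptions; the placeholder must be replaced with the current Census-derived list of three-digit ZIP areas with 20,000 or fewer residents before any real use.

```python
"""Safe harbor de-identification (45 CFR 164.514(b)(2)) on a constructed
record, plus a residual-identifier scan of free text. Added example; the
field names, sample record and RESTRICTED_ZIP3 placeholder are assumptions."""
import re
from datetime import date

# Identifier classes that safe harbor removes outright (assumed field names).
DROP_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "death_date"}
# ZIP3 prefixes whose area has 20,000 or fewer people must become "000".
# PLACEHOLDER: replace with the current Census-derived list before real use.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Patterns for identifiers that commonly survive in free-text fields.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record; every value is invented for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "medical_record_number": "MRN-0048213",
    "email": "jane.sample@example.com",
    "date_of_birth": date(1931, 4, 2),
    "admission_date": date(2023, 1, 15),
    "zip": "02139",
    "diagnosis": "Fracture of left tibia",
    "clinician_note": "Pt says she can be reached at 617-555-0134 after discharge.",
}


def truncate_zip(zip_code: str) -> str:
    """Keep the first three digits unless that area is too small to be safe."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, reference: date) -> int:
    """Whole years between dob and the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def bucket_age(age: int) -> int:
    """Ages over 89 collapse into a single '90 or older' bucket."""
    return 90 if age > 89 else age


def safe_harbor_deidentify(record: dict, reference: date) -> dict:
    """Return a copy of record with the safe harbor transformations applied."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue                      # identifier removed entirely
        if field in DATE_FIELDS:
            out[field] = str(value.year)  # year only
        elif field == "zip":
            out[field] = truncate_zip(value)
        else:
            out[field] = value            # clinical content is retained
    if "date_of_birth" in record:
        out["age"] = bucket_age(age_on(record["date_of_birth"], reference))
    return out


def find_residual_identifiers(record: dict) -> dict:
    """Map each string field to the identifier patterns found in it."""
    hits = {}
    for field, value in record.items():
        if isinstance(value, str):
            found = [name for name, rx in RESIDUAL_PATTERNS.items() if rx.search(value)]
            if found:
                hits[field] = found
    return hits


def deidentify_sample(reference: date = date(2023, 6, 1)) -> tuple:
    """Run both steps on the constructed record; returns (record, warnings)."""
    deidentified = safe_harbor_deidentify(SAMPLE_RECORD, reference)
    return deidentified, find_residual_identifiers(deidentified)


if __name__ == "__main__":
    record, warnings = deidentify_sample()
    print(record)
    print("residual identifiers:", warnings)
```

Running it drops the name, MRN and email, reduces the dates to years, collapses the 92-year-old's age to 90, truncates the ZIP to "021", and then flags the phone number left inside the clinician's note. The scan is pattern-based and only catches common formats; names, dates and other identifiers written in free text are not detected, which is exactly why stripping the listed fields alone does not make a record safe to release.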

What is PHI under HIPAA?

PHI under HIPAA is individually identifiable health information that is collected or maintained by an organization that qualifies as a HIPAA Covered Entity or Business Associate. Additionally, any information maintained in the same designated record set that identifies – or could be used with other information to identify – the subject of the health information is also PHI under HIPAA.

What does PHI include?

PHI includes information about an individual's physical or mental health condition, the treatment of that condition, or the payment for the treatment. Additionally, PHI includes any information maintained in the same record set that identifies – or that could be used to identify – the subject of the health, treatment, or payment information.

What are examples of PHI?

Examples of PHI include test results, x-rays, scans, physician’s notes, diagnoses, treatments, eligibility approvals, claims, and remittances. When combined with this information, PHI also includes names, phone numbers, email addresses, Medicare Beneficiary Numbers, biometric identifiers, emotional support animals, and any other identifying information.

Which format of PHI records is covered by HIPAA?

All formats of PHI records are covered by HIPAA. These include (but are not limited to) spoken PHI, PHI written on paper, electronic PHI, and physical or digital images that could identify the subject of health information. It is important to remember that PHI records are only covered by HIPAA when they are in the possession of a covered entity or business associate.

What is the difference between PHI and ePHI?

The difference between PHI and ePHI is that ePHI refers to Protected Health Information that is created, used, shared, or stored electronically, for example in an Electronic Health Record, in the content of an email, or in a cloud database. Both PHI and ePHI are subject to the same protections under the HIPAA Privacy Rule, while the HIPAA Security Rule applies only to ePHI.

Does the Privacy Rule apply to both paper and electronic health information?

The Privacy Rule applies to both paper and electronic health information despite the language used in the original Health Insurance Portability and Accountability Act leading to a misconception that HIPAA only applies to electronic health records. While the protection of electronic health records was addressed in the HIPAA Security Rule, the Privacy Rule applies to all types of health information regardless of whether it is stored on paper or electronically, or communicated orally.

If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, is that PHI?

If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, the name and telephone number are not PHI at that time because there is no health information associated with them. Only once the individual undergoes treatment, and their name and telephone number are added to the treatment record, does that information become Protected Health Information.

How can future health information about medical conditions be considered “protected”?

Future health information about medical conditions can be considered protected if it includes prognoses, treatment plans, and rehabilitation plans that – if altered, deleted, or accessed without authorization – could have significant implications for a patient. For this reason, future health information must be protected in the same way as past or present health information.

Does the Privacy Rule apply when medical professionals are discussing a patient´s healthcare?

The Privacy Rule does apply when medical professionals are discussing a patient's healthcare because, although PHI can be shared without authorization for the provision of treatment, when medical professionals discuss a patient's healthcare, it must be done in private (i.e. not within earshot of the general public) and the Minimum Necessary Standard applies – the rule that limits the sharing of PHI to the minimum necessary to accomplish the intended purpose.

If a medical professional discusses a patient´s treatment with the patient´s employer, is that information protected?

If a medical professional discusses a patient's treatment with the patient's employer, whether or not the information is protected depends on the circumstances. Usually, the patient will have to give their authorization for a medical professional to discuss their treatment with an employer, unless the discussion concerns payment for treatment or the employer is acting as an intermediary between the patient and a health plan.

However, disclosures of PHI to employers are permitted under the Privacy Rule if the information being discussed relates to a workplace injury or illness. In such circumstances, a medical professional is permitted to disclose the information required by the employer to fulfil state or OSHA reporting requirements. In these circumstances, medical professionals can discuss a patient’s treatment with the patient’s employer without an authorization.

Is an email PHI?

Whether or not an email is PHI depends on who the email is sent by, what the email contains, and where it is stored. To be PHI, an email has to be sent by a Covered Entity or Business Associate, contain individually identifiable health information, and be stored by a Covered Entity or Business Associate in a designated record set with an identifier (if the email does not already include one).

What is PHI in healthcare?

PHI in healthcare stands for Protected Health Information – information protected by the HIPAA Privacy Rule to ensure it remains private. PHI in healthcare can only be used or disclosed for permitted purposes without a patient's authorization, and patients have the right to complain to HHS' Office for Civil Rights if they believe a healthcare provider is failing to protect the privacy of their PHI.

What are HIPAA identifiers?

HIPAA identifiers are pieces of information that can be used – either separately or with other pieces of information – to identify an individual whose health information is protected by the HIPAA Privacy Rule. Several sources confuse HIPAA identifiers with PHI, but it is important to be aware that identifiers not maintained with an individual's health information do not have the same protection as PHI.

What qualifies as PHI?

What qualifies as PHI is individually identifiable health information and any identifying non-health information stored in the same designated record set. Please note that a Covered Entity can maintain multiple designated record sets about the same individual, and that a designated record set can consist of a single item (e.g., a picture of a baby on a pediatrician's baby wall qualifies as PHI).

Is a medical record number PHI?

A medical record number is PHI if it can identify the individual in receipt of medical treatment. However, a seemingly random alphanumeric code by itself (which medical record numbers often are) does not necessarily identify an individual if the code is not preceded by “medical record number”, or accompanied by a name or any other information that could be used to identify the individual.

What does PHI include?

PHI includes individually identifiable health information maintained by a Covered Entity or Business Associate that relates to an individual’s past, present, or future physical or mental health condition, treatment for the condition, or payment for the treatment. It can also include any non-health information that could be used to identify the subject of the PHI.

Is a person’s gender PHI?

A person’s gender is PHI if it is maintained in the same designated record set as individually identifiable health information by a HIPAA Covered Entity or Business Associate, as it could be used with other information to identify the subject of the individually identifiable health information. However, if a person’s gender is maintained in a data set that does not include individually identifiable health information (e.g., a transportation directory), it is not PHI.

Is a patient’s name alone considered PHI?

A patient’s name alone is not considered PHI. Only when a patient’s name is included in a designated record set with individually identifiable health information by a Covered Entity or Business Associate is it considered PHI under HIPAA.

Under the Privacy Rule which information should be considered PHI?

Under the Privacy Rule, the information that should be considered PHI is individually identifiable health information together with any identifiers that can be used to identify its subject. Several sources get this wrong by ignoring the definitions of PHI in the General Provisions at the start of the Administrative Simplification Regulations (45 CFR Part 160).

Is there a list of PHI identifiers?

There is no list of PHI identifiers in HIPAA – only an out-of-date list of identifiers that have to be removed from a designated record set under the safe harbor method before any PHI remaining in the designated record set is deidentified. Because the list is so out-of-date and excludes many ways in which individuals can now be identified, Covered Entities and Business Associates are advised to have a full understanding of what is considered PHI under HIPAA before developing staff policies.

Is a phone number PHI?

A phone number is PHI if it is maintained in a designated record set by a HIPAA Covered Entity or Business Associate because it could be used to identify the subject of any individually identifiable health information maintained in the same record set. However, if a phone number is maintained in a database that does not include individually identifiable health information, it is not PHI.