Healthcare Data Privacy

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant?

Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI).

However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, WhatsApp is NOT HIPAA compliant for several reasons.

Why Isn’t WhatsApp HIPAA Compliant?

First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users.

HIPAA does not demand that encryption be used. Provided an alternate, equivalent measure is implemented in its place, encryption is not required. Since WhatsApp now includes end-to-end encryption, this aspect of HIPAA is satisfied.

Access controls are also required – See 45 CFR § 164.312(a)(1). This is one area where WhatsApp is not HIPAA compliant. If WhatsApp is installed on a smartphone, anyone with access to that smartphone will be able to view the messages in the user’s WhatsApp account without having to enter a username or password. That means any ePHI included in conversations would also be accessible. Additional security controls may be installed on a smartphone to authenticate users before the device can be accessed, but even when those controls have been applied, notifications about new messages can often be seen without opening the app or unlocking the device.

HIPAA also requires audit controls – See 45 CFR § 164.312(b). This is another area where WhatsApp is not HIPAA compliant. Messages and attachments are saved, although they can easily be deleted. There is also no HIPAA compliant audit trail maintained in WhatsApp. All data in the account would also need to be backed up. Currently, if you switch phones, your account will be preserved, but your messages will not.

Then there is the issue of what happens to ePHI in a WhatsApp account on a personal device after the user leaves the company. Controls would need to be incorporated to ensure all messages containing ePHI are permanently erased. That would be a logistical nightmare for any covered entity, as it could not be performed remotely, finding messages would be next to impossible, and users would likely object to their WhatsApp being deleted.

Regardless of the features of WhatsApp and how well data is protected in transit, at the time of writing, WhatsApp will not sign a business associate agreement with a HIPAA covered entity. If HIPAA covered entities want to use WhatsApp, before any ePHI is sent, a HIPAA compliant business associate agreement must be signed with WhatsApp. Even though WhatsApp does not read text messages, that does not mean that no business associate agreement would be required.

So, is WhatsApp HIPAA compliant? In its current form, no. When it comes to WhatsApp and HIPAA compliance, even if covered entities were to use additional controls to prevent accidental disclosures, until WhatsApp is willing to sign a BAA, the service cannot be used to send ePHI without violating HIPAA Rules.

The post Is WhatsApp HIPAA Compliant? appeared first on HIPAA Journal.

Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?

The HIPAA Breach Notification Rule requires covered entities to issue notifications to individuals after their ePHI has been exposed or stolen, but what about credit monitoring and identity theft protection services? Must they be offered?

HIPAA does not stipulate whether credit monitoring and identity theft protection services should be provided to individuals impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered entity.

However, following a breach of unsecured protected health information, HIPAA-covered entities are required to provide breach victims with details of the steps that should be taken to mitigate risk and protect themselves from harm.

Those steps include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every 12 months if requested.

Breach victims should be instructed to monitor their accounts for any sign of fraudulent activity and should be told what to do if suspicious activity is identified. They should also be told to monitor their Explanation of Benefits statements for benefits that they have not received. Information should also be provided on placing a fraud alert and freeze on their credit files.

While HIPAA does not require covered entities to offer credit monitoring and identity theft protection services, state laws may differ. From October 1, 2015, a breach of Connecticut residents’ names and Social Security numbers requires the breached entity to provide a minimum of 12 months of “appropriate identity theft prevention services, and if applicable, identity theft mitigation services.”

In California, while it is not mandatory to provide credit monitoring and identity theft protection services to breach victims, if those services are provided they must be free of charge and for a minimum of 12 months. State laws are frequently updated, so covered entities should keep up to date with new legislation introduced in the states in which their patients and members reside.

Even though it may not be mandatory for healthcare organizations to provide identity theft protection services to breach victims, many choose to do so. Providing those services can help to reduce the fallout from a data breach.

Credit monitoring services should be provided to data breach victims for 12 or 24 months, if credit/debit card numbers, Social Security numbers, and/or bank account information is believed to have been stolen.

Credit monitoring services inform breach victims when credit monitoring companies receive notifications of applications for credit, loans, or when personal information is changed – changes of address or phone number for example.

Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as Social Security numbers, driver’s license numbers, medical ID numbers, and passport numbers.

The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the likelihood of data being used for identity theft and fraud, the risk of data being sold on, and types of data that have been exposed.


What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity?

What Are HIPAA Covered Entities?

HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards.

Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies, and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMOs. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information.

Even if an entity is a healthcare provider, health plan, or healthcare clearinghouse, it is not considered a HIPAA covered entity if it does not transmit any information electronically for transactions for which HHS has adopted standards. In such cases, the entity would not be required to comply with HIPAA Rules.

Legally, the HIPAA Privacy Rule only applies to covered entities, although since covered entities usually require the services of vendors, which may need access to PHI in order to perform certain tasks, the HIPAA Privacy Rule permits covered entities to share PHI with those companies.

Before PHI can be shared, vendors must agree to use the PHI only for the tasks that they have been contracted to perform. They must also agree not to disclose the PHI to other entities, and must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Covered entities must obtain ‘satisfactory assurances,’ in writing, in the form of a contract, that HIPAA Rules will be followed.

What is a HIPAA Business Associate?

A HIPAA business associate is any entity, be that an individual or a company, that is provided with access to protected health information to perform services for a HIPAA covered entity.

Software providers, whose solutions interact with systems that contain ePHI, are considered business associates, as are cloud service providers, cloud platforms, document storage companies (physical and electronic storage), collection agencies, medical billing companies, asset and document recycling companies, answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third party administrators, medical couriers, and marketing firms. Business associates of covered entities must also comply with HIPAA Rules and can be fined directly by regulators for noncompliance.

Business associates of HIPAA covered entities must sign a contract with the covered entity, termed a business associate agreement or BAA, that outlines the responsibilities of the business associate and explains that the business associate is required to comply with HIPAA Rules.

It is the responsibility of a business associate to ensure that if any subcontractors are used, they too agree to comply with HIPAA Rules and sign a BAA. Information on when a business associate agreement is not required is detailed here.

While a business associate must agree to comply with HIPAA Rules and is responsible for ensuring the confidentiality, integrity, and availability of PHI in its possession, it is the responsibility of a covered entity to ensure that all business associates are complying with HIPAA Rules. If a business associate fails to comply with HIPAA Rules, it is the responsibility of the covered entity to take action to ensure noncompliance is corrected or the contract with the business associate is terminated.

The HHS has developed a tool that explains the differences between a HIPAA business associate and a HIPAA covered entity. You can use the tool to determine if you are a covered entity or a business associate and whether HIPAA Rules must be followed.


Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies

A Government Accountability Office report has shown federal agencies are struggling to implement effective information security programs and are placing data systems and data at risk of compromise.

In its report to Congress – Federal Information Security – Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices – GAO explained, “The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security.” However, “Systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown.”

GAO explained that “The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness.”

Every year, each federal agency is required to have its information security program and practices reviewed by its inspector general, or an external auditor, to determine the effectiveness of the program and practices. In 2016, 24 federal agencies were inspected, but only 7 of those agencies were determined to have effective information security programs.

Critical security weaknesses were discovered during those audits that could lead to a system compromise and the exposure and theft of sensitive data. Security weaknesses were found at all 24 federal agencies, including the Department of Health and Human Services, the Department of Veterans Affairs, and the Internal Revenue Service.

Most of the agencies were discovered to have weaknesses in five control areas, including access controls, segregation of duties, configuration management controls, contingency planning, and agency-wide security management.

The Food and Drug Administration (FDA) was found to have “A significant number of security control weaknesses that jeopardize the confidentiality, integrity, and availability of its information systems and industry and public health data.”

“The National Aeronautical and Space Administration, Nuclear Regulatory Commission, Office of Personnel Management, and the Department of Veteran Affairs had not always effectively implemented access controls over selected high-impact systems.”

“The Internal Revenue Service had weaknesses in information security controls that limited its effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data.”

All agencies had weaknesses in their access controls, and 223 configuration management weaknesses were identified at 23 of the 24 agencies. More than half of the agencies did not segregate incompatible duties to prevent unauthorized actions or unauthorized access to assets or records. A total of 623 security management weaknesses were identified across the 24 agencies, and 20 of the 24 agencies had weaknesses in implementing a security training program.

No new recommendations were made in the report, as previous audits have highlighted the vulnerabilities and hundreds of recommendations have previously been made by inspectors general to address those vulnerabilities.

GAO points out that “Until agencies correct longstanding control deficiencies and address our and agency inspectors general’s recommendations, federal IT systems will remain at increased and unnecessary risk of attack or compromise. We continue to monitor the agencies’ progress on those recommendations.”


Privacy and Security Awareness Lacking in 70% of Employees

When it comes to privacy and security awareness, many U.S. workers still have a lot to learn. Best practices for privacy and security are still not well understood by 70% of U.S. employees, according to a recent study by MediaPro, a provider of privacy and security awareness training.

For the study, MediaPro surveyed 1,012 U.S. employees and asked them a range of questions to determine their understanding of privacy and security, whether they followed industry best practices, and to find out what types of risky behaviors they engage in. 19.7% of respondents came from the healthcare industry – the best represented industry in the study.

Respondents were rated on their overall privacy and security awareness scores, being categorized as a hero, novice, or a risk to their organization. 70% of respondents were categorized as a novice or risk. Last year when the study was conducted, 88% of U.S. workers were rated as a novice or risk.

Last year, only 12% of respondents ranked as a hero. This year the percentage increased to 30%, a good sign that some employees have responded to training and are taking more care at work. Worryingly, while the percentage of novices fell from 72% last year to 51% in 2017, the percentage of individuals classed as a risk increased from 16% in 2016 to 19% this year.

Tom Pendergast, chief strategist for security, privacy, and compliance at MediaPro, explained that in the risk category there are two areas that have been consistently poor over the past two years: physical security and safe remote working/mobile computing. In the latter category, one of the biggest risks was connecting to insecure Wi-Fi networks. The percentage of respondents that admitted doing this jumped from 45% last year to 62.3% this year; overall, 19% of respondents admitted to risky practices when working remotely.

The overall scores across six of the eight categories being tested improved year over year, with notable improvements in identifying malware and phishing threats, reporting incidents, working remotely, identifying personal information, and cloud computing.

The two areas where there was decline were physical security – such as allowing individuals into a facility without checking identification – and social media security – such as posting personal and sensitive company information on social media accounts.

Perhaps the biggest risk faced by organizations today is phishing. Phishing emails are the primary method of delivering malware and ransomware and obtaining sensitive information such as login credentials.

Respondents were tested on their phishing awareness and were presented with four emails, which they were asked to rate as legitimate or phishy. 8% of respondents were unable to identify the phishing emails correctly. Out of the phishing emails tested, the email offering a stock tip from a well-known investor fooled the highest number of respondents. 92% of respondents were able to identify a phishing email with a potentially malicious attachment, up from 75% last year.


OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals

The recent attack in Las Vegas has prompted the Department of Health and Human Services’ Office for Civil Rights to clarify HIPAA Rules on disclosures to family, friends and other individuals.

Following Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the disaster areas of both hurricanes. OCR sometimes, but not always, issues such a waiver after a natural disaster when a public health emergency has been declared.

However, OCR did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas, and neither was a waiver issued following the Orlando nightclub shootings in 2016. OCR does not usually issue waivers of HIPAA Rules following shootings and other man-made disasters. Healthcare organizations involved in the treatment of victims of the Las Vegas shootings were required to continue to follow the provisions of the HIPAA Privacy Rule.

In its reminder about HIPAA Rules on disclosures to family, friends and other individuals, OCR explained that the HIPAA Privacy Rule allows healthcare organizations to disclose PHI to family, friends, and other individuals that have been identified by a patient as being involved in his or her care. PHI may also be shared to help identify or locate individuals involved in a patient’s care, or to notify them of the patient’s location, health status, or death.

In an emergency situation, covered entities should try to obtain verbal permission from the patient to share information, although when this is not possible, such as when a patient is incapacitated, it is down to the professional judgement of the covered entity to determine whether sharing information is in the patient’s best interest.

In the case of natural disasters, PHI may need to be shared with disaster relief organizations to assist with disaster relief efforts. While permission should be obtained, it is not necessary if obtaining permission would interfere with the organization’s ability to respond to an emergency situation.

The HIPAA Privacy Rule permits covered entities to inform the media about a specific patient’s general health condition (critical, stable, deceased, or treated and released) if a request is made about a patient that is mentioned by name, provided the patient has not previously objected to the sharing of such information, in which case the patient’s request should be honored.

Any sharing of other information, such as test results, details of an illness, or other health information, must generally only be shared if permission has first been obtained from the patient in writing.

Whenever PHI is shared, the minimum necessary standard applies and any PHI shared must be limited to the minimum necessary information to achieve the purpose for which the information is shared.

The provisions of the HIPAA Privacy Rule are detailed in:

  • 45 CFR § 164.510(b) – Disclosures to family, friends, and other individuals involved in a patient’s care
  • 45 CFR § 164.510(a) – Disclosures to the media and individuals not involved in a patient’s care
  • 45 CFR § 164.508 – HIPAA authorizations
  • 45 CFR §§ 164.502(b) and 164.514(d) – The minimum necessary standard


NIST Updates its Risk Management Framework for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37), the first time the Risk Management Framework has been updated in the seven years since it was first published.

NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made.

The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that organizations often fail to communicate issues effectively with the C-suite.

One of the main aims of the update is to provide closer linkage and communication between risk management processes at the system and organization level and those of the C-Suite. More C-suite involvement will help to ensure that the Risk Management Framework is more effective when it is implemented.

The update will help to institutionalize critical enterprise-wide risk management preparatory activities enabling more cost-effective execution of the Framework at the system and operational level. NIST has also unified security and privacy concepts into the Framework to help organizations develop a more integrated approach to risk management.

The discussion draft of the updated NIST Risk Management Framework is open for comments until November 3, 2017. NIST said, “This draft is intended to promote discussion on the new organizational preparation step and the other innovations introduced in RMF 2.0.” Public comments will be accepted when the public draft of the guidance is issued in November 2017.

NIST hopes to release the final draft of the updated Risk Management Framework for Information Systems and Organizations in January 2018, and the final publication in March 2018.


How Employees Can Help Prevent HIPAA Violations

Employees can help prevent HIPAA violations by fully understanding what PHI is, knowing when PHI can permissibly be used and disclosed, and by following their employers’ policies on the compliant use of healthcare technologies and communication devices. Employees can also help prevent HIPAA violations by reporting ongoing poor practices to a manager or compliance officer.

One of the key goals of compliance officers is to prevent HIPAA compliance violations whenever possible. To achieve this goal, many compliance officers rely on technological solutions or sanctions policies to deter employees from noncompliant behaviors. However, by taking a more positive approach, employees can help prevent HIPAA violations.

Most Frequent Complaints

According to the Department of Health and Human Services’ Enforcement Highlights web page, the most frequent complaint received by HHS’ Office for Civil Rights relates to impermissible uses and disclosures of PHI. This is not surprising considering the variety of scenarios in which an authorization to use or disclose PHI is required, when individuals may or may not have the right to object to a use or disclosure, or when permissible uses or disclosures are subject to “other requirements”.

However, it is not only the variety of scenarios that can result in HIPAA violations. Many impermissible uses and disclosures occur due to a lack of understanding of what PHI is. The failure to understand what PHI is – and what it isn’t – can result in the next four most frequent violations occurring:

  • Lack of Privacy Rule safeguards for PHI
  • Lack of patient access to PHI
  • Lack of Security Rule safeguards for ePHI
  • Use or disclosure of more than the minimum necessary PHI

How to Prevent HIPAA Violations of this Nature

The obvious way to prevent HIPAA violations of this nature is to train all members of the workforce – not just employees – on what is considered PHI under HIPAA. Many HIPAA training courses fail to include this fundamental element of HIPAA compliance in their curriculum – focusing on the HIPAA training requirements of §164.530 and §164.308 to tick the box of compliance, rather than putting policy and procedure training and security and awareness training into context.

However, if members of the workforce do not fully understand what PHI is, it is not hard to imagine why it may be used or disclosed impermissibly, why patients allege access requests are not being acted on, and why more than the minimum necessary PHI is being disclosed. It may also explain why those with a responsibility for the privacy and security of PHI fail to implement reasonable and appropriate Privacy Rule policies or Security Rule safeguards.

How to Prevent Other Types of HIPAA Violations

In addition to providing training on what PHI is, it can help prevent HIPAA violations to highlight the most common violations by members of the workforce and explain how to follow HIPAA guidelines, in order to send the message “we know this happens – we don’t want it happening here”. The most common violations of HIPAA by members of the workforce include (but are not limited to):

Sharing passwords to systems containing PHI

Healthcare workers often share passwords to EHRs and other health IT systems – not out of malice, but “to get the job done” when their credentials are not sufficient to access required information. This is a violation of §164.312; and while it is the responsibility of the IT team to ensure each member of the workforce has “unique user identification”, employees should not share passwords, but rather pester the IT team to provide them with the credentials they need.

Leaving devices unsecured and unattended

Devices that can access PHI must have security features such as automatic logoff and PIN-lock (or other device locking process) enabled. All PHI on the device – or accessible by the device – should be encrypted. If a device or workstation used by a member of the workforce does not have these security features enabled, the risk of a data breach exists if a device or workstation is left unattended. This is a risk that is easy to prevent with the right technology.

Using insecure channels of communication

There are two potential HIPAA violations here. The first relates to transmission security when communicating PHI, while the second relates to an individual’s right to request how they are contacted. HIPAA allows Covered Entities to use insecure channels of communication to contact individuals, but individuals should be warned of the risks, and both the warning and the individual’s consent to use the channel of communication should be documented.

Disposing of PHI improperly

While most healthcare organizations have now transitioned to electronic health records, paper documents are still widely used. Any document containing PHI must be kept secure while in use and disposed of properly at end of life. The rules relating to the disposal of PHI also apply to electronic PHI – particularly when systems on which PHI is stored are decommissioned or when removable media and backup tapes are purged for re-use.

Accessing PHI out of curiosity

The accessing of patient health records by employees, without any legitimate reason for doing so, is a serious violation of HIPAA. While most healthcare employees respect the privacy of patients, there have been numerous cases over the years of employees snooping on the records of patients. It is important for all members of the workforce to be made aware that audit logs are implemented to protect patient health information in the workplace and can identify when employees have accessed PHI without good reason.
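Audit logs only protect PHI if someone actually reviews them. As an added example (not code from the HIPAA Journal article), the Python below runs a simple snooping check over constructed EHR audit records: it flags record views by users who are not on the patient's care-team roster and documented no break-glass reason, lists break-glass accesses for supervisory review, and ranks users who viewed several unrelated records in quick succession. The log format, roster, reason codes and user names are all assumptions.

```python
"""Curiosity-access check over EHR audit records (added example).

Assumptions: each audit line is "timestamp user patient action reason";
the care-team roster is the authority on treatment relationships; the
reason code "break-glass" marks a documented emergency override.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit records, not taken from any real system.
SAMPLE_LOG = """\
2017-10-09T08:01:12Z nurse.jones P-1001 VIEW treatment
2017-10-09T08:03:40Z nurse.jones P-1002 VIEW treatment
2017-10-09T12:15:03Z dr.smith    P-1001 VIEW treatment
2017-10-09T12:16:30Z dr.smith    P-2007 VIEW none
2017-10-09T12:17:01Z dr.smith    P-2008 VIEW none
2017-10-09T12:17:20Z dr.smith    P-2009 VIEW none
2017-10-09T22:41:55Z clerk.brown P-3000 VIEW none
2017-10-09T22:42:10Z clerk.brown P-3000 VIEW break-glass
"""

# Constructed care-team roster: patient -> users with a treatment relationship.
CARE_TEAM = {
    "P-1001": {"nurse.jones", "dr.smith"},
    "P-1002": {"nurse.jones"},
    "P-2007": {"dr.lee"},
    "P-2008": {"dr.lee"},
    "P-2009": {"dr.lee"},
    "P-3000": {"dr.lee"},
}


@dataclass(frozen=True)
class AccessRecord:
    ts: datetime
    user: str
    patient: str
    action: str
    reason: str


def parse_log(text):
    """Parse whitespace-separated audit lines into AccessRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, reason = line.split()
        records.append(AccessRecord(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user, patient, action, reason))
    return records


def find_unjustified_access(records, roster):
    """Split accesses by users outside the patient's care team into
    (unjustified, break_glass). Break-glass access is permitted in an
    emergency but still needs a reviewer to confirm it was warranted."""
    unjustified, break_glass = [], []
    for rec in records:
        if rec.user in roster.get(rec.patient, set()):
            continue  # documented treatment relationship: nothing to flag
        if rec.reason == "break-glass":
            break_glass.append(rec)
        else:
            unjustified.append(rec)
    return unjustified, break_glass


def bursty_users(records, window=timedelta(minutes=10), threshold=3):
    """Return {user: distinct_patients} for users who viewed at least
    `threshold` different patients within any `window`-long span; rapid
    browsing of unrelated charts is a classic snooping pattern."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec.user].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.ts)
        for i, start in enumerate(recs):
            patients = {r.patient for r in recs[i:] if r.ts - start.ts <= window}
            if len(patients) >= threshold:
                flagged[user] = len(patients)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    unjustified, break_glass = find_unjustified_access(recs, CARE_TEAM)
    for rec in unjustified:
        print(f"UNJUSTIFIED {rec.ts:%H:%M:%S} {rec.user} viewed {rec.patient}")
    for rec in break_glass:
        print(f"REVIEW      {rec.ts:%H:%M:%S} {rec.user} break-glass on {rec.patient}")
    for user, n in bursty_users(unjustified).items():
        print(f"BURST       {user} viewed {n} unrelated patients within 10 minutes")
```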

Sharing PHI on social media without authorization

One of the reasons it is important that all members of the workforce know what is considered PHI under HIPAA is so that they do not inadvertently or deliberately share PHI on social media without authorization. Even something as apparently innocuous as commenting on a personality being seen at a medical center is a HIPAA violation that could lead to a sanction being applied or a complaint by the personality being made to HHS’ Office for Civil Rights.

The Benefits of Training Employees How to Avoid HIPAA Violations

Training employees how to avoid HIPAA violations not only reduces the number of violations but can also help reduce the number of unjustified complaints made to the organization and to HHS’ Office for Civil Rights. A significant statistic on HHS’ Enforcement Highlights web page is that many reported violations are not violations at all. Of more than 300,000 complaints received since 2003, more than 200,000 have been rejected because “they did not present an eligible case for enforcement”. Among the reasons given by HHS for rejecting two-thirds of complaints were:

  • The complaint was made against an organization not subject to HIPAA
  • The activity described in the complaint did not violate any HIPAA Rules
  • The complaint was withdrawn by the individual on review

Training employees to avoid HIPAA violations so they understand what PHI is can be beneficial in reducing unjustified complaints made by individuals who themselves do not know what PHI is. Employees can pass their knowledge on to patients and plan members to reduce the number of complaints made about impermissible uses and disclosures or disclosing more than the minimum necessary PHI – saving compliance officers valuable time replying to unjustified complaints or responding to HHS enquiries in the complaints review process.

How Employees Can Help Prevent HIPAA Violations: FAQs

Where does the Privacy Rule state the permissible uses and disclosures of PHI?

The Privacy Rule states the permissible uses and disclosures of PHI – including those requiring an authorization or in circumstances when an individual has the right to object – in sections §164.502 to §164.514 of the Administrative Simplification Regulations. Many of the standards apply to infrequent events, but it is important that members of the workforce know what to do when these infrequent events occur.

How might somebody with a responsibility for security fail to implement safeguards?

The reason why somebody with a responsibility for security might fail to implement safeguards is that a lot of misinformation exists on the Internet. For example, if a Security Officer safeguards the so-called 18 HIPAA identifiers but no other identifiers, details such as Medicare Beneficiary Identifiers, social media handles, and emotional support animals (any of which could be used to identify an individual) could remain unsecured.

What is the problem with sharing passwords to systems containing PHI?

The problem with sharing passwords to systems containing PHI is that if an employee shares their login credentials with a colleague, and the colleague misuses PHI or discloses PHI impermissibly, the HIPAA violation will be attributed to the owner of the login credentials rather than the colleague who was using them.

Does a personal mobile device have to have HIPAA security features enabled?

A personal mobile device must have HIPAA security features enabled if it is used to access systems containing PHI or communicate PHI with a colleague or patient. In such cases, the device has to be configured to meet the standards of the Security Rule. While applying the standards may seem like an imposition on the owner of the device, they are a best practice for personal data security even if the device is not used to access or communicate PHI.

Is it possible to share PHI on social media with authorization?

It is possible to share PHI on social media with authorization, but in order to do so, the authorization form must state why PHI is being shared. It also has to be documented that the individual has been made aware that it may not be possible to revoke the authorization. This is because once content is posted on a social media platform, any further use or disclosure is out of the control of the person who posted it.

What is the best way to prevent HIPAA violations?

The best way to prevent HIPAA violations is to ensure HIPAA-compliant policies and procedures are developed, Security Rule safeguards are implemented, and all members of the workforce are thoroughly trained on HIPAA compliance. In addition, Covered Entities and Business Associates need to keep on top of monitoring compliance with the policies and procedures and ensure sanctions are applied consistently and fairly whenever necessary.

How can a healthcare organization avoid HIPAA violations?

A healthcare organization can avoid HIPAA violations by empowering members of the workforce to be the eyes and ears of HIPAA compliance. This can be achieved by implementing an anonymous communication channel through which members of the workforce can raise concerns about non-compliant practices and risks to the privacy of individually identifiable health information.

How is it possible to protect patient health information in the workplace?

There are several ways it is possible to protect patient health information in the workplace. One of the best ways is to minimize the number of designated record sets per patient. This makes it easier to identify where PHI is created, used, and maintained, so appropriate safeguards can be implemented to prevent impermissible disclosures and breaches of unsecured PHI.

What are the top five HIPAA tips for staff?

The five top HIPAA tips for staff can vary according to the role of the individual and the operations of their employer. For example, a nurse working in an ED will have very different compliance challenges than a claims processor working as a business associate. However, there are some common HIPAA tips that apply to all staff:

  • Pay attention to HIPAA training; and, if there is something you don’t understand, ask.
  • Ensure you are aware what PHI is and your employer’s policies for disclosing PHI.
  • If you identify a HIPAA violation in the workplace, report it and document your report.
  • Never share login credentials without first checking with a member of the IT team.
  • Don’t rely on colleagues if you are unsure about HIPAA compliance. Check with a manager or your Privacy/Security Officer.

What advice should a new member of the workforce be given on how to not violate HIPAA?

The advice a new member of the workforce should be given on how to not violate HIPAA is to follow the policies developed by your employer. This is because a member of the workforce cannot be held liable for a violation of HIPAA if their employer’s policies are not HIPAA compliant. It is important to be aware that an employer’s sanctions policy only applies to the policies the employer has developed – which are not necessarily the same as the HIPAA standards.

What are the key HIPAA do’s and don’ts for employees?

The key HIPAA do’s and don’ts for employees are to comply with your employer’s HIPAA policies and – if you feel they contradict HIPAA – don’t assume you know better. In addition, if you see a HIPAA violation in the workplace, do report it – don’t be afraid of alienating work colleagues. Finally, do make sure you participate in security and awareness training and don’t share login credentials.

Why is protecting PHI in the workplace important?

Protecting PHI in the workplace is important because impermissible uses and disclosures of PHI and breaches of unsecured PHI can result in loss, fraud, and reputational damage. This not only applies to the subject(s) of the PHI, but also to healthcare organizations and health plans who could end up providing – and paying for – expensive treatments to criminals in possession of stolen PHI.

How does reporting HIPAA violations in the workplace support HIPAA compliance?

Reporting HIPAA violations in the workplace supports HIPAA compliance in a number of ways. For example, reporting HIPAA violations can alert Privacy Officers to the need for more training, the need to fill gaps in HIPAA policies, and/or the need to better monitor workplace compliance. Once these needs are identified and resolved, the workplace will likely become more HIPAA compliant.

What are HIPAA reminders for staff?

HIPAA reminders for staff can take various forms. They can be verbal reminders from a supervisor who has observed a member of staff taking a compliance shortcut, they can be refresher training provided periodically by a conscientious employer, or they can be the HIPAA security reminders required by the Administrative Safeguards of the Security Rule (45 CFR §164.308(5)(ii)(A)).

What strategies are used to prevent HIPAA privacy violations?

The strategies used to prevent HIPAA privacy violations can vary from organization to organization, but generally they consist of education, supervision, and enforcement – education being the HIPAA training all new members of the workforce are required to undergo, supervision being the monitoring of staff compliance and security technologies, and enforcement being the fair and consistent application of a HIPAA sanctions policy.

What is the HIPAA policy for healthcare employees?

There is no single HIPAA policy for healthcare employees. In many cases, there are hundreds of HIPAA policies for healthcare employees – although most employees will not be aware of them all. This is because the Privacy Rule only requires covered entities to train healthcare employees “on the policies and procedures […] necessary and appropriate for members of the workforce to carry out their functions with the covered entity”. Although healthcare employees are required to comply with HIPAA, they will only be trained on the HIPAA policies relevant to their roles.

What are the breach prevention best practices according to HIPAA?

HIPAA itself is technology neutral and does not provide breach prevention best practices per se. Indeed, even though the Security Rule stipulates that Administrative, Physical, and Technical Safeguards must be implemented to protect the confidentiality, integrity, and availability of electronic PHI, the Rule itself has a “flexibility of approach” clause in its “General Rules” (45 CFR §164.306(b)(1)).

However, since the publication of the Security Rule, the National Institute of Standards and Technology (NIST) Guide SP 800-53 has been widely acknowledged as the source of breach prevention best practices for HIPAA. In 2016, the Department of Health and Human Services published a “crosswalk” to help covered entities and business associates better comply with the Security Rule.

It is important for covered entities and business associates to be aware that adopting the measures in the crosswalk or in NIST’s latest guidance (SP 800-66r2) does not guarantee compliance with the Security Rule. However, the two publications contain what many experts believe to be the most comprehensive breach prevention best practices for HIPAA.

What HIPAA laws do healthcare providers have to comply with?

The HIPAA laws healthcare providers have to comply with are the Privacy Rule, the Security Rule, and the Breach Notification Rule if they qualify as a HIPAA covered entity. Not all healthcare providers qualify as a covered entity; however, if a non-qualifying healthcare provider provides a service to or on behalf of a covered entity as a “business associate”, they may also have to comply with the Privacy Rule (or parts thereof) as well as the Security Rule, and the Breach Notification Rule.

All covered entities and business associates must comply where appropriate with the General Provisions of 45 CFR Parts 160 and 164, while healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has published standards have to comply with all applicable provisions of 45 CFR Part 162 (mostly relating to transactions between health plans and healthcare providers for eligibility, authorization, billing, and payment).

What are the Rules of HIPAA for healthcare organizations?

The Rules of HIPAA for healthcare organizations that qualify as HIPAA covered entities are:

  • The Privacy Rule – the standards for the privacy of individually identifiable health information.
  • The Security Rule – the standards for the protection of electronic protected health information.
  • The Enforcement Rule – the processes for HHS investigations and imposition of sanctions by HHS.
  • The Breach Notification Rule – the standards for notifying individuals and HHS of a data breach.
  • The Final Omnibus Rule – the amendments to existing HIPAA Rules introduced by the HITECH Act.

Most healthcare organizations are required to comply with the above Rules of HIPAA, plus – where applicable – the General Provisions of 45 CFR Parts 160 and 164 of the Administrative Simplification Regulations. Healthcare organizations and business associates that conduct transactions for which the Department of Health and Human Services has published standards are also required to comply with the General Provisions and the Transactions, Identifier, and Code Set Rules in 45 CFR Part 162.

What is one good way to avoid violating HIPAA?

One good way to avoid violating HIPAA if you are a member of a covered entity’s or business associate’s workforce is to apply the information you learn in HIPAA training to your day-to-day roles – especially the information relating to permissible uses and disclosures of PHI, because this is the most frequently alleged HIPAA violation reported to HHS’ Office for Civil Rights via the Complaint Portal.

What can employees do to prevent a security breach in the workplace?

Employees can do a lot to prevent a security breach in the workplace. Possibly the most important things employees can do are to use unique, complex passwords for each online account, never disclose or share passwords, and protect sensitive accounts and databases with 2-factor authentication – even if their employer does not require these basic security measures.

What does the mitigation of a violation of PHI mean?

The mitigation of a violation of PHI is a strange term to use because usually people talk in terms of HIPAA violations and PHI breaches – the two terms meaning different things. A HIPAA violation is any failure to comply with the standards of the Administrative Simplification Regulations (45 CFR Parts 160 – 164) and the Confidentiality of Substance Abuse Disorder Patient Records (42 CFR Part 2).

A violation of any of these standards doesn’t necessarily result in a breach of unsecured PHI; but when it does, lessening (or mitigating) the impact of the breach can reduce the amount of harm an individual suffers, the risk of compromised PHI being used to commit insurance fraud, and the amount an organization could be fined for failing to comply with the HIPAA standards.

Can an employer disclose medical information to other employees?

Whether or not an employer can disclose medical information to other employees depends on state privacy laws rather than HIPAA. Employers are exempt from HIPAA in their role as an employer, so any health information collected, maintained, or transmitted by an employer as part of an employee’s employment record is not subject to the protection of the Privacy Rule.

Can an employer request medical information?

An employer can request medical information about an employee from a healthcare provider if the information requested is required to comply with state and/or federal requirements for reporting workplace injuries and illnesses. However, the healthcare provider is only allowed to disclose the minimum necessary medical information to meet the reporting requirements.

An employer can also request medical information from an employee to justify an absence, to enroll an employee in a group health plan or wellness program, to maintain the health and safety of other members of the workforce, to comply with the Family Medical Leave Act, or to accommodate members of the workforce under the Americans with Disabilities Act.

My HIPAA rights were violated by my employer. What should I do?

It is unlikely that your HIPAA rights were violated by your employer because, except in a few circumstances, employers are exempt from HIPAA in their role as employer. However, there may be state privacy laws that limit what individually identifiable health information an employer can disclose, and you should discuss your options with your HR department or a legal professional.

The post How Employees Can Help Prevent HIPAA Violations appeared first on HIPAA Journal.

Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement

The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General.

In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect.

The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication.

The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers.
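The two paragraphs above describe the failure mode: an attachment was reachable at a unique URL with no authentication, so anyone (or any crawler) that obtained the link got the file, and nothing told the search engine not to index it. The following is an added example, not code from SAManage USA or HIPAA Journal, contrasting that "unguessable URL is the only control" pattern with a handler that requires an authenticated session, checks that the user is on the ticket's access list, and marks the response non-cacheable and non-indexable. The handlers are framework-free (a request is a dict) so they run offline; the token, ticket id, users, sessions and file contents are constructed.

```python
"""Ticket attachments: an unguessable URL alone versus authenticated access.

Added illustration, not SAManage USA's or HIPAA Journal's code. Handlers are
framework-free (a request is a dict) so they run offline; the attachment
token, ticket id, users, sessions and file contents are constructed.
"""

# Constructed attachment store: URL token -> (owning ticket, file bytes).
ATTACHMENTS = {
    "k8Qz3vT1pL": ("TICKET-42", b"name,ssn\nJane Sample,000-00-0000\n"),
}
# Constructed ticket access lists: ticket id -> users allowed to view it.
TICKET_ACL = {"TICKET-42": {"agent_kim", "requester_pat"}}
# Constructed session table: session cookie value -> authenticated user.
SESSIONS = {"sess-7f1e": "agent_kim", "sess-0c9d": "outsider_sam"}

# Headers that keep a sensitive download out of shared caches and search indexes.
PRIVATE_HEADERS = {
    "Cache-Control": "private, no-store",
    "X-Robots-Tag": "noindex, nofollow",
}


def _token_from_path(path):
    """The last path segment is the attachment token, e.g. /attachments/<token>."""
    return path.rsplit("/", 1)[-1]


def serve_attachment_weak(request):
    """'Before' pattern (the failure the breach describes): the hard-to-guess
    token is the only control. Whoever holds the URL, including a crawler that
    finds it in a page or log, receives the file, and nothing marks it
    non-indexable. Returns (status, headers, body)."""
    entry = ATTACHMENTS.get(_token_from_path(request["path"]))
    if entry is None:
        return 404, {}, b""
    _ticket, body = entry
    return 200, {"Content-Type": "text/csv"}, body


def serve_attachment(request):
    """Hardened handler: the token only locates the file. The caller must hold
    a valid session AND be on the ticket's access list; unauthorized callers get
    the same 404 as a missing token so the file's existence is not confirmed,
    and every response carries no-store / noindex headers."""
    user = SESSIONS.get(request.get("cookies", {}).get("session"))
    if user is None:
        return 401, dict(PRIVATE_HEADERS), b""  # not logged in: no file, no hint
    entry = ATTACHMENTS.get(_token_from_path(request["path"]))
    if entry is None:
        return 404, dict(PRIVATE_HEADERS), b""
    ticket_id, body = entry
    if user not in TICKET_ACL.get(ticket_id, set()):
        return 404, dict(PRIVATE_HEADERS), b""  # authenticated but not authorized
    headers = dict(PRIVATE_HEADERS)
    headers["Content-Type"] = "text/csv"
    headers["Content-Disposition"] = 'attachment; filename="export.csv"'
    return 200, headers, body


if __name__ == "__main__":
    url = {"path": "/attachments/k8Qz3vT1pL"}
    print("weak, no login:    ", serve_attachment_weak(url)[0])
    print("hardened, no login:", serve_attachment(url)[0])
    print("hardened, outsider:", serve_attachment({**url, "cookies": {"session": "sess-0c9d"}})[0])
    print("hardened, agent:   ", serve_attachment({**url, "cookies": {"session": "sess-7f1e"}})[0])
```

The weak handler returns the spreadsheet to an unauthenticated request; the hardened one answers 401 without a session, 404 for a logged-in user who is not on the ticket, and serves the file only to an authorized user, with headers that tell caches not to store it and search engines not to index or preview it. The authorization check is the control that actually matters; the `X-Robots-Tag` header is a second layer against exactly the indexing and preview exposure the article describes, not a substitute for authentication.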

Vermont Attorney General T.J. Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and requested the document be removed. Amazon in turn contacted SAManage USA to alert the firm to the breach. However, while an engineer was alerted to the SAManage USA data breach, the incident was not communicated to the appropriate personnel within the company.

The Vermont Security Breach Notice Act requires companies to alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was alerted to the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be notified, shortly after the Attorney General contacted SAManage USA about the breach.

It took almost two months for breach victims to be notified. Attorney General Donovan said that were it not for the intervention of his office, the breach would not have been reported.

SAManage USA has agreed to a $264,000 settlement to resolve the case and will adopt a robust corrective action plan, which includes implementing a comprehensive information security program to prevent further privacy breaches.

In a statement about the settlement, Attorney General Donovan said, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws.” He added, “This is an appropriate penalty given the specific facts of this incident and that the company fully cooperated with our investigation.”

The post Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement appeared first on HIPAA Journal.