Healthcare Data Privacy

How Employees Can Help Prevent HIPAA Violations

Posted by HIPAA Journal

Employees can help prevent HIPAA violations by fully understanding what PHI is, knowing when PHI can permissibly be used and disclosed, and by following their employers’ policies on the compliant use of healthcare technologies and communication devices. Employees can also help prevent HIPAA violations by reporting ongoing poor practices to a manager or compliance officer.

One of the key goals of compliance officers is to prevent HIPAA compliance violations whenever possible. To achieve this goal, many compliance officers rely on technological solutions or sanctions policies to deter employees from noncompliant behaviors. However, by taking a more positive approach, employees can help prevent HIPAA violations.
Ten Most Common HIPAA Violations

Use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance. Please use the form on this page to arrange for your copy.

Most Frequent Complaints

According to the Department of Health and Human Services´ Enforcement Highlights web page, the most frequent complaint received by HHS´ Office for Civil Rights relates to impermissible uses and disclosure of PHI. This is not surprising considering the variety of scenarios in which an authorization to use or disclose PHI is required, when individuals may or may not have the right to object to a use or disclosure, or when permissible uses or disclosures are subject to “other requirements”.

However, it is not only the variety of scenarios that can result in HIPAA violations. Many impermissible uses and disclosures occur due to a lack of understanding of what PHI is. The failure to understand what PHI is – and what it isn´t – can result in the next four most frequent violations occurring:

  • Lack of Privacy Rule safeguards for PHI
  • Lack of patient access to PHI
  • Lack of Security Rule safeguards for ePHI
  • Use or disclosure of more than the minimum necessary PHI

How to Prevent HIPAA Violations of this Nature

The obvious way to prevent HIPAA violations of this nature is to train all members of the workforce – not just employees – on what is considered PHI under HIPAA. Many HIPAA training courses fail to include this fundamental basic of HIPAA compliance in their curriculum – focusing on the HIPAA training requirements of §164.530 and §164.308 to tick the box of compliance, rather than putting policy and procedure training and security and awareness training into context.

However, if members of the workforce do not fully understand what PHI is, it is not hard to imagine why it may be used or disclosed impermissibly, why patients allege access requests are not being acted on, and why more than the minimum necessary PHI is being disclosed. It may also explain why those with a responsibility for the privacy and security of PHI fail to implement reasonable and appropriate Privacy Rule policies or Security Rule safeguards.

How to Prevent Other Types of HIPAA Violations

In addition to providing training on what PHI is, it can help prevent HIPAA violations to highlight the most common violations by members of the workforce and explain how to follow HIPAA guidelines in order to send the message “we know this happens – we don´t want it happening here”. The most common violations of HIPAA by members of the workforce include (but are not limited to).

Sharing passwords to systems containing PHI

Healthcare workers often share passwords to EHRs and other health IT systems – not out of malice, but “to get the job done” when their credentials are not sufficient to access required information. This is a violation of §164.312; and while it is the responsibility of the IT team to ensure each member of the workforce has “unique user identification”, employees should not share passwords, but rather pester the IT team to provide them with the credentials they need.

Leaving devices unsecured and unattended

Devices that can access PHI must have security features such as automatic logoff and PIN-lock (or other device locking process) enabled. All PHI on the device – or accessible by the device – should be encrypted. If a device or workstation used by a member of the workforce does not have these security features enabled, the risk of a data breach exists if a device or workstation is left unattended. This is a risk that is easy to prevent with the right technology.

Using unsecure channels of communication

There are two potential HIPAA violations here. The first relates to transmission security when communicating PHI, while the second relates to an individual´s right to request how they are contacted. HIPAA allows for Covered Entities to use unsecure channels of communication to contact individuals, but individuals should be warned of the risks, and both the warning and the individual´s consent to use the channel of communication should be documented.

Disposing of PHI improperly

While most healthcare organizations have now transitioned to electronic health records, paper documents are still widely used. Any document containing PHI must be kept secure while in use and disposed of properly at end of life. The rules relating to the disposal of PHI also apply to electronic PHI – particularly when systems on which PHI is stored are decommissioned or when removable media and backup tapes are purged for re-use.

Accessing PHI out of curiosity

The accessing of patient health records by employees, without any legitimate reason for doing so, is a serious violation of HIPAA. While most healthcare employees respect the privacy of patients, there have been numerous cases over the years of patients snooping on the records of patients. It is important for all members of the workforce to be made aware that audit logs are implemented to protect patient health information in the workplace and can identify when employees have access PHI without good reason.

Sharing PHI on social media without authorization

One of the reasons it is important that all members of the workforce know what is considered PHI under HIPAA is so that they do not inadvertently or deliberately share PHI on social media without authorization. Even something as apparently innocuous as commenting on a personality being seen at a medical center is a HIPAA violation that could lead to a sanction being applied or a complaint by the personality being made to HHS´ Office for Civil Rights.

The Benefits of Training Employees How to Avoid HIPAA Violations

Training employees how to avoid HIPAA violations not only reduces the number of violations but can also help reduce the number of unjustified complaints made to the organization and to HHS´ Office for Civil Rights. A significant statistic on HHS´ Enforcement Highlights web page, is that many reported violations are not violations at all. Of more than 300,000 complaints received since 2003, more than 200,000 have been rejected because “they did not present an eligible case for enforcement”. Among the reasons given by HHS for rejecting two-thirds of complaints were:

  • The complaint was made against an organization not subject to HIPAA
  • The activity described in the complaint did not violate any HIPAA Rules
  • The complaint was withdrawn by the individual on review.

Training employees to avoid HIPAA violations so they understand what PHI is can be beneficial in reducing unjustified complaints made by individuals who themselves do not know what PHI is. Employees can pass their knowledge on to patients and plan members to reduce the number of complaints made about impermissible uses and disclosures or disclosing more than the minimum necessary PHI – saving compliance officers valuable time replying to unjustified complaints or responding to HHS enquiries in the complaints review process.

How Employees Can Help Prevent HIPAA Violations: FAQs

Where does the Privacy Rule state the permissible uses and disclosures of PHI?

The Privacy Rule states the permissible uses and disclosures of PHI – including those requiring an authorization or in circumstances when an individual has the right to object – in sections §164.502 to §164.514 of the Administrative Simplification Regulations. Many of the standards apply to infrequent events, but it is important members of the workforce know what to do when these infrequent events occur.

How might somebody with a responsibility for security fail to implement safeguards?

The reason why somebody with a responsibility for security might fail to implement safeguards is that a lot of misinformation exists on the Internet. For example, if a Security Officer safeguards the so-called 18 HIPAA identifiers, but no other identifiers, details such as Medicare Beneficiaries Identifiers, social media handles, and emotional support animals (that could be used to identify an individual) could remain unsecured.

What is the problem with sharing passwords to systems containing PHI?

The problem with sharing passwords to systems containing PHI is that if an employee shares their login credentials with a colleague, and the colleague misuses PHI or disclosures PHI impermissibly, the HIPAA violation will be attributed to the owner of the login credentials rather than the colleague who was using them.

Does a personal mobile device have to have HIPAA security features enabled?

A personal mobile device must have HIPAA security features enabled if it is used to access systems containing PHI or communicate PHI with a colleague or patient. In such cases, the device has to be configured to meet the standards of the Security Rule. While applying the standards may seem like an imposition on the owner of the device, they are a best practice for personal data security even if the device is not used to access or communicate PHI.

Is it possible to share PHI on social media with authorization?

It is possible to share PHI on social media with authorization; but, in order to do so, the authorization form must state why PHI is being shared. It also has to be documented that the individual has been made aware that it may not be possible to revoke the authorization. This is because once content is posted on a social media platform, any further use or disclosure is out of the control of the person who posted it.

What is the best way to prevent HIPAA violations?

The best way to prevent HIPAA violations is to ensure HIPAA-compliant policies and procedures are developed, Security Rule safeguards are implemented, and all members of the workforce are thoroughly trained on HIPAA compliance. In addition, Covered Entities and Business Associates need to keep on top of monitoring compliance with the policies and procedures and ensure sanctions are applied consistently and fairly whenever necessary.

How can a healthcare organization avoid HIPAA violations?

A healthcare organization can avoid HIPAA violations by empowering members of the workforce to be the eyes and ears of HIPAA compliance. This can be achieved by implementing an anonymous communication channel through which members of the workforce can raise concerns about non-compliant practices and risks to the privacy of individually identifiable health information.

How is it possible to protect patient health information in the workplace?

There are several ways it is possible to protect patient health information in the workplace. One of the best ways is to minimize the number of designated record sets per patient. This makes it easier to identify where PHI is created, used, and maintained, so appropriate safeguards can be implemented to prevent impermissible disclosures and breaches of unsecure PHI.

What are the top five HIPAA tips for staff?

The five top HIPAA tips for staff can vary according to the role of the individual and the operations of their employer. For example, a nurse working in an ED will have very different compliance challenges than a claims processor working as a business associate. However, there are some common HIPAA tips that apply to all staff:

  • Pay attention to HIPAA training; and, if there is something you don´t understand, ask.
  • Ensure you are aware what PHI is and your employer´s policies for disclosing PHI.
  • If you identify a HIPAA violation in the workplace, report it and document your report.
  • Never share login credentials without first checking with a member of the IT team.
  • Don´t rely on colleagues if you are unsure about HIPAA compliance. Check with a manager or your Privacy/Security Officer.

What advice should a new member of the workforce be given on how to not violate HIPAA?

The advice a new member of the workforce should be given on how to not violate HIPAA is to follow the policies developed by your employer. This is because a member of the workforce cannot be held liable for a violation of HIPAA if their employer´s policies are not HIPAA compliant. It is important to be aware that an employer´s sanctions policy only applies to the policies the employer has developed – which are not necessarily the same as the HIPAA standards.

What are the key HIPAA do’s and don’ts for employees?

The key HIPAA do’s and don’ts for employees are to comply with your employer´s HIPAA policies and – if you feel they contradict HIPAA – don´t assume you know better. In addition, if you see a HIPAA violation in the workplace, do report it – don’t be afraid of alienating work colleagues. Finally, do make sure you participate in security and awareness training and don´t share login credentials.

Why is protecting PHI in the workplace important?

Protecting PHI in the workplace is important because impermissible uses and disclosures of PHI and breaches of unsecured PHI can result in loss, fraud, and reputational damage. This not only applies to the subject(s) of the PHI, but also to healthcare organizations and health plans who could end up providing – and paying for – expensive treatments to criminals in possession of stolen PHI.

How does reporting HIPAA violations in the workplace support HIPAA compliance?

Reporting HIPAA violations in the workplace supports HIPAA compliance in a number of ways. For example, reporting HIPAA violations can alert Privacy Officers to the need for more training, the need to fill gaps in HIPAA policies, and/or the need to better monitor workplace compliance. Once these needs are identified and resolved, the workplace will likely become more HIPAA compliant.

What are HIPAA reminders for staff?

HIPAA reminders for staff can take various forms. They can be verbal reminders from a supervisor who has observed a member of staff taking a compliance shortcut, they can be refresher training provided periodically by a conscientious employer, or they can be the HIPAA security reminders required by the Administrative Safeguards of the Security Rule (45 CFR §164.308(5)(ii)(A)).

What strategies are used to prevent HIPAA privacy violations?

The strategies used to prevent HIPAA privacy violations can vary from organization to organization, but generally they consist of education, supervision, and enforcement – Education being the HIPAA training all new members of the workforce are required to undergo, supervision being the monitoring of staff compliance and security technologies, and enforcement being the fair and consistent application of a HIPAA sanctions policy.

What is the HIPAA policy for healthcare employees?

There is no single HIPAA policy for healthcare employees. In many cases, there are hundreds of HIPAA policies for healthcare employees – although most employees will not be aware of them all. This is because the Privacy Rule only requires covered entities to train healthcare employees “on the policies and procedures […] necessary and appropriate for members of the workforce to carry out their functions with the covered entity”. Although healthcare employees are required to comply with HIPAA, they will only be trained on the HIPAA policies relevant to their roles.

What are the breach prevention best practices according to HIPAA?

HIPAA itself is technology neutral and does not provide breach prevention best practices per se. Indeed, even though the Security Rule stipulates Administrative, Physical, and Technical Safeguards must be implemented to protect the confidentiality, integrity, and confidentiality of electronic PHI, the Rule itself has a “flexibility of approach” clause in its “General Rules” (45 CFR §164.306(b)(1)).

However, since the publication of the Security Rule, the National Institute of Standards and Technology (NIST) Guide SP 800-53 has been widely acknowledged as the source of breach prevention best practices for HIPAA. In 2016, the Department of Health and Human Services published a “crosswalk” to help covered entities and business associates better comply with the Security Rule.

It is important for covered entities and business associates to be aware that adopting the measures in the crosswalk or in NIST´s latest guidance (SP 800-66r2) does not guarantee compliance with the Security Rule. However, the two publications contain what many experts believe to be the most comprehensive breach prevention best practices for HIPAA.

What HIPAA laws do healthcare providers have to comply with?

The HIPAA laws healthcare providers have to comply with are the Privacy Rule, the Security Rule, and the Breach Notification Rule if they qualify as a HIPAA covered entity. Not all healthcare providers qualify as a covered entity; however, if a non-qualifying healthcare provider provides a service to or on behalf of a covered entity as a “business associate”, they may also have to comply with the Privacy Rule (or parts thereof) as well as the Security Rule, and the Breach Notification Rule.

All covered entities and business associates must comply where appropriate with the General Provisions of 45 CFR Parts 160 and 164, while healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has published standards have to comply with all applicable provisions of 45 CFR Part 162 (mostly relating to transactions between health plans and healthcare providers for eligibility, authorization, billing, and payment).

What are the Rules of HIPAA for healthcare organizations?

The Rules of HIPAA for healthcare organizations that qualify as HIPAA covered entities are:

  • The Privacy Rule – the standards for the privacy of individually identifiable health information.
  • The Security Rule – the standards for the protection of electronic protected health information.
  • The Enforcement Rule – the processes for HHS investigations and imposition of sanctions by HHS.
  • The Breach Notification Rule – the standards for notifying individuals and HHS of a data breach.
  • The Final Omnibus Rule – the amendments to existing HIPAA Rules introduced by the HITECH Act.

Most healthcare organizations are required to comply with the above Rules of HIPAA, plus – where applicable – the General Provisions of 45 CFR Parts 160 and 164 of the Administrative Simplification Regulations. Healthcare organizations and business associates that conduct transactions for which the Department of Health and Human Services has published standards are also  required to comply with the General Provisions and the Transactions, Identifier, and Code Set Rules in 45 CFR Part 162.

What is one good way to avoid violating HIPAA?

One good way to avoid violating HIPAA if you are a member of a covered entity´s or business associate´s workforce is to apply the information you learn in HIPAA training to your day-to-day roles – especially the information relating to permissible uses and disclosures of PHI because this is the most alleged HIPAA violation reported to HHS´ Office of Civil Rights via the Complaint Portal.

What can employees do to prevent a security breach in the workplace?

Employees can do a lot to prevent a security breach in the workplace. Possibly the most important thing employees can do is to use unique, complex passwords for each online account, never disclose or share passwords, and protect sensitive accounts and databases with 2-factor authentication – even if your employer does not require these basic security measures.

What does the mitigation of a violation of PHI mean?

The mitigation of a violation of PHI is a strange term to use because usually people talk in terms of HIPAA violations and PHI breaches – the two terms meaning different things. A HIPAA violation is any failure to comply with the standards of the Administrative Simplification Regulations (45 CFR Parts 160 – 164) and the Confidentiality of Substance Abuse Disorder Patient Records (42 CFR Part 2).

A violation of any of these standards doesn´t necessarily result in a breach of unsecured PHI; but when it does, lessening (or mitigating) the impact of the breach can reduce the amount of harm an individual suffers, the risk of compromised PHI being used to commit insurance fraud, and the amount an organization could be fined for failing to comply with the HIPAA standards.

Can an employer disclose medical information to other employees?

Whether or not an employer can disclose medical information to other employees depends on state privacy laws rather than HIPAA. Employers are exempt from HIPAA in their role as an employer, so any health information collected, maintained, or transmitted by an employer as part of an employee’s employment record is not subject to the protection of the Privacy Rule.

Can an employer request medical information?

An employer can request medical information about an employee from a healthcare provider if the information requested is required to comply with state and/or federal requirements for reporting workplace injuries and illnesses. However, the healthcare provider is only allowed to disclose the minimum necessary medical information to meet the reporting requirements.

An employer can also request medical information from an employee to justify an absence, to enroll an employee in a group health plan or wellness program, to maintain the health and safety of other members of the workforce, to comply with the Family Medical Leave Act, or to accommodate members of the workforce under the Americans with Disabilities Act.

My HIPAA rights were violated by my employer. What should I do?

It is unlikely that your HIPAA rights were violated by your employer because, except in a few circumstances, employers are exempt from HIPAA In their role as employer. However, there may be state privacy laws that limit what individually identifiable health information an employer can disclose, and you should discuss your options with your HR department or a legal professional.

The post How Employees Can Help Prevent HIPAA Violations appeared first on HIPAA Journal.

Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement

Posted by HIPAA Journal

The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General.

In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect.

The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication.

The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers.

Vermont Attorney General T.J Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and requested the document be removed. Amazon in turn contacted SAManage USA to alert the firm to the breach. However, while an engineer was alerted to the SAManage USA data breach, the incident was not communicated to the appropriate personnel within the company.

The Vermont Security Breach Notice Act requires companies to alert the Attorney General’s office of a breach within 14 days of discovery and consumers within 45 days. SAManage USA was alerted to the breach by Amazon on July 25, 2016, but it took until late September 2016 for the Attorney General’s office to be notified, shortly after the Attorney General contacted SAManage USA about the breach.

It took almost two months for breach victims to be notified. Attorney General Donovan said that were it not for the intervention of his office, the breach would not have been reported.

SAManage USA has agreed to a $264,000 settlement to resolve the case and will adopt a robust corrective action plan, which includes implementing a comprehensive information security program to prevent further privacy breaches.

In a statement about the settlement, Attorney General Donovan said, “Vermonters are increasingly aware of the dangers of mishandling Social Security numbers, and we will continue to protect them by enforcing our data breach and consumer protection laws,” he explained that “This is an appropriate penalty given the given the specific facts of this incident and that the company fully cooperated with our investigation.”

The post Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement appeared first on HIPAA Journal.

National Cyber Security Awareness Month: What to Expect

Posted by HIPAA Journal

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens.

National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners.

Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure.

DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month:

National Cyber Security Awareness Month Summary

  • Week 1: Simple Steps to Online Safety (Oct. 2-6)
  • Week 2: Cybersecurity at Work (Oct. 9-13)
  • Week 3: Today’s Predictions for Tomorrow’s Internet (Oct. 16-20)
  • Week 4: Careers in Cybersecurity (Oct. 23-27)
  • Week 5: Cybersecurity and Critical Infrastructure (Oct. 30-31)

Week 1 focuses on basic cybersecurity and cyber hygiene – simple steps that can be taken to greatly improve resilience to cyberattacks.

These basic cybersecurity measures are likely to have already been adopted by the majority of businesses, but these simple controls can all too easily be overlooked. The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal is littered with reports of security incidents that have resulted from the failures to get the basics of cybersecurity right. Week 1 is the perfect time to conduct a review of these basic cybersecurity measures to ensure they have all been adopted.

This year has already seen several major data breaches reported, including the massive breach at Equifax that impacted 143 million Americans. In May, WannaCry ransomware attacks spread to more than 150 countries and the NotPetya wiper attacks in June causes extensive damage. FedEx and Maersk have both announced that the attacks could end up costing $300 million.

All three of those cyberattacks occurred as a result of the failure to implement patches promptly. Then there is the recently announced Deloitte data breach. That security breach has been linked to the failure to implement two-factor authentication – Another basic cybersecurity measure.

Stop. Think. Connect

During the first week of National Cyber Security Awareness Month, the NCSA will be promoting its “STOP. THINK. CONNECT.” security awareness campaign, which was developed with assistance from the Anti-Phishing Working Group in 2010. The campaign makes available more than 140 online resources that can be used by U.S. citizens to keep themselves secure and by businesses to improve security awareness of the workforce.

Week 2 will focus on cybersecurity in the workplace, highlighting steps that can be taken by businesses to develop a culture of cybersecurity in the workplace. DHS and NCSA will also be encouraging businesses to adopt the National Institute of Standards and Technology Cybersecurity Framework.

Week 3 will focus on protecting personal information in the context of the smart device revolution, highlighting the importance of secure storage, transmission, and handling of data collected by IoT devices.

Week 4 will focus on encouraging students to consider a career in cybersecurity. By 2019, there is expected to be around 2 million unfilled cybersecurity positions in the United States. Advice will be offered about how to switch careers and embark upon a career in cybersecurity.

National Cyber Security Awareness Month finishes with two days of efforts to improve the resiliency of critical infrastructure to cyberattacks.

OCR Encourages HIPAA-Covered Entities to Go Back to Basics

Late last week in its monthly cybersecurity newsletter, OCR sent a reminder to HIPAA-covered entities about the importance of securing health data, saying, “The security of electronic health information is more critical than ever, and it is the responsibility of all in the regulated community to ensure the confidentiality, integrity, and availability of electronic protected health information.” These basic security measures are essential for HIPAA compliance.

OCR suggests HIPAA-covered entities should go back to basics during National Cyber Security Awareness Month and use the tips and advice being issued to ensure all the i’s have been dotted and the t’s crossed.

OCR suggests a good place to start is conducting a review to make sure:

  • Strong passwords have been set – Consisting of passphrases or passwords of at least 10 characters, including lower and upper-case letters, numerals, and special characters.
  • Regular training is provided – To improve phishing awareness, reporting of potential attacks, and covering other important cybersecurity issues.
  • Use multi-factor authentication – So that in the event that a password is obtained or guessed, it will not result in an account being compromised. MFA is strongly recommended for remote access, privileged accounts, and accounts containing sensitive information.
  • Review patch management policies – To ensure that software updates and patches are always applied promptly, on all systems and devices, to fix critical security vulnerabilities.
  • Devices are locked – All devices should be physically secured when they are not in use.
  • Portable device controls are developed – To prohibit the plugging in of personal portable devices into secure computers or networks without first having the devices scanned to make sure they do not contain malware.
  • Policies are developed on reporting threats – Educate the workforce on the importance of reporting potential threats immediately to ensure action can be taken to mitigate risk.

The post National Cyber Security Awareness Month: What to Expect appeared first on HIPAA Journal.

Is OneDrive HIPAA Compliant?

Posted by HIPAA Journal

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant?

Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files.

Microsoft Supports HIPAA-Compliance

There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules.

That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA).

Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well as Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

Under the terms of its business associate agreement, Microsoft agrees to place limitations on use and disclosure of ePHI, implement safeguards to prevent inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Microsoft will also ensure that if any subcontractors are used, they will comply with the same – or more stringent – restrictions and conditions with respect to PHI.

Provided the BAA is signed prior to the use of OneDrive for creating, storing, or sharing PHI, the service can be used without violating HIPAA Rules.

Microsoft explains that all appropriate security controls are included in OneDrive, and while HIPAA compliance certification has not been obtained, all of the services and software covered by the BAA have been independently audited for the Microsoft ISO/IEC 27001 certification.

Appropriate security controls are included to satisfy the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption and SSl/TLS connections are established using 2048-bit keys.

There is More to HIPAA Compliance Than Using ‘HIPAA-Compliant’ Services

However, just because Microsoft will sign a BAA, it does not mean OneDrive is HIPAA compliant. There is more to compliance than using a specific software or cloud service. Microsoft supports HIPAA compliance, but HIPAA compliance depends of the actions of users. As Microsoft explains, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Prior to the use of any cloud service, a HIPAA-covered entity must conduct a risk analysis and assess the vendor’s provisions and policies. A risk management program must also be developed, using policies, procedures, and technologies to ensure risks are mitigated.

Access policies must be developed and security settings configured correctly. Strong passwords should be used, external file sharing should be disabled, access should be limited to trusted whitelisted networks, and PHI must only be shared with individuals authorized to view the information. When PHI is shared, the minimum necessary standard applies. Logging should be enabled to ensure organizations have visibility into what users are doing with respect to PHI, and when employees no longer require access to OneDrive, such as when they leave the organization, access should be terminated immediately.

So, Is OneDrive HIPAA compliant? Yes and No. OneDrive can be used without violating HIPAA Rules and Microsoft supports HIPAA compliance, but ultimately HIPAA compliance is down to the covered entity, how the service is configured and used.

The post Is OneDrive HIPAA Compliant? appeared first on HIPAA Journal.

Why Dental Offices Should be Worried About HIPAA Compliance

Posted by HIPAA Journal

In 2015, Dr. Joseph Beck became the first dentist to be fined for a HIPAA violation, which sent a warning to dental offices about HIPAA compliance.  Until that point, dental offices had avoided fines for noncompliance with HIPAA Rules.

The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000 was for the alleged mishandling of the protected health information of 5,600 patients.

Since then, many settlements have been reached with covered entities for HIPAA violations. No further penalties have been issued to dental offices, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing to comply with HIPAA Rules and settlements for alleged HIPAA violations are now being reached much more frequently than in 2015. Last year was a record year for settlements and 2017 has continued where 2016 left off.

The probability of HIPAA violations being discovered has also increased. OCR has already commenced the much-delayed second phase of its HIPAA compliance audit program and dental office may still be selected for an audit.

During the first phase of compliance audits in 2011/2012, at least one dental office was audited. That round of audits revealed multiple areas of noncompliance with HIPAA Rules, although OCR chose not to issue any financial penalties. Instead non-compliance was addressed by issuing technical guidance. Now, five years on, covered entities have had plenty of time to implement their compliance programs. Financial settlements can be expected if HIPAA violations are discovered by OCR auditors.

Last year, the threat of HIPAA compliance audits for dental offices prompted Dr. Andrew Brown, chair of the ADA Council on Dental Practice, to issue a stern warning to dental offices on HIPAA compliance, urging them to take HIPAA compliance seriously. Brown said, “There are steep consequences for health care providers that don’t comply with the law and we don’t want to see any dentists having to pay tens of thousands of dollars in a penalty.”

If your dental office has not been selected to demonstrate compliance with HIPAA Rules already, that does not mean an investigation will not be conducted. OCR has only conducted the first round of its phase 2 HIPAA audit program. The second round will involve on-site visits, which are expected to start in early 2018.

OCR also investigates all covered entities that experience a breach of more than 500 records. There has been an increase in cyberattacks on healthcare organizations in recent years, and dental offices can could all too easily come under attack.

Laptop computers containing ePHI can easily be lost or stolen, employees may snoop on records or steal sensitive information, errors can easily be made configuring software, and unaddressed vulnerabilities can easily be exploited. This year, the hacking group TheDarkOverlord exploited a vulnerability and gained access to the records of Aesthetic Dentistry of New York City and stole data – a reportable breach under HIPAA Rules.

If a data breach is experienced, OCR will need to be provided with evidence that HIPAA Rules have been followed. Complaints about privacy violations and other potential HIPAA failures can be submitted via the HHS website, and can easily lead to HIPAA investigations.

It would be a serious error to think that OCR will not investigate small practices. OCR has made it clear that all covered entities, regardless of their size, must comply with HIPAA Rules. It is not only large healthcare organizations that may have to pay a financial penalty for non-compliance with HIPAA Rules, as Dr. Beck could confirm.

The threat of data breaches is greater than ever before and OCR is taking a harder line on healthcare organizations that fail to comply with HIPAA Rules and keep electronic protected health information secure. Dental office should therefore take HIPAA compliance seriously and ensure HIPAA Rules are being followed.

The post Why Dental Offices Should be Worried About HIPAA Compliance appeared first on HIPAA Journal.

HIPAA Compliance and Cloud Computing Platforms

Posted by HIPAA Journal

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure.

Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed.

A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level.

It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform provider.

Cloud Service Providers are HIPAA Business Associates

A HIPAA business associate is any person or entity who performs functions on behalf of a covered entity, or offers services to a covered entity that involve access being provided to protected health information (PHI).

The HIPAA definition of business associate was modified by the HIPAA Omnibus Rule to include any entity that “creates, receives, maintains, or transmits” PHI. The latter two clearly apply to providers of cloud computing platforms.

Consequently, a covered entity must obtain a signed business associate agreement (BAA) from the cloud platform provider. The BAA must be obtained from the cloud platform provider before any PHI is uploaded to the platform. A BAA must still be obtained even if the platform is only used to store encrypted ePHI, even if the key to unlock the encryption is not given to the platform provider. The only exception would be when the cloud platform is only used to store, process, maintain or transmit de-identified ePHI.

The BAA is a contract between a covered entity and a service provider. The BAA must establish the allowable uses and disclosures of PHI, state that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explain all elements of HIPAA Rules that apply to the platform provider. Details of the contents of a HIPAA-compliant BAA can be obtained from the HHS on this link.

Cloud computing platform providers and cloud data storage companies that have access to PHI can be fined for failing to comply with HIPAA Rules, even if the service provider does not view any data uploaded to the platform. Not all cloud service providers will therefore be willing to sign a BAA.

A BAA Will Not Make a Covered Entity HIPAA Compliant

Simply obtaining a BAA for a cloud computing platform will not ensure a covered entity is compliant with HIPAA Rules. HIPAA Rules can still be violated, even with a BAA in place. This is because no cloud service can be truly HIPAA compliant by itself. HIPAA compliance will depend on how the platform is used.

For example, Microsoft will sign a BAA for its Azure platform; but it is the responsibility of the covered entity to use the platform in a HIPAA-compliant manner. If a covered entity misconfigures or fails to apply appropriate access controls, it would be the covered entity that is in violation of HIPAA Rules, not Microsoft. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Penalties for Cloud-Related HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights has already settled cases with HIPAA-covered entities that have failed to obtain business associate agreements before uploading PHI to the cloud, as well as for risk analysis and risk management failures.

St. Elizabeth’s Medical Center in Brighton, Mass agreed to settle its case with OCR in 2015 for $218,400 for potential violations of the HIPAA Security Rule after PHI was uploaded to a document sharing service, without first assessing the risks of using that service.

Phoenix Cardiac Surgery also agreed to settle a case with OCR for failing to obtain a business associate agreement from a vendor of an Internet-based calendar and email service prior to using the service in conjunction with PHI. The case was settled for $100,000.

In 2016, OCR settled a case with Oregon Health & Science University for $2.7 million after it was discovered ePHI was being stored in the cloud without first obtaining a HIPAA-compliant business associate agreement.

HIPAA Compliant Cloud Computing Platforms

Both Amazon’s AWS and Microsoft’s Azure platforms can be used by HIPAA-covered entities. Both have all the necessary privacy and security protections in place to satisfy HIPAA requirements, and Amazon and Microsoft will sign BAAs with healthcare providers and agree to comply with HIPAA Rules.

AWS has long been the leading cloud service provider, although Microsoft appears to be catching up. If you are unsure of the best cloud computing platform provider to use, you can find out more information in this comparison of Azure and AWS.

Cloud storage companies that support HIPAA-compliance and can be used by HIPAA-covered entities for storing ePHI (after a BAA has been obtained) include Box, Carbonite, Dropbox, Google Drive, and Microsoft OneDrive.

The post HIPAA Compliance and Cloud Computing Platforms appeared first on HIPAA Journal.

The Benefits of Using Blockchain for Medical Records

Posted by HIPAA Journal

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security?

The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients.

Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data and patients’ health data is not always stored by a single healthcare provider – instead a patients’ full health histories are fragmented and spread across multiple providers’ systems.

Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA covered entities and their business associates to implement technical safeguards to ensure the confidentiality, integrity, and availability of protected health information. However, each entity implements their own security controls.

The more entities have access to health data, the greater the potential for errors to be made that result in the data being exposed. As the Department of Health and Human Services’ Office for Civil Rights Breach portal clearly shows, HIPAA-covered entities and their business associates are not always as careful as they should be when storing and transmitting data, and even when they are, it is often not possible to prevent breaches. However, using blockchain for medical records could dramatically improve data security.

Blockchain, as the name suggests, is a chain of data blocks which contain details of transactions, each of which is encrypted to ensure privacy. Rather than store data in a single location, blockchain keeps data in an encrypted ledger, which is distributed across synchronized, replicated databases. Each block is linked to the previous block by a unique public key with access to data carefully controlled.

As has been shown with the massive Anthem and Equifax data breaches, single entities cannot be trusted to hold vast quantities of data and keep it secure in a centralized system. Storing data in a decentralized system could be a viable alternative.

With blockchain, each data block in the chain can be encrypted using public key cryptography which can be unlocked with the use of a private key or password, which could be held by a patient.

If blockchain is used for health data, rather than multiple healthcare providers storing their own copies of a patient’s data, the patient would grant each access to their data and provide them with a key.

Without access to the key, the data stored in blockchain would be inaccessible. It would not be possible to hack a single block of data, at least not without simultaneously hacking all the others in the chain’s chronology. It would also not possible for changes to the data blocks to be made and for those changes to be hidden.

With a cryptocurrency such as Bitcoin, blockchain is used for transactions – the buying and selling of the currency. With health records, the transactions would be consultations with physicians, X-ray images or blood test results, prescriptions, or surgical procedures. Each time data is added, it would need to be validated by a trusted entity who has been given an access key. Once validated, it would be added as a block in the chain in chronological order, with the blockchain comprising a patient’s entire medical history.

The use of blockchain for medical records could prove highly beneficial for providers and patients. Not only for keeping medical records secure, but pulling together fragmented medical records stored by multiple healthcare providers.

This would allow full medical records to be easily shared between providers. Medical records would not need to be transmitted electronically between providers, new providers would just be required to be told where to access the information and given the access key.

Blockchain has potential to make it far easier for patients to access their healthcare records. Rather than submitting a request for copies of their health data with several different healthcare providers, one request could be submitted and their full healthcare record could be accessed. Currently, that process can be complicated, time-consuming, and potentially costly for the patient, since each provider is permitted under HIPAA to charge a fee for providing copies of data.

When data is provided through patient portals, the process of piecing together health records can be even more complicated, as is sharing the information. Blockchain could also help sort out the issues that exist with multiple patient identifiers.

Blockchain clearly works for financial transactions but what about blockchain and medical records? Could it work in practice? Trials using Blockchain and medical data have shown very promising results.  One trial conducted by MIT Media Lab and Beth Israel Deaconess Medical Center has shown blockchain to work well for tracking test results, treatments, and prescriptions for inpatients and outpatients over 6 months. In that trial case, data exchange between two institutions was simulated using two different databases at Beth Israel. Plans are now underway to expand the pilot.

There are still issues that must be resolved. Blockchain is not anonymous but pseudonymous. There is also the problem of how to make certain records private, such as psychotherapy notes, to prevent patients accessing that information.

It would also be necessary for blockchain to be extensively tested with health data and healthcare organizations would need to be convinced to adopt blockchain medical records systems. Encouragingly, earlier this year, IBM conducted a survey on 200 healthcare organizations. 16% said they expected to have a commercial blockchain solution in place this year.

The post The Benefits of Using Blockchain for Medical Records appeared first on HIPAA Journal.

OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System

Posted by HIPAA Journal

The HHS’ Office of Inspector General (OIG) has conducted a review of Alabama’s Medicaid data and information systems to ascertain whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and procedures. OIG also conducted a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive data.

The audit revealed Alabama’s MMIS had multiple vulnerabilities that could potentially be exploited by hackers to gain access to its systems and Medicaid data.

Alabama had adopted a security program for its MMIS, although several vulnerabilities had been allowed to persist. OIG said in its report, the vulnerabilities were “collectively and, in some cases, individually significant.”

OIG did not uncover any evidence to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the vulnerabilities, unauthorized individuals could have gained access to the MMIS and viewed, altered, or stolen data. OIG concluded the state had not done enough to comply with federal regulations on data security.

Additionally, OIG auditors determined there was insufficient oversight of the state’s Medicaid fiscal agent, HP, to ensure that it had implemented appropriate security controls as was required by the terms of its contract.

Details of the vulnerabilities identified during the audit were not published, although Alabama was provided with a detailed report and was given several recommendations to improve data security. Alabama concurred with all the recommendations and has agreed to implement additional controls to better secure its information systems and Medicaid data and will address all of the identified vulnerabilities.

Alabama only objected to the title of the report – Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems – commenting, “Alabama has always, and will continue to always, strive to secure its Medicare data and information systems.”

Since OIG identified multiple, significant vulnerabilities that could have led to the MMIS being compromised, the title of the report was not changed.

The post OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System appeared first on HIPAA Journal.

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone

Posted by HIPAA Journal

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands.

As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

As soon as the 72-hour period has elapsed, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply and covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care.

Further information on the HIPAA waiver in relation to Hurricane Maria can be viewed here.

In an emergency situation, a waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule is not strictly necessary, although such a waiver does offer some reassurance to covered entities that are operating in a disaster area.

The HHS has pointed out in its recent communication that in emergency situations, covered entities are permitted to share limited protected health information of patients even if a waiver has not been issued, when it is in the best interests of patients to do so, to help identify patients, to help locate family members, and for public health activities. In the case of the latter, it is permissible to share PHI with public health authorities such as a state or local health department or the CDC for the purpose of preventing or controlling disease, injury or disability.

PHI can also be shared for the purposes of treatment, either the treatment of the patient or another person who may be affected by the same situation, as well as to help with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when referring patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c)

PHI can be shared with anyone, as necessary, to prevent or lessen a serious or imminent threat to the health and safety of a person or the public., if that person is in a position to lessen or prevent the threatened harm. Such disclosures can be made without the patient’s permission. It is left to the discretion of the covered entity to make a determination about the nature and severity of the threat to health – 45 CFR 164.512(j).

Disclosures can be made to family, friends, and other individuals involved in a patient’s care, and information can be shared to help identify, locate, and notify family members, guardians, or others responsible for a patient’s care – 45 CFR 164.510(b).

When others not involved in the treatment of a patient, including the media, request information about a specific patient by name, a HIPAA-covered entity is permitted to disclose “limited facility directory information” and provide general information about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have left the facility, provided the patient has not requested the information be kept private.

In all cases, any disclosures must be limited to the minimum necessary information to achieve the purpose for which the information is disclosed. At all times, even in emergency situations, the HIPAA Security Rule requirements apply and covered entities must continue to ensure administrative, physical, and technical safeguards are in place to preserve the confidentiality, integrity, and availability of PHI.

The post HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone appeared first on HIPAA Journal.