Healthcare Technology News

Paubox Launches HIPAA Compliant Online Forms

Paubox, the market leader in HIPAA-compliant email, has added a new feature to the Paubox Email Suite that allows HIPAA-regulated entities to create secure, HIPAA-compliant online forms for collecting patient data.

Healthcare providers need to collect information from patients and the easiest and most efficient way to do so is by using an online form. Patients can be sent a link to a form that they can access on their mobile devices and can quickly and efficiently provide the required information. They can share files and attach images to help their provider better prepare for an appointment, which can shorten appointment times and allow providers to see more patients.

Online forms streamline information collection and can be used for getting feedback, arranging telehealth services, collecting insurance information, and obtaining consent. Before any online form can be used by a HIPAA-regulated entity, they must ensure that the forms are HIPAA-compliant and securely collect, store, and transmit patient data. The providers of online forms are classed as business associates and their forms must be covered by a business associate agreement.

Paubox is a HITRUST CSF-certified leader in HIPAA-compliant communication and marketing solutions for healthcare organizations and is trusted by more than 5,000 healthcare organizations worldwide, including AdaptHealth, CostPlus Drugs, Covenant Health, and SimonMed Imaging. The new Paubox Forms feature is covered by Paubox’s business associate agreement and can be used free of charge with existing Paubox Email Suite paid subscriber plans.

Paubox Forms includes an intuitive form builder that allows healthcare organizations to create forms for a variety of different healthcare needs, including customizable question types such as text fields, dropdowns, multiple-choice, signature collection, and secure file uploads. Paubox Forms integrates directly with Paubox Marketing, enhances the efficiency of patient communications and marketing, and allows patients and staff to share information and files without the cumbersome need for portals or extra steps.

“With Paubox Forms, we’re setting a new standard for secure patient data collection in healthcare. Providers can gather essential information effortlessly while upholding the highest standards of HIPAA compliance and data protection. It’s our commitment to advancing healthcare communication with solutions that are secure and seamlessly integrated into daily workflows, empowering providers to deliver better care without compromising on privacy or efficiency,” Hoala Greevy, CEO of Paubox, told The HIPAA Journal. “Paubox Forms was inspired by our commitment to innovation and customer feedback. We’ve created a solution that not only meets the current needs of healthcare providers but also paves the way for future advancements in secure healthcare communication.”

Early adopters of the forms have benefitted from the speed and efficiency of data collection. “As the landscape changes, remote clients need new workflows designed around them,” said Tony Cox, CIO at Henderson Behavioral Health, who has recently started using Paubox Forms. “The biggest advantage of an online form over paper is speed, getting the consent or Release of Information in before the client’s appointment, which allows us to be better prepared and see more clients.”

The post Paubox Launches HIPAA Compliant Online Forms appeared first on HIPAA Journal.

3 in 5 Patients Accessed Health Records Online or Via Apps in 2022

According to the HHS’ Office of the National Coordinator for Health IT (ONC), there has been a significant increase in the number of patients who are accessing their medical records through patient portals or smartphone apps. Providing patients with easy access to their electronic health records empowers them to make informed decisions about their health and track their progress toward health-related goals, which translates into better patient outcomes. According to the ONC, other benefits include decreased healthcare costs and stronger patient-physician relationships.

In 2022, around three in five individuals who were offered access to their health records via an app or patient portal chose to access them, which is a 46% increase from 2020. In 2022, around three in four patients were offered either online access to their medical records or app-based access, which is a 24% increase from 2020. More than half of patients who were offered access viewed their health records at least three times, with one in six individuals accessing their records on six or more occasions. Only one in five individuals who were offered online or app-based access to their records did not view their health records in the past 12 months, which is a reduction of around 50% from 2017.

The ONC Cures Act Final Rule, published in 2020, sought to increase patient and provider access to healthcare records through smartphone apps via secure, standardized application programming interfaces (APIs). Access to electronic health information through online patient portals has been increasing for several years. The ONC’s rules that encourage access to electronic health information and prohibit information blocking are helping to increase access to health records, and app-based access is growing.

48% of patients chose to access their online records only via a website and 19% only used an app, with 32% using a combination of the two. Individuals who used apps to view their health data were much more likely to access their health records frequently, compared to individuals who only used a website – 42% versus 28%. The most common reasons for accessing online medical records or patient portals were to view test results (90%) and clinical notes (70%). One in three patients chose to download their healthcare data and one in five sent their health data to a third party.

Healthcare providers that offered a patient portal saw much higher levels of access to electronic medical records (81%), especially when they also encouraged their patients to use the portals (83%), compared to a national average of 68%. Usage of patient portals was considerably more common with white patients, 70% of whom used a patient portal to access their records, compared to only 60% of black patients and 57% of Hispanic patients.

While the data are encouraging, they show there is still room for improvement. Just under half of individuals who were offered online access to their health records chose not to view them in 2022, and the number of black and Hispanic patients using online portals or apps is much lower than the number of white patients. Healthcare providers should try to promote equitable access to patient portals, recommend using the portals, and explain the benefits.

Relatively few patients are downloading their health records and even fewer are sending their records to a third party, which suggests a lack of education of patients and providers on these features and the benefits. While only 2% of patients used a health app to combine medical records from the portals of more than one healthcare provider, in 2022 the ONC was still implementing the Cures Act Final Rule provisions and that percentage is expected to increase significantly in 2023.

Is ChatGPT HIPAA Compliant?

ChatGPT is a large language model-based chatbot that can be used to create high-quality written content, similar to content written by humans, but is ChatGPT HIPAA-compliant? Can the tool be used in healthcare? OpenAI, the developer of ChatGPT, does not support HIPAA compliance for its chatbot at present. As ChatGPT is not HIPAA-compliant, the tool cannot be used with any electronic protected health information (ePHI).

Generative AI and HIPAA

Generative AI has many potential uses in healthcare; however, organizations that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) are not permitted to use these tools in connection with any ePHI unless the tools have undergone a security review and there is a signed, HIPAA-compliant business associate agreement in place with the provider of the tool. HIPAA-covered entities must obtain satisfactory assurances from business associates that any ePHI provided or encountered by a business associate will only be used for the purposes for which the business associate was engaged by the covered entity.

Some tech companies have developed healthcare-specific generative AI tools and are willing to enter into business associate agreements with HIPAA-covered entities. For instance, Google has developed generative AI tools such as PaLM 2 and Med-PaLM 2, which are helping healthcare organizations improve administrative and operational processes. Med-PaLM 2 supports HIPAA compliance and is covered by Google’s business associate agreement.

ChatGPT Use in Healthcare

ChatGPT is a large language model that has been developed to perform a range of tasks usually performed by humans. ChatGPT can generate human-like text if prompted to do so, including drafting letters and emails. ChatGPT can also summarize large amounts of text, saving users a considerable amount of time. ChatGPT has considerable potential for use in healthcare. ChatGPT could potentially be used by physicians for summarizing patient records, transcription, assisting with diagnoses if fed a list of symptoms, and suggesting a treatment plan.

ChatGPT has the potential to save administrative staff a considerable amount of time. For instance, it could be used for scheduling appointments, triaging patient calls, and generating patient reminders, and the chatbot could be used for answering general health queries. While ChatGPT is an advanced generative AI tool, any output must be verified. ChatGPT, like other large language models, can make mistakes and could generate information that isn’t necessarily based on its training data.

ChatGPT could save healthcare professionals a huge amount of time by eliminating repetitive tasks, and could help to improve efficiency and lower costs; however, there is the issue of HIPAA compliance. OpenAI would be classed as a business associate under HIPAA and would be required to enter into a business associate agreement with a HIPAA-covered entity before ChatGPT could be used in connection with any electronic protected health information (ePHI).

Is ChatGPT HIPAA Compliant?

OpenAI will not currently sign a business associate agreement with HIPAA-regulated entities, so the tool cannot be used in connection with any ePHI. Using ChatGPT, for instance, to summarize patient records or draft letters to patients risks violating HIPAA, as ChatGPT is not HIPAA compliant.

OpenAI has confirmed that from March 1, 2023, data submitted by customers via API will not be used to train or improve its large language models, unless customers opt in. Data sent through the API will be retained for up to 30 days for abuse and misuse monitoring purposes, after which the data will be deleted unless that information must be retained by law. Non-API data will be used to train its model unless customers opt out. While opting out will improve privacy, it does not mean the tool can be used with ePHI. Without a business associate agreement, ChatGPT must not be used in connection with any ePHI.

That does not mean that ChatGPT cannot be used by healthcare organizations. ChatGPT can be used in connection with de-identified protected health information (PHI), which is PHI that has been stripped of all personal identifiers, provided the PHI has been de-identified using a method permitted by the HIPAA Privacy Rule. De-identified PHI is no longer PHI and is therefore not subject to the HIPAA Rules.

While ChatGPT is not HIPAA compliant, there are Generative Pre-trained Transformer (GPT) solutions that can be used in healthcare and tools that can be combined with ChatGPT to gain the benefits in a HIPAA-compliant way. For instance, BastionGPT and CompliantGPT have been developed to get around the HIPAA compliance problems with ChatGPT, and the providers of these tools will sign a business associate agreement with HIPAA-regulated entities. Their solutions use ChatGPT, but prevent it from coming into contact with any ePHI.

Is BitRaser HIPAA Compliant?

BitRaser is a HIPAA-compliant vendor of data erasure products that support HIPAA compliance. BitRaser products can be used to securely and permanently erase electronic protected health information (ePHI) in accordance with the standards and implementations of the HIPAA Security Rule.

What is BitRaser?

BitRaser is a suite of data erasure & diagnostics software solutions developed by Stellar Data Recovery Inc. that can be used to permanently eradicate data from electronic storage devices to make reconstruction of the data impossible, without having to destroy the drives on which data are stored. Many data erasure products delete data but do not eliminate all data traces, which can allow some data to be recovered.

Stellar Data Recovery is an Indian corporation with North American headquarters in Metuchen, New Jersey. Stellar Data Recovery provides data recovery, data erasure, mailbox conversion, and file repair software and services in more than 190 countries and has more than 3 million customers including government entities such as the U.S. Department of State, Department of Public Safety & Correctional Services, and many Fortune 500 firms including HP, Zoom, Deloitte, Merck, and BNP Paribas.

The BitRaser product suite includes several software solutions that are of benefit to HIPAA-regulated entities:

  • Drive Erasure & Diagnostics Software for erasing HDDs and SSDs in desktops, laptops, Macs, and servers
  • Bulk Drive Erasure Software for erasing data on loose/mounted drives and PCs, Macs, and servers over networks.
  • Mobile Erasure & Diagnostics Software for erasing and diagnosing iOS & Android devices.
  • File Erasure Software for erasing files, folders, and partitions from PCs, laptops, and servers.

BitRaser products support an extensive list of 24 international data erasure standards, including NIST 800-88, DoD 3 & 7 Passes & HMG, and have been tested and approved by the U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).

HIPAA and the Disposal of ePHI

45 CFR § 164.310 (d) of the HIPAA Security Rule requires physical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI and includes a required implementation specification regarding the disposal of ePHI.

  • 164.310 (d)(i) – Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
  • 164.310 (d)(ii) – Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

While the HIPAA text does not specify the methods that must be used to permanently erase ePHI when it is no longer required, the HHS’ Office for Civil Rights (OCR) has issued guidance confirming several methods can be used. OCR suggests “For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).”

While HIPAA states that PHI must be securely and permanently erased or destroyed when it is no longer required, simply destroying unneeded data does not ensure HIPAA compliance. If a vendor provides software to achieve that purpose, that software solution will come into contact with ePHI, and even though the software erases the data, the software vendor is classed as a business associate under HIPAA and that means it is necessary to enter into a business associate agreement with the vendor. HIPAA-regulated entities must also ensure that an audit trail is maintained for all ePHI, which includes confirmation of permanent erasure. Prior to disposing of any sensitive data, it is important to ensure that the data retention requirements have been satisfied, not just HIPAA retention requirements but also other federal and state laws.

Is BitRaser HIPAA Compliant?

Many companies claim to provide HIPAA-compliant software solutions and services; however, the reality is that a product or service may only support HIPAA compliance. A vendor can implement all the required safeguards to meet its responsibilities under the HIPAA Rules, but it is the responsibility of each HIPAA-covered entity to ensure that the product or service is used in a HIPAA-compliant way.

BitRaser software is clearly beneficial for HIPAA-regulated entities, which are required to ensure that protected health information is permanently destroyed when it is no longer required. BitRaser has implemented all appropriate privacy and security controls to ensure compliance with the HIPAA Security Rule and will enter into business associate agreements with HIPAA-regulated entities. BitRaser software solutions also generate secure and 100% tamperproof erasure certificates to meet HIPAA documentation requirements.

Additionally, BitRaser has partnered with Compliancy Group and used the company’s compliance software and methodology to ensure full compliance with all appropriate provisions of the HIPAA Rules and ensure that it has an effective HIPAA-compliance program in place to ensure future compliance. The company’s products have also been tested and approved by NIST and the DHS.

We can therefore conclude that BitRaser is HIPAA compliant and its products can be used by HIPAA-regulated entities to permanently and securely erase data protected under HIPAA. Provided HIPAA-regulated entities enter into a business associate agreement with BitRaser, the company’s data erasure and drive wiping solutions can be considered HIPAA compliant and can help HIPAA-regulated entities comply with their responsibilities under the HIPAA Privacy and Security Rules with respect to the disposal of ePHI.

Amazon Launches AWS HealthScribe – A HIPAA-Eligible AI-Powered Transcription Tool

Generative artificial intelligence chatbots such as OpenAI’s ChatGPT are attractive tools for clinicians as they can be used to automate repetitive administrative tasks such as producing medical notes for electronic medical records, saving considerable time. The problem with many of these tools is they cannot be used in connection with protected health information without violating the Health Insurance Portability and Accountability Act (HIPAA) Rules. At present, OpenAI will not sign a business associate agreement with healthcare providers, so any protected health information processed by ChatGPT would be classed as an impermissible disclosure.

Amazon has recognized the need for an AI-based digital stenography tool for physicians and has recently launched its own generative AI service focused specifically on healthcare providers – AWS HealthScribe. According to Amazon, its new AI-based service will reduce the time doctors have to spend on clinical documentation. The tool can analyze and transcribe conversations between doctors and patients and provide a summary of the key points for entry into a patient’s medical record. “With AWS HealthScribe, healthcare software providers can use a single API to automatically create robust transcripts, extract key details (e.g., medical terms and medications), and create summaries from doctor-patient discussions that can then be entered into an electronic health record (EHR) system,” said Amazon in a press release announcing the new tool, which is charged per second of audio processed each month. Crucially, Amazon’s offering is HIPAA-eligible. Amazon will sign a business associate agreement with HIPAA-regulated entities covering the new tool.

According to Amazon, users will have full control over their data, including storage locations for transcriptions and preliminary clinical notes, and the tool can be integrated into healthcare providers’ own clinical applications, rather than having to use a standalone app. Amazon has also confirmed that AWS will not use any inputs or outputs generated through AWS HealthScribe to train AWS HealthScribe. Initially, the tool is being previewed for general medicine and orthopedics; however, AWS may expand to other specialties based on client feedback. The tool is attracting considerable interest, with 3M Health Information Systems, Babylon, and ScribeEMR among the companies planning to integrate the tool into their own systems.

While the new tool has the potential to save physicians countless hours of documentation time, the usefulness of the tool will depend on accuracy. Amazon is not the only tech firm to provide a generative AI-based notetaking product that can be used by HIPAA-regulated entities. Like Microsoft’s Nuance and Google’s Suki, Amazon has not published data on the accuracy of the tool, although the generated summaries include highlighted text from the transcript to allow physicians to review the generated content prior to authorizing entry into EHRs.

What is a HIPAA Compliant Cloud Drive?

There is no doubt that data storage in the cloud has many benefits for healthcare organizations; however, if electronic protected health information (ePHI) is to be stored in the cloud, it is necessary to use a HIPAA compliant cloud drive – a HIPAA compliant cloud storage solution from a cloud service provider (CSP).

HIPAA and Cloud Computing

The Health Insurance Portability and Accountability Act was enacted just as the use of virtual computers started to gain popularity in the 1990s; however, it was not until the early 2000s that cloud computing really took off, although healthcare organizations were slow to embrace the cloud. The situation is very different today. According to Market Data Forecast, in 2022 the healthcare cloud computing market was worth $5.22 billion and it is expected to reach $201.1 billion by 2032. 90% of healthcare organizations are already using cloud-based services or plan to use them by 2025.

Even though cloud computing services have now been widely adopted by healthcare organizations, there is no mention of cloud computing in the HIPAA text. HIPAA was written to be technology agnostic so that when new technologies were introduced, the HIPAA Rules could be easily applied to those technologies. Cloud services can be used by HIPAA-regulated entities, as long as they are fully compliant with the HIPAA Privacy and Security Rules. Healthcare organizations that have yet to transition to the cloud may be unaware of what a HIPAA compliant cloud drive is, how HIPAA compliant cloud storage differs from other cloud storage services, and how they can ensure HIPAA compliance in the cloud, all of which are explained below.

What is a HIPAA Compliant Cloud Drive?

Technically, there is no such thing as a HIPAA compliant cloud drive as no cloud server can be truly HIPAA compliant. HIPAA compliance depends on the actions of the people. Even if appropriate security is applied to secure ePHI in the cloud, if healthcare organizations misconfigure settings or do not implement appropriate access controls, ePHI could easily be exposed over the Internet, thus violating the HIPAA Rules.

That said, many CSPs offer HIPAA compliant cloud storage to HIPAA-regulated entities. What this means is the service they offer incorporates all of the necessary security controls to ensure the confidentiality, integrity, and availability of ePHI and prevent impermissible disclosures. Those controls apply to ePHI at rest (stored on cloud servers) and in motion to and from the cloud server or service. Access controls can be configured to restrict access to ePHI to ensure only authorized individuals can view, alter, or transmit data, and audit logs are maintained of successful and unsuccessful access attempts and any alterations to ePHI.

A HIPAA compliant cloud service provider will ensure that safeguards are incorporated into the platform to ensure that it can be used in a HIPAA-compliant way; however, it is up to each HIPAA-regulated entity to ensure that the controls are correctly configured and the service is used in a manner that is compliant with the HIPAA Privacy and Security Rules.

A Business Associate Agreement Must be Obtained from a Cloud Service Provider

If a HIPAA-regulated entity engages the services of any vendor to create, receive, maintain, or transmit ePHI on their behalf, that vendor is classed as a business associate under HIPAA. If cloud services are used in connection with any ePHI, including the processing and storage of ePHI in the cloud, the CSP is a business associate and has responsibilities under HIPAA, even if the CSP only stores encrypted ePHI and does not hold an encryption key for the data. Any subcontractors used by the CSP are also business associates of the CSP and must also comply with certain requirements of the HIPAA Rules.

HIPAA-regulated entities must obtain a HIPAA compliant business associate agreement from the CSP before any HIPAA-covered data is uploaded to the cloud, and a CSP must obtain a HIPAA compliant business associate agreement from any third-party vendor before allowing them access to a HIPAA-regulated entity’s environment. The CSP and any subcontractors used are contractually liable for meeting the terms of the business associate agreement and are directly liable for compliance with the applicable requirements of the HIPAA Rules. If a CSP is not prepared to sign a business associate agreement, their services must not be used in connection with any ePHI.

In addition to a business associate agreement (BAA), many covered entities address other requirements through a service-level agreement (SLA). The BAA outlines the responsibilities of the CSP with respect to HIPAA, while the SLA deals with technical aspects such as availability and reliability of the service, data backups and recovery, the security responsibilities of each party, and how any stored data will be returned when the service is no longer used.

HIPAA Compliant Cloud Storage Requires More than a BAA!

Covered entities must obtain a BAA prior to any cloud service being used in conjunction with ePHI, but having a BAA is not sufficient to avoid a penalty for noncompliance with HIPAA Rules. Before any cloud service is used, covered entities must conduct a comprehensive risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and must subject any identified risks to a risk management process to reduce them to a low and acceptable level. Policies and procedures must be developed and implemented covering the use of the cloud service, and training must be provided to the workforce on the HIPAA-compliant use of cloud services.

Access controls must be configured correctly to ensure that only authorized individuals are able to access cloud-stored data. Even though a HIPAA compliant cloud drive may meet the requirements of the HIPAA Security Rule, covered entities must ensure they are fully compliant with the requirements of the HIPAA Privacy Rule. Covered entities should apply single sign-on controls, use multifactor authentication, automatic logoff controls, and secure passwords, and procedures should be developed to ensure ePHI is available in emergencies.

Audit controls are required to ensure all activities in relation to ePHI are recorded. HIPAA-regulated entities are required to conduct regular checks of logs to monitor for unauthorized activity and regulators may require access to those logs in the event of an audit or compliance investigation. Any data stored in the cloud should be encrypted and covered entities must ensure data uploaded to the cloud is encrypted in transit. The encryption algorithms used should meet the standards of the National Institute of Standards and Technology (NIST).

What Cloud Storage is HIPAA Compliant?

Many CSPs offer HIPAA compliant cloud storage and file-sharing services and are willing to sign BAAs with HIPAA-regulated entities. Sync is one of the current market leaders and is used by many healthcare providers for storing files in the cloud and private and secure file sharing, including Mount Sinai Hospital, Doctorcare, Equalize Health, and the Canadian Red Cross. The platform allows mission-critical files to be accessed easily by authorized individuals from any computer, mobile device, or the web, no matter where care is provided. Sync signs business associate agreements with HIPAA-regulated entities and supports HIPAA compliance, PIPEDA compliance for Canadian healthcare companies, GDPR compliance for European healthcare providers, and other privacy and security regulations. The platform integrates with Microsoft Office 365, Windows and macOS desktops, and mobile devices, and all data is protected with strong encryption, robust access controls, and state-of-the-art security.

Many cloud service providers offer a variety of plans to meet the needs of individuals and businesses; however, not all plans are covered by business associate agreements. For example, Sync offers a HIPAA compliant cloud drive and will sign a BAA, but only for the Sync Professional and Teams Plans. HIPAA-regulated entities must sign up for a Professional or Business Plan and obtain a signed BAA before the service is used.

Summary

While there is no mention of HIPAA cloud storage and cloud computing in the HIPAA text, healthcare organizations can engage the services of CSPs and use their platforms to reduce costs, improve productivity, and connect and communicate more easily, provided they use HIPAA-compliant cloud services and obtain a BAA from the CSP. You can find out more about HIPAA cloud storage from the HHS, which recently published guidance for HIPAA-regulated entities on HIPAA compliant data storage in the cloud and the use of other cloud services in connection with ePHI.

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to have violated HIPAA or the FTC Act, nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.
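One way to start the website review described above is a static audit of each page's HTML for off-site resource loads and inline tracker calls. The script below is an added example, not code from OCR, the FTC, or HIPAA Journal; the host list is a short illustrative selection, and the sample page, its hosts, and its IDs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Illustrative, non-exhaustive: hosts and inline calls used by the two tools named above.
TRACKER_HOSTS = {"connect.facebook.net": "Meta Pixel", "www.facebook.com": "Meta Pixel",
                 "www.google-analytics.com": "Google Analytics",
                 "www.googletagmanager.com": "Google Analytics / Tag Manager"}
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Analytics"}

class ResourceCollector(HTMLParser):
    """Collects URLs the browser would fetch and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.urls.append(src)
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html, page_url):
    """Return sorted (label, evidence) pairs for every off-site load or tracker call."""
    first_party = urlparse(page_url).hostname  # exact match; subdomains count as off-site
    collector = ResourceCollector()
    collector.feed(html)
    findings = set()
    for url in collector.urls:
        host = urlparse(urljoin(page_url, url)).hostname
        if host and host != first_party:
            findings.add((TRACKER_HOSTS.get(host, "unknown third party"), host))
    for body in collector.inline:
        for marker, vendor in INLINE_MARKERS.items():
            if marker in body:
                findings.add((vendor, "inline " + marker))
    return sorted(findings)

# Constructed sample page (hypothetical hosts and IDs), not taken from any real site.
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>gtag('config', 'G-EXAMPLE'); fbq('init', '0000000000');</script>
<noscript><img src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView"></noscript>
<iframe src="//widgets.scheduler.example/embed"></iframe>"""
```

A static scan only sees what is in the delivered HTML; tags injected at runtime by a tag manager need to be confirmed against a browser network capture of the same page.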

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The post OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies appeared first on HIPAA Journal.

Vulnerabilities Identified in Popular Telemedicine Software Development Kit

Security flaws have been identified in the QuickBlox software development kit (SDK) and application programming interface (API) that support the real-time chat and video applications used by many telemedicine providers.

The vulnerabilities were identified by security researchers from Claroty’s Team82 and Check Point Research who collaborated to look into the security of the popular QuickBlox SDK and API, which support applications used in telemedicine, finance, and smart IoT device applications. The SDK and API are provided to mobile and web application developers to deliver user management and real-time public and private chats, and to incorporate security features to support HIPAA and GDPR compliance.

The researchers identified two vulnerabilities that put sensitive data at risk, including protected health information (PHI). Given the extent to which the QuickBlox chat and video framework is used, the sensitive information of millions of individuals was at risk of exposure. CVE-2023-311847 is a high-severity flaw with a CVSS 3.1 base score of 7.8 and is due to the creation of hard-coded credentials. The second vulnerability, tracked as CVE-2023-31185, is a high-severity flaw with a CVSS 3.1 base score of 7.5 and allows information disclosure via an unspecified request.

The vulnerabilities make it possible to log in to QuickBlox on behalf of any user – doctor or patient – and view all of their data, including personal information, medical histories, chat histories, and medical record files. The researchers say full impersonation is also possible, so a malicious actor could log in as any doctor, modify information, and communicate in real-time via chat and video with real patients. The patient would be unaware that they were not chatting with a real physician. The researchers developed proof-of-concept exploits for the vulnerabilities against multiple applications and demonstrated how secret tokens and passwords embedded in applications along with the use of an insecure QuickBlox API would allow malicious actors to gain access to the PHI of millions of users.

The researchers looked at a popular telemedicine application that integrates with the QuickBlox SDK and provides chat and video services allowing patients to communicate with doctors. The researchers were able to exploit the QuickBlox vulnerabilities alongside specific telemedicine app vulnerabilities, and gain access to the entire user database, along with related medical records and medical histories stored in the application. They were also able to log in as any user, making it possible to impersonate a doctor. At the time of publication, the telemedicine application was still running the vulnerable versions of the framework.

Team82 and CPR worked closely with QuickBlox to resolve the identified vulnerabilities. QuickBlox has now designed a new, secure architecture and API to eliminate the vulnerabilities. All users should ensure they migrate to the latest version as soon as possible to prevent the flaws from being exploited.

The post Vulnerabilities Identified in Popular Telemedicine Software Development Kit appeared first on HIPAA Journal.

Médecins Sans Frontières/Doctors Without Borders Deploys Celo Health Secure Messaging Solution to Support its Humanitarian Efforts in 87 Countries

Securely sharing patient information is vital in the United States where healthcare organizations and their business associates are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and state laws governing health information privacy. In Europe, all personal data must be secured to comply with the General Data Protection Regulation (GDPR), and many countries have regulations covering personally identifiable health information. In order to comply with these regulations, organizations that operate globally must ensure that medical information is fully protected when it is transmitted electronically and access controls are in place to ensure that only authorized individuals can view that information.

Médecins Sans Frontières (MSF), aka Doctors Without Borders, is a non-governmental organization that provides emergency humanitarian medical care in conflict zones and countries affected by natural disasters, endemic diseases, and exclusion. MSF was formed in 1971 and has grown into an international movement of 63,000 people in more than 70 countries. MSF operates in extremely challenging environments and its clinicians must rely on smartphones for sharing critical patient information with their coordination teams, peers, and remote specialists. Any information shared electronically must be kept private and confidential and needs to be rapidly communicated to support clinical decisions that save lives.

There are many instant messaging platforms for mobile devices that allow rapid communication of information but they often lack the necessary privacy protections and security safeguards for communicating medical information to ensure global compliance. MSF conducted an in-depth review of messaging apps that could meet its unique communication needs and chose Celo Health’s secure messaging technology. Celo Health’s cloud communications platform was chosen due to its ease of use, global compliance, affordability, and reliability in challenging network environments. The platform was easy to implement on iOS and Android phones and desktop computers, required no training, and allowed instant onboarding of employees. The platform’s built-in directory enables MSF healthcare teams to reach the right person instantly, and the time saved communicating helps MSF to save lives.

“Due to the sensitive nature of information discussed and shared in MSF projects globally, providing secure messaging services is a top priority for the Telemedicine program,” said Clara Mazon, director of Telemedicine at MSF. “We look forward to working with Celo to improve access to secure messaging for MSF projects worldwide.” MSF has now confirmed that it has successfully implemented the Celo Health platform across the organization and that the platform is being used to support its operations in 87 countries. The collaboration between MSF and Celo Health has transformed communication within MSF teams, facilitating the instant secure exchange of patient-related clinical information even in the most challenging environments.

“We’re excited to partner with such a prestigious humanitarian organization and to help them transform their communications so it can deliver healthcare in crisis zones and underserved areas throughout the world. Celo is also committed to supporting MSF’s noble mission of providing free medical care to people who need it,” said Steve Vlok, CEO and founder of Celo. “MSF was also impressed by Celo’s simple yet comprehensive interface and onboarding process. Our team’s due diligence and transparency around privacy and security measures also made Celo stand out among our global competitors.”

The post Médecins Sans Frontières/Doctors Without Borders Deploys Celo Health Secure Messaging Solution to Support its Humanitarian Efforts in 87 Countries appeared first on HIPAA Journal.