HIPAA Advice

What is SOC 2 in Healthcare?

SOC 2 in healthcare is a privacy and security attestation framework that can provide assurances to the C-Suite, to business partners, and to regulators that an organization has designed appropriate controls to protect data (SOC 2 Type 1, a point-in-time assessment of control design) and is operating those controls effectively over a period (SOC 2 Type 2). SOC 2 compliance in healthcare is voluntary, but the benefits of being SOC 2 “ready” can be significant.

What is SOC 2?

SOC 2 stands for System and Organization Controls 2 – one of five sets of standards organizations can use to assess whether their privacy, security, and/or administrative processes are adequate to ensure the confidentiality, integrity, and availability of data. In healthcare, SOC 2 is the most relevant of the five sets of standards because SOC 2 controls closely align with the requirements of HIPAA.

Healthcare organizations that have implemented policies and procedures to comply with HIPAA should have little difficulty in attesting SOC 2 compliance and obtaining a clean SOC 2 audit report. The report can then be used to demonstrate that appropriate controls are in place to protect the privacy and security of healthcare data (Type 1) and that they are operating effectively (Type 2).

The SOC 2 Process

The SOC 2 process consists of determining what “Trust Services Criteria”, what “Control Components”, and what “Points of Focus” within each Control Component apply to your organization. These can then be compiled into an SOC 2 compliance checklist which can be used to assess “point-in-time” compliance or “ongoing” compliance with the relevant controls.

Once the assessment is complete, you attest that the organization is SOC 2 compliant. To verify the attestation via an audit report, you arrange for an SOC 2 audit conducted by an independent CPA firm licensed to perform attestation engagements under the standards of the American Institute of Certified Public Accountants (AICPA); the AICPA sets the standards but does not itself commission or certify auditors. Depending on the “Type” of report, the auditor examines control design as of a single date (Type 1) or tests the controls over an observation period of several months, typically between three and twelve (Type 2).

The SOC 2 Controls

The SOC 2 controls consist of five Trust Services Criteria, within which there can be multiple Control Components and Points of Focus that can be relevant to an organization’s operations. Because different organizations assess themselves on different Criteria, Components, and Points of Focus, there is considerable overlap of Points of Focus between the five Trust Services Criteria.

Security

Of the five Trust Services Criteria, this is the only one required in an SOC 2 assessment. Its objective is to demonstrate that an organization’s systems and the data stored on them are protected against physical damage, unauthorized access, and unauthorized disclosure. Within the Security Trust Services Criteria there are nine Control Components (the “common criteria” series CC1 to CC9), each with multiple Points of Focus.

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

SOC 2 does not prescribe how many control activities must support a Point of Focus, but it is good practice for each to be supported by at least two, so that if one control activity fails the Point of Focus is still supported by another. For example, a logical access control might pair multi-factor authentication with periodic user access reviews: if a password is phished, the second factor blocks the login, and if an account is left active after a role change, the access review catches it.

Availability

For organizations pursuing SOC 2 in healthcare, compliance with the Availability Trust Services Criteria requires little more than compliance with the Contingency Plan standard of the Security Rule’s Administrative Safeguards (§164.308(a)(7)) relating to data backups, disaster recovery, and emergency mode operations, the Physical Safeguards that protect backup media from environmental hazards, and ensuring that systems have the capacity to manage demand.

Confidentiality

The objective of the Confidentiality Trust Services Criteria is to ensure that PHI maintained in healthcare systems is protected. Omitting overlapping and duplicated Points of Focus, the four most relevant to healthcare organizations relate to data classification and retention, the protection of sensitive information, the encryption of data, and the disposal of data.

Processing Integrity

This Trust Services Criteria requires that data processing is complete, valid, accurate, timely, and authorized. That requirement aligns with HIPAA’s Technical Safeguards for the integrity of PHI, so it is worth reviewing even if it is not ultimately included in the attestation.

Privacy

The Privacy Control Components and Points of Focus closely align with HIPAA Privacy Rule standards relating to privacy policies, privacy management, and breach notification. It is not necessary for organizations to include the Privacy Trust Services Criteria to achieve SOC 2 in healthcare, but a business partner or regulator reading the report would find its omission unusual.

SOC 2 and HIPAA

From the examples provided above, it is easy to see a close relationship between SOC 2 and HIPAA security standards. However, when you review the Control Components and Points of Focus of the Privacy Trust Services Criteria, there is an equally close relationship between SOC 2 and HIPAA privacy standards – particularly in the Privacy Management Framework Control Component.

In the context of SOC 2 in healthcare, the contents of the Privacy Management Framework include (but are not limited to):

  • Policies and procedures for the creation, collection, use and transmission of PHI.
  • Risk analyses for identifying, classifying, and prioritizing vulnerabilities and risks to PHI.
  • Procedures to obtain individuals’ authorizations for uses and disclosures when necessary.
  • Procedures to prevent, detect, and mitigate the consequences of data breaches.
  • Procedures to notify individuals and the relevant authorities in the event of a data breach.
  • The provision of a Notice of Privacy Practices and procedures to notify individuals of changes.
  • Procedures for responding to access requests and requests for copies of PHI.
  • Procedures for amending PHI when requested and informing third parties when necessary.
  • Procedures for maintaining and providing on request an accounting of disclosures.
  • Procedures for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from individuals.

The Benefits of SOC 2 in Healthcare

The benefits of SOC 2 in healthcare vary depending on what an organization is trying to achieve by going through the SOC 2 process. For example, a business associate may need to prove it has measures in place to protect the privacy and security of PHI before entering into a Business Associate Agreement with a covered entity. In such cases, it may only be necessary for the business associate to demonstrate SOC 2 Type 1 compliance.

Alternatively, a healthcare organization may wish to demonstrate that it complies with SOC 2 Type 2 to qualify for reduced cybersecurity insurance rates, or it may pursue an SOC 2 in healthcare audit report to demonstrate compliance with a recognized security framework. Being able to demonstrate at least one year’s compliance with a recognized security framework could help mitigate regulatory penalties for violations of HIPAA.

Even if no direct motive exists for pursuing SOC 2 in healthcare, the process of determining what Trust Services Criteria, Control Components, and Points of Focus apply can help organizations identify and address potential privacy and security risks and improve their compliance posture. It is important to be aware there are no passes or fails in an SOC 2 audit. The auditor expresses an opinion in the SOC 2 report – unqualified (the controls were suitably designed and, for Type 2, operated effectively throughout the period), qualified (one or more exceptions were found), adverse, or a disclaimer of opinion – and the business partners who read the report judge for themselves whether any exceptions matter to them.

SOC 2 Certification vs. SOC 2 “Ready”

Because organizations can select which Trust Services Criteria, Control Components, and Points of Focus they wish to include in an SOC 2 attestation, there is no such thing as an SOC 2 certification. The term “certification” usually refers to an SOC 2 audit report which – as discussed above – records an auditor’s opinion rather than a pass or fail. A more appropriate term to use is SOC 2 “ready” which, in the context of SOC 2 in healthcare, means being ready for an SOC 2 audit.

Being SOC 2 ready is the ideal state for a healthcare organization to aim for and maintain because, even if the organization does not undergo an SOC 2 audit, it implies the healthcare organization is complying with HIPAA. If your organization requires help with identifying which Trust Services Criteria, Control Components, and Points of Focus apply, or requires advice about how to become SOC 2 ready, it is recommended you speak with an SOC 2 compliance professional.

The post What is SOC 2 in Healthcare? appeared first on HIPAA Journal.

Is ChatGPT HIPAA Compliant?

ChatGPT is a large language model-based chatbot that can be used to create high-quality written content, similar to content written by humans, but is ChatGPT HIPAA-compliant? Can the tool be used in healthcare? OpenAI, the developer of ChatGPT, does not support HIPAA compliance for its chatbot at present. As ChatGPT is not HIPAA-compliant, the tool cannot be used with any electronic protected health information (ePHI).

Generative AI and HIPAA

Generative AI has many potential uses in healthcare; however, organizations that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) are not permitted to use these tools in connection with any ePHI unless the tools have undergone a security review and there is a signed, HIPAA-compliant business associate agreement in place with the provider of the tool. HIPAA-covered entities must obtain satisfactory assurances from business associates that any ePHI provided or encountered by a business associate will only be used for the purposes for which the business associate was engaged by the covered entity.

Some tech companies have developed healthcare-specific generative AI tools and are willing to enter into business associate agreements with HIPAA-covered entities. For instance, Google has developed generative AI tools such as PaLM 2 and Med-PaLM 2, which are helping healthcare organizations improve administrative and operational processes. Med-PaLM 2 supports HIPAA compliance and is covered by Google’s business associate agreement.

ChatGPT Use in Healthcare

ChatGPT is a large language model that has been developed to perform a range of tasks usually performed by humans. ChatGPT can generate human-like text if prompted to do so, including drafting letters and emails. ChatGPT can also summarize large amounts of text, saving users a considerable amount of time. ChatGPT has considerable potential for use in healthcare. ChatGPT could potentially be used by physicians for summarizing patient records, transcription, assisting with diagnoses if fed a list of symptoms, and suggesting a treatment plan.

ChatGPT has the potential to save administrative staff a considerable amount of time. For instance, it could be used for scheduling appointments, triaging patient calls, and generating patient reminders, and the chatbot could be used for answering general health queries. While ChatGPT is an advanced generative AI tool, any output must be verified. ChatGPT, like other large language models, can make mistakes and can “hallucinate” – produce fluent, plausible-sounding statements that are not grounded in its training data or in the prompt.

ChatGPT could save healthcare professionals a huge amount of time by eliminating repetitive tasks, and could help to improve efficiency and lower costs; however, there is the issue of HIPAA compliance. OpenAI would be classed as a business associate under HIPAA and would be required to enter into a business associate agreement with a HIPAA-covered entity before ChatGPT could be used in connection with any electronic protected health information (ePHI).

Is ChatGPT HIPAA Compliant?

OpenAI will not currently sign a business associate agreement with HIPAA-regulated entities, so the tool cannot be used in connection with any ePHI. Using ChatGPT, for instance, to summarize patient records or draft letters to patients risks violating HIPAA, as ChatGPT is not HIPAA compliant.

OpenAI has confirmed that from March 1, 2023, data submitted by customers via API will not be used to train or improve its large language models, unless customers opt in. Data sent through the API will be retained for up to 30 days for abuse and misuse monitoring purposes, after which the data will be deleted unless that information must be retained by law. Non-API data will be used to train its model unless customers opt out. While opting out will improve privacy, it does not mean the tool can be used with ePHI. Without a business associate agreement, ChatGPT must not be used in connection with any ePHI.

That does not mean that ChatGPT cannot be used by healthcare organizations. ChatGPT can be used in connection with de-identified protected health information (PHI), provided the PHI has been de-identified using a method permitted by the HIPAA Privacy Rule: either the Safe Harbor method (§164.514(b)(2)), which removes all 18 listed categories of identifiers of the individual and of relatives, employers, and household members, or the Expert Determination method (§164.514(b)(1)). Properly de-identified information is no longer PHI and is therefore not subject to the HIPAA Rules. Note that simply deleting names is not de-identification; dates, medical record numbers, contact details, and other identifiers must also be removed.

While ChatGPT is not HIPAA compliant, there are Generative Pre-trained Transformers (GPT) solutions that can be used in healthcare and tools that can be combined with ChatGPT to gain the benefits in a HIPAA-compliant way. For instance, BastionGPT and CompliantGPT have been developed to get around the HIPAA compliance problems with ChatGPT, and the providers of these tools will sign a business associate agreement with HIPAA-regulated entities. Their solutions use ChatGPT, but prevent it from coming into contact with any ePHI.
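The last two paragraphs describe the same control from two sides: only de-identified text may reach an external model, and intermediary tools keep ePHI away from ChatGPT altogether. The block below is an added example (not code from HIPAA Journal, OpenAI, BastionGPT, or CompliantGPT) of a fail-closed prompt gateway: before a prompt is forwarded to any LLM API, it is scanned for the Safe Harbor identifier categories that regular expressions can detect reliably, and blocked if any are found. The patterns, the “MRN” record-number format, and the sample prompts are all constructed for illustration; this is a guard against obvious leakage, not a substitute for full Safe Harbor de-identification (names and free-text geography, for example, need a proper de-identification tool).

```python
"""Added example: fail-closed prompt gateway that refuses to forward text
containing detectable HIPAA Safe Harbor identifiers to an external LLM.
Patterns and sample prompts are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the 18 Safe Harbor categories (45 CFR 164.514(b)(2)) that regular
# expressions catch reliably. Names and free-text locations are NOT covered
# here; a real deployment needs an NLP de-identification step for those.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Any date element more specific than a year (Safe Harbor permits year only).
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Medical record numbers in an assumed "MRN 0004521" / "MRN:0004521" format.
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    # Ages over 89 must be aggregated into a single "90 or older" category.
    "age_over_89": re.compile(r"\b(?:9\d|1[01]\d)[ -]?(?:year|yr)s?[ -]old\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


@dataclass
class Finding:
    category: str
    match: str


def find_identifiers(text: str) -> list[Finding]:
    """Return every detectable identifier in `text`, grouped by category."""
    findings: list[Finding] = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(category, m.group(0)))
    return findings


def gate_prompt(text: str) -> tuple[bool, list[str]]:
    """Decide whether `text` may leave the organization.

    Returns (allowed, blocked_categories). The gate fails closed: any hit
    blocks the whole prompt instead of redacting in place, because a record
    with some identifiers masked is still PHI.
    """
    findings = find_identifiers(text)
    if findings:
        return False, sorted({f.category for f in findings})
    return True, []


# Constructed sample prompts (no real patients).
PHI_PROMPT = ("Summarize: Patient MRN 0004521, DOB 03/14/1951, "
              "SSN 123-45-6789, contact (555) 010-2233, seen 2023-06-02.")
CLEAN_PROMPT = ("Summarize: 72-year-old patient seen in June 2023 with "
                "community-acquired pneumonia, treated with amoxicillin.")

if __name__ == "__main__":
    for prompt in (PHI_PROMPT, CLEAN_PROMPT):
        allowed, reasons = gate_prompt(prompt)
        print("ALLOW" if allowed else f"BLOCK {reasons}", "->", prompt[:48], "...")
```

In practice this check sits in the proxy or API wrapper that every LLM call passes through, and a block should be logged (without the matched text) so that repeated attempts surface in the organization’s information system activity review.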

The post Is ChatGPT HIPAA Compliant? appeared first on HIPAA Journal.

What are the HIPAA Technical Safeguards?

The HIPAA Technical Safeguards consist of five Security Rule standards that are designed to protect ePHI and control who has access to it. All covered entities and business associates are required to comply with the five standards or adopt equally effective measures. However, evidence suggests many covered entities and business associates fail to comply with the HIPAA Technical Safeguards.

Despite advances in technology over the past twenty years, the HIPAA Technical Safeguards (45 CFR §164.312) have remained unchanged since their publication in February 2003. This is not due to lax rulemaking by the Department of Health & Human Services (HHS), but rather testament to the work that went into fine-tuning the standards between the publication of the Proposed Security Rule in 1998 and the publication of the Final Security Rule five years later.

Consequently, it can be beneficial to go back to the Federal Register entry for the Final Security Rule in order to review the analyses published alongside the standards and implementation specifications. This can help covered entities and business associates better understand why the HIPAA Technical Safeguards exist, what their objectives are, and how HHS anticipated covered entities and business associates could comply with them.

The HIPAA Technical Safeguards – the Five Standards

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Authentication Controls
  • Transmission Security

Access Controls

The access controls standard requires covered entities and business associates to implement technical policies and procedures to only allow access to ePHI by authorized members of the workforce and software systems that have been granted access rights according to the Information Access Management Standard of the Administrative Safeguards (§164.308(a)(4)). The policies and procedures must meet the requirements of four implementation specifications:

  • Unique user identification (Required). Assign unique names and/or numbers to identify users and track user activity.
  • Emergency access procedures (Required). Develop (and test) procedures for accessing ePHI during an emergency.
  • Automatic logoff (Addressable). Implement procedures that log users out of systems and devices after a period of inactivity.
  • Encryption and decryption (Addressable). Implement procedures for the encryption and decryption of ePHI at rest.

When you review the analysis of this standard, it is notable that HHS deleted language relating to “context-based access”, “role-based access”, and “user-based access” and commented that any appropriate access control mechanism is allowed.

It is also notable that HHS changed the implementation specifications relating to automatic logoff and encryption to “Addressable” to allow other forms of (equally effective) inactivity lockout, and to base the adoption of encryption on the outcome of a risk assessment.

Audit Controls

The audit controls standard is a good example of why it can be beneficial to review the analysis of the Final Security Rule, because the standard itself only requires the implementation of hardware, software, and/or procedural mechanisms that record and examine access to – and activity in – information systems that contain or use ePHI.

At face value, the purpose of this standard could be interpreted as providing a means to retrospectively review system access and activity following a data breach – which does not align with the objectives of the HIPAA Technical Safeguards “to protect ePHI and control who has access to it.”

However, the analysis references two NIST Special Publications – 800-14 and 800-33 (now withdrawn) – which both advocate the use of automated audit controls to prevent unauthorized access or unauthorized activity as it happens, rather than review these events retrospectively.

At the time (in 2003), the availability of automated audit controls was limited. However, due to developments in cloud computing, activity logging services such as AWS CloudTrail – combined with automated alerting on the events they record – are relatively inexpensive to implement and simple to configure, and can add a layer of detection and response to the defenses against data breaches.
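The NIST guidance referenced above is about acting on audit records as events happen rather than reading them after a breach. As an added example (not code from HIPAA Journal or from any product), the block below runs two such automated checks over a small, constructed EHR access log: one flags a user ID that is active from two different source addresses within a few minutes (a shared or stolen credential), the other flags a user who opens more distinct patient records in a short window than their role would normally require (snooping or bulk export). The log format, thresholds, user names, and addresses are all assumptions for the example.

```python
"""Added example: near-real-time audit-control checks over EHR access events.
Log format, thresholds and sample lines are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: <ISO timestamp> <user> <source IP> <action> <patient id>
SAMPLE_LOG = """\
2023-06-02T08:01:10 jsmith 10.1.4.22 VIEW P10001
2023-06-02T08:01:45 jsmith 10.1.4.22 VIEW P10002
2023-06-02T08:02:05 jsmith 198.51.100.7 VIEW P10003
2023-06-02T08:03:00 rlee 10.1.4.31 VIEW P20001
2023-06-02T08:03:10 rlee 10.1.4.31 VIEW P20002
2023-06-02T08:03:20 rlee 10.1.4.31 VIEW P20003
2023-06-02T08:03:30 rlee 10.1.4.31 VIEW P20004
2023-06-02T08:03:40 rlee 10.1.4.31 VIEW P20005
2023-06-02T08:03:50 rlee 10.1.4.31 VIEW P20006
2023-06-02T08:10:00 mjones 10.1.4.40 VIEW P30001
2023-06-02T09:30:00 mjones 10.1.4.41 VIEW P30002
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "patient": patient})
    return sorted(events, key=lambda e: e["ts"])


def shared_credential_alerts(events: list[dict],
                             window: timedelta = timedelta(minutes=5)) -> set[str]:
    """Users whose ID was used from two different source IPs within `window`.

    Two people (or one person and an attacker) using one login defeats the
    unique user identification requirement, so this is worth an alert or a
    forced re-authentication, not just a line in a report.
    """
    alerts: set[str] = set()
    history: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        for seen_ts, seen_ip in history[e["user"]]:
            if seen_ip != e["ip"] and e["ts"] - seen_ts <= window:
                alerts.add(e["user"])
        history[e["user"]].append((e["ts"], e["ip"]))
    return alerts


def bulk_access_alerts(events: list[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> set[str]:
    """Users who viewed more than `threshold` distinct patients within `window`.

    Sliding window per user; the threshold should be tuned per role (a ward
    clerk legitimately touches more charts than a single clinician).
    """
    alerts: set[str] = set()
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({x["patient"] for x in evs[start:end + 1]}) > threshold:
                alerts.add(user)
    return alerts


def run_audit_checks(text: str) -> dict[str, set[str]]:
    events = parse_log(text)
    return {"shared_credential": shared_credential_alerts(events),
            "bulk_access": bulk_access_alerts(events)}


if __name__ == "__main__":
    for rule, users in run_audit_checks(SAMPLE_LOG).items():
        print(f"{rule}: {sorted(users) or 'no alerts'}")
```

In a production deployment the same logic runs as streaming rules in the SIEM or in the EHR’s own audit subsystem, and an alert triggers an action (session termination, account lock, or a page to the on-call) so the control prevents the unauthorized activity as it happens, which is the intent the analysis describes.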

Integrity Controls

The integrity controls standard – that covered entities and business associates implement policies and procedures to protect ePHI from improper alteration or destruction – appears to imply that members of the workforce are prevented from typing in the wrong information or inadvertently pressing the delete key.

While this standard can be complied with in part by assigning members of the workforce least privilege or read-only access to ePHI whenever possible, this standard was originally going to be called the “data authentication” standard and would require covered entities and business associates to implement measures such as error correcting memory to prevent data corruption.

Understanding the original intention of the standard helps put the single implementation specification – that mechanisms should be implemented to corroborate that ePHI has not been altered or destroyed in an unauthorized manner – into context. Nonetheless, it is still advisable to assign members of the workforce least privilege or read-only access to ePHI whenever possible.
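The single implementation specification asks for a mechanism that can corroborate a record has not been altered or destroyed without authorization. One such mechanism, shown here as an added example rather than code from the page or from HHS, is an HMAC over a canonical serialization of the record: because the tag is keyed, an attacker who can edit the database cannot simply recompute a plain hash, and because the serialization is canonical, re-saving the same content in a different key order or with different whitespace still verifies while any change to the content does not. The key, the record, and the field names are constructed for the example.

```python
"""Added example: keyed integrity tags for ePHI records (HMAC-SHA256 over a
canonical JSON serialization). Key and record are constructed for illustration;
in production the key belongs in a KMS/HSM and the tag is stored apart from
the record or in a signed audit log, never alongside it in the same row."""
import copy
import hashlib
import hmac
import json


def canonical_bytes(record: dict) -> bytes:
    """Canonical form: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal_record(record: dict, key: bytes) -> str:
    """Return a hex HMAC-SHA256 tag binding the record's content to `key`."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes) -> bool:
    """True only if the record is unchanged; uses a constant-time compare."""
    return hmac.compare_digest(seal_record(record, key), tag)


# Constructed data (not a real patient, not a real key).
INTEGRITY_KEY = b"example-key-do-not-use-in-production"
RECORD = {
    "patient_id": "P10001",
    "allergies": ["penicillin"],
    "medications": [{"name": "lisinopril", "dose_mg": 10}],
}


def demo() -> dict:
    """Seal the record, then verify the original, a re-serialized copy,
    and a tampered copy (dose changed 10 -> 100)."""
    tag = seal_record(RECORD, INTEGRITY_KEY)

    # Same content, different key order: canonicalization makes this verify.
    reordered = {"medications": RECORD["medications"],
                 "allergies": RECORD["allergies"],
                 "patient_id": RECORD["patient_id"]}

    # Unauthorized alteration of one nested field.
    tampered = copy.deepcopy(RECORD)
    tampered["medications"][0]["dose_mg"] = 100

    return {
        "original": verify_record(RECORD, tag, INTEGRITY_KEY),
        "reordered": verify_record(reordered, tag, INTEGRITY_KEY),
        "tampered": verify_record(tampered, tag, INTEGRITY_KEY),
        "wrong_key": verify_record(RECORD, tag, b"some-other-key"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} -> {'intact' if ok else 'ALTERED or unverifiable'}")
```

A tag alone shows that a record was altered, not who altered it or when; pairing the tags with the audit controls above, and checking them on read as well as on a scheduled sweep, is what turns this into a control that detects improper alteration before it reaches a clinician.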

Authentication Controls

The authentication controls standard – formally “person or entity authentication” (§164.312(d)) – appears to repeat the requirements of the access controls standard inasmuch as it requires covered entities and business associates to implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. Read on its own, issuing each authorized user with a unique password or PIN would appear to satisfy this requirement.

However, when you review the analysis of this standard, HHS comments that covered entities and business associates should verify user IDs using tools such as electronic signatures, call backs, and soft tokens (hardware tokens and biometric factors are also options today). Therefore, it is necessary to do more than issue each user with a unique user ID and password to comply with this standard.

Transmission Security

The transmission security standard is the one clear case where the HIPAA Technical Safeguards should have been updated to reflect advances in technology. This standard – to guard against unauthorized access to ePHI transmitted over an electronic communications network – was toned down from what was originally proposed on the basis that “switched, point-to-point connections, for example, dial-up lines, have a very small probability of interception”.

HHS also reconsidered the strength of the two implementation specifications relating to integrity controls and encryption because, at the time, there were no interoperable solutions for encrypting email communications. However, as most electronic transmissions are now conducted over the Internet, as encryption in transit (TLS) is supported by virtually every email and web service, and as end-to-end encrypted messaging is widely available, covered entities and business associates should implement the specifications or equally effective alternatives. Note that TLS between mail servers protects a message only hop by hop; if the content must be unreadable to intermediaries, end-to-end encryption or a secure messaging portal is needed.

How Organizations Fail to Comply With the HIPAA Technical Safeguards

Despite there being only five standards in the HIPAA Technical Safeguards, many covered entities and business associates struggle to comply with them. There is evidence of this in the HHS Breach Report Archive – a database of almost 5,000 resolved HIPAA data breaches affecting 500 or more individuals that includes descriptions of how the breaches occurred.

Many data breaches are attributable to the misuse or sharing of passwords, the failure to implement logoff controls, or the failure to encrypt data at rest. Many more could have been avoided with automated audit controls, while the failure to assign members of the workforce least privilege or read-only access led to the unauthorized disclosure of tens of thousands of records.

Unfortunately, this might only be the tip of the iceberg. According to HHS’ most recent report to Congress, the agency receives more than 60,000 notifications each year relating to breaches affecting fewer than 500 individuals. While the number of individuals affected by these breaches may not match those recorded on the database, it is fair to assume the causes of the data breaches are much the same as those which are publicly accessible.

Due to the recent restructuring of HHS’ Office for Civil Rights, and the proposed introduction of settlement sharing, it is likely there will be an increase in enforcement action against covered entities and business associates that fail to comply with the HIPAA Technical Safeguards. Organizations that are unsure whether their current efforts meet the requirements of the HIPAA Technical Safeguards are advised to seek professional compliance advice.

The post What are the HIPAA Technical Safeguards? appeared first on HIPAA Journal.

What is a HIPAA Compliant Home Office?

A HIPAA compliant home office is a working environment set up to support HIPAA compliance when a covered entity, business associate, or a member of either’s workforce works from home. Because of the different functions that can be performed from – and services that can be provided by – a home office, the requirements for HIPAA compliance can vary considerably.

What is a Home Office in Healthcare?

Although a home office is most often considered to be a remote working environment “in a location other than an employer’s central workplace”, a home office in healthcare could be the main working environment for a solo healthcare practitioner, a part-time employee of a covered entity, or a home business that provides medical transcription services as a business associate.

Regardless of whether a home office is a remote or a main working environment, is used full-time or part-time, or by an individual or a team, a home office has to be set up to comply with HIPAA whenever the function being performed in – or service being provided by – a home office involves the creation, receipt, maintenance, or transmission of Protected Health Information (PHI).

What Might a Home Office be Used For?

Working from home has become increasingly viable for a range of professions, including many in healthcare. A home office in healthcare can be used to perform many different functions for patients or to provide a range of services to covered entities and business associates. Examples of how a home office might be used for a healthcare function or service include:

  • Telemedicine Provider
  • Medical Transcriptionist
  • Medical Coder/Biller
  • Healthcare IT Specialist
  • Behavioral Health Professional
  • Epidemiologist
  • Health Coach
  • Patient Navigator
  • Biostatistician
  • Clinical Research Coordinator
  • Medical Educator or E-Learning Specialist
  • Medical Customer Service Representative

Some of these home-based functions and services can be subject to state or local employment regulations, while others may require an employee to work from home some of the time and the employer’s central workplace at other times. Nonetheless, whatever the working arrangement, whenever a home office is used to create, receive, maintain, or transmit PHI – in any media or format – it is necessary the home office is a HIPAA compliant home office.

The Requirements for a HIPAA Compliant Home Office

The requirements for a HIPAA compliant home office consist of much more than some people think. This is because the aim of the Administrative Simplification Regulations is to protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of electronic PHI regardless of where the information is created, received, stored, or transmitted.

Therefore, it does not matter whether the functions being performed and the services being provided take place in a home office, a healthcare facility, or a secure data center. The requirements for HIPAA compliance are the same. This means the same policies, procedures, and safeguards have to be implemented, and the same penalties can be applied for violations of HIPAA.

The requirements for a HIPAA compliant home office will mean different things to different types of home workers. For example:

  • A solo healthcare practitioner will have to comply with all applicable provisions, standards, and implementation specifications of the Administrative Simplification Regulations
  • A home business operating as a business associate may only have to comply with the applicable standards of the Privacy Rule and the Security and Breach Notification Rules.
  • An employee of a covered entity or business associate will have to comply with their employer’s policies and procedures – which may be different from in the central workplace because of the unique threats of home working.

Consequently, for some home workers, the requirements for a HIPAA compliant home office may include conducting an audit to determine where and how PHI is created, received, stored, or transmitted, conducting a risk assessment to identify potential impermissible uses and disclosures of PHI and security vulnerabilities, and developing procedures for notifying individuals and HHS’ Office for Civil Rights in the event of a data breach.

For homeworkers that maintain PHI in the home office – in any media or format – the requirements for a HIPAA compliant home office may include installing a safe or lockable file cabinet to keep paper records and data backups, developing a continuity of operations plan, and ensuring all devices used to store electronic PHI – including mobile devices – are encrypted, PIN-locked, and have automatic logoff activated to prevent unauthorized access to PHI if a device is lost or stolen.

What are the Unique Threats of Home Working?

Home working expands the cyberattack surface, and while cyberattacks are not unique to home working, home offices can be more vulnerable to an attack due to a lack of advanced security defenses and – when a home office is a remote office – less oversight by corporate security teams. In addition to the increased level of vulnerability, there will likely be less support to help home workers respond to and recover from a successful attack.

Other than the cybersecurity threats, home workers may be subject to distractions (children, pets, visitors, etc.) which can result in paper records or electronic devices being left unattended. There may also be times when they forget to lock away paper records and data backups, forget to keep device screens directed away from people who might see what is on them, or carelessly make a comment that constitutes an impermissible disclosure of PHI.

In many cases, one of the most important unique threats of home working is the ease with which it is possible to develop non-compliant practices “to get the job done”. The non-compliant practices can range from failing to provide a patient with a Notice of Privacy Practices, to installing software without the capabilities to support HIPAA compliance, to failing to enter into a Business Associate Agreement before storing PHI in a cloud storage service.

Conclusion: Ensure Your Home Office is HIPAA Compliant

No matter how you use your home office, if the function you perform or the service you provide involves the creation, receipt, storage, or transmission of PHI, you have to have a HIPAA compliant home office. If you fail to ensure your home office is HIPAA compliant, you are more likely to suffer a data breach or commit another HIPAA violation, for which the financial penalties can be substantial.

If you are unsure of the home office compliance requirements – either as an individual or an employer with a remote working team – it is recommended you review our HIPAA compliance checklist to better understand which provisions of HIPAA may be applicable. Alternatively, it is advisable to seek professional compliance advice about which standards of HIPAA you are required to comply with and how best to comply with them.

The post What is a HIPAA Compliant Home Office? appeared first on HIPAA Journal.

How to Secure Healthcare Data

HIPAA-regulated entities must ensure that protected health information (PHI) is safeguarded against unauthorized access, but many covered entities and business associates do not know how to secure healthcare data properly and leave sensitive information exposed.

The HIPAA Security Rule

The HIPAA Security Rule established national standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by HIPAA-covered entities and their business associates. The Security Rule requires appropriate administrative, physical, and technical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI. All regulated entities must assess security risks throughout their organization and implement a range of different safeguards to protect against unauthorized ePHI access, and ensure all risks are reduced to a low and acceptable level.

How to Protect Healthcare Data and Comply with HIPAA

The HIPAA Security Rule was developed to be flexible to ensure that it applies to covered entities of all types and sizes and includes required implementation specifications that must be implemented by all regulated entities, and addressable implementation specifications, which require an assessment to determine if the specification is reasonable and appropriate. If not, the Security Rule permits an alternative mechanism to be implemented to meet the standard addressed by that specification.

Administrative Safeguards

Administrative safeguards under HIPAA are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.”

Administrative safeguards include security management processes to prevent, detect, contain, and correct security violations. These include a comprehensive, organization-wide risk analysis to identify all risks and vulnerabilities to ePHI, risk management processes to reduce risks and vulnerabilities to a low and acceptable level, a sanctions policy, and information system activity reviews.

Staff members must be assigned responsibility for security, policies and procedures must be implemented to ensure workforce security, and a security awareness and training program is required for all members of the workforce. Administrative safeguards also include authorization, supervision, information access management, and contingency planning.

Physical Safeguards

HIPAA defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Physical safeguards include facility access controls to restrict access to physical PHI and electronic systems where ePHI is stored, contingency operations, facility security plans, access controls and validation procedures, and maintenance records.

Physical safeguards are required for workstation use and workstation security, with policies and procedures implemented to ensure that job functions can be performed in a secure way, prevent inappropriate use of computers, and restrict access to authorized users. Device and media controls should be implemented that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of the devices within the facility.

Technical Safeguards

HIPAA defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards include hardware, software, and other technology that protects and limits access to ePHI through access controls, audit controls, integrity controls, authentication, and transmission security.

Access controls are required to restrict access to ePHI to authorized individuals only, audit controls are necessary for monitoring activity on systems containing ePHI, integrity controls prevent the improper alteration or destruction of ePHI, and transmission security ensures that ePHI is protected when it is transmitted over an electronic network.

The HIPAA Security Rule does not specify the specific technologies that should be used to secure healthcare data and restrict access. HIPAA-regulated entities have the flexibility to implement security measures to comply with each standard and achieve its objectives. The HHS Security Series provides guidance on the administrative safeguards, physical safeguards, and the technical safeguards of the HIPAA Security Rule.

The Insider Threat Problem in Healthcare

Security Rule compliance requires ePHI to be safeguarded to ensure its confidentiality, integrity, and availability, and many of the implementation specifications are concerned with preventing access to ePHI by unauthorized third parties; however, threats can also originate from within an organization. Employees, contractors, interns, and other staff members can be just as dangerous as outside actors; in fact, some of the most damaging incidents have been caused by insiders.

According to Verizon’s Data Breach Investigations Report (DBIR), insider incidents are on the rise. For several years, healthcare was the only industry where insiders caused more breaches than external actors. While the situation is improving, the 2023 DBIR indicates 35% of healthcare data breaches were caused by insiders.

Insider threats take many forms and include careless and negligent workers, where there is no conscious decision to act inappropriately. Disgruntled employees pose a significant threat and perform deliberate actions to cause harm to their organization. Malicious insiders abuse their privileges for personal or financial gain, and threat actors often recruit or coerce individuals into stealing data or performing other actions such as installing malware. Insider threats are one of the biggest security challenges to address in healthcare. Insiders usually have legitimate access to ePHI and knowledge of internal systems and data locations, and their actions can be difficult to identify because cybersecurity solutions such as intrusion detection systems are primarily focused on detecting and blocking external threats.

Securing healthcare data against insider threats and detecting insider threats promptly requires a combination of measures including security policies, screening of new hires, user activity monitoring, logging, auditing, incident detection and response, user and entity behavior analytics, and employee education. Malicious insider threats are far less common than negligent and careless employees, which often cause the most harm. Accidental data leaks and employee errors are by far the largest risk and cause the most data breaches. Oftentimes, these incidents are the result of unclear security policies, employees’ lack of awareness of policies, and a failure to provide security awareness training. Improving education is vital in combating these incidents. Security policies should be easy to understand, security awareness training should be provided regularly, and employees must be made aware of the HIPAA Rules and the sanctions policy for violations.

Risk can be reduced through administrative safeguards, such as ensuring employees have appropriate access rights to ePHI and systems containing ePHI. Audits of access rights should be performed to check who has access to data and systems, and to ensure that the rights are appropriate. Detecting incidents quickly is vital. One of the reasons why insider breaches are so harmful is that they often go undetected for long periods. Having the right software in place is critical in this regard. For instance, Safetica offers a software solution for healthcare organizations that can help with the discovery of ePHI, restrict whether data can be shared with third parties, control and monitor employee access to ePHI, and rapidly detect unauthorized access and employee errors that may expose ePHI, providing insider threat and data leak protection. Safetica can limit file operations with personal information and ePHI, such as uploading, copying, printing, and even taking screenshots, all of which feature in the list of common HIPAA violations. Without systems in place to manage ePHI, unauthorised access to medical records can persist for years without detection. According to Safetica CTO Zbyněk Sopuch, “One of the key use cases of utilising data loss prevention tools like Safetica in healthcare settings is to ensure that access to sensitive ePHI is given only to the right personnel by monitoring and controlling the flow of data, preventing unauthorised access while safeguarding sensitive information and staying in compliance with HIPAA regulations.” Systems like Safetica provide immediate alerts for data security incidents, and real-time alerts have been found to reduce repeat offences by staff by 95%.

Securing healthcare data is complex and involves implementing robust encryption protocols, strict access controls, regular security audits, up-to-date software patching, comprehensive staff training in data handling and privacy regulations, utilizing strong authentication methods, employing intrusion detection systems, and maintaining physical security measures to prevent unauthorized access or breaches and ensure the confidentiality, integrity, and availability of sensitive patient information.


The post How to Secure Healthcare Data appeared first on HIPAA Journal.

What Information Can Hospitals Give Over the Phone?

What information hospitals can give over the phone depends on the purpose of the phone call, the recipient of the information, and any restrictions or authorizations in force at the time. The phone system being used can also impact what information hospitals can give over the phone.

The most common reasons for asking the question what information can hospitals give over the phone are:

  • Healthcare providers want to make sure they comply with HIPAA,
  • Patients want to know if their privacy rights have been violated, or
  • Families want the maximum information possible about a loved one.

Unfortunately, there is no A, B, and C answer to the question what information can hospitals give over the phone because patients have the right to restrict some or all disclosures and restrict who information is shared with. Additionally, patients have the right to authorize disclosures beyond those permitted by the Privacy Rule to individuals who enquire about the patient’s health.

Therefore, although §164.510 of the Privacy Rule permits hospitals to disclose directory information to individuals who enquire about a patient by name, there are many scenarios in which a request for information could be denied (including because a healthcare provider believes the disclosure is not in the patient’s best interest) or in which it is possible to disclose more than directory information.

What is Directory Information?

Directory information – in the context of what information can hospitals give over the phone – consists of the name of the patient, the location of the patient in the healthcare facility, the patient’s religious affiliation, and the patient’s condition described in general terms that does not communicate specific medical information about the individual.

Hospitals cannot provide any information over the phone about a patient’s past medical history if it is unrelated to the current medical condition, but can discuss treatment plans, drugs, and therapies with a caregiver over the phone provided the identity of the caregiver is verified. Note: some hospitals may require identity verification for any individual enquiring about a patient’s condition even though this is not required by HIPAA.

The Right to Restrict or Authorize Information

The right to restrict what information hospitals can give over the phone does not appear only in §164.510 of the Privacy Rule. §164.522 also gives patients the right to request privacy protections for PHI; and, although hospitals do not have to agree to most requests, the failure to agree to justifiable requests for privacy protections could result in a complaint to HHS’ Office for Civil Rights.

With regards to patient authorizations, in most cases authorizations are initiated by a covered entity to facilitate a use or disclosure of PHI not permitted by the Privacy Rule. However, there is nothing in the Privacy Rule that prevents a patient authorizing the disclosure of PHI to friends or family members over the phone – although hospitals need to be conscious of the fact that a patient also has the right to revoke an authorization at any time.

What Information Can Hospitals Give Over the Phone for TPO Purposes?

Hospitals can make disclosures of PHI over the phone for treatment, payment, and healthcare operations (TPO). However, how much PHI can be disclosed in a phone call depends on the purpose of the phone call. For example, there are no limitations on what information can be provided to a healthcare provider for the treatment of a patient; but, if the phone call is to a health plan to request authorization for the treatment, the minimum necessary standard applies.

It is also the case that restrictions and authorizations can apply to what information hospitals can give over the phone for TPO purposes. For example, a healthcare provider cannot refuse a request from a patient to restrict PHI disclosures to a health plan if the disclosures relate to a healthcare service the patient (or somebody on behalf of the patient) has paid for privately.

Why the Phone System being Used Might also Matter

Phone calls made by hospitals are either made over a Public Switched Telephone Network (PSTN) or over a Voice over Internet Protocol (VoIP) system. If using a VoIP system, it is necessary for a Business Associate Agreement to be in place with the software vendor before PHI is disclosed in a phone call. The same requirement does not apply to PSTN phone services.

If a hospital has deployed a VoIP system, and a Business Associate Agreement is not in place with the vendor of a VoIP system, the hospital is not allowed to disclose PHI over the phone. Note: some healthcare telephone communications are possible with patients under the FCC’s TCPA Omnibus Declaratory Ruling and Order unless a patient has rescinded their consent to be contacted by phone.

Conclusion: Why it is Important to Know What Information Hospitals Can Give over the Phone

The reasons it is important to know what information hospitals can give over the phone are the same as the reasons for asking the question what information can hospitals give over the phone:

  • Healthcare providers want to make sure they comply with HIPAA,
  • Patients want to know if their privacy rights have been violated, and
  • Families want the maximum information possible about a loved one.

The failure to comply with HIPAA, a violation of a patient’s privacy rights, or refusing to give families information that a patient has authorized can result in complaints to HHS’ Office for Civil Rights and a potential compliance investigation. To mitigate the risk of an investigation and the disruption this will cause, hospitals should develop policies and procedures for giving information over the phone.

The post What Information Can Hospitals Give Over the Phone? appeared first on HIPAA Journal.

Is Telling a Story about a Patient a HIPAA Violation?

When determining if telling a story about a patient is a HIPAA violation, it is necessary to take into account who is telling the story, why the story is being told, and what information about the patient is revealed in the story.

One of the objectives of the Privacy Rule is to protect patient privacy. The Privacy Rule tries to achieve this objective by stipulating which uses and disclosures of Protected Health Information (PHI) are permissible, which a patient should be given an opportunity to object to, and which require an authorization from the patient or their personal representative.

However, the Privacy Rule does not apply to everybody. If a healthcare provider is not a covered entity, a member of a covered entity’s workforce, or a member of a business associate’s workforce, telling a story about a patient is not a HIPAA violation – even if health information about the patient is disclosed because HIPAA does not apply to the healthcare provider.

Additionally, if an employee of a contractor for whom no Business Associate Agreement is necessary (i.e., a member of an agency’s environmental services team) reveals that they saw a famous person entering a healthcare facility for treatment, telling the story about the patient is not a HIPAA violation because the employee is not required to comply with the Privacy Rule.

Even when a healthcare provider or workforce member is required to comply with the Privacy Rule, there are still many circumstances when telling a story about a patient is not a HIPAA violation. This article explains some of the circumstances in which telling a story about a patient is not a HIPAA violation, but other circumstances may apply depending on the nature of the healthcare provider’s activities.

Why the Story is Being Told Matters

If a story about a patient is being told for a permissible use of PHI, the telling of the story is not a HIPAA violation. However, for some permissible uses of PHI, the minimum necessary standard applies; whereas, in other permissible uses, there is no limit on the amount of PHI that can be disclosed. For example:

  • If a story about how a patient sustained their injuries is being told by a healthcare provider to a health plan in order to obtain an authorization for treatment, the minimum necessary standard applies even if both the healthcare provider and the health plan are covered entities under HIPAA.
  • If a story about how a patient sustained their injuries is being told by a healthcare provider to another healthcare provider in order to provide treatment to the patient, the minimum necessary standard does not apply even if the two healthcare providers work for different covered entities.

Even for the same permissible use there can be times when telling a story about a patient is a HIPAA violation and times when it is not. For example, if a healthcare facility runs a training course for nursing students, trainees, or practitioners, PHI can be disclosed permissibly because the training course is covered under “health care operations”.

If more than the minimum necessary PHI is disclosed in the training course it is a violation of HIPAA, unless the patient has authorized the healthcare facility to disclose more than the minimum necessary to add context to the training – in which case it is not. Consequently, it is often difficult to determine whether telling a story about a patient is a HIPAA violation without knowing the full facts.

Why What Information is Revealed Matters

In answer to the question, is telling a story about a patient a HIPAA violation if no PHI is revealed, most people would say “no”. However, if the events of the story could be used to identify the patient, and the story is not being told for a permissible use of PHI, this answer is incorrect. To find out why, you have to review the definition of “individually identifiable health information” in §160.103 of the HIPAA General Rules. The [abridged] definition states:

Individually Identifiable Health Information is health information created or received by a health care provider, health plan, employer, or health care clearinghouse [that] relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

(i) that identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Therefore, if a healthcare provider told a story about a patient which contained no specific individually identifiable health information, the telling of the story could still be a HIPAA violation if the events related in the story could be used to identify a patient. Even if the story is embellished to make it an untruthful anecdote, the disclosure of PHI could be considered an impermissible use and a notifiable breach if the subject of the story can still be identified as a patient.

Conclusion: Is Telling a Story about a Patient a HIPAA Violation or Not?

There is no straightforward answer to the question, is telling a story about a patient a HIPAA violation or not because of the number of circumstances in which telling a story is not a HIPAA violation, and because of the issue of whether any information revealed in a story might be used to identify the individual. Additionally, as has been shown above, it can be difficult to ascertain whether a violation has occurred without knowing the full facts.

One scenario that has not yet been discussed is when a patient requests restrictions on the uses and disclosures of their PHI as they are allowed to do under §164.522 of the Privacy Rule. If a patient has exercised their right to request privacy protections, the only time it is possible to talk about the patient without violating HIPAA is when the nature of the discussion is an exempted use such as when PHI is required for emergency treatment or a disclosure is required by law.

Although the distinction between what constitutes a HIPAA violation and what doesn’t may be clear to a trained workforce of compliant healthcare professionals with knowledge of restrictions and authorizations, the distinction may not be clear to the subject of the story or to anybody else who hears it and knows the identity of the patient – potentially resulting in complaints to HHS’ Office for Civil Rights for alleged impermissible disclosures of PHI and violations of HIPAA.

Although in some circumstances the complaints will be unjustified, if HHS’ Office for Civil Rights decides to investigate a complaint, the investigation can be disruptive. Therefore, it is often best to prohibit the telling of stories about patients for any unnecessary reasons. This prohibition should be notified to members of the workforce during HIPAA training, along with the reasons why any story telling about a patient could be – or could be perceived to be – a HIPAA violation.

Is Telling a Story about a Patient a HIPAA Violation FAQs

Does talking about a patient violate HIPAA?

Talking about a patient violates HIPAA if there is no permissible reason for the patient to be discussed and, during the discussion, information about the patient is disclosed that could be used to identify the individual. When there is a permissible reason for talking about a patient, the amount of PHI disclosed must be kept to the minimum necessary unless the reason for talking about the patient is exempted from the minimum necessary standard or the patient has authorized the disclosure.

Can you talk about a patient without saying their name?

You can talk about a patient without saying their name unless any information disclosed in the conversation could be used to identify the individual. This would be a violation of HIPAA unless the reason for talking about a patient is a permissible disclosure – in which case it would not matter whether the patient’s name was mentioned or not.

Is it a HIPAA violation to talk about a patient without identifiers?

It can be a HIPAA violation to talk about a patient without identifiers if the nature of the discussion would be impermissible under the Privacy Rule and the information disclosed in the discussion could be used to identify the individual. With regards to this question, it is important to be aware that the so-called “18 HIPAA identifiers” are not what constitute PHI. Any information that could be used to identify an individual that is maintained in the same designated record set as their health information assumes Protected Health Information status.

How can you talk about a patient without violating HIPAA?

You can talk about a patient without violating HIPAA if you talk about the patient for a permissible reason. However, when you talk about a patient for a permissible reason, you also have to be aware of whether the minimum necessary standard applies and whether a patient has requested the disclosure of their health information is restricted.

Can doctors talk about patients without using names?

Theoretically, doctors can talk about patients without using names. However, if the doctor is a covered entity or a member of a covered entity’s workforce, and the information disclosed in the conversation could be used to identify the patient, talking about patients without using their names is still a violation of HIPAA.

Can a doctor discuss a patient with a family member?

A doctor can discuss a patient with a family member provided that – wherever possible – the patient has been given the opportunity to object and the identity of the family member is verified. In most circumstances, the doctor is only allowed to disclose the minimum necessary PHI to the family member unless the patient has given their authorization for a more comprehensive disclosure.

Is saying a patient name a HIPAA violation?

Saying a patient name can be a HIPAA violation depending on who is saying the patient name, who the patient name is being said to, and the reason for saying the patient name. In most circumstances, saying a patient’s name by itself is not a HIPAA violation when the name does not relate to the patient’s health condition, treatment for the condition, or payment for the treatment. However, there are some circumstances in which saying a patient name is a HIPAA violation. For example:

Nurse 1: “Who is that in bed 4 with the broken leg?”

Nurse 2: “That is Mr. Jones.”

The post Is Telling a Story about a Patient a HIPAA Violation? appeared first on HIPAA Journal.

What is the HHS OIG Exclusions List?

The HHS OIG Exclusions List is a database of individuals and organizations that are prohibited from participating in federal health care programs. Healthcare providers participating in federal health care programs are advised to regularly check the HHS OIG Exclusions List to avoid penalties for non-compliance with §1128 of the Social Security Act. This article answers the following:

  • What is the HHS Office of Inspector General?
  • What is the HHS OIG Exclusions List?
  • How is the OIG Exclusions List populated?
  • Why check the OIG list for exclusions?
  • What are the penalties for engaging excluded entities?
  • How can providers mitigate the risk of a penalty?
  • What other lists should be checked for exclusions?
  • Conclusion: The importance of regularly checking for exclusions

What is the HHS Office of Inspector General?

The HHS Office of Inspector General (OIG) is a team of investigators, auditors, analysts, attorneys and cybersecurity specialists within the Department of Health and Human Services (HHS). The team’s roles are to investigate and audit the Department’s operations to prevent fraud, waste, and abuse within the Department, and also to audit and investigate potential crimes against the Department.

HHS was one of the first Departments to have an Office of Inspector General in 1976 due to billions of dollars being lost each year to Medicaid fraud. At the time there was a ten-year backlog of uninvestigated cases, so Congress passed Public Law 94-505 to create an independent unit with adequate resources to clear the backlog and implement measures to detect future fraud and abuse.

Subsequent Acts of Congress increased the OIG’s regulatory authority to prevent crimes against the Department. The False Claims Amendment Act in 1986 lowered the bar for proof of fraud and increased the fines the OIG could impose, while the Health Insurance Portability and Accountability Act (HIPAA) in 1996 established the Health Care Fraud and Abuse Control (HCFAC) Program.

HCFAC gave HHS’ OIG the resources to enforce §1128 of the Social Security Act. This section relates to the “Exclusion of Certain Individuals and Entities from Participation in Medicare and State Health Care Programs”, which – although effective since the passage of the Medicare-Medicaid Anti-Fraud and Abuse Amendments in 1977 – had never been properly enforced due to a lack of resources.

What is the HHS OIG Exclusions List?

The HHS OIG Exclusions List is the name given to the list of individuals and organizations excluded from participating in federal health care programs under section 1128 (and subsequently section 1156) of the Social Security Act. The list now covers more than just Medicare and State Health Care Programs, and includes programs such as CHIP, TRICARE, and Veterans Affairs.

Also known as the OIG’s List of Excluded Individuals and Entities (LEIE), the HHS OIG Exclusions List contains details such as the excluded individual’s or organization’s address, National Provider Number, Unique Physician Identification Number, date of birth, job description, the date of exclusion, and the reason for exclusion – referring to the relevant clause of §1182 of the Social Security Act.

There are a number of reasons why an individual or organization may be included on HHS OIG Exclusion List. Some of these reasons attract a mandatory exclusion (i.e., required by law). Others are known as “permissive exclusions”, which are discretionary and which – in most cases – give individuals or organizations 30 days advance notice to appeal against inclusion on the list.

Examples of mandatory OIG exclusions and their exclusion periods:

  • Medicare or Medicaid fraud – minimum 5 years
  • Patient abuse or neglect – minimum 5 years
  • Other healthcare-related theft, fraud, or financial misconduct – minimum 5 years
  • Unlawfully manufacturing, distributing, prescribing, or dispensing a controlled substance – minimum 5 years
  • Second mandatory exclusion offense – minimum 10 years
  • Third mandatory exclusion offense – permanent exclusion

Examples of permissive OIG exclusions and their exclusion periods:

  • Fraud in non-health care programs – baseline 3 years
  • Obstruction of an investigation or audit – baseline 3 years
  • License revocation or suspension – same as the state licensing authority
  • Kickbacks and other prohibited activities – no minimum
  • Default on health education loan or scholarship obligations – until the default or obligation has been resolved
  • Failure to provide medically necessary services meeting professionally recognized standards – minimum 1 year

What the LEIE list does not show is the length of exclusion (most exclusions are not permanent). If an individual or organization does not request that their name is removed from the list once the period of exclusion is finished, it will remain on the HHS OIG Exclusions List indefinitely – potentially complicating searches when multiple entries exist for individuals with identical names.

How is the HHS OIG Exclusions List Populated?

The OIG Exclusions List is populated from several sources. Most mandatory exclusions on the LEIE list originate from enforcement actions taken by the HHS OIG or DOJ which result in a felony conviction. Enforcement actions taken by the HHS OIG and other federal agencies which result in misdemeanor convictions usually appear as permissive exclusions. These do not have a right of appeal.

In addition to HHS OIG enforcement actions, Medicare Fraud Control Units (MFCUs) operate in every state and territory. MFCUs have the authority to investigate and prosecute Medicaid provider fraud and patient abuse or neglect; and, when MFCU prosecutions result in a conviction, the individuals or organizations responsible for the fraud, abuse, or neglect are added to the HHS OIG Exclusions List.

Additionally, every state and territory has its own Office of Inspector General (or equivalent), its own laws regarding exclusions, and its own exclusion database. In some states, an exclusion at the federal level automatically triggers a state-level exclusion, but this does not always work in reverse because an event that constitutes a state violation may not constitute a federal violation.

Other excludable events can be reported to HHS OIG by healthcare providers, licensing authorities, and law enforcement agencies. However, these events can take some time to be added to the LEIE list because of factors such as the right of appeal. In some cases, exclusions reported to HHS OIG from these sources can take up to two years to appear on the HHS OIG Exclusions List.

Why Check the OIG List for Exclusions?

The reason healthcare providers are advised to check the OIG list for exclusions is that §1128A of the Social Security Act prohibits individuals and organizations that appear on the OIG Exclusions List from providing goods or services to providers that participate in federal health care programs. Excluded individuals are also prohibited from working for a participating healthcare provider in any capacity.

Healthcare providers that acquire goods or services from an excluded supplier – including prescribed medical items – will not only have their claims rejected by the federal health care program (which means they will have to absorb the cost themselves), but may also be subject to a civil monetary penalty, damages (described in the next section), and inclusion on the OIG LEIE list themselves!

With regards to excluded individuals, the prohibitions not only apply to individuals working in a medical capacity (including volunteers). If a participating healthcare provider employs an excluded individual in an administrative or environmental role – or subcontracts an excluded individual via an agency – this also qualifies as a violation of §1128 of the Social Security Act.

Importantly, pleading ignorance of an organization’s or an individual’s exclusion is no defense against a penalty for engaging – or engaging with – an excluded entity. The HHS OIG Exclusions List has been online and well-publicized since 1999, and the penalty clauses of §1128A of the Social Security Act apply to persons “who knew or who should have known” they were engaging an excluded entity.

What are the Penalties for Engaging an Excluded Entity?

The penalties for engaging an excluded entity or engaging with an excluded entity (for example, acquiring goods or services from an excluded supplier) are listed in §1128A of the Social Security Act. The statutory amounts were last raised by the Bipartisan Budget Act of 2018 and are adjusted for inflation annually by HHS, so the figures in effect at any given time are higher than the statutory baseline. The baseline penalties for engaging – or engaging with – an excluded individual are:

  • A civil monetary penalty of up to $20,000 for each item or service claimed, per violation.
  • Assessed damages of up to three times the amount claimed for each item or service (no limit).
  • Potential addition to state and HHS OIG Exclusion Lists depending on the nature of the violation(s).

The penalties for engaging – or engaging with – an excluded entity can be significant if a relationship with an excluded entity continues for many years. For example, in 2022, a Connecticut psychiatric practice entered into a settlement agreement of $310,874 for employing an excluded individual as its clinical director for five years and using federal reimbursement to pay the individual’s salary.

More recently, in June 2023, the Chinese American Planning Council Home Attendant Program in New York entered into a settlement agreement of $866,339 with HHS OIG for employing a personal assistant who was excluded from participation in the New York Medicaid program. HHS OIG alleged that the organization had billed New York Medicaid for services furnished by the personal assistant.

How can Providers Mitigate the Risk of a Penalty?

Providers can mitigate the risk of a penalty by frequently checking exclusion lists for individuals and organizations prohibited from providing goods and services to healthcare providers. HHS OIG recommends “providers should check the LEIE prior to employing or contracting with persons and periodically check the LEIE to determine the exclusion status of current employees and contractors”.

As well as checking the exclusion status of prospective and existing employees and contractors, it is important healthcare providers develop policies relating to the frequency of screening existing employees and contractors, the responsibility for screening, and which databases to check. These policies must be documented along with the results of database checks and positive identifications.

Any excluded individual or organization identified in a database check that is already employed by, or providing goods and services to, the healthcare provider should be reported to HHS OIG via the Health Care Fraud Self-Disclosure Protocol in order to mitigate the risk of a penalty. Naturally, if a prospective employee or contractor (or a member of a contractor’s workforce) matches an entry on an exclusion database, the prospective employee or contractor should not be engaged.

The challenge with mitigating the risk of a penalty is that the HHS OIG Exclusions List is not the only database healthcare providers should be checking. Depending on a provider’s location and the nature of their operations, it may be necessary to check multiple state and federal databases to identify individuals and organizations excluded from providing goods and services.
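As an added illustration (not code from HIPAA Journal, HHS OIG, or any screening vendor), the routine below screens a subject against two constructed exclusion lists, skips entries that were reinstated before the screening date, treats a conflicting middle initial as a non-match, and writes a record of the check itself rather than only of positive hits. The column layouts, the use of 0000000000 as a placeholder NPI, and every name in the sample data are assumptions for the example; the real LEIE download has more fields and its layout should be taken from HHS OIG's own documentation.

```python
"""Exclusion screening example: added illustration, not HHS OIG or HIPAA Journal
code. Column layouts below are assumptions made for this example."""
import csv
import io
import re
import unicodedata
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample rows (fictitious people) in a simplified LEIE-like layout.
# Dates are YYYYMMDD and 00000000 is assumed to mean "no date", as in the LEIE.
LEIE_CSV = """LASTNAME,FIRSTNAME,MIDNAME,NPI,EXCLTYPE,EXCLDATE,REINDATE
DOE,JANE,A,1234567893,1128a1,20190315,00000000
SMITH,ROBERT,,0000000000,1128b4,20210101,00000000
NGUYEN,THI,,0000000000,1128b7,20150601,20200601
"""

# Constructed state list in a different (assumed) layout: each source needs its
# own parser, but all of them feed a single screening step.
STATE_CSV = """name,npi,exclusion_date,source
"O'Brien, Sean",,2022-07-01,NY OMIG
"""

@dataclass(frozen=True)
class Exclusion:
    source: str
    last: str
    first: str
    middle: str
    npi: str                       # "" when the list carries no NPI
    excluded_on: date
    reinstated_on: Optional[date]  # None while the exclusion is still active

def norm(s: str) -> str:
    """Uppercase and drop accents/punctuation so "O'Brien" compares as "OBRIEN"."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Z]", "", s.upper())

def _ymd(s: str) -> Optional[date]:
    return None if s in ("", "00000000") else datetime.strptime(s, "%Y%m%d").date()

def parse_leie(text: str) -> list:
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        npi = "" if r["NPI"] in ("", "0000000000") else r["NPI"]
        out.append(Exclusion("LEIE", norm(r["LASTNAME"]), norm(r["FIRSTNAME"]),
                             norm(r["MIDNAME"]), npi, _ymd(r["EXCLDATE"]), _ymd(r["REINDATE"])))
    return out

def parse_state(text: str) -> list:
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        last, first = (p.strip() for p in r["name"].split(",", 1))
        out.append(Exclusion(r["source"], norm(last), norm(first), "", r["npi"],
                             date.fromisoformat(r["exclusion_date"]), None))
    return out

@dataclass(frozen=True)
class Subject:
    last: str
    first: str
    middle: str = ""
    npi: str = ""

def screen(subject: Subject, exclusions: list, as_of: date) -> list:
    """Return (exclusion, basis) pairs active on as_of. basis is "npi" for an
    identifier match, or "name" for a lead that still needs manual verification."""
    hits = []
    for e in exclusions:
        if e.reinstated_on is not None and e.reinstated_on <= as_of:
            continue                      # reinstated before the screening date
        if e.excluded_on > as_of:
            continue                      # not yet excluded on that date
        if subject.npi and e.npi:
            if subject.npi == e.npi:
                hits.append((e, "npi"))
            continue                      # both NPIs known and different: not this person
        if norm(subject.last) == e.last and norm(subject.first) == e.first:
            sm, em = norm(subject.middle), e.middle
            if sm and em and sm[0] != em[0]:
                continue                  # middle initial conflicts
            hits.append((e, "name"))
    return hits

def audit_record(subject: Subject, exclusions: list, as_of: date) -> dict:
    """Document the check itself, not just positives: the record is the evidence
    that the provider looked, which the "should have known" standard turns on."""
    hits = screen(subject, exclusions, as_of)
    return {
        "screened_on": as_of.isoformat(),
        "subject": f"{subject.last}, {subject.first} {subject.middle}".strip(),
        "lists_checked": sorted({e.source for e in exclusions}),
        "matches": [{"source": e.source, "basis": b, "excluded_on": e.excluded_on.isoformat()}
                    for e, b in hits],
    }

ALL_EXCLUSIONS = parse_leie(LEIE_CSV) + parse_state(STATE_CSV)

if __name__ == "__main__":
    for s in (Subject("Doe", "Jane", "Ann"), Subject("O'Brien", "Sean"), Subject("Nguyen", "Thi")):
        print(audit_record(s, ALL_EXCLUSIONS, date(2023, 9, 1)))
```

A name-only match is a lead, not a conclusion: it should be resolved against date of birth or through HHS OIG's online verification before any action is taken, and the resolution should be written to the same record. Keeping negative results as well as positives is deliberate, because a provider that cannot show it checked is in the same position as one that never did.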

What Other Lists should be Checked for Exclusions?

Other federal lists healthcare providers may need to check for exclusions – depending on the nature of their operations – include (but are not limited to) the Medicare Exclusion Database, the GSA’s System for Award Management database, and the National Practitioner Data Bank. It is also advisable to check state Medicaid exclusion lists for location-specific exclusions.

The Medicare Exclusion Database (MED)

The Medicare Exclusion Database includes data about individuals and entities that have been precluded from billing Medicare due to being assessed a penalty, owing an outstanding debt, or being subject to a Medicare payment suspension for (for example) fraudulent billing, overcharging, providing substandard care, or non-compliance with CMS rules and regulations.

An entity that appears on CMS’ Medicare Exclusion Database might not appear on the HHS OIG Exclusions List depending on the reason for being excluded. Therefore, although engaging – or engaging with – an entity that only appears on the Medicare Exclusion Database will not attract a penalty, it could mean a healthcare provider will not get paid for services billed to Medicare.

The System for Award Management (SAM) Database

The General Services Administration’s (GSA) System for Award Management (SAM) database is a procurement repository that healthcare providers can use to determine the eligibility of individuals and entities to participate in federal programs. The database not only includes contractors approved to do business with the federal government, but also contractors excluded from federal programs.

Excluded contractors that appear on the SAM database would have previously appeared in the Excluded Parties List System (EPLS). However, this system was integrated into the SAM database – effectively making it easier to search a single database. Like the MED database, inclusion on the SAM database does not guarantee an excluded entity will appear on the HHS OIG Exclusions List.

The National Practitioner Data Bank (NPDB)

The National Practitioner Data Bank is an information clearinghouse that lists adverse actions taken by licensing agencies against health care practitioners and health care entities, adverse privileging actions, and any negative actions or findings taken against health care practitioners or entities by Quality Improvement Organizations and Private Accreditation Organizations.

In 2013, the NPDB was merged with the Healthcare Integrity and Protection Data Bank (HIPDB), which was created by HIPAA to provide information on adverse licensing and certification actions, healthcare-related criminal convictions, civil judgments, exclusions from Federal or State health care programs, and other decisions. This information is now available via the NPDB.

Conclusion: The Importance of Regularly Checking for Exclusions

While most healthcare providers will be aware of the HHS OIG Exclusions List, and likely check it before employing new hires or entering into contracts with new vendors, it is important to continue regularly checking the database because exclusions that originate from outside the Office of Inspector General or a Medicaid Fraud Control Unit (MFCU) can take up to two years to appear on the HHS OIG Exclusions List.

Furthermore, as well as checking the LEIE list and any other lists relevant to their activities, healthcare providers should develop policies for the frequency of screening, and procedures for when a database check results in a positive match. The policies, checks, and any self-disclosure reports should be documented to mitigate the risk of a penalty for non-compliance.

Indeed, the penalties for engaging – or engaging with – an excluded individual or organization can be significant if checks are not performed and a relationship with an excluded individual is allowed to continue. Six-figure civil monetary penalties are not uncommon and healthcare providers also run the risk of themselves being added to the HHS OIG Exclusions List.

Therefore, the importance of frequently checking for exclusions cannot be overstated. Although screening is not mandatory (except for State Medicaid agencies), the “should have known” clause in §1128A of the Social Security Act means there is no justifiable defense for healthcare providers that fail to check all applicable databases. If any healthcare provider is unsure of its exclusion responsibilities under §1128 of the Social Security Act, it is recommended to seek professional compliance advice.

The post What is the HHS OIG Exclusions List? appeared first on HIPAA Journal.

What is HIPAA Enforcement Discretion?

HIPAA enforcement discretion occurs when the Secretary of Health and Human Services (HHS) announces the Department will exercise discretion in the enforcement of HIPAA Rules. The discretion can be temporary or permanent, region-specific or nationwide, and can apply to some Rules but not others. Recent examples of when HIPAA enforcement discretion has been announced include:

  • 2023 – Typhoon Mawar in Guam
  • 2022 – Hurricane Ian in Florida and South Carolina
  • 2022 – Kentucky Flooding Public Emergency
  • 2021 – Texas Winter Storms Emergency
  • 2021 – The HIPAA “Safe Harbor” Law
  • 2020 – Wildfires in California and Oregon
  • 2020 to 2023 – The COVID-19 Pandemic
  • 2020 – Puerto Rico Earthquakes
  • 2019 – Hurricane Dorian (Multiple States)
  • 2018 – Hurricane Michael in Florida and Georgia

Most HIPAA Enforcement Discretion is Temporary and Region Specific

Under §1135 of the Social Security Act, the HHS Secretary has the authority to waive sanctions and penalties for specified HIPAA provisions if the President declares an emergency or disaster and the Secretary declares the event a public health emergency. Such waivers are state or region-specific, apply only to specific provisions of the HIPAA Rules, and are short-lived: for a given hospital the waiver applies for up to 72 hours from the time the hospital implements its disaster protocol, and it ends sooner if the emergency declaration is terminated first, at which point the hospital must comply with the full Privacy Rule for any patient still in its care.

The Secretary can waive requirements or announce enforcement discretion in many different areas of healthcare. For example, the Secretary can waive the requirements for out-of-state healthcare professionals to be licensed before being allowed to practice, or exercise discretion when investigating violations of the physician self-referral law (§1877 of the Social Security Act).

In the context of HIPAA enforcement discretion, the Secretary can waive sanctions and penalties that result from non-compliance with the following standards of the Privacy Rule:

  • 164.510 – Uses and disclosures of Protected Health Information requiring an opportunity for the individual to agree or object.
  • 164.520 – The requirement to distribute a HIPAA Notice of Privacy Practices and obtain acknowledgment of receipt.
  • 164.522 – The rights to request privacy protections for Protected Health Information and request confidential communications.

When the Secretary issues a Notice of HIPAA Enforcement Discretion, it only applies to the emergency area for the emergency period specified in the public health emergency declaration, and only to hospitals that have initiated a disaster protocol. A Notice of HIPAA Enforcement Discretion issued in these circumstances does not apply to health plans or business associates.

Nationwide Discretion Announced during the COVID-19 Pandemic

During the COVID-19 pandemic, healthcare providers had to deal with a nationwide public health crisis, the likes of which had never been seen before. The 2019 Novel Coronavirus (SARS-CoV-2) that caused COVID-19 forced healthcare providers to change normal operating procedures and workflows, reconfigure hospitals to segregate patients, open testing centers outside their usual facilities, work with new providers and vendors, and rapidly expand telehealth services.

To ensure the flow of essential healthcare information was not impeded by the HIPAA regulations during the public health emergency, the HHS’ Office for Civil Rights (OCR) issued multiple nationwide Notices of HIPAA Enforcement Discretion and announced that penalties and sanctions for noncompliance with certain provisions of the HIPAA Rules would not be imposed on healthcare providers for the good faith provision of healthcare services during the COVID-19 public health emergency.

Notice of Enforcement Discretion Covering Telehealth Remote Communications

With hospitals having limited capacity, and social distancing and self-isolation measures in place, healthcare providers rapidly expanded their telehealth and virtual care capabilities. The Centers for Medicare and Medicaid Services (CMS) also temporarily expanded telehealth options for all Medicare and Medicaid recipients.

To support healthcare providers, OCR announced a Notice of Enforcement Discretion covering telehealth remote communications for the duration of the public health emergency. Although some of the platforms used for providing these services were not fully compliant with HIPAA, OCR said it would not impose penalties for the use of these platforms during the public health emergency, provided the platforms were non-public-facing.

Notice of Enforcement Discretion Covering Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities

The HIPAA Privacy Rule only permits business associates of HIPAA-covered entities to use and disclose PHI for public health and health oversight activities if it is specifically stated that they can do so in a business associate agreement (BAA) with a HIPAA-covered entity. Even in such cases, disclosures of PHI should be restricted to the minimum necessary amount to achieve the objective of the disclosure.

On April 2, 2020, OCR issued a Notice of HIPAA Enforcement Discretion stating penalties would not be imposed on business associates for good faith disclosures of PHI for public health purposes to agencies such as the Centers for Disease Control and Prevention (CDC), CMS, state and local health authorities, and state emergency operations centers. In all cases, any use or disclosure of PHI must be reported to the covered entity within 10 days of the use or disclosure occurring.

Notice of HIPAA Enforcement Discretion for Community-Based Testing Sites

Additionally, enforcement discretion was exercised by OCR in connection with good faith participation in the operation of COVID-19 testing sites such as walk-up, drive-through, and mobile sites. The Notice of Enforcement Discretion covered all activities in testing centers that support the collection of specimens and testing of individuals for COVID-19.

Reasonable safeguards had to be implemented to protect patient privacy and the security of any PHI used or collected at these sites. The Notice did not apply to health plans or healthcare clearinghouses when they were performing health plan and clearinghouse functions, nor to healthcare providers or business associates that were not performing COVID-19 Community-Based Testing Site activities, even if those activities were performed at the testing sites.

Notice of Enforcement Discretion Covering Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments

On January 19, 2021, OCR announced it would be exercising enforcement discretion and would not impose penalties or sanctions on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments.

While HIPAA penalties would not be imposed, OCR encouraged HIPAA-covered entities and business associates to ensure that reasonable safeguards were implemented to ensure the privacy and security of healthcare data, such as the use of encryption, limiting data input into systems to the minimum necessary information, and activating all available privacy settings.

Sharing PHI About COVID-19 Patients with First Responders

As well as publishing several Notices of HIPAA Enforcement Discretion at the start of the COVID-19 public health emergency, OCR confirmed that the Privacy Rule permitted the sharing of PHI with first responders such as law enforcement, paramedics, public safety agencies, and others under certain circumstances, without first obtaining a HIPAA authorization from a patient.

OCR also confirmed that the HIPAA Privacy Rule permits disclosures of PHI for the provision of treatment (e.g., by a skilled nursing facility to medical transport personnel), when required to do so by law (such as to comply with state infectious disease reporting requirements), and to prevent or control disease, injury, or disability. The latter included disclosures for public health surveillance, and to public health authorities to help prevent or control the spread of disease.

PHI could – and still can – be disclosed to first responders who may be at risk of infection and to help prevent or lessen a serious and imminent threat to the health and safety of a person or the public. OCR explained that it is permissible to “disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.”

Enforcement Discretion to be Applied when Calculating Violation Penalties

In January 2021, an amendment to the HITECH Act instructed the HHS Secretary to exercise HIPAA enforcement discretion and take into consideration certain recognized security practices when determining potential fines and/or the length and extent of a corrective action plan or an audit in the event of a data breach.

To qualify for this HIPAA enforcement discretion, an investigated covered entity or business associate must be able to demonstrate that recognized security practices had been in place for at least the previous twelve months. Although covered entities and business associates can choose the framework that best meets the needs of the organization, the amendment defines “recognized security practices” as:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework,
  • The cybersecurity practices developed under Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity which are explicitly recognized by statute or regulation.

Despite the amendment coming into force more than two years ago, OCR has not yet published details of how discretion will be applied in the context of the HIPAA Enforcement Rule. In 2022, the agency issued a Request for Information asking for comments from stakeholders on how this enforcement discretion should best be applied, and it has published a video explaining how HIPAA-regulated entities can demonstrate that they have implemented recognized security practices, but it has yet to publish a Notice of Proposed Rulemaking – the next step before any Rule is finalized.

Conclusion:

HIPAA compliance can be challenging at the best of times, but during a public health emergency compliance becomes more difficult, no matter how well prepared a healthcare provider is. The Department of Health and Human Services recognizes the issues that can occur when healthcare providers are prevented from delivering the best possible healthcare because of regulatory barriers and will exercise HIPAA enforcement discretion as and when necessary.

Nonetheless, it is important for covered entities – and business associates where applicable – to understand which Privacy Rule standards are subject to enforcement discretion, and which are not. It is also important for both covered entities and business associates to review their current Security Rule compliance in order to ensure they protect PHI from unauthorized and impermissible disclosures using a recognized security framework.

Healthcare providers who require further information about HIPAA compliance, which standards may be subject to HIPAA enforcement discretion, and what constitutes a recognized security framework should seek professional compliance advice.

The post What is HIPAA Enforcement Discretion? appeared first on HIPAA Journal.