HIPAA Communication News

Dental Practice Fined $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website.

Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and had publicly disclosed some of her PHI.

When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information.

The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the Elite review page.

In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a), OCR determined Elite had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i). Elite was also discovered not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three potential HIPAA violations could have attracted a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s cooperation with the OCR investigation into account.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This is the 4th OCR HIPAA settlement of 2019. In September, OCR fined Bayfront Health St Petersburg $85,000 for a HIPAA Right of Access failure. In May, two settlements were agreed to resolve multiple HIPAA violations at Medical Informatics Engineering ($100,000) and Touchstone Medical Imaging ($3,000,000).

The post Dental Practice Fined $10,000 for PHI Disclosures on Yelp appeared first on HIPAA Journal.

Senate Fails to Remove Ban on Funding of National Patient Identifier

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 that removed the ban, which would have allowed the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHIMA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time. A national patient identifier would instantly solve that problem.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment received strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is that a single identifier would be used to tie medical records to an individual from birth until death, and that could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill retains the ban, it is possible that an amendment could be made at a later date. AHIMA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the Digital Imaging and Communications in Medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries, and the highest concentration of unprotected PACS was found in the United States, where 187 unsecured servers were identified. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems; 20% of them were high-severity, and 500 were critical with a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.
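The patient details listed above live in the DICOM header of each image, so a defender's first question about an exposed or soon-to-be-shared study is "which identifying tags does this object carry?" The following is an added example, not code from the investigation or from any PACS vendor: a minimal explicit-VR little-endian DICOM element walker that reports the PHI-bearing tags present and flags any text value shaped like a U.S. Social Security number. The tag numbers are the standard DICOM ones; the assumptions are that the dataset is encoded as explicit VR little-endian, that the file meta group has already been stripped, and that the SSN pattern is a useful heuristic (the page says some images contained SSNs but not which field held them). The sample bytes are constructed inline.

```python
import re
import struct

# VRs whose element header uses a 2-byte reserved field and a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

# Standard DICOM tags matching the fields the investigation reported: patient
# name and birth date, institution, physician, study date and description.
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1000): "OtherPatientIDs",
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0008, 0x1030): "StudyDescription",
}

# Heuristic (our assumption, not a DICOM rule): 123-45-6789 shaped text.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def iter_elements(data):
    """Yield (group, element, vr, value_bytes) for each top-level element.

    Assumes explicit VR little-endian; nested sequences are skipped as blobs.
    """
    pos = 132 if data[128:132] == b"DICM" else 0   # skip preamble + magic
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported here")
        yield group, elem, vr, data[pos:pos + length]
        pos += length


def audit_phi(data):
    """Return {tag_name: value} for every PHI tag present, plus a list of
    (tag, value) pairs under 'ssn_like_values' for SSN-shaped text."""
    found = {}
    for group, elem, vr, raw in iter_elements(data):
        name = PHI_TAGS.get((group, elem))
        text = "" if vr in LONG_VRS else raw.decode("latin-1").rstrip(" \x00")
        if name:
            found[name] = text
        if text and SSN_RE.search(text):
            found.setdefault("ssn_like_values", []).append(
                (f"({group:04X},{elem:04X})", text))
    return found


def encode_element(group, elem, vr, value):
    """Build one explicit-VR-LE element; used only to construct sample input."""
    if isinstance(value, str):
        value = value.encode("latin-1")
    if len(value) % 2:                      # DICOM pads values to even length
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value


# Constructed sample header (fictional values) carrying the kinds of fields
# the investigation reported, plus an SSN-shaped value in OtherPatientIDs.
SAMPLE = b"\x00" * 128 + b"DICM" + b"".join([
    encode_element(0x0008, 0x0020, b"DA", "20190902"),
    encode_element(0x0008, 0x0060, b"CS", "CT"),
    encode_element(0x0008, 0x0080, b"LO", "Example Imaging Center"),
    encode_element(0x0008, 0x0090, b"PN", "Doe^Jane"),
    encode_element(0x0010, 0x0010, b"PN", "Roe^Richard"),
    encode_element(0x0010, 0x0030, b"DA", "19700101"),
    encode_element(0x0010, 0x1000, b"LO", "123-45-6789"),
    encode_element(0x7FE0, 0x0010, b"OW", b"\x00" * 16),   # stand-in pixel data
])

if __name__ == "__main__":
    for key, value in audit_phi(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real export, the same walk tells you whether a de-identification step actually emptied these tags before a study left the archive; production code would honour the transfer syntax declared in the file meta group rather than assume one.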

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

Webinar: Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age

Social media is a potential minefield for HIPAA violations. One impulsive response to an online review could violate the privacy of a patient, breach HIPAA Rules, and leave the practice at risk of a significant HIPAA violation penalty.

In the digital age, healthcare providers have to deal with a whole new set of privacy concerns. Social media cannot be avoided, so it is important to understand what must be done to protect the business.

“Proactively generating reviews and also responding to them effectively, in a timely manner is essential to marketing your practice. However, without proper precaution, health care providers could face serious privacy breaches and even HIPAA violations,” said Liam.

In the webinar, Liam will explain how healthcare providers can respond to reviews in a manner that minimizes legal risk, while remaining fully compliant with HIPAA regulations.

Register for our upcoming webinar to find out how to manage your online reputation without risking your practice.

Webinar Details:

Date:    Tuesday, September 17th

Time:    2:00 pm ET/11:00 am PT

Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential.

When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere.

According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the breach being discovered.

Prompt data breach notifications can make a big difference. Patients and plan members are likely to be much more forgiving if they are informed about a data breach promptly. 90% of respondents said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach, but many organizations are not prepared for the worst.

Previous research conducted by Experian suggests 34% of breach response plans do not include customer notification and only 52% of companies have a data breach crisis or communications plan in place. If the communications team is made aware in advance of notification requirements, the people responsible for the communications are mapped out, and approval processes are planned in advance, it will allow notifications to be issued much more quickly.

While incredibly fast breach notifications are expected, in practice it is often not possible to issue notifications in such a short time frame. A phishing attack that gives an attacker unauthorized access to an email account requires every email in that account to be checked for PHI. It is not always possible to automate that search effectively, and manual checks are often required. It is therefore important to start investigations promptly, yet 84% of businesses did not include forensic analysis in their breach response plans, which can lead to delays in issuing notifications.

Slow and ineffective communication is likely to add insult to injury following a data breach. 66% of respondents said slow breach notification and poor communication would likely see them stop doing business with the breached entity, and 45% of respondents would not only seek an alternative service provider, they would also instruct their friends and family members to do the same.

*Data for the report came from an Experian survey of 1,000 adults in the United States by consultancy firm KRC Research in July 2019.

Repurposing a Text Alert System for Business as a HIPAA Compliance Helpline

Because a text alert system for business lacks the mechanisms required for HIPAA compliance, the idea of using such a system as a HIPAA compliance helpline may seem a little out of the box. However, there are good reasons for suggesting this secondary use of a text alert system, which can also have benefits in training personnel to become more HIPAA compliant.

In a medical environment, a text alert system for business is one of the most effective ways of alerting large numbers of personnel simultaneously to an emergency event. During the emergency event, the text alert system can also be used to coordinate emergency response and check on the wellbeing of personnel, and used for business continuity when other channels of communication are inoperative.

A text alert system for business is typically fast and reliable, and – because text messages sent through the system are recorded for review – the messages are accountable. This makes the system an ideal tool for internal communications during non-emergency events; and one potential non-emergency use of a text alert system for healthcare organizations is as a HIPAA compliance helpline.

The Purpose of a HIPAA Compliance Helpline

The purpose of a HIPAA compliance helpline is to be a source of information for personnel struggling with the complexities of the HIPAA Privacy Rule. Although most personnel will have undergone HIPAA compliance training, there may be times when situations arise that have not yet been covered by the training or – due to the complexity of HIPAA – the person is confused by the context of the situation.

In these circumstances, it can be useful to have a designated authority (i.e. a compliance officer) at the other end of a communications channel in order to provide answers to HIPAA-related questions. Because of the speed of text messaging, the person in need of guidance needs only to text their question to the compliance officer and receive an appropriate answer almost immediately.

By using a text alert system for business in this way, the scenario is avoided in which a person is not sure about whether or not to disclose PHI to a third party, they ask a colleague who is equally unsure, and between them they arrive at an incorrect conclusion. In this respect, repurposing a text alert system for business as a HIPAA compliance helpline can avoid unintentional breaches of HIPAA.

The Secondary Benefit of Repurposing a Text Alert System for Business

Because a text alert system for business is not HIPAA compliant, the system cannot be used to communicate PHI. Therefore, requests for assistance about HIPAA-compliant uses, disclosures, and procedures should not reveal any personally identifiable information. However, the way in which the system is used by personnel will reveal a lot to compliance officers about who does – or does not – understand the HIPAA Privacy Rule.

In addition, there may be situations that arise that are unique to a location or medical service, and not covered by the general HIPAA guidelines. These situations can be incorporated into future HIPAA compliance training in order to address any potential confusion about them in advance. By using the conversations recorded by the text alert system for business, compliance officers can deliver more relevant training based on real-life examples in order to train personnel to be more HIPAA compliant.

In conclusion, a text alert system for business may not be HIPAA compliant, but it is the most effective way to communicate an emergency in compliance with the CMS’ Emergency Preparedness Rule. Healthcare organizations investing in a text alert system may only use it for training and for when an emergency occurs; but there are many other use cases in which organizations can extract additional value from the system. Using it as a HIPAA compliance helpline is just one of them.

Preparing Emergency Text Notification for Business in a HIPAA Compliant Age

Businesses subject to HIPAA regulations have to take care when using emergency text notification systems to ensure Protected Health Information (PHI) is not disclosed without authorization. HIPAA compliance policies can be difficult to enforce during an emergency, but a little preparation can help mitigate the risk of a HIPAA breach.

Emergency text notification systems for business are an effective way to alert personnel to an emergency incident in healthcare environments (such as fires, active shooter events, and severe weather), especially when they are integrated with other alert systems such as sirens, visual alarms, and digital signage. However, in a healthcare environment, medical personnel are subject to HIPAA regulations which prohibit the unauthorized disclosure of Protected Health Information (PHI).

Under normal circumstances, it is difficult to think of many scenarios in which an emergency text notification for business would contain PHI. However, in a stressful emergency situation, the risk exists that medical personnel might inadvertently disclose PHI while sending an emergency text notification, or that the notification might be received by individuals outside the healthcare environment who don’t appreciate the significance of the PHI and forward the notification to other individuals.

Emergency Text Notification Systems are Not HIPAA Compliant

Emergency text notification systems that send alerts via multiple communication channels are not HIPAA-compliant because the devices on which notifications are received do not have mechanisms to comply with the technical specifications of the HIPAA Security Rule – for example encryption, access controls, and automatic log-off. Furthermore, copies of SMS text messages, emails, and social media postings remain on service providers’ servers permanently with no means of retracting them.

Nonetheless, emergency text notification systems – especially those which integrate with other alarm systems – are the most effective way to comply with the Communication Plan requirements of the CMS’ Emergency Preparedness Rule. Depending on how the system is utilized, it can also be the most effective way of coordinating emergency response and ensuring business continuity during a long-term emergency. Therefore HIPAA covered entities need to take steps to mitigate the risk of a HIPAA breach.

How to Mitigate the Risk of a HIPAA Breach in an Emergency Text Notification

The best way to avoid accidental disclosures of PHI in an emergency text notification is to have notification templates prepared in advance. The CMS’ Emergency Preparedness Rule stipulates healthcare environments should plan responses to events such as pandemics, nuclear explosions, and natural incidents. It is a good idea not only to prepare notification templates for these types of events, but also for fires, active shooters, and the likely types of severe weather for the area.

In order to prevent individuals receiving emergency text notifications not intended for them, the personnel database should be segmented by role, location or other attribute in order to ensure the right people receive the right messages at the right time. In the event of an active shooter, for example, you only want the individuals in the immediate vicinity to initiate a lockdown. Alerting everyone else to the event may cause unnecessary panic that could hinder emergency response efforts.
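The two mitigations above (pre-approved templates and a role- and location-segmented recipient list) are easy to get wrong if the alerting tool still accepts free text, because free text is exactly where a stressed sender types a patient's name. As an added example, not the CMS rule text nor any alerting vendor's product, here is one way to enforce both: templates whose only variable parts are drawn from closed vocabularies, and recipient selection by attributes of a constructed personnel directory. Template names, zone codes, roles and phone numbers are all made up for the illustration.

```python
from dataclasses import dataclass

# Closed vocabularies for the placeholders. Nothing outside these sets can be
# rendered into a message, so no patient identifier can be typed into one.
ZONES = {"ED", "ICU", "WARD-3", "OUTPATIENT"}
ACTIONS = {
    "lockdown": "Lock doors, silence phones, stay out of sight.",
    "evacuate": "Leave by the nearest marked exit and report to the assembly point.",
    "shelter": "Move away from windows and remain in place.",
}

# Templates prepared in advance, one per event type the emergency plan covers.
# Each entry is (message text, the exact set of placeholders it accepts).
TEMPLATES = {
    "active_shooter": ("ALERT: Active threat reported near {zone}. {action}", {"zone", "action"}),
    "fire": ("ALERT: Fire alarm activated in {zone}. {action}", {"zone", "action"}),
    "severe_weather": ("ALERT: Severe weather warning. {action}", {"action"}),
}


@dataclass(frozen=True)
class Staff:
    phone: str
    role: str
    zone: str


def build_alert(template_id, **fields):
    """Render a template; reject unknown placeholders and out-of-vocabulary values."""
    text, allowed = TEMPLATES[template_id]
    if set(fields) != allowed:
        raise ValueError(f"template {template_id!r} takes exactly {sorted(allowed)}")
    if "zone" in fields and fields["zone"] not in ZONES:
        raise ValueError(f"unknown zone {fields['zone']!r}")
    if "action" in fields and fields["action"] not in ACTIONS:
        raise ValueError(f"unknown action {fields['action']!r}")
    rendered = dict(fields)
    if "action" in rendered:
        rendered["action"] = ACTIONS[rendered["action"]]
    return text.format(**rendered)


def select_recipients(directory, zones=None, roles=None):
    """Return phone numbers of staff matching every attribute filter given."""
    return sorted(
        s.phone for s in directory
        if (zones is None or s.zone in zones) and (roles is None or s.role in roles)
    )


# Constructed sample directory with fictional numbers.
DIRECTORY = [
    Staff("+1-555-0100", "nurse", "ICU"),
    Staff("+1-555-0101", "physician", "ICU"),
    Staff("+1-555-0102", "nurse", "ED"),
    Staff("+1-555-0103", "security", "ED"),
    Staff("+1-555-0104", "admin", "OUTPATIENT"),
]


def lockdown_notice(zone):
    """Only the affected zone gets the lockdown instruction; everyone else is
    left alone so the alert does not cause needless panic elsewhere."""
    message = build_alert("active_shooter", zone=zone, action="lockdown")
    return message, select_recipients(DIRECTORY, zones={zone})


if __name__ == "__main__":
    print(lockdown_notice("ICU"))
```

The design choice worth copying is that `build_alert` refuses any keyword it was not told to expect, so a sender cannot smuggle a free-text "note" field past the template even under pressure; a broadcast to all roles remains possible by passing no filters to `select_recipients`, but it has to be chosen deliberately.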