HIPAA Compliance News

Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million

The HHS’ Office for Civil Rights has announced its second financial penalty of 2023 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Banner Health has agreed to pay a financial penalty of $1,250,000 and adopt a corrective action plan to resolve the alleged HIPAA Security Rule violations.

Phoenix, AZ-based Banner Health is one of the largest non-profit health systems in the United States, with 30 hospitals, more than 69 affiliated healthcare facilities in six U.S. states, and more than 50,000 employees. On July 13, 2016, Banner Health detected a security breach; the subsequent investigation confirmed that hackers had gained access to its systems on June 17, 2016. The attackers were able to access systems containing the protected health information (PHI) of 2.81 million individuals, including names, addresses, dates of birth, Social Security numbers, claims information, lab results, medications, diagnoses, and health insurance information. After being notified of the breach, OCR initiated a review of Banner Health’s HIPAA Security Rule compliance to determine whether noncompliance was a contributory factor.

OCR’s investigators determined that Banner Health had failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. The administrative safeguards of the HIPAA Security Rule include a requirement to conduct regular reviews of information system activity to identify unauthorized access to PHI. OCR determined that Banner Health had not implemented sufficient procedures to conduct regular reviews.

The HIPAA Security Rule requires covered entities to implement technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. OCR found that Banner Health had failed to implement sufficient procedures to verify that persons seeking access to ePHI are who they claim to be (the person or entity authentication standard), and had not implemented sufficient technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network (the transmission security standard).

OCR said its investigators found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across the Banner Health organization, which was a serious concern given the size of the covered entity, and the HIPAA violations were sufficiently severe to warrant a financial penalty. In addition to paying a financial penalty, Banner Health has agreed to adopt a corrective action plan (CAP) that includes the requirement to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization and develop a risk management plan to address any vulnerabilities identified by the risk analysis. Policies and procedures must be developed, implemented, and distributed to the workforce covering risk analyses, risk management, system activity reviews, authentication processes, and security measures to protect against unauthorized PHI access. OCR will monitor Banner Health for compliance with the CAP for 2 years.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

The post Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million appeared first on HIPAA Journal.

Early Bird Registration For National HIPAA Summit 2024 Ends 22nd December

The National HIPAA Summit is a leading forum on healthcare EDI, privacy, cybersecurity, and HIPAA compliance.

The 22nd December deadline for early bird registration for the Virtual 41st National HIPAA Summit is fast approaching. HIPAA Journal readers can also receive $100 off the registration fee by entering “HIPAAJournal” on the registration page. (This is not a sponsored post, paid sponsorship, or affiliate link.)


The event provides a tremendous opportunity for learning through HIPAA workforce training sessions and keynote speeches from top government officials and leading industry professionals. A PDF of the HIPAA Summit agenda is available for download.

Attendees will gain valuable insights into health information privacy, healthcare cybersecurity, HIPAA enforcement, and a wealth of information to help them maintain HIPAA compliance and take healthcare data privacy and security to the next level.

This year, the HIPAA Summit is being co-chaired by:

  • Adam Greene, JD, MPH – Partner and Co-chair, Health Information & HIPAA Practice, Davis Wright Tremaine LLP, HIPAA Summit Distinguished Service Award Winner, Former Senior Health Information Technology and Privacy Specialist, Office for Civil Rights, HHS, Washington, DC
  • Kirk J. Nahra, JD – Partner and Co-chair of the Privacy and Cybersecurity Practice, Wilmer Hale, Adjunct Professor, American University Washington College of Law, Washington, DC
  • Iliana Peters, JD, LLM – Shareholder, Polsinelli, Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC
  • Robert M. Tennant, MA – Vice President, Federal Affairs, Workgroup for Electronic Data Interchange (WEDI); Former Director, HIT Policy, Medical Group Management Association; Washington, DC

Government Keynote Speakers

  • Nicholas Heesters, MEng, JD, CIPP – Senior Advisor for Cybersecurity, Office for Civil Rights, US Department of Health and Human Services, Philadelphia, PA
  • Melanie Fontes Rainer, MSME, JD – Director, Office for Civil Rights, HHS; Former Senior Advisor, Healthcare to Attorney General, CA DOJ; Former Chief of Staff, Medicare-Medicaid Coordination Office, Centers for Medicare & Medicaid Services, Washington, DC
  • J. Ronnie Solomon, JD – Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, Washington, DC.
  • Micky Tripathi, MPP, PhD – National Coordinator for Health Information Technology, US Department of Health and Human Services; Affiliate, Berkman Klein Center for Internet & Society, Harvard University, Washington, DC


The post Early Bird Registration For National HIPAA Summit 2024 Ends 22nd December appeared first on HIPAA Journal.

2022 Healthcare Data Breach Report

For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13% with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.

As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.


These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM Cost of a Data Breach Report put the average cost of a healthcare data breach at an all-time high of $10.1 million in 2022, although individual breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.

The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.

Largest Healthcare Data Breaches in 2022

There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.
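The pixel mechanism described above, as an added example that is not part of the original HIPAA Journal article: a short Python scanner that flags Meta and Google tag references in a page’s HTML, including the loader URL that the Meta pixel snippet injects from inline JavaScript (which a plain src-attribute scan would miss), and lists the query parameters a PageView beacon would carry to the tracker. The sample page, the tracker host table and the list of “sensitive” parameter names are constructed assumptions for illustration, not an authoritative list.

```python
"""Flag third-party tracking tags in a healthcare web page (added example).

Not code from the HIPAA Journal article. The sample page, the tracker host
table and the list of "sensitive" query parameter names are constructed
assumptions for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts used by the Meta pixel and Google tags (assumed list, not exhaustive).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta pixel loader (fbevents.js)",
    "www.facebook.com": "Meta pixel image beacon (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics beacon",
}

# Query parameter names that, on a patient portal, tend to carry PHI
# (assumed list for illustration).
SENSITIVE_PARAMS = {"provider", "specialty", "condition", "patient", "mrn", "appointment"}

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


class TagCollector(HTMLParser):
    """Collect src attributes of script/img/iframe tags, plus absolute URLs that
    appear inside inline <script> bodies: the Meta pixel snippet injects its
    loader from JavaScript, so a static src scan alone misses it."""

    def __init__(self):
        super().__init__()
        self.refs = []          # (where, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as one chunk; harvest any absolute URLs.
        if self._in_script:
            for url in URL_RE.findall(data):
                self.refs.append(("inline-script", url))


def find_trackers(html):
    """Return [(where, host, description)] for every reference to a tracker host."""
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for where, url in parser.refs:
        host = urlparse(url).netloc.lower()   # relative URLs have no host
        if host in TRACKER_HOSTS:
            hits.append((where, host, TRACKER_HOSTS[host]))
    return hits


def disclosed_by_page_view(page_url):
    """A pixel's PageView event reports the page URL to the tracker (the Meta
    pixel sends it as 'dl'; assumed from its public behaviour). Return the
    query parameter names in that URL that look like patient information."""
    query = parse_qs(urlparse(page_url).query)
    return sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)


# Constructed sample: an appointment page carrying a gtag.js include and the
# standard Meta pixel snippet with its <noscript> fallback image.
SAMPLE_PAGE = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
!function(f,b,e,v,n,t,s){n=f.fbq=function(){};t=b.createElement(e);t.async=!0;
t.src='https://connect.facebook.net/en_US/fbevents.js';s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,'script');
fbq('init','000000000000000');fbq('track','PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView"/></noscript>
<script src="/static/portal.js"></script>
</head><body><img src="/static/logo.png"></body></html>"""

SAMPLE_URL = "https://portal.example.org/book?provider=oncology&slot=3"

if __name__ == "__main__":
    for where, host, desc in find_trackers(SAMPLE_PAGE):
        print(f"{where:14} {host:28} {desc}")
    print("PageView would disclose:", disclosed_by_page_view(SAMPLE_URL))
```

Run against a saved copy of an authenticated portal page, the scanner lists every tracker reference found; the second function is the reason the finding matters, since a PageView fired from a booking or results page reports that page’s URL, and any specialty, provider or record identifiers in it, to the tracker.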

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| OneTouchPoint, Inc. | WI | Business Associate | 4,112,892 | Ransomware attack |
| Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Pixel-related impermissible disclosure via websites |
| Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking incident and data theft |
| Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking incident and data theft |
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Ransomware attack |
| Baptist Medical Center | TX | Healthcare Provider | 1,608,549 | Malware infection |
| Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Pixel-related impermissible disclosure via websites |
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Pixel-related impermissible disclosure via websites |
| North Broward Hospital District d/b/a Broward Health (“Broward Health”) | FL | Healthcare Provider | 1,351,431 | Hacking incident and data theft |
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking incident and data theft |
| Doctors’ Center Hospital | PR | Healthcare Provider | 1,195,220 | Ransomware attack |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Hacking incident and data theft |
| Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Ransomware attack |
| Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking incident and data theft |
| MCG Health, LLC | WA | Business Associate | 793,283 | Hacking incident and data theft |
| Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Ransomware attack |
| SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking incident and data theft |
| CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack |
| Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack |
| Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Ransomware attack |
| Morley Companies, Inc. | MI | Business Associate | 521,046 | Ransomware attack |
| Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking incident |
| Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking incident and data theft |
| Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking incident and data theft |
| OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Ransomware attack |

While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 9,999 records.

Hacking incidents dominated the breach reports, with 555 of the 707 reported breaches (78.5%) classified as hacking/IT incidents; these accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. There were 113 unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records, inflated by some large pixel-related data breaches, and the median breach size was 1,652 records.

Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

Which Entities Suffered the Most Data Breaches?

The raw data on the OCR breach portal does not accurately reflect the extent to which business associate data breaches are occurring. When you factor in business associate involvement it is possible to gain a more accurate gauge of the extent to which data breaches are occurring at business associates. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches where business associates were involved – That’s a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.

Data breaches by HIPAA-regulated entity type, 2009 to 2022


Where Did the Data Breaches Occur?

Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.

| State | Breaches |
|---|---|
| New York | 68 |
| California & Texas | 52 |
| Florida & Pennsylvania | 38 |
| New Jersey | 27 |
| Georgia | 26 |
| Michigan, Virginia & Washington | 24 |
| Ohio | 23 |
| Illinois & North Carolina | 22 |
| Tennessee | 17 |
| Arizona & Maryland | 16 |
| Massachusetts & Wisconsin | 15 |
| Colorado | 14 |
| Connecticut, Indiana & Missouri | 13 |
| Alabama | 11 |
| Kansas, Oklahoma & South Carolina | 9 |
| Arkansas, New Hampshire & West Virginia | 8 |
| Nebraska & Oregon | 7 |
| Minnesota | 6 |
| Utah | 5 |
| Delaware, Nevada & Rhode Island | 4 |
| Hawaii, Kentucky, Louisiana, Mississippi, Montana, South Dakota & Vermont | 3 |
| Iowa, Idaho, Maine, New Mexico & Washington D.C. | 2 |
| North Dakota & Wyoming | 1 |
| Alaska | 0 |

HIPAA Enforcement in 2022

HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.

Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.

HIPAA Settlements and Civil Monetary Penalties 2008-2022

Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.

2022 HIPAA Settlements and Civil Monetary Penalties

| Regulated Entity | Penalty Amount | Type of Penalty | Reason |
|---|---|---|---|
| Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure |
| New Vision Dental | $23,000 | Settlement | Impermissible PHI disclosure, Notice of Privacy Practices, releasing PHI on social media |
| Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure (time/fee) |
| Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure |
| B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure |
| New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, failure to maintain appropriate safeguards |
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, and the impermissible disclosure of the PHI of 279,865 individuals |
| Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |

HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.

| State | Regulated Entity | Penalty | Penalty Type | Reason |
|---|---|---|---|---|
| Oregon/Utah | Avalon Healthcare | $200,000 | Settlement | Lack of safeguards and late breach notifications |
| Massachusetts | Aveanna Healthcare | $425,000 | Settlement | Lack of safeguards against phishing |
| New York | EyeMed Vision Care | $600,000 | Settlement | Multiple security failures |

The post 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HIPAA Updates and HIPAA Changes in 2023-2024

HIPAA updates and HIPAA changes happen more frequently than many people are aware of because of the nature of the update or because of their minor impact on HIPAA compliance. A major update to HIPAA is long overdue, and steps were taken in December 2020 to address the need for HIPAA changes and HIPAA updates when HHS’ Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking that proposed multiple changes to the HIPAA Privacy Rule.

In addition, there has also been a proposed update to align 42 CFR Part 2 – the Confidentiality of Substance Use Disorder Patient Records regulations – more closely with HIPAA, and proposals to change the conditions under which PHI relating to reproductive healthcare can be used or disclosed. The Part 2 and reproductive health changes are expected to be finalized in 2024, while new proposed Security Rule standards for cybersecurity should be announced in 2024 and implemented in 2025.

We discuss all the HIPAA updates since the inception of HIPAA and this information can be used in conjunction with our HIPAA checklist to understand what is required to ensure compliance.


Major HIPAA Updates in the Past 25 Years

Since HIPAA was signed into law there have been a few major HIPAA updates. The HIPAA Privacy and Security Rules were introduced which limited uses and disclosures of protected health information, gave patients new rights over their healthcare data, and introduced a set of minimum security standards.

Those HIPAA updates were followed by the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA-covered entities and considerable time and effort were required to introduce new policies and procedures to ensure continued HIPAA compliance.

There have been two minor HIPAA Privacy Rule changes since 2013 – the first, in 2014, allowed patients to have access to test reports to align the Privacy Rule with the Clinical Laboratory Improvement Amendments. The second HIPAA Privacy Rule change, in 2016, allowed covered entities to disclose PHI to the National Instant Criminal Background Check System.

The most commonly updated section of HIPAA is Part 162 of the Administrative Simplification Regulations. Part 162 HIPAA updates are most often made by CMS to existing standards – for example, the 2020 change relating to Schedule II drug refills. However, a proposed Part 162 HIPAA change expected to be finalized in 2024 could have wider implications.

HIPAA Changes in 2024

Over the past few years, there have been increasing calls for HIPAA changes to decrease the administrative burden on HIPAA-covered entities, but the HIPAA 2024 rules and regulations are currently much the same as they were in 2013. OCR responded to feedback from healthcare industry stakeholders by issuing a request for information (RFI) in December 2018 on potential changes to the HIPAA Rules. OCR sought comments from HIPAA-covered entities about possible changes to the HIPAA Rules in 2019 and beyond, mostly concerned with easing certain administrative requirements and removing provisions of the HIPAA Privacy Rule that have been limiting or discouraging the coordination of care. The comment period closed on February 12, 2019.

OCR asked 54 different questions in its RFI. Some of the main aspects that were under consideration were:

  • Patients’ right to access and obtain copies of their protected health information and the time frame for responding to those requests (Currently 30 days)
  • Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
  • Promotion of parent and caregiver roles in care
  • Easing of restrictions on disclosures of PHI without authorization
  • Possible exceptions to the minimum necessary standard for disclosures of PHI
  • Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment, and healthcare operations
  • Encouragement of information sharing for treatment and care coordination
  • Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible.
  • Expansion of healthcare clearinghouses’ access to PHI
  • Addressing the opioid crisis and serious mental illness

In 2019, then OCR Director, Roger Severino, said, “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

The aim of the HHS is to implement changes that will make compliance less of a burden without negatively affecting patient privacy or decreasing the security of individuals’ protected health information (PHI). There are no planned changes to the HIPAA Security Rule in this RFI, but several HIPAA Privacy Rule changes have been proposed.

It has been suggested that in many of the areas covered by the RFI, the best solution may not be HIPAA rule changes. Guidance was issued in 2022 and 2023, and it is likely further HIPAA guidance will be issued in 2024 to tackle some of the issues currently experienced with HIPAA compliance by clearing up misconceptions and correcting false interpretations of the HIPAA requirements. However, changes to HIPAA in 2024 are now likely to be implemented, although it may take until 2025 for all the changes to become effective.

Proposed HIPAA Privacy Rule Changes in 2024

OCR issued a Notice of Proposed Rulemaking on December 10, 2020, that detailed the HIPAA changes to the Privacy Rule due to be implemented, based on the responses to its December 2018 RFI. The proposed changes are limited, and several HIPAA Privacy Rule changes that healthcare industry stakeholders have been campaigning for have not been included. Most of the proposed HIPAA changes are relatively minor tweaks to strengthen patient access to PHI, facilitate data sharing, and ease the administrative burden on HIPAA-covered entities.

In 2021, OCR sought feedback on the proposed HIPAA changes for 60 days from the date of publication in the Federal Register, with the comment period extended for a further 45 days to give healthcare industry stakeholders more time to review the proposed changes and provide their feedback. OCR has read the comments and the publication of the Final Rule is now imminent.

The proposed updates to the HIPAA Privacy Rule are as follows:

  • Allowing patients to inspect PHI in person and take notes or photographs of their PHI.
  • Changing the maximum time to provide access to PHI from 30 days to 15 days.
  • Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
  • Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
  • Stating when individuals should be provided with ePHI without charge.
  • Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
  • The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
  • A definition has been added for electronic health records.
  • Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” (currently it is when harm is “serious and imminent.”)
  • A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Covered entities will not be required to obtain a written acknowledgment from an individual that they have received a Notice of Privacy Practices.
  • HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
  • HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
  • The definition of healthcare operations has been broadened to cover care coordination and case management.
  • Covered healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access.
  • Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
  • The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.

The Proposed HIPAA Changes Will Create Challenges for Healthcare Providers

The pending HIPAA updates are intended to ease the administrative burden on HIPAA-covered entities, although in the short term the burden will increase. Policies and procedures will need to be updated and notices of privacy practices will need to be changed, although there will not, at least, be a requirement to obtain written acknowledgment that updated NPPs have been received.

What is certain is HIPAA officers and other compliance staff will have a busy few months when the Final Rule is published. OCR will provide sufficient notice before the 2024 HIPAA changes take effect and become enforceable, but there will likely be a lot of work to be done. It will be important to create a plan for making all of the required changes to ensure they are fully implemented ahead of the compliance deadline.

When the Final Rule is published, there will be a requirement to change policies and procedures where necessary, and that will require retraining of employees. HIPAA requires training to be provided to the workforce during or soon after onboarding, and after any material change in policies and procedures. HIPAA training may not need to be provided to the entire workforce, but a significant number of employees will need to be trained, and that is likely to place a considerable burden on covered entities and has the potential to cause workflow disruptions.

Improved access to medical records could pose problems for healthcare providers, who will need to ensure they have sufficient staffing and efficient procedures for verifying identities and providing copies of records – especially as the time frame for providing those records will be shortened from 30 days to 15 days. The extension will also be shortened to 15 days, giving healthcare organizations a maximum of 30 days to provide the requested records.

The definition of EHRs has also been updated to include billing records, and these will need to be provided to patients who request a copy of their PHI. That has the potential to make it more time-consuming to provide copies, as billing records are often kept in different systems than healthcare records. It may be necessary to access two different systems in order to provide patients with a copy of their records.

Bottlenecks can easily occur, and it is important not to get into a situation where 15-day extensions are regularly required. There could well be a need to prioritize requests to make sure patients who urgently need a copy of their records get them in a timely manner. Bear in mind that OCR is laser-focused on healthcare providers that fail to provide patients with timely access to their medical records.

Another of the changes related to patient access is the requirement to allow patients to take notes and photographs of their PHI. There will need to be designated places where patients can inspect PHI privately and, if required, take photographs. Healthcare providers will need to implement safeguards to ensure patients are not taking photographs of PHI they are not authorized to see.

The proposed HIPAA changes prohibit covered entities from imposing unreasonable measures on individuals exercising their right of access, including unreasonable identity verification requirements. That has the potential to cause problems for healthcare providers.

A definition has also been proposed for a personal health application. If finalized, patients must be allowed to have their records sent to a personal health application of their choosing. However, there may be privacy risks associated with doing so, and patients will need to be made aware of those risks. That will add an additional burden on healthcare providers, who may not necessarily have the required information to determine whether there is a privacy and security risk.

Proposed Part 2 and HIPAA Changes in 2024

In November 2022, OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) that proposes changes to both Part 2 and HIPAA to better align these regulations.

Part 2 protects patient privacy and records related to treatment for substance use disorder (SUD) with HIPAA applying to protected health information. SUD records are treated differently as they are highly sensitive and require greater protection and restrictions than other health information covered by the HIPAA Privacy Rule. While these additional protections are important, they can hamper care coordination due to the barriers that they put in the way of information sharing.

The proposed changes are intended to ease the complexity of compliance with HIPAA and Part 2, break down barriers to information sharing, and improve care coordination, without removing protections for patients. The update expands patient rights regarding the uses and disclosures of their SUD records.

The key changes that were proposed are:

  • Single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations.
  • Redisclosure of SUD records will be permitted in accordance with the HIPAA Privacy Rule.
  • Patients will be able to obtain an accounting of disclosures of their SUD records and request restrictions on certain disclosures.
  • Expansion of prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.
  • Part 2 programs must establish a complaints process about Part 2 violations and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • The breach notification requirements will apply to Part 2 records, which will be covered by the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address uses and disclosures of Part 2 records and individual rights with respect to those records.
  • The HHS will be able to impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act.

The NPRM was issued in November 2022 and there is a 60-day comment period, so it is highly likely that the final rule will be issued in 2024. Covered entities will then be given time to implement the changes before they become enforceable.

HITECH Act Updated in 2021 Regarding Recognized Security Practices

Many healthcare industry stakeholders had been campaigning for the addition of a safe harbor for HIPAA-covered entities and business associates that have adopted a common security framework and have implemented industry-standard security best practices, yet still experienced a data breach. It is not possible to prevent all cyberattacks and data breaches, and it is unfair to punish HIPAA-regulated entities for impermissible disclosures of ePHI when they have made all reasonable efforts to secure their systems.

A bill was proposed in 2020 that called for the HHS, when deciding on financial penalties and other sanctions, to consider the recognized security practices adopted by HIPAA-regulated entities that had been in place for the 12 months prior to a data breach occurring. The bill, HR 7898, was signed into law by President Trump on January 5, 2021.

The purpose of the bill is to encourage healthcare organizations to invest in security and adopt a recognized security framework by providing an incentive. The HITECH Act update has not created a safe harbor for HIPAA-regulated entities that have adopted a security framework and have implemented industry-standard security best practices, but OCR will consider the efforts made with respect to security when making determinations in its investigations of complaints and data breaches.

HIPAA-regulated entities that are able to demonstrate they have adopted recognized security practices will benefit from a decrease in the length and extent of audits and investigations of data breaches, and OCR will consider recognized security practices as a mitigating factor to reduce any financial penalties that would otherwise have been applied.

In 2022, in response to another request for information, OCR published a video that explains what recognized security practices are and the evidence that can be submitted to prove they have been in place. OCR said that when investigations are launched, OCR will write to the HIPAA-regulated entity and provide an opportunity for evidence of recognized security practices to be submitted.

HIPAA Fines and Settlements Due to be Shared with Victims of HIPAA Violations

In addition to requesting information on recognized security practices, OCR sought comments on how to implement a requirement of the HITECH Act regarding financial penalties and settlements for HIPAA violations. Section 13410(c)(1) of the HITECH Act requires OCR to share a portion of the funds it receives from its HIPAA enforcement activities with the victims of HIPAA violations. This is important, as there is no private cause of action in HIPAA, which means individuals cannot sue HIPAA-regulated entities for HIPAA violations that have resulted in harm being caused.

The problem for OCR – which is why this requirement has not been implemented to date – is the difficulty in implementing a fair method of determining what victims should receive. In its April 6, 2022, RFI, OCR requested comments to help OCR with establishing a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense.

The Government Accountability Office (GAO) has shared a methodology for sharing funds, but OCR is seeking comment on any alternative methodologies. The main problem, however, is identifying the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, as “harm” is not defined by statute.

No timescale has been provided on when a Notice of Proposed Rulemaking will be issued in this regard, or when funds will start to be shared with victims of HIPAA violations. These HIPAA changes could occur in 2024, but it may be some years before this HITECH Act requirement is implemented.

HIPAA Changes Due to the 2019 Novel Coronavirus (SARS-CoV-2) and COVID-19

In response to the 2019 Novel Coronavirus pandemic, the HHS announced major changes to the enforcement of HIPAA compliance in 2020, which will remain in place for the duration of the nationwide COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over. These “unprecedented HIPAA flexibilities” were announced in March and April by means of Notices of Enforcement Discretion and are intended to ease the burden on healthcare organizations and business associates that are having to overcome major challenges testing and treating COVID-19 patients. The changes to HIPAA enforcement have been introduced to ensure that HIPAA compliance does not get in the way of the provision of high-quality patient care.

On April 11, 2023, OCR announced that the Secretary of the Department of Health and Human Services will not be renewing the COVID-19 Public Health Emergency, which is due to expire on May 11, 2023. That means the flexibilities introduced through the following Notifications of Enforcement Discretion will come to an end at 11:59 pm on May 11, 2023. From that date and time there will be no further flexibilities and non-compliance will be penalized in the same manner as before the COVID-19 pandemic. There is one exception concerning telehealth. OCR will implement a 90-day transition period, where the flexibilities will continue until 11:59 pm on August 11, 2023, and fines will not be issued with regard to the good faith provision of telehealth services up to that date.

Notification of Enforcement Discretion for Telehealth Remote Communications

The first Notice of Enforcement Discretion was announced by OCR on March 17, 2020. The coronavirus pandemic has seen social distancing measures introduced, and with hospitals dealing with huge numbers of cases, Americans are being encouraged to remain indoors. In order to continue to provide quality care to patients while reducing the risk of patients transmitting or contracting COVID-19, telehealth services have been expanded. The CMS has also expanded telehealth to include all Medicare and Medicaid beneficiaries.

To help ensure that patients receive the care they need, OCR has announced that it will not impose sanctions and penalties on healthcare providers in association with the good faith provision of telehealth services for the purpose of diagnosis and treatment, regardless of whether the telehealth services are directly related to COVID-19. OCR will not impose penalties on healthcare providers in relation to the use of everyday communication technologies for providing those services, even if the platforms used are not completely compliant with HIPAA. For instance, it is permissible to use Skype (rather than Skype for Business), FaceTime, Google Hangouts Video, and Zoom. It is not permitted to use public-facing platforms to provide these services, such as Facebook Live and TikTok.

“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023. The ‘grace period’ will last for 90 days, so the hard date for compliance is 11:59 pm on August 11, 2023.

Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities

The second Notice of Enforcement Discretion was announced by OCR on April 2, 2020, and concerns uses and disclosures of PHI by business associates of HIPAA-covered entities for reasons related to public health and health oversight activities. HIPAA does not permit business associates to disclose PHI for public health and health oversight activities unless it is stated that they can do so in their business associate agreement (BAA) with a HIPAA-covered entity.

Under the Notice of Enforcement Discretion, OCR will not impose sanctions and penalties on business associates or their covered entities for these uses and disclosures to the likes of Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers. Should such a use or disclosure occur, the business associate must notify the covered entity within 10 days of the use or disclosure.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023.

Notification of Enforcement Discretion for Community-Based Testing Sites

The third Notice of Enforcement Discretion was announced by OCR on April 9, 2020 – backdated to March 13, 2020 – and concerns the good faith participation in the operation of COVID-19 testing centers. OCR will be exercising enforcement discretion and will not impose sanctions and penalties on healthcare providers, including pharmacies, and business associates that participate in the operation of COVID-19 testing sites such as mobile testing centers, walk-up facilities, and drive-through testing centers that only provide COVID-19 specimen collection or testing services to the public.

“We are taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely,” said Roger Severino. “President Trump has ordered the federal government to use every tool available to help save lives during this crisis, and this announcement is another concrete example of putting the President’s directive into action.”

This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023.

Notice of Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments

OCR announced a further Notice of Enforcement Discretion on January 19, 2021, that concerns the scheduling of appointments for COVID-19 vaccinations. OCR said financial penalties and sanctions would not be imposed on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in relation to the good faith use of online or web-based scheduling applications (WBSAs) for scheduling appointments for COVID-19 vaccinations.

WBSAs that would not be fully compliant with the HIPAA Rules under normal circumstances can be used for scheduling COVID-19 vaccination appointments without penalty, although it is not permitted to use a WBSA that does not incorporate reasonable security safeguards to ensure the privacy and security of ePHI and the Notice of Enforcement Discretion does not apply if the solution provider has prohibited the use of the WBSA for scheduling healthcare appointments.

OCR explained that the Notice of Enforcement Discretion does not apply to the use of a WBSA for anything other than scheduling COVID-19 vaccination appointments, such as arranging appointments for other medical services or for screening individuals for COVID-19 prior to arranging an in-person healthcare visit.

OCR encourages HIPAA-covered entities and their business associates to implement reasonable safeguards to ensure the privacy and security of healthcare data, such as adhering to the minimum necessary standard when inputting data, using encryption if available, and ensuring all privacy settings in the WBSA are activated.

OCR will be exercising enforcement discretion retroactive to December 11, 2020. This Notification of Enforcement Discretion will end at 11:59 pm on May 11, 2023.

HIPAA Penalties Could Officially Change in 2024

A HIPAA change occurred in 2019 concerning the penalties for HIPAA violations. OCR issued a Notice of Enforcement Discretion in 2019 which stated that OCR has adopted a new penalty structure for non-compliance with HIPAA Rules after a reevaluation of the requirements of the HITECH Act.

The HITECH Act called for penalties for HIPAA violations to be increased and, in 2013, the HHS implemented a new HIPAA penalty structure with minimum and maximum penalties set for the four penalty tiers, based on the level of culpability. In each category, a maximum penalty of $1.5 million, per violation category, per year was set. The HHS reviewed the language of the HITECH Act in 2019 and interpreted the requirements of the HITECH Act differently. “Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits.”

Rather than a maximum penalty of $1.5 million per year in all four categories, the maximum fine was reduced in the first three tiers. The current minimum and maximum penalties, adjusted for inflation, can be found here.

Currently, OCR is using the new penalty structure, as detailed in the Notice of Enforcement Discretion published in the Federal Register. While that remains in effect indefinitely, the new penalty structure is not legally binding and can be changed at any time. It is possible that this change to HIPAA will be made official in 2024, although first, a Notice of Proposed Rulemaking will need to be issued. OCR is more likely to continue to use its new interpretation under its Notice of Enforcement Discretion without making it official.

OCR has been pushing Congress to increase the maximum penalties for HIPAA violations, as the total funds from OCR’s enforcement actions decreased significantly when the new penalty structure was introduced. OCR’s budget is extremely stretched, as funding for the department has remained flat for years despite increasing numbers of hacking incidents and data breaches, which have significantly increased OCR’s workload.

As well as the expected HIPAA updates in 2024, OCR will continue to issue HIPAA guidance in 2024 to explain how HIPAA applies in certain situations and to clear up confusion about the requirements of HIPAA. However, what originally starts as guidance could evolve into new HIPAA rulemaking. An example of this is OCR’s response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v Wade, which removed the federal right to an abortion. OCR originally confirmed, through guidance, how the HIPAA Privacy Rule applies to disclosures of reproductive health information, but has since published an NPRM to tackle evolving issues related to this case.

Proposed Changes to Privacy Rule for Reproductive Health Care

According to the NPRM, issues relating to currently permissible uses and disclosures of PHI have evolved due to an increasing number of women in anti-abortion states travelling to other states to have “legal” terminations. Under §164.512(e) of the Privacy Rule, covered entities are permitted to disclose PHI for civil, criminal, or administrative proceedings.

Some states have enacted anti-abortion legislation that criminalizes the facilitation of a termination regardless of where it takes place. Courts in these states could subpoena PHI from covered entities in neighboring “legal” states in pursuit of a criminal conviction against any person who has assisted an individual in obtaining an abortion – including the covered entity.

OCR is concerned that the fear of PHI being disclosed for a procedure considered legal in the location where the procedure was administered could discourage patients from sharing important information with their healthcare providers and dissuade some healthcare providers from performing terminations for out-of-state citizens.

To address these concerns, OCR is proposing changes to the HIPAA Privacy Rule that include the creation of a new category of PHI – “reproductive health care” – and placing limitations on how it can be used and disclosed. These limitations are similar to those for genetic information inasmuch as it will not be possible to disclose reproductive health care records without an attestation it will not be used impermissibly.

The proposals will not only cover terminations, but other reproductive healthcare information, such as the provision of contraceptives (or the provision of contraception advice), fertility treatments, and pregnancy screening. Miscarriage management will also be included in the new category of PHI, as will diagnoses and treatments of conditions related to the reproductive system – even if the recipient of the diagnoses and treatments is not of reproductive age.

Other measures proposed in the NPRM include a new category of uses and disclosures – “Attested uses and disclosures” – which may well be used to align the HIPAA Privacy Rule with Part 2 privacy requirements. Under the new category, recipients of PHI will have to attest that it will not be further used or disclosed for prohibited purposes – i.e., in the case of reproductive health care, to support a civil, criminal, or administrative investigation or proceeding.

Covered entities are already being alerted to the fact that, if the proposals are finalized, any false attestations will be considered notifiable data breaches, while the person(s) that further disclose attested PHI will be in violation of §1177 of the Social Security Act for the wrongful disclosure of individually identifiable health information. Violations of this section are considered to be criminal violations carrying a maximum penalty of up to ten years in jail and a fine of up to $250,000.

HIPAA Security Rule Changes Proposed in Concept Paper

In December 2023, HHS published a Healthcare Sector Cybersecurity Strategy which proposes a framework to help the healthcare sector address cybersecurity threats. The framework is built on the development of cybersecurity goals for the healthcare sector, the incentivization of hospitals to adopt cybersecurity practices, and penalties for those that fail to meet cybersecurity goals.

The penalties will consist of disbarment from Medicare and Medicaid programs for any hospital CMS considers not to have complied with the yet-to-be-produced goals, and civil monetary penalties imposed by HHS’ Office for Civil Rights for any covered entity or business associate that fails to comply with yet-to-be-published Security Rule standards.

In a document outlining the Strategy, HHS states it will begin updating HIPAA Security Rule standards in the Spring of 2024, while working with Congress to increase the civil monetary penalties for HIPAA violations and increase the resources available to investigate potential violations and conduct “proactive audits”. This implies there could also be a 2024 HIPAA audit program on the horizon.

Other HIPAA Rule Changes May Lead to Future Updates

HIPAA rule changes are not exclusive to the Privacy, Security, and Breach Notification Rules. There have been a number of HIPAA rule changes relating to transaction code sets and identifiers (Part 162 of the HIPAA Administrative Simplification Regulations). Usually, these rule changes have a limited impact on covered entities and business associates; however, a proposed HIPAA rule change published in December 2022 could have implications for many day-to-day healthcare operations.

The proposed HIPAA rule change was published by CMS to resolve an issue concerning healthcare attachment transactions. These transactions occur when a health plan needs further information from a healthcare provider to authorize a treatment or pay a bill. Healthcare providers can also provide further information when submitting an authorization request or bill to accelerate treatment and/or payment.

The issue exists because further information cannot be “attached” to an existing transaction and has to be faxed or mailed separately. To resolve the issue, CMS is proposing three new transaction codes. However, in order to authenticate users, ensure the integrity of the attachment, and guarantee nonrepudiation, attachments transmitted using the new codes will have to be digitally signed. To address this issue, CMS has proposed a standard for acceptable e-signatures.

Compliance with the e-signature standard is only necessary when covered entities use the transaction codes to submit attachments electronically. There is no requirement to digitally sign attachments when they are faxed or sent through the mail. It is considered that, like most previous Part 162 HIPAA rule changes, the proposals will have a limited impact on covered entities and business associates.

However, the possibility exists that the proposed standard may be extended to other transactions in the future, and then to day-to-day healthcare operations. As this article discusses, there are a number of ways in which e-signatures are used in day-to-day healthcare operations; and, if the e-signature requirements are rolled out across the rest of the Administrative Simplification Regulations, covered entities and business associates may have to make some significant procedural changes.

FAQs

If HIPAA settlement sharing is introduced, will that result in more fines being issued?

If HIPAA settlement sharing is introduced, it is unlikely to result in more fines being issued by HHS’ Office for Civil Rights. Although the agency may come under pressure to pursue more settlements, there has been no indication that the current policy of voluntary compliance wherever possible will be reviewed.

How was HIPAA updated by the Omnibus Final Rule in 2013?

When HIPAA was updated by the Omnibus Final Rule in 2013, the major changes included further limiting permissible uses and disclosures of PHI, expanding patients’ rights, and making business associates directly liable for HIPAA violations attributable to their non-compliance. The Omnibus Final Rule also confirmed the new violation penalty structure imposed by the HITECH Act.

When was HIPAA last updated?

HIPAA was last updated in 2020 when the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. Although some provisions of this Final Rule have since been rescinded or delayed, or are subject to review, CMS is pushing forward with giving patients more choices about how they access PHI despite concerns about security risks.

What were the changes in 2017 that impacted HIPAA compliance?

The changes in 2017 that impacted HIPAA compliance relate to changes in 42 CFR Part 2 of the Public Welfare Code. These changes placed stricter conditions on the uses and disclosures of PHI when a patient is suffering from a substance use disorder (SUD) and impact HIPAA compliance for providers in this field of healthcare, who may have to maintain a three-tier structure for protecting SUD-related PHI, other PHI, and non-protected personal information.

Where is the best place to find changes to the HIPAA standards?

The best place to find changes to the HIPAA standards in the Administrative Simplification Regulations is the HHS’ Office for Civil Rights website. The website provides the opportunity for visitors to register for a “Weekly News Digest” that will deliver news about Proposed Rules, Interim Rules, and Final Rules straight to your email inbox.

How will HHS announce HIPAA changes in 2024?

HHS will announce HIPAA changes in 2024 via one or more Final Rules published in the Federal Register. Once a Final Rule is published in the Federal Register, HHS will publish a News Release on its website. HHS News Releases are usually widely reported in trade publications and on compliance websites, so it is unlikely that a major change to HIPAA in 2024 will go unnoticed.

Where can compliance officers find the latest version of HIPAA?

Compliance officers can find the latest version of the HIPAA Administrative Simplification Regulations on the eCFR website (https://www.ecfr.gov/). The Administrative Simplification Regulations are in three Parts – 45 CFR 160, 162, and 164. Part 164 includes the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Privacy Rule (Subpart E), but compliance officers should not omit to review other Parts of the Title to identify any other standards that apply.

Will There be an Omnibus HIPAA Final Rule 2024?

It is unlikely there will be an Omnibus Final Rule 2024 due to the volume and variety of new regulations being proposed. While it may be possible that proposed changes to the HIPAA Privacy Rule are amalgamated with proposed changes to 42 CFR Part 2, other proposals – such as electronic signatures, attestations, and interoperability – may be introduced separately and then expanded to other areas of HIPAA in subsequent rule making.

The post HIPAA Updates and HIPAA Changes in 2023-2024 appeared first on HIPAA Journal.

Washington Attorney General Sues Plastic Surgery Provider for HIPAA Violations and Falsely Inflating Online Ratings

Washington Attorney General Bob Ferguson is suing a plastic surgery provider for falsely inflating online ratings, bribing, and threatening patients, and alleges the actions of the practice violated the Health Insurance Portability and Accountability Act (HIPAA) Rules.

The lawsuit was filed in the U.S. District Court for the Western District of Washington against the Seattle plastic surgery clinic Allure Esthetic and its owner Dr. Javad Sajan after receiving multiple complaints from patients and former employees. The complaints alleged the practice was bribing and threatening patients to prevent them from posting negative reviews on platforms such as Yelp and Google, and that patients were made to sign non-disclosure agreements (NDAs) before receiving treatment prohibiting them from publishing online reviews that could in any way harm the practice. The practice considered any review under 4 stars to be a negative review. Attorney General Ferguson said these practices falsely inflated its online reviews.

According to the lawsuit, more than 10,000 patients were made to sign the NDAs stating legal action would be taken in response to negative reviews. Patients who posted negative reviews were allegedly intimidated into removing the reviews and were told they would be sued for monetary damages if the reviews were not deleted. In some cases, patients were offered bribes for removing negative reviews, including cash and free services. Patients who accepted the payments or free services were required to sign a second NDA that stipulated they would be liable for $250,000 in damages if they posted any further negative reviews. Patients were required to pay a $100 consultation fee before being told they would be required to sign an NDA.

The lawsuit also alleges employees were ordered to post fake positive reviews online that included altered before-and-after photographs that made it appear the treatments were more successful than they actually were. A VPN was used for posting fake reviews to conceal the IP addresses of the office computers. The practice is also alleged to have applied for rebates on behalf of its patients without obtaining their consent, then kept the rebates. Hundreds of fake email accounts were created to register for rebate programs intended for real patients, which resulted in thousands of dollars of fraudulent rebates being paid to the practice each month.

The lawsuit alleges that between 2017 and 2019, the NDAs required patients to contact the practice prior to publishing any online review under 4 stars, with the NDAs stating patients would be liable to “pay monetary damages to the practice for any losses” if negative reviews were not removed. The NDAs also stated that patients must waive their HIPAA privacy rights, stating consumers must “allow a response [to the review] from the practice with any personal health information” if they post a negative review. The HIPAA Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization to disclose protected health information. That wording was changed in 2019, but the NDAs continued to be required until March 2022.

In addition to the alleged HIPAA violations, the practice and owner are alleged to have violated the Washington State Consumer Protection Act (CPA) and the Consumer Review Fairness Act (CRFA). The lawsuit asks the court to invalidate the NDAs, require the practice to write to all patients to inform them that the NDAs are invalid, and block the practice from using NDAs in the future. Monetary damages of up to $7,500 are sought per violation and the court has been asked to order the practice to pay restitution to patients for the $100 consultation fees and return any rebates that are owed to customers.

“Patients rely on reviews to determine if a healthcare provider is right for them and using legal threats and bribes to manipulate those reviews is deceptive and harms Washingtonians. We are taking action to stop these unethical and illegal practices,” said AG Ferguson. “Threatening and bribing customers to prevent them from sharing the truth about their experience isn’t just wrong — it’s illegal.”


Diagnostic Lab Settles Medical Record Access Case for $16,500

The HHS’ Office for Civil Rights (OCR) has announced its first HIPAA enforcement action of 2023, which serves as a reminder that individuals and their personal representatives must be provided with timely access to their medical records. Life Hope Labs, LLC, has agreed to settle the case and will pay a $16,500 penalty.

43 Enforcement Actions for HIPAA Right of Access Failures

The HIPAA Right of Access requires covered entities to provide a copy of an individual’s protected health information that is maintained in a designated record set within 30 days of receiving a request. In certain circumstances, a delay of up to 30 days is permitted, provided the individual is notified about the reason for the delay and is informed in that response when the request will be satisfied.

OCR launched a new HIPAA compliance initiative in the fall of 2019 targeting organizations that were not providing individuals and their personal representatives with a copy of the requested medical records in a timely manner, and organizations that were charging unreasonable fees for providing those records. Including the latest settlement, OCR has imposed financial penalties on 43 healthcare organizations for potential HIPAA Right of Access violations.

Life Hope Labs Enforcement Action

Life Hope Labs is a Sandy Springs, GA-based full-service diagnostic laboratory. On August 24, 2021, OCR received a complaint from the personal representative of a deceased patient’s estate concerning a request for the medical records of the decedent. The complainant alleged a request had been made to Life Hope Labs on July 7, 2021, but the records were not provided. It took Life Hope Labs seven months (225 days) from the initial request to provide those records. The complainant – the daughter of the decedent – received the complete set of records on February 16, 2022. OCR confirmed that the delay in providing the requested records was a violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524.

Life Hope Labs agreed to settle the case with OCR and paid a $16,500 penalty to settle the potential HIPAA Right of Access violation, with no admission of wrongdoing. Under the terms of the settlement, Life Hope Labs is required to adopt a corrective action plan that includes the requirement to develop, maintain, and revise, as necessary, written policies regarding the HIPAA Privacy Rule, including the right of patients to access and obtain a copy of their PHI and to distribute those policies to all members of the workforce. HIPAA training on those policies must also be provided to all new staff members within 30 days of commencing employment. The settlement also includes two years of monitoring.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”


HITRUST Cybersecurity Framework Gets 2023 Update

The information risk management, standards, and certification body, HITRUST, has announced that it will be releasing a new version of its popular cybersecurity framework this month. Version 11 of the HITRUST CSF includes several improvements to ensure the framework stays relevant, with improved mitigations against evolving and emerging cyber threats, while reducing the burden on healthcare organizations for certification.

The HITRUST CSF is a risk management and compliance framework that healthcare organizations can adopt to reduce the burden and complexity of achieving HIPAA compliance and effectively manage and reduce risks to private and confidential information, including protected health information (PHI). To better protect against emerging and evolving cyber threats, the new version of the HITRUST CSF enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls, appropriate for each level of assurance. Control mappings have been improved as has the precision of specifications, which reduces the level of effort required for HITRUST Certification. HITRUST says the updated version of the CSF reduces the effort required to achieve and maintain HITRUST Implemented, 1-year (i1) Certification over two years by up to 45%.

In the updated version, all HITRUST assessments are subsets or supersets of each other, which means organizations can reuse the work in lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements and inheritance. HITRUST also says CSF v11 is fully integrated across Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform, and that it is collaborating with various partners and healthcare organizations to introduce advanced capabilities to improve clarity on compliance requirements.

The new HITRUST CSF also sees two new authoritative sources added – NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards – and AI-based standards development capabilities have been developed to aid its assurance experts in mapping and maintaining authoritative sources. The latter will reduce mapping and maintenance efforts by up to 70% and will make it easier to add more authoritative sources in future releases.

“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders,” said Andrew Russell, VP of Standards, HITRUST. “The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort.”


What Does HIPAA Cover?

It has been more than 25 years since the Health Insurance Portability and Accountability Act (HIPAA) was introduced, but there is still some confusion about HIPAA compliance, what the legislation does for patients, who is required to comply with HIPAA Rules, and what HIPAA covers.

Who Does HIPAA Cover?

HIPAA is a federal law that led to the introduction of standards in healthcare relating to patient privacy and the protection of medical data. HIPAA covers most healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. Some HIPAA standards also apply to vendors of personal health records (PHRs), PHR-related entities, and service providers to PHR vendors and PHR-related entities.

Healthcare providers include hospitals, clinics, physicians, nursing homes, pharmacies, chiropractors, dentists, and psychologists. Health plans include health insurers, company health plans, HMOs, and government programs that pay for healthcare such as Medicaid and Medicare. Healthcare clearinghouses are organizations that transform nonstandard health data into a standard format. A business associate is an individual or entity that performs functions for a HIPAA covered entity that require the use or disclosure of protected health information.

What Does HIPAA Cover?

The HIPAA Privacy Rule covers all individually identifiable health information that is created, stored, maintained, or transmitted by a HIPAA covered entity or business associate of a HIPAA covered entity. The HIPAA Privacy Rule applies to all forms of health information, including paper records, films, and electronic health information – even spoken information.

This information is classed as protected health information when it contains identifiers that would allow a patient or health plan member to be identified. HIPAA does not cover information held in employment records, even if that information would otherwise fall within the HIPAA definition of individually identifiable health information or protected health information.

If individually identifiable health information is stripped of all identifiers, it is no longer considered to be protected health information. Information on HIPAA identifiers and de-identification of health data can be found here.

What Does HIPAA Protect?

HIPAA protects the privacy of individually identifiable health information relating to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Additionally, HIPAA protects any information maintained in the same designated record set that could be used to identify the individual to whom the health information relates. This is why items sometimes classified as protected health information have nothing to do with the individual’s health (for example, IP addresses, vehicle registration numbers, email addresses, etc.).

How HIPAA Protects Patient Information

HIPAA protects patient information by establishing what uses and disclosures of patient information are permissible and when an authorization is required before patient information can be used or disclosed. HIPAA also stipulates that Covered Entities and Business Associates must maintain an accounting of disclosures, of which a patient can obtain a copy on request.

In addition, measures must be in place to prevent unnecessary and unauthorized disclosures. These measures range from the Minimum Necessary Standard of the Privacy Rule to the Administrative, Physical, and Technical Safeguards of the Security Rule and include the contents of Business Associate Agreements when PHI is shared with a Business Associate or subcontractor.

How Does HIPAA Protect Patients?

HIPAA protects patients by mitigating the risk of their personal health information being misused or stolen to commit identity theft and fraud. Health and other individually identifiable information can be used to fraudulently obtain healthcare, loans, and tax refunds in patients’ names – which, in some cases, patients may be liable for either directly or via increased health insurance premiums.

HIPAA also protects patients by enabling individuals to take more control of their healthcare data. Not only does the opportunity to review and correct health information reduce the chances of a misdiagnosis being made, but, as patients now have the right to request that PHI is transferred to another healthcare provider, they can also choose which healthcare provider best meets their needs.

How Does HIPAA Benefit Patients?

Research shows that, when patients trust their health information is being protected, they are more willing to share intimate details with healthcare providers. Having more information available enables healthcare providers to make better informed decisions, make more accurate diagnoses, and determine the best course of treatment – resulting in better patient outcomes.

Further research shows that when patients trust their healthcare providers, they tend to engage more with preventative services, participate in healthy activities (or reduce unhealthy activities), and are more likely to comply with prescribed treatments. This helps reduce the severity of illnesses and accelerates recovery – again benefitting patients by improving patient outcomes.

What HIPAA Does Not Cover

It was mentioned previously that vendors of PHRs and related entities only have to comply with some HIPAA standards – namely those in the Breach Notification Rule. This means that if an individual uses a health app that collects health data (e.g., from a fitness tracker), and the data is stored on the vendor’s servers, the privacy and security provisions of HIPAA do not apply.

It is also the case that banks and payment processors are exempted from HIPAA compliance. Therefore, any health information shared with a payment processor (e.g., the reason for a payment to a clinic) is not protected by HIPAA. For this reason, while Covered Entities can accept payments from any source, it is better for the individual to initiate the payment than for a healthcare provider to request payment or raise an invoice via an unsecure service such as PayPal.

What Does HIPAA Cover? FAQs

Why does HIPAA cover most healthcare providers, and not all?

Healthcare providers are covered by HIPAA only if they conduct electronic transactions for which the Department of Health and Human Services has developed standards (e.g., claims eligibility checks, treatment authorizations, billing, etc.). If a healthcare provider does not conduct these transactions electronically, or does not conduct them at all (e.g., because patients are billed directly), they are not Covered Entities under HIPAA.

Are all health insurance companies covered by HIPAA?

Insurance companies that provide health insurance as a primary benefit are covered by HIPAA. However, insurance companies that provide health insurance as a secondary benefit (e.g., secondary to auto insurance to cover hospital treatment in the event of an accident) are not Covered Entities under HIPAA.

Why does HIPAA not cover health information maintained in employment records?

HIPAA does not cover health information maintained in employment records – even when the employer is a Covered Entity – because the information is not used by the employer to conduct electronic transactions for which the Department of Health and Human Services has developed standards.

Why is it better for a patient to initiate a payment?

Banks and payment processors are exempt from HIPAA for the purpose of processing payments. If they engage in activities beyond payment processing (e.g., performing accounts receivable functions on behalf of a Covered Entity) they qualify as Business Associates. Therefore, when patients are required to pay (or co-pay) for treatment, it is simpler for them to initiate the payment, rather than a Covered Entity having to enter into a Business Associate Agreement with each financial institution.

Why is PayPal described as an unsecure service?

PayPal is not unsecure in terms of keeping customers’ money safe. However, with regards to HIPAA compliance, PayPal shares customer data with hundreds of third parties, so there is no way of knowing how PHI is used or disclosed once it is disclosed to PayPal (Note: PayPal will not sign a Business Associate Agreement, so it cannot be used for anything other than payment processing).


How to Secure Patient Information (PHI)

The issue of how to secure patient information and PHI is challenging because HIPAA does not require all patient information to be secured. Additionally, if Protected Health Information (PHI) is secured too much, it can prevent the flow of information needed to perform treatment, payment, and healthcare operations efficiently.

To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI. The easiest way to do this is by defining PHI first, because any remaining information relating to a patient that is not PHI does not need to be secured under HIPAA – although other privacy and security laws may apply.

What is PHI? And What is Not PHI?

The Administrative Simplification Regulations define PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:

“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”

These definitions suggest any information that does not relate to a patient’s condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.

Individually identifiable health information protected by the privacy and security standards is maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. Therefore:

  • “Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
  • If Mr. Jones’ address, the name of his wife, and their telephone number are added to the designated record set, they are also PHI.
  • However, if a separate record of Mr. Jones’ wife and her telephone number is maintained outside the designated record set (e.g., for contact purposes), it is not PHI because the separate record does not contain any health information.

In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn’t make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.

How to Secure Patient Information that is PHI

To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in a fortress-like environment, whereas the Privacy Rule allows “permissible” uses and disclosures for a variety of reasons. Therefore, although it is important to apply access controls to ensure only authorized personnel can use or disclose PHI, it is not necessary for PHI to be “secured” in that sense.

With regards to electronic PHI (ePHI), Covered Entities and Business Associates have to take greater care about how it is protected because healthcare data is highly sought after by cybercriminals. Consequently, many compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:

  • A firewall to prevent unauthorized access to networks and data
  • A spam filter to block malicious emails harboring malware
  • A web filter to prevent staff accessing malicious websites
  • An antivirus solution to detect malware from other sources
  • Data encryption on all workstations and portable devices
  • Encryption to protect data in transit – encrypted email for instance
  • An intrusion detection system that monitors for irregular network activity
  • Auditing solutions that monitor for improper accessing of PHI
  • Disaster recovery controls to ensure continued access to data in the event of an emergency
  • Extensive backups to ensure PHI is recoverable in the event of an emergency
  • Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
  • Security awareness and anti-phishing training for all members of the workforce
  • Physical controls to prevent data and equipment theft
  • Good patch management policies to ensure software is kept up to date and free from vulnerabilities

Informing Patients that Health Information is Protected

Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves with healthcare providers.

Having more information about a patient’s condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can reflect in higher satisfaction scores from patients and their families.

Informing patients that health information is secured doesn’t have to go into details – a few lines of text added to a Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account by an investigation into the data breach.

How to Secure Patient Information FAQs

What privacy and security laws apply other than HIPAA?

Many states now have privacy and/or data security laws with stronger patient protections than HIPAA. Some laws may only apply to certain types of data (e.g., Illinois’ Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (e.g., Texas’ Medical Records Privacy Act).

What can happen if you secure too much information?

Securing too much information can negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones’ wife urgently but cannot access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.

Not only will the lack of access result in a delay in contacting Mr. Jones’ wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call – an unnecessary waste of resources.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA Covered Entities and Business Associates have to comply with – i.e., the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Department of Health and Human Services has compiled an unofficial version of the text here.

What are the permissible uses and disclosures of PHI?

The permissible uses and disclosures allowed by the Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.

How can a patient check health information is being protected?

Patients can request an accounting of disclosures from their health plan or healthcare provider, which should list the times when PHI has been disclosed for purposes other than those permitted by the Privacy Rule in the previous six years. Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization’s HIPAA compliance.
