The information risk management, standards, and certification body, HITRUST, has announced that it will be releasing a new version of its popular cybersecurity framework this month. Version 11 of the HITRUST CSF includes several improvements to ensure the framework stays relevant, with improved mitigations against evolving and emerging cyber threats, while reducing the burden on healthcare organizations for certification.
The HITRUST CSF is a risk management and compliance framework that healthcare organizations can adopt to reduce the burden and complexity of achieving HIPAA compliance and effectively manage and reduce risks to private and confidential information, including protected health information (PHI). To better protect against emerging and evolving cyber threats, the new version of the HITRUST CSF enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls, appropriate for each level of assurance. Control mappings have been improved as has the precision of specifications, which reduces the level of effort required for HITRUST Certification. HITRUST says the updated version of the CSF reduces the effort required to achieve and maintain HITRUST Implemented, 1-year (i1) Certification over two years by up to 45%.
In the updated version, all HITRUST assessments are subsets or supersets of each other, which means organizations can reuse the work in lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements and inheritance. HITRUST also says CSF v11 is fully integrated across Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform, and that it is collaborating with various partners and healthcare organizations to introduce advanced capabilities to improve clarity on compliance requirements.
The new HITRUST CSF also sees two new authoritative sources added – NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards – and AI-based standards development capabilities have been developed to aid its assurance experts in mapping and maintaining authoritative sources. The latter will reduce mapping and maintenance efforts by up to 70% and will make it easier to add more authoritative sources in future releases.
“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders,” said Andrew Russell, VP of Standards, HITRUST. “The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort.”
It has been more than 25 years since the Health Insurance Portability and Accountability Act (HIPAA) was introduced, but there is still some confusion about HIPAA compliance, what the legislation does for patients, who is required to comply with HIPAA Rules, and what does HIPAA cover.
Who Does HIPAA Cover?
HIPAA is a federal law that led to the introduction of standards in healthcare relating to patient privacy and the protection of medical data. HIPAA covers most healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. Some HIPAA standards also apply to vendors of personal health records (PHRs), PHR-related entities, and service providers to PHR vendors and PHR-related entities.
Healthcare providers include hospitals, clinics, physicians, nursing homes, pharmacies, chiropractors, dentists, and psychologists. Health plans include health insurers, company health plans, HMOs, and government programs that pay for healthcare such as Medicaid and Medicare. Healthcare clearinghouses are organizations that transform nonstandard health data into a standard format. A business associate is an individual or entity that performs functions for a HIPAA covered entity that requires the use or disclosure of protected health information.
What Does HIPAA Cover?
The HIPAA Privacy Rule covers all individually identifiable health information that is created, stored, maintained, or transmitted by a HIPAA covered entity or business associate of a HIPAA covered entity. The HIPAA Privacy Rule applies to all forms of health information, including paper records, films, and electronic health information – even spoken information.
This information is classed as protected health information when it contains identifiers that would allow a patient or health plan member to be identified. HIPAA does not include information in employment records, even if that information is included in the HIPAA definition of individually identifiable health information or protected health information.
If individually identifiable health information is stripped of all identifiers, it is no longer considered to be protected health information. Information on HIPAA identifiers and de-identification of health data can be found here.
What Does HIPAA Protect?
HIPAA protects the privacy of individually identifiable health information relating to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Additionally, HIPAA protects any information maintained in the same designated record set that could be used to identify the individual to who the health information relates. This is why items sometimes classified as protected health information have nothing to do with the individual´s health (for example, IP addresses, vehicle registration numbers, email addresses, etc.).
How HIPAA Protects Patient Information
HIPAA protects patient information by establishing what uses and discloses of patient information are permissible and when an authorization is required before patient information can be used or disclosed. HIPAA also stipulates that Covered Entities and Business Associates must maintain an accounting of disclosures that a patient can obtain a copy of on request.
In addition, measures must be in place to prevent unnecessary and unauthorized disclosures. These measures range from the Minimum Necessary Standard of the Privacy Rule to the Administrative, Physical, and Technical Safeguards of the Security Rule and include the contents of Business Associate Agreements when PHI is shared with a Business Associate or subcontractor.
How Does HIPAA Protect Patients?
HIPAA protects patients by mitigating the risk of their personal health information being misused or stolen to commit identity theft and fraud. Health and other individually identifiable information can be used to fraudulently obtain healthcare, loans, and tax refunds in patients´ names – which, in some cases, patients may be liable for either directly or via increased health insurance premiums.
HIPAA also protects patients by enabling individuals to take more control of healthcare data. Not only does the opportunity to review and correct health information reduce the chances of a misdiagnosis being made; but, as patients now have the right to request PHI is transferred to another healthcare provider, they can also choose which healthcare provider best meets their needs.
How Does HIPAA Benefit Patients?
Research shows that, when patients trust their health information is being protected, they are more willing to share intimate details with healthcare providers. Having more information available enables healthcare providers to make better informed decisions, make more accurate diagnoses, and determine the best course of treatment – resulting in better patient outcomes.
Further research shows that when patients trust their healthcare providers, they tend to engage more with preventative services, participate in healthy activities (or reduce unhealthy activities), and are more likely to comply with prescribed treatments. This helps reduce the severity of illnesses and accelerates recovery – again benefitting patients by improving patient outcomes.
What HIPAA Does Not Cover
It was mentioned previously that vendors of PHRs (etc.) only have to comply with some HIPAA standards – namely those in the Breach Notification Rule. This means that if an individual uses a health app that collects health data (i.e., from a fitness tracker), and the data is stored on the vendor´s servers, the privacy and security provisions of HIPAA do not apply.
It is also the case that banks and payment processors are exempted from HIPAA compliance. Therefore, any health information shared with a payment processor (i.e., the reason for a payment to a clinic) is not protected by HIPAA. For this reason, while Covered Entities can accept payments from any source, it is better for the individual to initiate the payment rather than a healthcare provider to request payment or raise an invoice via an unsecure service such as PayPal.
What Does HIPAA Cover? FAQs
Why does HIPAA cover most healthcare providers, and not all?
Healthcare providers are covered by HIPAA only if they conduct electronic transactions for which the Department of Health and Human Services has developed standards (i.e., claims eligibility checks, treatment authorizations, billing, etc.). If a healthcare provider does not conduct these transactions electronically, or does not conduct them at all (i.e., because patients are billed directly), they are not Covered Entities under HIPAA.
Are all health insurance companies covered by HIPAA?
Insurance companies that provide health insurance as a primary benefit of insurance are covered by HIPAA. However, insurance companies that provide health insurance as a secondary benefit (i.e., secondary to auto insurance to cover hospital treatment in the event of an accident), are not Covered Entities under HIPAA.
Why does HIPAA not cover health information maintained in employment records?
HIPAA does not cover health information maintained in employment records – even when the employer is a Covered Entity – because the information is not used by the employer to conduct electronic transactions for which the Department of Health and Human Services has developed standards.
Why is it better for a patient to initiate a payment?
Banks and payment processors are exempt from HIPAA for the purpose of processing payments. If they engage in activities beyond payment processing (i.e., performing accounts receivable functions on behalf of a Covered Entity) they qualify as Business Associates. Therefore, it is simpler when patients are required to pay (or co-pay) for treatment that they initiate the payment, rather than a Covered Entity having to enter into a Business Associate Agreement with each financial institution.
Why is PayPal described as an unsecure service?
PayPal is not unsecure in terms of keeping customers´ money safe. However, with regards to HIPAA compliance, PayPal shares customer data with hundreds of third parties, so there is no way of knowing how PHI is used or disclosed once it is disclosed to PayPal (Note: PayPal will not sign a Business Associate Agreement so cannot be used for anything other than payment processing).
The issue of how to secure patient information and PHI is challenging because HIPAA does not require all patient information to be secured. Additionally, if Protected Health Information (PHI) is secured too much, it can prevent the flow of information needed to perform treatment, payment, and healthcare operations efficiently.
To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI. The easiest way to do this is by defining PHI first, because any remaining information relating to a patient that is not PHI does not need to be secured under HIPAA – although other privacy and security laws may apply.
What is PHI? And What is Not PHI?
The Administrative Simplification Regulations defines PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:
“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”
These definitions suggest any information that does not relate to a patient´s condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.
Individually identifiable health information protected by the privacy and security standards is maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. Therefore:
“Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
If Mr. Jones´ address, the name of his wife, and their telephone number are added to the designated record set, it is also PHI.
However, if a separate record of Mr. Jones´ wife and telephone number is maintained outside the designated record set (i.e., for contact purposes) it is not PHI because the separate record does not contain any health information.
In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn´t make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.
How to Secure Patient Information that is PHI
To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in fortress-like environment, whereas the Privacy Rule allows “permissible” uses and disclosures for a variety of reasons. Therefore, although it is important to apply access controls to ensure only authorized personnel can use or disclose PHI, it is not necessary for PHI to be “secured”.
With regards to electronic PHI (ePHI), Covered Entities and Business Associates have to take greater care about how it is protected because healthcare data is highly sought after by cybercriminals. Consequently, many compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:
A firewall to prevent unauthorized access to networks and data
A spam filter to block malicious emails harboring malware
A web filter to prevent staff accessing malicious websites
An antivirus solution to detect malware from other sources
Data encryption on all workstations and portable devices
Encryption to protect data in transit – encrypted email for instance
An intrusion detection system that monitors for irregular network activity
Auditing solutions that monitor for improper accessing of PHI
Disaster recovery controls to ensure continued access to data in the event of an emergency
Extensive backups to ensure PHI is recoverable in the event of an emergency
Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
Security awareness and anti-phishing training for all members of the workforce
Physical controls to prevent data and equipment theft
Good patch management policies to ensure software is kept up to date and free from vulnerabilities
Informing Patients that Health Information is Protected
Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves with healthcare providers.
Having more information about a patient´s condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can reflect in higher satisfaction scores from patients and their families.
Informing patients that health information is secured doesn´t have to go into details – a few lines of text added to a Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account by an investigation into the data breach.
How to Secure Patient Information FAQs
What privacy and security laws apply other than HIPAA?
Many states now have privacy and/or data security laws with stronger patient protections than HIPAA. Some laws may only apply to certain types of data (i.e., Illinois´ Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (i.e., Texas´ Medical Records Privacy Act).
What can happen if you secure too much information?
Securing too much information can negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones´ wife urgently but cannot not access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.
Not only will the lack of access result in a delay in contacting Mr. Jones´ wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call – an unnecessarily waste of resources.
What are the Administrative Simplification Regulations?
The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA Covered Entities and Business Associates have to comply with – i.e., the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Department of Health and Human Services has compiled an unofficial version of the text here.
What are the permissible uses and disclosures of PHI?
The permissible uses and disclosures allowed by the Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.
How can a patient check health information is being protected?
Patients can request an accounting of disclosures from their health plan or healthcare provider which should list the times when PHI has been disclosed for purposes other than those permitted by the Privacy Rule in the previous six years. Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization´s HIPAA compliance.
HIPAA is important because, due to the passage of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services was able to develop standards that protect the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic Protected Health Information.
HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals between jobs and with pre-existing conditions. Without HIPAA, employees faced a potential loss of insurance coverage between jobs. Because of the cost of HIPAA’s primary objective to health insurance companies – and the risk that the cost would be passed onto employers and individuals as higher premiums, Congress instructed the Secretary for Health and Human Services to develop standards that would reduce healthcare insurance fraud and simplify the administration of healthcare transaction.
Due to the increased number of transactions being conducted electronically, standards were also developed to protect the confidentiality, integrity, and availability of electronic Protected Health Information when it was collected, received, maintained and transmitted between healthcare providers, health plans, and health care clearinghouses. Further standards were developed to protect the privacy of individually identifiable health information (in any format) and to give individuals increased rights and control over their health information. The standards became known respectively as the HIPAA Security Rule and HIPAA Privacy Rule.
Why is HIPAA Important for Healthcare Organizations?
HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely.
The standards for recording health data and electronic transactions ensures everyone is singing from the same hymn sheet. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, this helps enormously with the transfer of electronic health information between healthcare providers, health plans, and other entities.
Why is HIPAA Important for Patients?
Arguably, the greatest benefits of HIPAA are for patients. HIPAA compliance is important because it ensures healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information.
While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.
HIPAA established rules that require healthcare organizations to control who has access to health data, restricting who can view health information and who that information can be shared with. HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, or information that is created by them, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who their information is released to and who it is shared with.
HIPAA is important for patients who want to take a more active role in their healthcare and want to obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are corrected.
Obtaining copies of health information also helps patients when they seek treatment from new healthcare providers – information can be passed on, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the Introduction of the HIPAA Privacy Rule, there was no requirements for healthcare organizations to release copies of patients’ health information.
Why is HIPAA Important? FAQs
What might happen to healthcare data if it were not protected by HIPAA?
What might happen to healthcare data if it were not protected by HIPAA is that it could be stolen and used to commit healthcare fraud. Healthcare data is a valuable commodity on the black market because it can be used by uninsured or underinsured individuals to obtain expensive healthcare treatment. Healthcare fraud results in increased insurance costs, which are passed down to employers and individuals in the form of increased insurance premiums.
What are the financial benefits for healthcare providers of complying with HIPAA?
The financial benefits for healthcare providers of complying with HIPAA include better patient outcomes and higher satisfaction scores, increased staff morale and employee retention rates, and fewer readmissions – a key factor in avoiding CMS payment penalties under the Hospitals Readmissions Reduction Program and other value-based initiatives.
Why is it important for healthcare professionals to comply with HIPAA?
It is important for healthcare professionals to comply with HIPAA to build a culture of trust with patients. If a patient feels any confidential information shared with a healthcare professional will remain confidential, they are more likely to be more forthcoming about health issues and the symptoms they are experiencing.
With more information available to them, healthcare professionals can make better informed diagnoses and treatment decisions. This results in better patient outcomes, which leads to higher morale. Effectively, by complying with HIPAA, healthcare professionals enjoy more rewarding experiences and get more from their vocation.
If patients are unable to exercise their patients´ right allowed by HIPAA, what might happen?
If patients are unable to exercise their patients’ rights allowed by HIPAA, the likely outcome will be a complaint to the Privacy Officer or HHS’ Office for Civil Rights. This could result in a significant financial penalty and a time-consuming corrective action plan.
Allowing patients to exercise their rights under HIPAA is important because it´s not unheard of for mistakes to be made with patients´ records that can result in misdiagnoses, the wrong treatment being provided, or the wrong medication being prescribed.
By giving patients the right to inspect their medical records and make corrections when necessary, the risks of incorrect diagnoses, treatments, and medications are mitigated. Additionally, having access to their records helps patients take more responsibility for their own wellbeing.
How do patients control who their information is released to and shared with?
Patients control who their information is released to and shared with by having the right to request privacy protection for protected health information (45 CFR §164.522). This right enables patients to request restrictions on how PHI is used and disclosed for treatment, payment, and health care operations, and also for involvement in the individual’s care and notification purposes.
Why is the HIPAA Privacy Rule important?
The HIPAA Privacy Rule is important because it sets a “federal floor” of privacy protections and rights for individuals to control healthcare data. This means that Covered Entities throughout the country must comply with the HIPAA Privacy Rule unless a state law offers more stringent privacy protections or greater rights for individuals.
How does HIPAA protect sensitive health information?
HIPAA protects sensitive health information via regulations, standards, and implementation specifications. Covered entities and business associates are required to comply with applicable regulations, standards, and implementation specifications or potentially face a civil monetary penalty from HHS’ Office for Civil Rights – even if no breach of unsecured PHI has occurred.
Who must comply with HIPAA rules?
Entities that must comply with HIPAA Rules include health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has developed standards (collectively known as “covered entities”). Businesses that provide services for or on behalf of covered entities that involve the use of disclosure of Protected Health Information are also required to comply with applicable HIPAA Rules.
Why is the HIPAA Breach Notification Rule important?
The HIPAA Breach Notification Rule is important because it requires covered entities and business associates to notify individuals when unsecured PHI has been accessed impermissibly so that individuals can take steps to protect themselves against theft and fraud. The Rule is also important because it makes covered entities and business associates accountable for shortcomings in their compliance efforts.
How does HIPAA support the digitization of health records?
HIPAA supports the digitalization of health records by laying the foundations of a cybersecurity framework to protect electronic health records from unauthorized access. The framework enabled Congress to incentivize the digitalization of health records via the Meaningful Use Program (now the Promoting Interoperability Program), which in turn improved the flow of health information between healthcare providers.
How has HIPAA evolved to meet the changing needs of health information technology?
HIPAA has evolved to meet the changing needs of health information technology via several HIPAA updates. The biggest recent HIPAA update was the Omnibus Final Rule in 2013. However, multiple changes to HIPAA have been proposed since 2020 onward, which would support the further evolution of HIPAA to meet the changing needs of health information technology.
How is compliance with HIPAA enforced?
Compliance with HIPAA is enforced by two offices within the Department for Health and Human Services – the Office of Civil Rights (responsible for compliance with Parts 160 and 164 of the HIPAA Administrative Simplification Regulations) and the Centers for Medical and Medicaid Services (responsible for compliance with Part 162). The Federal Trade Commission also enforces compliance with HIPAA for health appliance vendors that do not qualify as HIPAA covered entities, but who are required to comply with the Breach Notification Rule under Section 5 of the FTC Act.
What happens if you violate HIPAA depends on the nature and consequences of the violation, the motive for the violation, and whether you knew – or should have known – that the violation was indeed a violation. What happens if you violate HIPAA can also depend on if or how the violation is identified.
To help explain the many different factors that can influence what happens when you violate HIPAA, we will use as an example a healthcare employee who shares their EHR login credentials in the belief that a junior colleague wants to access a patient´s file in order to phone the patient´s family with an update.
If the junior colleague only uses the login credentials to obtain a phone number and phone the patient´s family with an update – and the patient has not objected to this information being shared with their family – no harm has occurred and there has been no impermissible use or disclosure of PHI.
Nonetheless, although the motive for sharing the EHR login credential is well meaning (and the healthcare employee does not have to stop what they are doing to retrieve the information for the colleague), the action is a violation of HIPAA because each member of the workforce must be assigned a unique user identifier to track user activity when they have access to PHI (§164.312).
What Happens if You Violate HIPAA Like This?
This will depend on whether the violation is identified, how it is identified, and whether either party knew that sharing login credentials is a violation of HIPAA. Possibly one of the worst outcomes from the event is that it is not identified because this may lead to further compliance shortcuts being taken which – if unchecked – could lead noncompliance becoming a “cultural norm”.
If the violation is identified by a senior employee or an alert member of the IT team, it will likely be reported to the compliance officer. What happens then depends on whether either employee has been told that sharing login credentials is a violation of HIPAA via HIPAA training. If so, both could face sanctions depending on the consequences of the violation.
The consequences of the violation can vary between no harm occurring at all to an impermissible disclosure of PHI if, for example, the message was left with a non-family member due to a lack of identity verification. The latter example could lead to the patient making a compliant to the healthcare facility or HHS´ Office for Civil Rights (OCR).
If a complaint is made to OCR, and the agency decides to conduct a compliance review, the consequences could consist of a corrective action plan to prevent login credentials being shared in the future; or, if the violation was attributable to a lack of training, the review could escalate to a full investigation – during which other areas of non-compliance may be identified.
If other areas of non-compliance are identified, the consequences of a well-meaning action could result in the healthcare facility being issued with a civil monetary penalty. Further civil monetary penalties could be issued by a State Attorney General or by a civil court if the impermissible disclosure of PHI resulted in the patient suffering personal harm (i.e., identity theft).
Criminal Penalties for Sharing Passwords in Violation of HIPAA
In addition to sanctions, the healthcare worker and the junior colleague could also face criminal penalties if their employer has a policy prohibiting the sharing of login credentials. This is because “a person who knowingly […] uses or causes to be used a unique health identifier […] shall be considered to have obtained or disclosed individually identifiable health information without authorization” – an offence under §1177 of the Social Security Act.
In this case, the healthcare worker “caused” the login credentials to be used by sharing them with the junior colleague, while the junior colleague “used” them. It is also important that the employer has a policy prohibiting the sharing of login credentials, otherwise the two employees could claim they did not do so knowingly (in which case, the employer could be sanctioned by OCR for failing to conduct a risk assessment and develop policies prohibiting password sharing).
The criminal penalties for sharing passwords in violation of HIPAA depend on the motive for knowingly and wrongfully disclosing individually identifiable health information. Just doing it could, in theory, attract a fine of up to $50,000 and a jail sentence of up to a year. In the event that the junior colleague obtained the patients health information and disclosed it someone else, they could receive:
A fine of up to $100,000 and up to five years in jail if the offense was committed under false pretenses, or
A fine of up to $250,000 and up to ten years in jail if the offense was committed to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm.
While it might seem this is an extreme example of what happens if you violate HIPAA, it is important to be aware the laws exist that enable these consequences to transpire. Therefore, it is important for HIPAA Covered Entities and Business Associates to conduct comprehensive risk assessments, develop policies to mitigate risks from all foreseeable threats, and train all members of the workforce on the policies. Thereafter, it is important for workforces to comply with the policies.
What Happens if You Violate HIPAA? FAQs
Do other types of HIPAA violations have the same consequences?
All violations of HIPAA that contravene an employer´s HIPAA policies will likely attract sanctions, while those that result in a complaint being made to OCR could result in enforcement action. Violations that involve the knowing and wrongful disclosure of PHI have to be notified by a Covered Entity to OCR, who then review the case and refer it to the Department of Justice.
Is it only Security Rule violations that attract sanctions?
No. While the scenario above relates to a Security Rule violation, the violation of any Privacy Rule policy that results in the knowing and wrongful disclosure of PHI could have the same outcome. The important consideration is whether a policy exists to explain it is a violation, and that the workforce has been informed of the policy – and the sanctions for violating the policy – via HIPAA training.
Why do Covered Entities have to notify violations to OCR?
Under the Breach Notification Rule, Covered Entities have to notify OCR (and affected individuals) when there has been an impermissible disclosure of unsecured PHI. A knowing and wrongful disclosure of PHI qualifies as an impermissible disclosure of unsecured PHI because the Covered Entity has no control over how the disclosed PHI will be further used or disclosed.
Why might a patient complain if they have consented to family members being contacted?
If the patient has consented to family members being contacted, but individually identifiable health information is disclosed to a third party, the patient could complain the disclosure is a violation of their privacy rights. Consequently, it is important healthcare professionals verify the identity of the person they are speaking with before disclosing Protected Health Information.
Has anybody ever been jailed for violating HIPAA?
Yes. The following links are just a few examples of employees receiving custodial sentences for impermissibly obtaining and disclosing Protected Health Information.
Avalon Healthcare has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws with the Oregon and Utah Attorneys General that were uncovered during an investigation of a 2019 breach of the personal and protected health information of 14,500 of its employees and patients.
Avalon Healthcare is part of the Avalon Health Care Group and provides skilled nursing, therapy, senior living, assisted living, and other medical services throughout Oregon, Utah, California, Nevada, Washington, and Hawaii. In July 2019, an employee responded to a phishing email and disclosed credentials that allowed an email account to be accessed by unauthorized individuals. The account contained sensitive information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, and some financial information. It took 10 months from the date of the breach for the incident to be reported to the HHS and state attorneys general, and for affected individuals to be notified.
Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes launched an investigation into the data breach that focused on the email security practices at Avalon Healthcare and compliance with the HIPAA Security and Breach Notification Rules and state data breach notification statutes. The HIPAA Breach Notification Rule requires notifications to be issued about breaches of protected health information without undue delay and no more than 60 days from the date of the breach. In Oregon, data breach notifications must be issued in the most expeditious manner, and no later than 45 days after the date of discovery of the breach. The investigation uncovered potential violations of the Oregon Unlawful Trade Practices Act and HIPAA with respect to breach notifications and data security. Avalon Healthcare agreed to settle the case to avoid further controversy and expense.
Under the terms of the settlement, Avalon Healthcare has agreed to comply with the requirements of state laws and HIPAA and will develop, implement, and maintain an information security program that includes reasonable data security practices to ensure all personal information and protected health information is adequately protected. An individual will be designated as having overall control of the information security program and a HIPAA compliance officer will be appointed. The information security program will include logging and monitoring of the network, multi-factor authentication, email filtering, and at least twice-yearly security awareness training for the workforce. Security awareness training must cover phishing and social engineering, and include phishing simulation exercises. Avalon Healthcare has also agreed to develop, implement, maintain, and test a data incident response plan and to implement and maintain a risk assessment and risk management program. Avalon Healthcare will also revise its email data retention policies to ensure that data is only kept in email accounts for as long as there is a legal basis to retain the information and all emails containing PHI will be encrypted.
In addition to the commitment to compliance with HIPAA and state laws, Avalon Healthcare will pay a $200,000 financial penalty, which will be split equally between the Oregon and Utah state attorneys general and will be used to pay for legal fees, investigation costs, and the future enforcement of compliance with HIPAA and state laws.
“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2,000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”
November was a relatively quiet month for healthcare data breaches with 31% fewer breaches reported than the previous month. November’s total of 49 breaches of 500 or more records was also well below the 12-month average of 58 breaches a month. 643 healthcare data breaches have been reported to the HHS’ Office for Civil Rights so far in 2022, which makes this year the second worst year to date for healthcare data breaches.
Despite the fall in reported breaches, the number of breached records increased by 10% from October. November was the worst month of 2022 in terms of the number of breached healthcare records, with 6,904,441 records exposed or impermissibly disclosed – Well above the 12-month average of 3.99 million records a month. So far in 2022, 44,852,648 healthcare records have been breached.
Largest Healthcare Data Breaches in November
17 breaches of 10,000 or more records were reported to OCR in November, five of which involved more than half a million records and three incidents involved the impermissible disclosure of more than 1 million records. The largest data breach was a hacked network server at the Pennsylvania-based business associate Connexin Software – A provider of electronic medical records to pediatric practices. An unauthorized individual gained access to an offline set of patient data that was used for data conversion and troubleshooting. The records of 2,216,365 patients were exposed and potentially stolen.
The Indiana-based healthcare provider, Community Health Network, reported an impermissible disclosure of the protected health information of up to 1.5 million patients. Tracking code had been added to its website that resulted in patient information being transferred to third parties such as Meta and Google, without obtaining consent from patients or having a business associate agreement in place. Several healthcare providers have reported similar breaches this year, prompting OCR to issue a warning to HIPAA-regulated entities this month over the use of tracking technologies on websites and mobile applications.
Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that exposed the protected health information of up to 1,195,220 patients. Major ransomware attacks were also reported by the Michigan-based prosthetics and orthotics provider, Wright & Filippis, and Health Care Management Solutions in West Virginia.
Name of Covered Entity
State
Covered Entity Type
Individuals Affected
Type of Breach
Cause of Data Breach
Connexin Software, Inc.
PA
Business Associate
2,216,365
Hacking/IT Incident
Hacking of network server
Community Health Network, Inc. as an Affiliated Covered Entity
IN
Healthcare Provider
1,500,000
Unauthorized Access/Disclosure
Website tracking code transmitted PHI to third parties
Doctors’ Center Hospital
PR
Healthcare Provider
1,195,220
Hacking/IT Incident
Ransomware attack
Wright & Filippis LLC
MI
Healthcare Provider
877,584
Hacking/IT Incident
Ransomware attack
Health Care Management Solutions, LLC
WV
Business Associate
500,000
Hacking/IT Incident
Ransomware attack on subcontractor of CMS business associate
Gateway Rehabilitation Center
PA
Healthcare Provider
130,000
Hacking/IT Incident
Hacking of network server
Mena Regional Health System
AR
Healthcare Provider
84,814
Hacking/IT Incident
Hacking of network server
Dallam Hartley Counties Hospital District
TX
Healthcare Provider
69,835
Hacking/IT Incident
Hacking of network server (data theft confirmed)
Consumer Directed Services in Texas, Inc.
TX
Healthcare Provider
56,728
Hacking/IT Incident
Hacking incident at a business associate
Stanley Street Treatment and Resources, Inc.
MA
Healthcare Provider
45,785
Hacking/IT Incident
Hacking of network server (data theft confirmed)
South Walton Fire District
FL
Healthcare Provider
25,331
Hacking/IT Incident
South Walton Fire District
Rosenfeld VanWirt, PC
PA
Business Associate
18,719
Hacking/IT Incident
Hacking incident affecting multiple affiliates of the Lehigh Valley Health Network
CCA Health Plans of California, Inc d/b/a CCA Health CA
CA
Health Plan
14,631
Hacking/IT Incident
Hacking of network server (data theft confirmed)
CareFirst Administrators
MD
Health Plan
14,538
Hacking/IT Incident
Phishing attack on business associate
Work Health Solutions
CA
Healthcare Provider
13,157
Hacking/IT Incident
Phishing attack
New York-Presbyterian Hospital
NY
Healthcare Provider
12,000
Hacking/IT Incident
Hacking of network server
Epic Management LLC
TN
Healthcare Provider
10,862
Hacking/IT Incident
Unauthorized email account access
Causes of November Data Breaches
All but one of the 17 data breaches of 10,000 or more records were due to hacking incidents, several of which were ransomware attacks. Many hacking incidents involve ransomware, although it is common for HIPAA-regulated entities not to disclose the exact nature of these attacks. It is therefore difficult to determine the extent to which ransomware is used in cyberattacks on the healthcare industry. 5,374,670 records were exposed or stolen in these hacking incidents – 77.8% of all records breached in November. The average breach size was 134,367 records and the median breach size was 7,158 records.
There were 8 unauthorized access/disclosure incidents reported that involved the records of 1,521,788 individuals. The majority of those records were impermissibly disclosed by one healthcare provider. The average breach size was 190,224 records and the median breach size was 2,275 records. There was also one theft incident reported involving the records of 7,983 individuals. In the majority of reported incidents, the breached protected health information was located on network servers. There were also 7 incidents involving breaches of email data, and four incidents involving electronic health records.
HIPAA-Regulated Entities Affected by Data Breaches
Healthcare providers were the worst affected entities in November, with 26 reported breaches, one of which occurred at a business associate but was reported by the healthcare provider. 6 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 17 breaches in November. The pie chart below shows the breakdown of data breaches based on where they occurred, rather than the entities reporting the data breaches.
Healthcare Data Breaches by State
Data breaches were reported by HIPAA-regulated entities in 18 states and Puerto Rico. Pennsylvania was the worst affected state with 12 breaches, which involved 34.8% of the month’s breached records. 10 of those breaches were due to a hacking incident involving healthcare providers that are part of the Lehigh Valley Health Network. HIPAA-regulated entities in California reported 6 breaches, but these were relatively minor, only involving the protected health information of 41,382 patients.
Georgia, Michigan, New Jersey, Nevada, Oregon, Washington, West Virginia, and Puerto Rico
1
HIPAA Enforcement Activity in November
No civil monetary penalties or settlements were announced by OCR in November. Even so, 2022 has seen more HIPAA enforcement actions than in any other year since OCR was given the authority to enforce HIPAA compliance. The majority of the financial penalties in 2022 have been imposed for violations of the HIPAA right of access, and 55% of the year’s enforcement actions over HIPAA violations were on small healthcare providers.
In November, the state of Massachusetts announced that Aveanna Healthcare had been fined $425,000 for a breach of the PHI of 166,000 individuals, 4,000 of whom were Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, with the Massachusetts Attorney General discovering a lack of safeguards such as multi-factor authentication and security awareness training.
The Secretary of the Department of Health and Human Services (HHS) has proposed a new rule that will require the adoption of standards for healthcare attachments transactions and electronic signatures used in conjunction with those transactions to support healthcare claims and prior authorization transactions. The new rule will implement the requirements of the Administrative Simplification Requirements of HIPAA and the Affordable Care Act and will apply to all health plans, healthcare clearinghouses, and healthcare providers that currently lack an efficient, uniform method of sending attachments.
Currently, when making coverage decisions about healthcare services, health plans often require additional information that cannot be added to the specified fields or data elements of the adopted prior authorization request or healthcare claims transaction. Currently, this information is sent through the mail or by fax and is subject to manual processes that consume considerable time and resources. At present, there are no adopted HIPAA standards, implementation guides, or operating rules covering healthcare attachments or electronic signatures. The proposed rule will support electronic transmissions of this type of information.
“We believe that the health care industry has long anticipated the adoption of a set of HIPAA standards for the electronic exchange of clinical and administrative data to support electronic health care transactions, such as prior authorization of services and claims adjudication, and the standards we are proposing to adopt are an important step in reducing provider burden,” explained the HHS.
The Administrative Simplification Rules of HIPAA called for standard-setting organizations (SSOs) to develop standard code sets for electronic healthcare transactions, and some of these have previously been implemented as part of the Transactions and Code Sets final rule. A rule was also proposed in 2005 – The HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule – that required the adoption of standards for health care claims attachment standards for specific service areas, including ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services; however, based on the comments received, the HHS chose not to finalize that rule.
The American Hospital Association (AHA) has announced its support for the proposed rule and the adoption of a new HIPAA standard for attachments and electronic signatures, as this will ease the burden on providers,/ Currently, the lack of a HIPAA standard for attachment transactions slows down claims processing, leading to delays to payments and patient care, and contributes to provider burnout. “The AHA supports establishing a standard for attachments to reduce the administrative burdens facing clinicians, and we look forward to providing robust commentary after analyzing the rule’s specifics,” said Terrence Cunningham, AHA director of administrative simplification policy.
The proposed rule is scheduled to be published in the Federal Register on December 21, 2022. Comments on the proposed rule must be submitted by March 21, 2022.
The Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc. (HSCF), has paid a $20,000 financial penalty to settle a HIPAA Right of Access case with the HHS’ Office for Civil Rights.
OCR launched an investigation in response to a November 22, 2019, complaint from a woman who had not been provided with a copy of her deceased father’s medical records. The initial request was made in writing on August 29, 2019, and an Authorization for Release of Medical Record Information form was provided to HSCF along with a copy of the original Letters of Administration. It took multiple requests and almost 5 months for all of the requested medical records to be provided. The complete set of records was received by the woman on January 27, 2020.
The HIPAA Right of Access requires healthcare providers to provide a copy of the requested medical records within 30 days of the request being submitted. In certain circumstances, a 30-day extension is applicable. OCR determined that the delay in providing the requested records was a violation of the HIPAA Right of Access. In addition to paying a $20,000 financial penalty, HSCF has agreed to undertake a corrective action plan, which involves developing, implementing, and maintaining HIPAA Privacy Rule policies and procedures concerning the HIPAA Right of Access, distributing those policies and procedures to staff members, and providing training on those policies and procedures. HSCF will also be monitored by OCR for a period of two years from the date of the settlement.
“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law,” said OCR Director, Melanie Fontes Rainer, announcing the settlement. “Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access.”
The HIPAA Right of Access enforcement initiative was launched by OCR in the fall of 2019. Since then, $2,423,650 has been paid by healthcare providers to resolve HIPAA Right of Access violations in 42 enforcement actions. The fines range from $3,500 to $240,000.
