HIPAA Compliance News

COVID-19 Public Health Emergency and HIPAA Telehealth Flexibilities Due to be Extended

The Secretary of the Department of Health and Human Services, Xavier Becerra, is expected to extend the COVID-19 Public Health Emergency (PHE) today (October 13, 2022) for the 11th time. The COVID-19 PHE was first declared in January 2020 by then HHS Secretary, Alex Azar II, with the last extension issued by Becerra on July 15, 2022. That makes today the final day of the PHE should no further extension be declared. The extension, if confirmed, will last for a further 90 days, making the next deadline January 11, 2023.

Several flexibilities were introduced in response to the COVID-19 PHE, including changes to Medicare to expand coverage of telehealth services during the pandemic. Coverage was extended to include Medicare beneficiaries in any geographic region, not just beneficiaries in rural areas. Beneficiaries were permitted to remain in their homes for telehealth visits, the visits could be delivered via smartphones, and Medicare expanded the list of services that could be provided virtually.

The Department of Health and Human Services’ Office for Civil Rights also issued a Notice of Enforcement Discretion with respect to the good faith provision of telehealth services. “OCR will exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” explained OCR in its COVID-19 telehealth guidance.

Under OCR’s Notice of Enforcement Discretion, healthcare providers are permitted to use “any non-public facing remote communication product that is available to communicate with patients,” even if the technology would not normally be permitted under HIPAA, such as when the vendor will not enter into a business associate agreement with the healthcare provider.

“The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first,” explained OCR. “OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.”

The HHS has previously committed to providing a 60-day notice to states before the expiration of the COVID-19 PHE or the termination of the HIPAA telehealth flexibilities to give them time to prepare. The HHS is also due to notify healthcare groups in advance to allow them to prepare their members. The absence of any such notifications makes it almost certain that a further extension will be announced. Should the decision be made not to extend the COVID-19 PHE further past January 2023, the 60-day notice will need to be issued by mid-November.

It is important for healthcare providers to be aware that while the COVID-19 public health emergency has been repeatedly extended, these extensions will not continue indefinitely. When the COVID-19 PHE is declared over, the HIPAA telehealth flexibilities will come to an end. It is therefore recommended that healthcare organizations prepare for the end of the COVID-19 PHE and start evaluating HIPAA-compliant telehealth solutions – solutions that have the necessary safeguards to comply with the HIPAA Security Rule and are provided by vendors willing to enter into a business associate agreement. Healthcare providers should consider transitioning to those solutions ahead of the HHS announcement of the end of the COVID-19 PHE, or ensure that they develop a plan that can be implemented immediately when notice is provided that the PHE will end.

The post COVID-19 Public Health Emergency and HIPAA Telehealth Flexibilities Due to be Extended appeared first on HIPAA Journal.

Doctor Who Provided PHI to Pharma Sales Rep Pleads Guilty to Criminal Violations of HIPAA

A former physician with practices in New Jersey, New York, and Florida has pleaded guilty to criminal violations of HIPAA for disclosing patients’ protected health information to a sales representative of a pharmaceutical firm, according to the U.S. Attorney’s Office of the District of New Jersey.

Frank Alario, 65, of Delray Beach, Florida, pleaded guilty to disclosing patient information to sales rep Keith Ritson, who promoted compound prescription medications and other medications to the patients. Compound prescription medications are medications mixed specifically for individual patients when standard FDA-approved medications are determined to not be appropriate, due to an allergy for example. Compound prescription medications are not approved by the FDA but can be legally prescribed by physicians.

The HIPAA Privacy Rule permits disclosures of patients’ protected health information for the purposes of treatment, payment, or healthcare operations; however, other disclosures are only permitted if consent to share information is provided by each patient. Ritson was an outside pharmaceutical representative who was not associated with Alario’s practices, and as such Ritson was not permitted to access the protected health information of Alario’s patients. Permission to disclose the information was not provided by patients.

Alario allowed Ritson to have significant access to his office, patients’ medical files, and other patient information, both inside and outside normal business hours. Ritson was given access to areas of Alario’s office that were restricted to staff members, such as areas with patient files and computers. In addition to allowing access to these areas, Ritson was allowed to look up patient information in files and on computers to identify patients who had insurance coverage that would pay for the compound medications. Ritson would then mark the files of patients whose insurance would pay for the medications so Alario would know which patients to prescribe the medications to.

In some cases, Ritson was allowed to be present during appointments. Alario gave patients the impression that Ritson was a member of staff or was affiliated with the medical practice, and during those appointments sensitive health information would be directly disclosed to Ritson. The information obtained was then used to fill out prescription forms for medications, which would then be authorized by Alario, with Ritson receiving a commission on the prescriptions.

Alario and Ritson were both charged in an indictment for conspiring to violate HIPAA. Ritson’s charges are still pending, with his trial scheduled for November 7, 2022. Alario pleaded guilty and sentencing is scheduled for February 7, 2023. Alario faces a maximum of one year in jail and a $50,000 fine.

NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers

The Health Sector Coordinating Council (HSCC) has urged the National Institute of Standards and Technology (NIST) to provide tailored guidance for smaller and lesser-resourced healthcare organizations on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and has made several other recommendations to improve the utility of NIST’s new HIPAA Security Rule implementation guidance.

Background

Recently, NIST issued a draft update (SP 800-66r2) to its 2008 publication: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and sought feedback from industry stakeholders ahead of the publication of the final version of the guidance.

SP 800-66r2 provides guidance for HIPAA-regulated entities on assessing and managing risks to ePHI, suggests activities that should be considered as part of an information security program, and provides several useful resources that HIPAA-regulated entities can use to help them implement the requirements of the HIPAA Security Rule.

HSCC is a private sector-led critical infrastructure advisory council of large, medium, and small health industry stakeholders, that works with government partners to identify and mitigate threats and vulnerabilities that have the potential to affect the ability of the sector to deliver healthcare services. HSCC has a Cybersecurity Working Group that represents 350 healthcare organizations that collaborate toward improving the cyber security and resiliency of the healthcare industry and patient safety.

HSCC Recommendations for Improving NIST HIPAA Security Rule Guidance

Improve the Structure to Better Meet the Needs of Smaller Healthcare Organizations

HSCC has made several recommendations for NIST to consider prior to releasing the final version of its guidance. One of the main issues is NIST has created a document that can be used by healthcare organizations of all sizes; however, HSCC suggests this one-size-fits-all approach has resulted in the guidance not being well adapted for smaller healthcare organizations, which are the ones that would benefit most from additional guidance on HIPAA Security Rule compliance.

The problem with the one-size-fits-all approach is that the guidance document – which runs to 139 pages – provides detailed information, but much of that information is not relevant to smaller HIPAA-regulated entities. Resources have been shared to help HIPAA-regulated entities achieve compliance with the HIPAA Security Rule, but HSCC says there are insufficient resources provided specifically for smaller healthcare organizations and suggests the resources could be better organized to improve the utility of the publication.

Stress the Importance of Adopting Recognized Security Practices

HSCC draws attention to its publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which was developed under the 405(d) Program and Task Group to help organizations of all sizes manage cyber threats. HICP has been developed to be scalable and has the flexibility to be easily used by smaller healthcare organizations, without prescribing a single pathway for improving cyber posture. HSCC recommends that this tool and other similar resources be referenced in NIST’s Security Rule guidance.

Now that H.R. 7898 (Public Law 116-321) has been signed into law, HSCC says content should be included in the Security Rule guidance on how the adoption of recognized security practices benefits healthcare organizations in the form of shorter compliance audits and fewer fines, together with information on how to implement the security best practices promulgated under section 405(d) of the Cybersecurity Act of 2015 by adopting the NIST Cybersecurity Framework (NIST CSF) and following the recommendations outlined in publications such as the HICP.

HSCC also recommends that NIST stress the importance of following cybersecurity best practices, and explain that adopting those practices will help HIPAA-regulated entities with HIPAA Security Rule compliance and compliance with other Federal mandates, and how following these best practices can help to ensure business continuity and patient safety. HSCC has recommended that NIST publish separate guidance for small- and mid-sized healthcare organizations with more tailored resources that stress the importance of practicing good cyber hygiene.

HSCC also draws attention to the use of the terms ‘risk assessment’ and ‘risk analysis’ in the document, which are often used as synonyms, even though NIST has separate definitions for both. To avoid confusion, HSCC recommends NIST uses these terms consistently and clarifies when a risk analysis or risk assessment is required.

Help Small Healthcare Providers Prepare for the End of the COVID-19 PHE

HSCC has also drawn attention to the flexibilities introduced in response to the COVID-19 Public Health Emergency (PHE), specifically, the notice of enforcement discretion issued by OCR stating sanctions and penalties will not be imposed for the good faith use of communications technologies for providing telehealth services during the PHE, which would normally not be considered HIPAA-compliant. The guidance should make it clear that as the PHE winds down, healthcare providers should migrate to more secure methods of communication to better protect patient privacy and reduce cyber incidents.

Is Google Meet HIPAA Compliant?

Google Meet is an advanced VoIP and videoconferencing service that can be used by healthcare providers to provide telehealth services, remote consultations, and virtual patient visits. But is Google Meet HIPAA compliant?

Google Meet is rapidly becoming the go-to videoconferencing service for organizations in all industries due to its integrations with other productivity tools in the Google Workspace Suite. However, if the service is used by healthcare providers to communicate Protected Health Information, certain measures must be put in place to make Google Meet HIPAA compliant.

First of all, before Google Meet is used to collect, share, or transmit Protected Health Information, a healthcare provider must subscribe to a Business Google Workspace or Cloud Identity account and sign Google’s Business Associate Addendum. The Addendum provides information about which of Google’s services can be used in compliance with HIPAA and what the customers’ obligations are.

The BAA Alone Does Not Make Google Meet HIPAA Compliant

However, signing the Business Associate Addendum does not – by itself – make Google Meet HIPAA compliant. System administrators have to configure the service to support compliance – for example, by making Meet the default videoconferencing service in the organization to prevent workstations prompting calls via Hangouts, which is not HIPAA compliant when used in video mode.

It may also be necessary to make all Google Meet invites private in order to mask any PHI mentioned in the invites (i.e., patients’ names) and to control access to recordings of Meet videos, which are saved to Google Drive by default. It will certainly be necessary to develop policies on how to use Google Meet in compliance with HIPAA and train members of the workforce on the policies.

To help healthcare providers and their Business Associates use Google Meet in compliance with HIPAA, Google recently updated its Workspace and Cloud Identity Implementation Guide. The Guide provides advice not only on how to make Google Meet HIPAA compliant, but also on all the other Workspace and Cloud Identity services covered by the Business Associate Addendum.

Why HIPAA Compliance Matters in Telehealth

It has been claimed that healthcare professionals often mistakenly believe that communicating ePHI via any communication channel is in compliance with HIPAA when the communication is directly between a healthcare professional and a patient. This is not true, and there are many examples of unencrypted communications being intercepted or accessed impermissibly.

Consequently, it is important that Covered Entities and Business Associates implement a secure and HIPAA compliant solution such as Google Meet when providing telehealth services. However, it is equally important that the solution is configured to comply with the Technical Safeguards of the Security Rule, that only authorized users have access to the solution, and that a system for monitoring Google Meet communications is implemented to prevent accidental or malicious breaches of ePHI.

3 Dental Practices Fined for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) has agreed to settle three HIPAA investigations of potential HIPAA Right of Access violations by dental practices. All three of the investigations were initiated after complaints from patients about the failure of their dental practices to provide them with timely access to their medical records, with one of the cases also involving an allegation of overcharging for a copy of medical records.

A patient of the Georgia-based dental and orthodontics provider, Great Expressions Dental Center of Georgia, P.C. (GEDC-GA), filed a complaint with OCR in November 2020 after being told that she could not be provided with a copy of her medical records unless she paid a $170 copying fee. The HIPAA Right of Access does permit healthcare organizations to charge patients for providing a copy of their medical records, but the costs must be reasonable and cost-based.

OCR’s investigation confirmed that the patient was not provided with a copy of her records until February 2021, 15 months after the initial request. OCR also determined that GEDC-GA’s practice of assessing copying fees resulted in the patient being charged a fee that was not reasonable and cost-based. GEDC-GA chose to settle the case and paid an $80,000 penalty and implemented a robust corrective action plan to address noncompliance with the HIPAA Right of Access.

An investigation was launched into the Chicago, IL-based dental practice, Family Dental Care, P.C. following an August 8, 2020, complaint from a former patient who alleged she had not been provided with a complete set of her medical records. The former patient submitted a request for her complete records in May 2020, but only portions of those records were provided. The patient was not provided with her full records until October 2020, more than 5 months after the initial request was submitted. OCR determined there had been a failure to provide timely access to the requested medical records, which violated the HIPAA Right of Access. Family Dental Care chose to settle the case and paid a $30,000 financial penalty and implemented a corrective action plan to address the non-compliance.

On October 26, 2020, OCR received a complaint from a patient of B. Steven L. Hardy, D.D.S., LTD (doing business as Paradise Family Dental in Las Vegas, NV). The patient alleged to have requested a copy of her and her minor child’s medical records on multiple occasions, but the records had not been provided. The requests were made between April 11, 2020, and December 4, 2020, but the records were not provided until December 31, 2020, 8 months after the initial request was submitted. OCR determined the delay in providing the records violated the HIPAA Right of Access. Paradise chose to settle the case and paid a $25,000 financial penalty and implemented a corrective action plan to address the non-compliance.

“These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”

Are Phone Calls HIPAA Compliant?

The answer to the question “are phone calls HIPAA compliant?” depends on who is making the call, what the call concerns, and who the call is to.

Before discussing whether phone calls are HIPAA compliant, it is important to establish who HIPAA applies to. This is because almost two-thirds of complaints about HIPAA violations are rejected because they allege a violation has been committed by a business that is not subject to the HIPAA Rules. In such cases, HHS’ Office for Civil Rights has no jurisdiction to investigate the complaints and so rejects them.

HIPAA applies to most health plans, health care clearinghouses, and healthcare providers (“Covered Entities”), and to Business Associates and subcontractors providing a service for or on behalf of a Covered Entity. Healthcare-related calls from these sources to individuals are permissible provided the recipient has given their implied consent to receive a call and the call follows FTC guidelines.

Additionally, to make phone calls HIPAA compliant, Covered Entities and Business Associates are required to comply with the General Rules for Uses and Disclosures of PHI (§164.502 to §164.512), and the Minimum Necessary Standard when making phone calls to someone other than the individual which relate to the individual’s condition, treatment, or payment for treatment.

Implied Consent and FTC Guidelines

Phone calls to individuals from Covered Entities and Business Associates are permissible if the recipient of the phone call has given their implied consent by providing a contact telephone number to the Covered Entity or Business Associate. However, under HIPAA, individuals also have the right to revoke consent or request that communications are either made by voice or by text.

Healthcare-related – but not payment-related – phone calls and text messages from Covered Entities to individuals are FTC compliant if they are made for an allowable reason. Allowable reasons are limited to:

  • Appointments and reminders
  • Hospital pre-registration instructions
  • Health checkups
  • The provision of medical treatment
  • Lab test results
  • Notifications about prescriptions
  • Pre-operative instructions
  • Post-discharge follow-up calls
  • Home healthcare instructions

According to the FTC guidelines, calls to individuals should start with the Covered Entity stating their name and the reason for the call. Calls can last no longer than 60 seconds (text messages must be no longer than 160 characters), and Covered Entities cannot contact individuals more than three times per week. Any additional contact – by voice or by text – requires the individual’s authorization.

Making Other Phone Calls HIPAA Compliant

Other phone calls made by a Covered Entity or Business Associate (i.e., not to an individual for an allowable reason) are only subject to the General Rules for Uses and Disclosures and the Minimum Necessary Standard if the communication involves the disclosure of an individual’s PHI. Any phone calls that do not involve the disclosure of PHI are not subject to the Privacy Rule standards.

Nonetheless, there are many types of HIPAA-related phone calls that are subject to Privacy Rule standards. For example, a phone call made from one Covered Entity to another for treatment, payment, or healthcare operations purposes, a phone call made to local authorities to report a public health issue, or a phone call made to the police to report patient abuse or neglect.

Covered Entities can communicate PHI to a Business Associate in a phone call, but before doing so, a Business Associate Agreement must be in place to stipulate the allowable uses and disclosures of PHI. In states where more stringent privacy protections exist, it may also be necessary for a Covered Entity to enter into a contract with another Covered Entity before disclosing PHI for any reason.

Is PHI Disclosed in a Phone Call Subject to the Security Rule?

One final point about making phone calls HIPAA compliant concerns whether PHI disclosed during a phone call is subject to the Security Rule. According to the definition of electronic media in §160.103 of the HIPAA General Provisions, PHI disclosed during a phone call is not considered to be subject to the Security Rule “if the information being exchanged did not exist in electronic form immediately before the transmission”.

However, if the PHI is subsequently recorded on electronic media, the stored PHI (now ePHI) becomes subject to Security Rule standards. Therefore, if PHI is disclosed during a permissible provider-to-provider phone call, and the information is entered into an EHR or other electronic database, the information has to be protected in the same way as any other PHI relating to the individual that is stored electronically.

Are Phone Calls HIPAA Compliant? FAQs

Can nurses give patient information over the phone?

As members of a Covered Entity’s workforce, nurses can give patient information over the phone for permissible uses and disclosures. However, before nurses give patient information over the phone, it is important they verify the identity of the person they are speaking with in order to prevent unauthorized disclosures or disclosing more than the minimum necessary patient information.

Is sharing patient information with family over the phone HIPAA compliant?

With regards to sharing patient information with family over the phone, patients should be given the opportunity to object to their information being shared with family members. Provided the patient has not objected, sharing patient information with family over the phone is HIPAA compliant. However, it is still necessary to comply with the Minimum Necessary Standard.

If a patient is incapacitated and unable to object to their information being shared, healthcare providers can share patient information over the phone with family members provided that the disclosure of PHI is considered to be in the patient’s best interests. Once the patient is no longer incapacitated, he or she must be given the opportunity to object as soon as possible.

Are cell phone calls HIPAA compliant?

As discussed above in “Implied Consent and FTC Guidelines”, calls to cell phones are HIPAA compliant if a patient has given their cell phone number to the Covered Entity as a point of contact. If a patient has given both a cell phone number and a landline number, Covered Entities can use either number to contact the patient up to the FTC-mandated limit of three calls/texts per week.

What information can hospitals give over the phone?

If they are responding to an enquiry about the well-being of a patient, hospitals can provide “directory information” such as the general condition of the patient and their location within the hospital provided the patient is asked for by name, the identity of the caller is verified, and the patient has not objected to the information being disclosed.

Is a landline HIPAA compliant?

Calling a patient’s landline for an allowable reason is HIPAA compliant provided the landline number has been provided to the Covered Entity by the patient or patient’s representative. However, Covered Entities must take care to verify that the person they are speaking with is the patient, as landlines can be shared among multiple occupiers or – in a business – multiple employees.

Is giving out a phone number a HIPAA violation?

Giving out a phone number can be a HIPAA violation, but only in certain circumstances. Generally, a phone number is an “identifier” that, when included in a patient’s “designated record set”, becomes Protected Health Information. Any protected identifier in a designated record set can be disclosed if the disclosure is permitted by the General Rules for Uses and Disclosures of PHI.

If a patient has objected to their phone number being given out, if the phone number is given out without authorization for a disclosure requiring an authorization, or if the phone number is given out in the course of an impermissible disclosure, these are examples of HIPAA violations – if the phone number is included in the patient’s designated record set. If it is not part of the patient’s designated record set, the phone number is not protected, and therefore no HIPAA violation has occurred.

What is the Maximum Penalty for Violating HIPAA?

The maximum penalty for violating HIPAA is currently $1,919,173 (September 2022). However, this figure represents the maximum penalty per violation type, and Covered Entities and Business Associates found guilty of multiple violations can expect to pay much more.

When Congress passed HIPAA in 1996, it set the maximum penalty for violating HIPAA at $100 per violation with an annual cap of $25,000. These limits were applied when the Department of Health & Human Services (HHS) published the Enforcement Rule in 2006 and they stayed in force until the publication of the Final Omnibus Rule in 2013.

Among other changes to HIPAA, the Final Omnibus Rule introduced amendments to the Enforcement Rule attributable to passage of the HITECH Act in 2009. The HITECH Act mandated a four-tier penalty structure for HIPAA violations and new minimum and maximum penalties for violating HIPAA. The four tiers were based on the level of culpability associated with the violation:

Tier 1 – Lack of Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the event was a violation of HIPAA.

Tier 2 – Lack of Oversight: The violation was due to reasonable cause and not willful neglect to comply with the HIPAA regulations.

Tier 3 – Willful Neglect: The violation was due to the willful neglect of the Covered Entity or Business Associate but corrected within 30 days of discovery.

Tier 4 – Willful Neglect, Not Corrected: The violation was due to the willful neglect of the Covered Entity or Business Associate but not corrected within 30 days of discovery.

The Penalties for Violating HIPAA Change after Review

Originally, due to “inconsistent language” of the HITECH Act, HHS interpreted the new Enforcement Rule penalty structure as follows:

| Level of Culpability                        | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|--------------------------------------------|-------------------------------|-------------------------------|----------------------|
| Lack of Knowledge                          | $100                          | $50,000                       | $1,500,000           |
| Lack of Oversight                          | $1,000                        | $50,000                       | $1,500,000           |
| Willful Neglect                            | $10,000                       | $50,000                       | $1,500,000           |
| Willful Neglect not Corrected within 30 days | $50,000                     | $50,000                       | $1,500,000           |

However, following a review of the penalty tiers by HHS’ Office of General Counsel, the annual caps were amended in 2019 to align with those mandated by HITECH.

| Level of Culpability                        | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|--------------------------------------------|-------------------------------|-------------------------------|----------------------|
| Reasonable Efforts                         | $100                          | $50,000                       | $25,000              |
| Reasonable Cause                           | $1,000                        | $50,000                       | $100,000             |
| Willful Neglect – Corrected                | $10,000                       | $50,000                       | $250,000             |
| Willful Neglect – Not Corrected within 30 days | $50,000                   | $50,000                       | $1,500,000           |

This resulted in the annual limit for a Tier 1 violation being less than the maximum penalty for violating HIPAA in Tier 1 – a situation that has continued as the penalties for violating HIPAA have been adjusted to account for inflation. Additionally, the maximum penalty for violating HIPAA in Tier 4 has also been increased. The current (September 2022) penalties for violating HIPAA are:

| Level of Culpability                        | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|--------------------------------------------|-------------------------------|-------------------------------|----------------------|
| Lack of Knowledge                          | $127                          | $60,973                       | $30,133              |
| Lack of Oversight                          | $1,280                        | $60,973                       | $121,946             |
| Willful Neglect                            | $12,794                       | $60,973                       | $304,865             |
| Willful Neglect not Corrected within 30 days | $60,973                     | $1,919,173                    | $1,919,173           |

The Maximum Penalty for Violating HIPAA is per Violation Type

It is important for Covered Entities and Business Associates to be aware that the maximum penalty for violating HIPAA is per violation type. This means that (for example), if a Covered Entity fails to conduct a risk assessment, fails to implement measures to prevent a foreseeable breach, and fails to notify patients when a breach occurs, the Covered Entity could be issued the maximum penalty for violating HIPAA three times over.

It is also important to be aware that State Attorneys General have the authority to impose civil money penalties on Covered Entities and Business Associates found to have violated HIPAA. Consequently, what a Covered Entity or Business Associate pays in penalties to HHS’ Office for Civil Rights may be substantially increased – as Anthem Inc. found out following a breach of 78.8 million records in 2015.

In addition to reaching a $16 million settlement with HHS' Office for Civil Rights, Anthem Inc. was also fined $48.2 million by State Attorneys General in two separate cases. Additionally, a class action was brought against Anthem Inc. by individuals whose data was breached – resulting in a further $115 million settlement. Consequently, if found guilty of a HIPAA violation, the total cost of a HIPAA violation could be much more than the maximum penalty figures published annually in the Federal Register.

The post What is the Maximum Penalty for Violating HIPAA? appeared first on HIPAA Journal.

Can Medical Records be Subpoenaed?

In answer to the question "can medical records be subpoenaed?", the answer is yes, because every type of record can be subpoenaed. Possibly a more relevant question would be "how should healthcare providers respond to a subpoena for medical records?"

In most states, there are three types of subpoenas – a “witness subpoena” that requires an entity to appear in court to give evidence, a “deposition subpoena” that requires an entity to provide copies of records and/or attend a deposition hearing, and a “subpoena duces tecum” that requires an entity to provide copies of records and/or attend a court hearing.

All three types of subpoenas can be used to subpoena medical records or require a healthcare provider to answer questions or testify about a medical record. Although they are not exclusive to any particular type of case, a witness subpoena will most likely be used in a legal action where both a patient and a healthcare provider are parties to the case (i.e., a medical negligence claim).

The other two types of subpoenas will most commonly involve cases in which the healthcare provider is not a party to a civil or criminal action (i.e., an injury compensation claim), but the patient's medical records are required to support discovery and/or resolve the action. In such cases, it is important to be aware of whether medical records can be subpoenaed in compliance with HIPAA.

What HIPAA Says about Medical Records being Subpoenaed

The relevant parts of HIPAA relating to medical records being subpoenaed can be found in §164.512 of the Privacy Rule – “[Permissible] uses and disclosures for which an authorization [from the patient] or opportunity to agree or object is not required” – specifically the section relating to disclosures for judicial and administrative proceedings (Section C). This section states that healthcare providers can disclose PHI in response to a subpoena provided that:

  • Only PHI expressly requested by the subpoena is disclosed and de-identified information could not reasonably have been used.
  • The information requested is relevant to a legitimate proceeding and the request is specific and limited in scope.
  • The subject of the PHI has been informed about the subpoena or reasonable efforts have been made to notify the individual.
  • An objection has not been filed by the subject of the PHI and the time to file an objection has elapsed.
  • Any PHI disclosed in response to a subpoena is not used for any purpose other than the purpose for which it was requested.
  • The party seeking the disclosure has put in place or requested a protective order to prevent further disclosures.
  • Any PHI disclosed in response to the subpoena for medical records will be returned or disposed of at the end of the proceedings for which it was requested.

It is important to be aware that the provisions of Section C do not supersede other provisions of the Privacy Rule. Consequently, it is still necessary to obtain an authorization before disclosing psychotherapy notes or substance abuse disorder medical records, the Minimum Necessary Standard still applies, and Covered Entities have to comply with the provisions of any state laws that pre-empt HIPAA when more stringent privacy protections exist.

Responding to a Subpoena for Medical Records

There are different ways to respond to a subpoena for medical records depending on the type of subpoena (witness, deposition, or duces tecum) and the subpoena issuer. It is important to respond correctly when medical records are subpoenaed because incorrect responses can result in HIPAA violations. For this reason, healthcare providers and administrators should obtain legal advice to find out whether medical records can be subpoenaed in the specific circumstances of each subpoena.

The significance of the subpoena issuer is that it is not possible to object to a court order, a subpoena signed by a judge, magistrate, or administrative tribunal, or a grand jury subpoena. In such cases, it is necessary to comply with the subpoena for medical records and respond by disclosing the PHI expressly requested by the subpoena – notwithstanding that the content of the subpoena should cover the Privacy Rule provisions listed above (i.e., return or disposal of PHI, etc.).

If a subpoena is signed by a court clerk or attorney, additional assurances may be required by HIPAA. For example, a subpoena requesting substance abuse disorder medical records is invalid unless it is accompanied by a signed court order authorizing the disclosure. Similarly, if patient authorization is required to respond to a subpoena, healthcare providers should use their own authorization form rather than a waiver sent with the subpoena by an attorney.

Objecting to a Subpoena for Medical Records

Healthcare providers can object to a subpoena for medical records when it has been signed by a court clerk or attorney for a variety of reasons. These include (but are not limited to):

  • The subpoena does not allow the healthcare provider sufficient time to collate the information requested.
  • The subpoena requires the disclosure of PHI requiring an authorization and it has not been possible to obtain an authorization from the patient.
  • The subpoena imposes an undue burden on the healthcare provider – typically when the PHI of multiple patients is requested for a class action.
  • The subpoena is unreasonable or oppressive, or it is procedurally defective (i.e., no protective order has been requested to prevent further disclosures).

Usually there is a time period for filing an objection to a subpoena, and this can vary according to where the subpoena is issued. Similarly, there may be other reasons for objecting to a subpoena for medical records depending on state law. Consequently, expert and specialist legal advice is needed for the specific circumstances of each subpoena, and healthcare providers and administrators should always obtain legal advice before responding to a subpoena for medical records.

Can Medical Records be Subpoenaed? FAQs

Can courts subpoena medical records?

Yes, but as mentioned above, it is important to establish whether a court-issued subpoena is signed by a judge or a court clerk on behalf of an attorney as this affects the right to object to a subpoena for medical records.

Can an attorney subpoena medical records?

In most states, an attorney can subpoena medical records. However, in some states medical records obtained by an attorney via a deposition subpoena can only be used during the discovery process and are not admissible as evidence in court (also see the next FAQ).

Can a judge subpoena medical records?

Judges can subpoena medical records at any stage of proceedings. They can also subpoena medical records previously subpoenaed by an attorney if the medical records have been obtained via a deposition subpoena and are not admissible in court.

How far back can medical records be subpoenaed?

This depends on the purpose of the subpoena and the state in which the subpoena was issued. This is because statutes of limitations exist on certain legal proceedings (i.e., you cannot file a personal injury claim after x years), and because state-mandated retention periods differ from state-to-state.

What is a subpoena duces tecum for healthcare records?

A subpoena duces tecum for healthcare records is a court order requiring a healthcare provider to produce the requested medical records at a deposition or court hearing. Usually, the court order allows the healthcare provider to produce the medical records remotely without an in-person appearance being necessary.

The post Can Medical Records be Subpoenaed? appeared first on HIPAA Journal.

Is it Okay to Share ePHI via a Business Password Manager?

One of the capabilities of many business password managers is the ability to send encrypted messages to any recipient. Often this capability is used to securely share login credentials or other confidential data. But is it okay to share ePHI via a business password manager?

Over the past few years, the capabilities of business password managers – particularly vault-based password managers – have grown significantly. For example, whereas SSO integration was once big news, these days we are talking more about password-less logins and it has been estimated that biometric facial recognition hardware will be present in 90% of smartphones by 2024.

With regards to the ability to send encrypted messages, this first started as a means of sending passwords to users in the same business subscription. It evolved into sending notes, files, and other data to users in the same business subscription, and then further evolved to sending encrypted messages of any kind to any recipient regardless of whether they are using a password manager.

Why Share ePHI via a Business Password Manager?

There are many circumstances when healthcare providers or other members of a Covered Entity's workforce need to send or request ePHI to or from a colleague or Business Associate. In many cases, the colleague or Business Associate may not be in the same communications network – raising the issue of how to transmit ePHI securely in compliance with the HIPAA Security Rule.

The most common forms of communication – such as SMS, IM, email, etc. – are not suitable because they lack the necessary features to fulfil the requirements of the Technical Safeguards – for example, access controls, automatic logoff, encryption, audit controls, etc. However, most business password managers do have the necessary features to send and receive ePHI compliantly.

These features enable users to share ePHI via a business password manager securely without risking an impermissible disclosure of ePHI and facilitate “the flow of health information needed to provide and promote high-quality healthcare” – a major goal of the HIPAA Privacy Rule. However, in order to share ePHI via a business password manager in full compliance with HIPAA, the vendor of the password manager must sign a Business Associate Agreement. Not all are willing to do so.

Is a Business Associate Agreement Necessary?

In 2016, the Department of Health & Human Services (HHS) published an FAQ regarding whether or not a Cloud Service Provider is excluded from the definition of a Business Associate if the Cloud Service Provider cannot access ePHI stored in the cloud because it is encrypted and the Cloud Service Provider does not have the decryption key.

The answer was that a Cloud Service Provider is not excluded under the "conduit exception rule". Conduits such as the U.S. Postal Service, FedEx, and DHL are transmission services, and any temporary storage of PHI while it is in the conduit's possession is incidental to the transmission, whereas the storage of ePHI with a Cloud Service Provider is persistent.

HHS stated in the FAQ that “a Cloud Service Provider that maintains ePHI for the purpose of storing it will qualify as a Business Associate […] even if the Cloud Service Provider does not actually view the information”. Substitute password manager vendors for Cloud Service Providers, and it is clear a Business Associate Agreement is necessary to share ePHI via a business password manager.

Which Vendors will Sign a Business Associate Agreement?

Not many, despite claiming to have HIPAA-compliant password managers. 1Password and Keeper – the two most popular password managers in the U.S. – both state they do not qualify as Business Associates because of their zero knowledge architectures (which is incorrect). LastPass and NordPass have such incorrect information about HIPAA on their websites that we strongly suspect they don't understand a Business Associate Agreement is necessary. Most others keep quiet about the issue.

Among those that do publicly state they are willing to sign a Business Associate Agreement, Bitwarden and Zoho Vault are the most well-known. Of the two, Zoho Vault is the most feature-rich; but at nearly 50% more expensive per user than Bitwarden, Zoho Vault could work out to be unnecessarily expensive if you are not going to use all the features you are paying for. Additionally, Bitwarden passed a HIPAA Security Rule Assessment Report conducted by AuditOne in 2020.

In conclusion, it is okay to share ePHI via a business password manager, provided that the password manager has been configured to comply with the Technical Safeguards of the Security Rule and the vendor of the password manager has signed a Business Associate Agreement. If the vendor is unwilling to sign a Business Associate Agreement, it is not possible to share ePHI via a business password manager without violating HIPAA.

The post Is it Okay to Share ePHI via a Business Password Manager? appeared first on HIPAA Journal.