HIPAA Compliance News

OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place

The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) has released a video presentation on its YouTube channel that explains in detail how the 2021 HITECH Act amendment regarding “Recognized Security Practices” applies to HIPAA-regulated entities, and how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place for the 12 months prior to a security breach.

Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), was introduced by the Obama administration to encourage the adoption of health information technology to improve quality, safety, and efficiency; engage patients in their care; increase coordination of care; improve the health status of the population; and ensure the privacy and security of healthcare data.

On January 5, 2021, H.R. 7898 was signed into law, amending Section 13412 of the HITECH Act to require HHS to take the Recognized Security Practices of HIPAA-regulated entities into account in certain HIPAA Security Rule enforcement and audit activities, when a HIPAA-regulated entity can demonstrate that Recognized Security Practices have been in place continuously for the 12 months prior to a security incident.

The HITECH Act update does not create a safe harbor for organizations that have implemented Recognized Security Practices granting them immunity from liability for HIPAA Security Rule violations, and it will not prevent OCR from imposing financial penalties when HIPAA Security Rule violations are discovered. Organizations that can demonstrate they have implemented Recognized Security Practices can mitigate fines under section 1176 of the Social Security Act, mitigate the remedies that would otherwise be agreed in agreements to resolve violations of the HIPAA Security Rule, and reduce the length and extent of audits and investigations. The HITECH Act amendment acts as an incentive for HIPAA-regulated entities to implement Recognized Security Practices and do everything in their power to safeguard patient data. OCR has confirmed that implementing Recognized Security Practices is voluntary.

On April 6, 2022, OCR issued a Request for Information (RFI) seeking input from the public on the HITECH Act amendment, specifically on how HIPAA-regulated entities were implementing Recognized Security Practices, and how they anticipated demonstrating that they are in place and have been for 12 months. The RFI also included a request for comment on the long-awaited implementation of the HITECH Act requirement for OCR to share a proportion of the civil monetary penalties and settlements collected through its HIPAA enforcement activities with individuals who have been harmed due to HIPAA violations.

What Are Recognized Security Practices?

In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity that are explicitly recognized by statute or regulation

HIPAA-regulated entities are free to choose the Recognized Security Practices that are best suited to their organization.

OCR Security Rule Audits and HIPAA Security Rule Investigations of Potential Violations

Heesters confirmed that in the event of an audit or investigation into potential HIPAA Security Rule violations, OCR will send a data request to the regulated entity to inform them they can voluntarily provide evidence that Recognized Security Practices have been in place. This will increase awareness of the HITECH Act amendment and also allow the regulated entity to submit evidence as a mitigating factor. The request will also include guidance on how that evidence can be provided and the types of evidence that a HIPAA-regulated entity can consider submitting.

How to Demonstrate Recognized Security Practices Have Been in Place

Heesters explained how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place and the types of evidence that they can consider submitting. OCR will not limit the evidence that can be provided and the request is not a one-time opportunity to provide evidence. Evidence can be provided to OCR continuously.

The regulated entity must demonstrate that Recognized Security Practices have been fully implemented and have been and continue to be actively and consistently in use. Simply providing documentation that only establishes the initial adoption of Recognized Security Practices is insufficient and OCR will not consider documentation stating the organization plans to implement Recognized Security Practices in the future. Documentation must demonstrate the implementation of Recognized Security Practices throughout the enterprise.

In the response, HIPAA-regulated entities should state which Recognized Security Practices have been implemented. If a HIPAA-regulated entity has chosen “other programs,” OCR will need to be provided with statutory or regulatory citations showing they were developed, recognized, or promulgated by statute or regulation.

OCR suggests the following can be provided as evidence, although the list is not exhaustive:

  • Policies and procedures regarding the implementation and use of RSPs
  • RSP implementation project plans and meeting minutes
  • Diagrams and narrative detail of RSP implementation and use
  • Training materials regarding RSP implementation and use
  • Application screenshots and reports showing RSP implementation and use
  • Vendor contracts and statements of work regarding RSP implementation
  • Dates supporting the implementation and use of RSPs over the previous 12 months (OCR requires these alongside whatever evidence is submitted)

Heesters confirmed that organizations that have implemented Recognized Security Practices, and are able to demonstrate that sufficiently, will not avoid financial penalties, but OCR will consider the Recognized Security Practices as a mitigating factor. These practices only mitigate against HIPAA Security Rule investigations and audits, not other investigations and audits, such as investigations into potential HIPAA Privacy Rule violations. Heesters also confirmed that the lack of Recognized Security Practices will not be considered an aggravating factor and will not result in increased penalties.

The post OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place appeared first on HIPAA Journal.

September 2022 Healthcare Data Breach Report

63 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in September, bringing an end to the downward trend in data breaches seen over the previous three months. September’s total was above the 12-month average of 59 breaches a month, with data breaches being reported at a rate of more than 2 per day. In 2017, data breaches were being reported at a rate of one per day.

[Chart: Healthcare data breaches in the past 12 months - September 2022]

While the number of reported data breaches increased by 28.6% month-over-month, the number of breached records decreased for the third consecutive month, with 2,440,434 records breached across the 63 reported incidents. September’s total was well below the 12-month average of 3,481,033 breached records a month.

[Chart: Breached healthcare records in the past 12 months]

So far in 2022, 31,705,618 patient records have been exposed or impermissibly disclosed.

The Largest Healthcare Data Breaches Reported in September

30 data breaches of 10,000 or more patient records were reported to the HHS’ Office for Civil Rights in September 2022, all but one of which were hacking/IT incidents. The largest was reported by the Wolfe Clinic in Iowa and involved the records of 542,776 of its patients; the breach occurred at its electronic health record provider, Eye Care Leaders, where the attack saw database and system configuration files deleted. In total, the Eye Care Leaders breach affected more than 3.6 million individuals.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Hacking incident at its EHR provider (Eye Care Leaders)
Empress Ambulance Service LLC | NY | Healthcare Provider | 318,558 | Ransomware attack
Cytometry Specialists, Inc. d/b/a CSI Laboratories | GA | Healthcare Provider | 244,850 | Business email compromise (BEC) attack
FMC Services, LLC | TX | Healthcare Provider | 233,948 | Hacked network server
Physician’s Business Office, Inc. | WV | Business Associate | 196,673 | Hacked network server
Providence WA Anesthesia Services PC | NY | Healthcare Provider | 98,643 | Hacked network server at management company
Medical Associates of the Lehigh Valley | PA | Healthcare Provider | 75,628 | Ransomware attack
Dyersburg Family Walk-In Clinic, LLC (Reelfoot Family Walk-In Clinic) | TN | Healthcare Provider | 58,562 | Hacked network server (data theft confirmed)
Palm Springs Anesthesia Services PC | NY | Healthcare Provider | 58,513 | Hacked network server at management company
Reiter Affiliated Companies, LLC | CA | Business Associate | 48,000 | Ransomware attack at a business associate
Reiter Affiliated Health and Welfare Plan | CA | Health Plan | 45,000 | Ransomware attack
Anesthesia Services of San Joaquin PC | NY | Healthcare Provider | 44,015 | Hacked network server at management company
Anesthesia Associates of El Paso PA | NY | Healthcare Provider | 43,168 | Hacked network server at management company
The Physicians’ Spine and Rehabilitation Specialists of Georgia, P.C. | GA | Healthcare Provider | 38,765 | Hacked network server
Country Doctor Community Clinic | WA | Healthcare Provider | 38,751 | Hacked network server
Resource Anesthesiology Associates PC | NY | Healthcare Provider | 37,697 | Hacked network server at management company
Lubbock Heart & Surgical Hospital | TX | Healthcare Provider | 23,379 | Hacked network server
Genesis Health Care, Inc. | SC | Healthcare Provider | 21,226 | Hacked network server
Resource Anesthesiology Associates of IL PC | NY | Healthcare Provider | 18,321 | Hacked network server at management company
Bronx Anesthesia Services PC | NY | Healthcare Provider | 17,802 | Hacked network server at management company
Resource Anesthesiology Associates of CA A Medical Corporation | CA | Healthcare Provider | 16,001 | Hacked network server at management company
Monroe Ear Nose and Throat Associates, PC | MI | Healthcare Provider | 14,500 | Hacked network server hosting EHRs
Magellan Rx Management | MD | Business Associate | 13,663 | Hacked network server
Hazleton Anesthesia Services PC | NY | Healthcare Provider | 13,607 | Hacked network server at management company
Riverside Medical Group | NJ | Healthcare Provider | 12,499 | Hacked legacy server containing EHRs
Anesthesia Associates of Maryland LLC | MD | Healthcare Provider | 12,403 | Hacked network server at management company
Northern California Fertility Medical Center | CA | Healthcare Provider | 12,145 | Ransomware attack
Neurology Center of Nevada | NV | Healthcare Provider | 11,700 | Hacking incident involving EHRs
Dr. Alexander J. Richardson, DPM | OH | Healthcare Provider | 11,300 | Hacking incident involving EHRs
WellMed Medical Management | TX | Healthcare Provider | 10,506 | A physician took records to his new practice

Causes of September 2022 Data Breaches

As is now the norm, the majority of the month’s data breaches were categorized as hacking/IT incidents, which include hacking, ransomware and malware attacks, phishing attacks, and misconfigured databases and cloud resources.

[Chart: Causes of September 2022 healthcare data breaches]

52 breaches – 82% of the month’s total – were hacking/IT incidents, which resulted in the exposure and/or theft of the records of 2,410,654 individuals. The average breach size was 46,359 records and the median breach size was 12,274 records. These incidents accounted for 98.78% of all records breached in September.

Ransomware is commonly used in attacks on hospitals to prevent access to business-critical files and patient records. These attacks typically involve data theft prior to file encryption with the attackers threatening to sell or publish the stolen data if the ransom is not paid. Several threat actors have now dispensed with the file encryption and are just stealing data and demanding payment to prevent its sale or release. That makes the attacks quicker and easier for the attackers and ransoms are still often paid. These extortion-only attacks have been increasing in recent months.

There were 7 unauthorized access/disclosure incidents reported, a category that includes unauthorized access by employees, misdirected emails, and mailing errors. Across the 7 breaches, the records of 24,639 individuals were impermissibly disclosed. The average breach size was 3,520 records and the median breach size was 1,359 records.

There were 4 data breaches reported that involved the loss or theft of electronic devices that contained individually identifiable protected health information. Those devices contained 5,141 records. The average breach size was 1,285 records and the median breach size was 1,207 records. These incidents could have been avoided had data on the devices been encrypted.

The number of email-related data breaches is below the levels normally seen, with just 7 email data breaches reported. However, data from the ransomware remediation firm Coveware suggests email is still the most common way that threat actors gain access to networks in ransomware attacks. One of the largest data breaches reported this month – at CSI Laboratories – saw threat actors gain access to an email account containing the records of almost 245,000 individuals. The account was then used in a business email compromise attack in an attempt to reroute payments from CSI’s healthcare provider customers.

[Chart: Location of PHI in September 2022 healthcare data breaches]

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entity in September with 46 data breaches reported, with 10 breaches reported by business associates and 7 breaches reported by health plans. Healthcare providers and health plans often choose to report breaches at business associates themselves, as was the case in 7 data breaches at business associates in September. The pie chart below reflects this and shows where the data breaches actually occurred.

[Chart: September 2022 healthcare data breaches - entities reporting]

Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states reported data breaches in September. New York was the worst affected state with 15 breaches reported; 13 of those were reported by providers of anesthesia services, although the breach actually occurred at their shared management company.

State | Breaches
New York | 15
California | 8
Tennessee, Washington | 5
Florida, Texas | 4
Georgia | 3
Indiana, Maryland, New Jersey, Pennsylvania | 2
Colorado, Connecticut, Iowa, Michigan, Montana, Nebraska, Nevada, Ohio, Rhode Island, South Carolina, Wisconsin | 1

HIPAA Enforcement Activity in September

The HHS’ Office for Civil Rights agreed to settle HIPAA violations with three healthcare providers in September. All three of the settlements resolved violations of the HIPAA Right of Access, where patients were not provided with timely access to their medical records. All three cases were investigated by OCR after patients filed complaints that they had not been provided with their requested medical records. Great Expressions Dental Center of Georgia was also discovered to have overcharged a patient for providing a copy of her medical records.

Great Expressions Dental Center of Georgia, P.C. settled its case for $80,000, Family Dental Care, P.C. settled its case for $30,000, and B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental, settled its case for $25,000. All three settlements involved a corrective action plan to address the areas of non-compliance.

OCR has now imposed 20 financial penalties on HIPAA-regulated entities to resolve HIPAA violations so far this year – more than any year to date.

When Can PHI be Disclosed?

Most sources of information answering the question “when can PHI be disclosed?” refer to the standards of the HIPAA Privacy Rule that specify the required and permissible uses and disclosures of PHI, and those that require the consent or authorization of the individual (§164.502 – §164.514).

However, it is important to be aware that there are inconsistencies within these standards. Scenarios exist when “permissible” disclosures are actually “required” disclosures, when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule.

It is also important to be aware that the Privacy Rule has limited scope inasmuch as it only applies to Covered Entities and Business Associates (subject to the contents of a Business Associate Agreement). Any healthcare provider that is not a Covered Entity – or any organization not covered by HIPAA – is not required to comply with the Privacy Rule’s standards for when PHI can be disclosed.

When Can PHI be Disclosed According to the Privacy Rule?

The standards of the Privacy Rule distinguish between when PHI has to be disclosed, when PHI can be disclosed, and when PHI must only be disclosed if a written authorization exists from the subject of the PHI or their personal representative. There is also a standard for occasions when an individual should be given an opportunity to agree or object to a disclosure of PHI.

When Does PHI Have to be Disclosed?

According to the Privacy Rule, PHI has to be disclosed when an individual requests access to it or when HHS´ Office for Civil Rights is conducting an audit, an investigation, or a compliance review. Other than in these two scenarios, disclosures of PHI are “permitted” by the Privacy Rule or require a written authorization from the subject of the PHI or their personal representative.

When Can PHI be Disclosed?

There are many scenarios in which PHI can be disclosed but the disclosure is not “required” (according to the Privacy Rule). These include, but are not limited to:

  • Disclosures to the individual or their personal representative other than access requests or requests for an accounting of disclosures.
  • Disclosures for treatment, payment, and healthcare operations (TPOs). This includes disclosures to external healthcare providers for treatment purposes.
  • Disclosures as required by other federal laws or state legislation – for example, to report abuse, neglect, or domestic violence.
  • Disclosures for the twelve public interest and benefit activities listed in §164.512 – subject to compliance with the Minimum Necessary Standard.
  • When PHI is disclosed in a Limited Data Set for the purposes of research or public health subject to a data use agreement being in place.
  • When a Covered Entity or Business Associate receives a subpoena for medical records in connection with a judicial or administrative proceeding.

Which Disclosures Require an Authorization?

Practically all other disclosures of PHI require a written authorization from the subject of the PHI or their personal representative. This includes “protected” disclosures such as the disclosure of psychotherapy notes and substance abuse disorder records, as well as disclosures for marketing and fundraising – which the subject of the PHI has the right to revoke at any time.

The Opportunity to Agree or Object

The exception to the authorization requirement is when an individual has the opportunity to informally agree or object to a disclosure of PHI. Cases in which this option exists are limited to inclusion in a hospital directory and for notifying family and friends of an admission. However, if the individual is unable to agree or object, Covered Entities can make a good-faith judgment instead.

What Inconsistencies Exist within these Standards?

It is important for Covered Entities and Business Associates to be aware that inconsistencies exist in the Privacy Rule standards, to ensure PHI is not inadvertently disclosed – or withheld. It was mentioned above that scenarios exist when “permissible” disclosures are actually “required”, when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule. Here are a few examples:

It would have been impossible for the Department of Health and Human Services to predict state legislation in respect of the mandatory reporting of abuse, neglect, and domestic violence at the time the Privacy Rule was published; but federal laws – such as OSHA – existed and had mandatory reporting requirements. Under these reporting requirements, the disclosure of PHI is required (by OSHA) rather than permissible – an inconsistency that has raised issues in the past.

With regards to limited “permissible” disclosures, these can limit what PHI can be disclosed to less than the minimum necessary. An example of this inconsistency occurs with regard to the identification of a suspect, fugitive, witness, or missing person. In such cases, Covered Entities may not be able to provide law enforcement officers with sufficient PHI to achieve the intended purpose because they are not allowed (amongst other things) to disclose photos of the individual.

Whether PHI can be disclosed for purposes other than those listed in the Privacy Rule depends on what information is being disclosed and whether it is maintained in a designated record set. For example, vehicle license plate numbers are considered PHI if they are maintained in a designated record set along with health information; but if a patient’s car is blocking an emergency exit, is it acceptable to request over a public address system that the car be moved? The Privacy Rule says no.

When Can PHI be Disclosed by Other Organizations?

Not all organizations that collect, receive, maintain, or transmit PHI are subject to the HIPAA Privacy Rules for uses and disclosures. For example, a healthcare provider that accepts payments directly from patients is not a Covered Entity under HIPAA because they do not conduct transactions for which the Department of Health and Human Services has developed standards. Whether or not they can disclose PHI will be subject to state privacy legislation rather than HIPAA.

Also not subject to the Privacy Rule are vendors of personal health devices (although they are subject to the FTC’s Health Breach Notification Rule) and payment processors. Payment processors such as PayPal and Venmo are known to disclose data to advertisers, so it is important that Covered Entities only use services that are not subject to the Privacy Rule when a payment is initiated by the patient. Covered Entities should never request a payment or create an invoice using a service that is not covered by a Business Associate Agreement.

It is also important that Covered Entities conduct due diligence on potential Business Associates before entering into a Business Associate Agreement to ascertain if they use third-party services that are not subject to the Privacy Rule. If the third party was to disclose PHI without the Business Associate first entering into a Business Associate Agreement with the third party – for example, PayPal will not sign a Business Associate Agreement – the Covered Entity could be considered liable for any breach of unsecured PHI. If doubts remain about when can PHI be disclosed, seek professional compliance advice.

Pharma Sales Rep Pleads Guilty to Healthcare Fraud and Criminal HIPAA Violations

A pharmaceutical sales rep has pleaded guilty to conspiring to commit healthcare fraud and wrongfully disclosing and obtaining patients’ protected health information in an elaborate healthcare fraud scheme involving criminal HIPAA violations.

Keith Ritson, 42, of Bayville, New Jersey, is a former pharmaceutical sales representative who promoted compound prescription medications and other drugs between 2014 and 2016. Compound prescription medications are specialty drugs that are mixed by a pharmacist to meet the needs of individual patients and are typically prescribed when standard medications for a specific medical condition cannot be taken by a patient, due to an allergy for instance. Compound prescription medications are not FDA approved but can be legally prescribed by a physician who determines that standard medications are not appropriate for a particular patient.

Ritson discovered that certain health insurance plans with pharmacy benefit management services covered compound prescription medications from a Louisiana pharmacy – Central Rexall Drugs, Inc. The pharmacy benefits administrator paid prescription drug claims and the state of New Jersey and other insurance plans were billed for the amounts paid. Ritson and his conspirators discovered certain insurance companies would reimburse thousands of dollars a month for some compound prescription medications, and Ritson would receive a percentage of the money paid to the pharmacy by the pharmacy benefits administrator for any prescription medications he arranged.

Individuals who had insurance plans that covered the compound medications would be recruited to receive the medications, even if they were not medically necessary, and Ritson himself also received the medications. Ritson identified the patients through the medical practice of Dr. Frank Alario. Alario pleaded guilty to his role in the healthcare fraud scheme earlier this month.

Ritson was not associated with Alario’s medical practice and was therefore not permitted to access or obtain the protected health information of Alario’s patients, but Alario provided Ritson with access to his offices and patient information to check which patients had insurance plans that would cover the medications. Ritson would then earmark patients so Alario would then know which patients to prescribe the medications to. In some instances, Ritson was present in patient examination rooms with Alario, and patients were given the impression that he was either employed by the medical practice or was affiliated with it.

Ritson used patient information to fill out prescription forms and Alario would then authorize the prescriptions. Ritson would then be paid a commission on those prescriptions.  Ritson pleaded guilty to one count of conspiracy to commit health care fraud and one count of conspiring to wrongfully disclose and obtain patients’ PHI on October 19, 2022. He is due to be sentenced on Feb. 7, 2023, and faces up to 10 years in jail, a $250,000 fine for the healthcare fraud count, and a maximum of one year in jail for the criminal HIPAA violation and a $50,000 fine. Alario faces up to one year in jail and a $50,000 fine for his role in the scheme.

Three former executives of Central Rexall Drugs were charged for their role in the scheme in a 24-count indictment including healthcare and wire fraud. They are Christopher Kyle Johnston, 43, of Mandeville, Louisiana; Trent Brockmeier, 60, of Pigeon Forge, Tennessee; and Christopher Casseri, 54, of Baton Rouge, Louisiana. Hayley Taff, 39, of Hammond, Louisiana, worked at the pharmacy and pleaded guilty to conspiracy to commit healthcare fraud and is due to be sentenced on March 13, 2023.

COVID-19 Public Health Emergency and HIPAA Telehealth Flexibilities Due to be Extended

The Secretary of the Department of Health and Human Services, Xavier Becerra, is expected to extend the COVID-19 Public Health Emergency (PHE) today (October 13, 2022) for the 11th time. The COVID-19 PHE was first declared in January 2020 by then HHS Secretary, Alex Azar II, with the last extension issued by Becerra on July 15, 2022. That makes today the final day of the PHE should no further extension be declared. The extension, if confirmed, will last for a further 90 days, making the next deadline January 11, 2023.

Several flexibilities were introduced in response to the COVID-19 PHE, including changes to Medicare to expand coverage of telehealth services during the pandemic. Coverage was extended to include Medicare beneficiaries in any geographic region, not just beneficiaries in rural areas. Beneficiaries were permitted to remain in their homes for telehealth visits, the visits could be delivered via smartphones, and Medicare expanded the list of services that could be provided virtually.

The Department of Health and Human Services’ Office for Civil Rights also issued a Notice of Enforcement Discretion with respect to the good faith provision of telehealth services. “OCR will exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” explained OCR in its COVID-19 telehealth guidance.

Under OCR’s Notice of Enforcement Discretion, healthcare providers are permitted to use “any non-public facing remote communication product that is available to communicate with patients,” even if the technology would not normally be permitted under HIPAA, for example because the vendor will not enter into a business associate agreement with the healthcare provider.

“The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first,” explained OCR. “OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.”

The HHS has previously committed to providing 60 days’ notice to states before the expiration of the COVID-19 PHE or the termination of the HIPAA telehealth flexibilities to give them time to prepare. The HHS is also due to notify healthcare groups in advance to allow them to prepare their members. The absence of any such notifications makes it almost certain that a further extension will be announced. Should the decision be made not to extend the COVID-19 PHE past January 2023, the 60-day notice would need to be issued by mid-November.

It is important for healthcare providers to be aware that while the COVID-19 public health emergency has been repeatedly extended, these extensions will not continue indefinitely. When the COVID-19 PHE is declared over, the HIPAA telehealth flexibilities will come to an end. It is therefore recommended that healthcare organizations prepare for the end of the COVID-19 PHE and start evaluating HIPAA-compliant telehealth solutions – Solutions that have the necessary safeguards to comply with the HIPAA Security Rule and are provided by vendors willing to enter into a business associate agreement. Healthcare providers should consider transitioning to those solutions ahead of the HHS announcement of the end of the COVID-19 PHE, or ensure that they develop a plan that can be implemented immediately when notice is provided that the PHE will end.

Doctor Who Provided PHI to Pharma Sales Rep Pleads Guilty to Criminal Violations of HIPAA

A former physician with practices in New Jersey, New York, and Florida has pleaded guilty to criminal violations of HIPAA for disclosing patients’ protected health information to a sales representative of a pharmaceutical firm, according to the U.S. Attorney’s Office of the District of New Jersey.

Frank Alario, 65, of Delray Beach, Florida, pleaded guilty to disclosing patient information to sales rep Keith Ritson, who promoted compound prescription medications and other medications to the patients. Compound prescription medications are medications mixed specifically for individual patients when standard FDA-approved medications are determined not to be appropriate, due to an allergy for example. Compound prescription medications are not approved by the FDA but can be legally prescribed by physicians.

The HIPAA Privacy Rule permits disclosures of patients’ protected health information for the purposes of treatment, payment, or healthcare operations; however, other disclosures are only permitted if consent to share information is provided by each patient. Ritson was an outside pharmaceutical representative who was not associated with Alario’s practices, and as such Ritson was not permitted to access the protected health information of Alario’s patients. Permission to disclose the information was not provided by patients.

Alario allowed Ritson to have significant access to his office, patients’ medical files, and other patient information, both inside and outside normal business hours. Ritson was given access to areas of Alario’s office that were restricted to staff members, such as areas with patient files and computers. In addition to allowing access to these areas, Ritson was allowed to look up patient information in files and on computers to identify patients who had insurance coverage that would pay for the compound medications. Ritson would then mark the files of patients whose insurance would pay for the medications so Alario would know which patients to prescribe the medications to.

In some cases, Ritson was allowed to be present during appointments. Alario gave patients the impression that Ritson was a member of staff or was affiliated with the medical practice, and during those appointments sensitive health information would be disclosed directly to Ritson. The information obtained was then used to fill out prescription forms for medications, which would then be authorized by Alario, with Ritson receiving a commission on the prescriptions.

Alario and Ritson were both charged in an indictment for conspiring to violate HIPAA. Ritson’s charges are still pending, with his trial scheduled for November 7, 2022. Alario pleaded guilty and sentencing is scheduled for February 7, 2023. Alario faces a maximum of one year in jail and a $50,000 fine.


NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers

The Health Sector Coordinating Council (HSCC) has urged the National Institute of Standards and Technology (NIST) to provide tailored guidance for smaller and lesser-resourced healthcare organizations on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and has made several other recommendations to improve the utility of NIST's new HIPAA Security Rule implementation guidance.

Background

Recently, NIST issued a draft update (SP 800-66r2) to its 2008 publication: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and sought feedback from industry stakeholders ahead of the publication of the final version of the guidance.

SP 800-66r2 provides guidance for HIPAA-regulated entities on assessing and managing risks to ePHI, suggests activities that should be considered as part of an information security program, and provides several useful resources that HIPAA-regulated entities can use to help them implement the requirements of the HIPAA Security Rule.

HSCC is a private sector-led critical infrastructure advisory council of large, medium, and small health industry stakeholders that works with government partners to identify and mitigate threats and vulnerabilities that have the potential to affect the ability of the sector to deliver healthcare services. HSCC has a Cybersecurity Working Group that represents 350 healthcare organizations that collaborate toward improving the cybersecurity and resiliency of the healthcare industry and patient safety.

HSCC Recommendations for Improving NIST HIPAA Security Rule Guidance

Improve the Structure to Better Meet the Needs of Smaller Healthcare Organizations

HSCC has made several recommendations for NIST to consider prior to releasing the final version of its guidance. One of the main issues is that NIST has created a document that can be used by healthcare organizations of all sizes; however, HSCC suggests this one-size-fits-all approach has resulted in the guidance not being well adapted for smaller healthcare organizations, which are the ones that would benefit most from additional guidance on HIPAA Security Rule compliance.

The problem with the one-size-fits-all approach is that the guidance document, which runs to 139 pages, provides detailed information, but much of that information is not relevant to smaller HIPAA-regulated entities. Resources have been shared to help HIPAA-regulated entities achieve compliance with the HIPAA Security Rule, but HSCC says there are insufficient resources provided specifically for smaller healthcare organizations and suggests the listed resources could be better organized to improve the utility of the publication.

Stress the Importance of Adopting Recognized Security Practices

HSCC draws attention to its publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which was developed under the 405(d) Program and Task Group to help organizations of all sizes manage cyber threats. HICP has been developed to be scalable and has the flexibility to be easily used by smaller healthcare organizations, without prescribing a single pathway for improving cyber posture. HSCC recommends that this tool and other similar resources be referenced in NIST's Security Rule guidance.

Now that H.R. 7898 (Public Law 116-321) has been signed into law, content should be included in the Security Rule guidance on how the adoption of recognized security practices benefits healthcare organizations in the form of shorter compliance audits and fewer fines, together with information on how to implement the security best practices promulgated under section 405(d) of the Cybersecurity Act of 2015 by adopting the NIST Cybersecurity Framework (NIST CSF) and following the recommendations outlined in publications such as the HICP.

HSCC also recommends that NIST stress the importance of following cybersecurity best practices, explaining that adopting those practices will help HIPAA-regulated entities with HIPAA Security Rule compliance and compliance with other Federal mandates, and how following these best practices can help to ensure business continuity and patient safety. HSCC has recommended NIST publish separate guidance for small- and mid-sized healthcare organizations with more tailored resources that stress the importance of practicing good cyber hygiene.

HSCC also draws attention to the use of the terms ‘risk assessment’ and ‘risk analysis’ in the document, which are often used as synonyms even though NIST has separate definitions for each. To avoid confusion, HSCC recommends NIST use these terms consistently and clarify when a risk analysis or a risk assessment is required.

Help Small Healthcare Providers Prepare for the End of the COVID-19 PHE

HSCC has also drawn attention to the flexibilities introduced in response to the COVID-19 Public Health Emergency (PHE), specifically, the notice of enforcement discretion issued by OCR stating sanctions and penalties will not be imposed for the good faith use of communications technologies for providing telehealth services during the PHE, which would normally not be considered HIPAA-compliant. The guidance should make it clear that as the PHE winds down, healthcare providers should migrate to more secure methods of communication to better protect patient privacy and reduce cyber incidents.


Is Google Meet HIPAA Compliant?

Google Meet is an advanced VoIP and videoconferencing service that can be used by healthcare providers to provide telehealth services, remote consultations, and virtual patient visits. But is Google Meet HIPAA compliant?

Google Meet is rapidly becoming the go-to videoconferencing service for organizations in all industries due to its integrations with other productivity tools in the Google Workspace Suite. However, if the service is used by healthcare providers to communicate Protected Health Information, certain measures must be put in place to make Google Meet HIPAA compliant.

First of all, before Google Meet is used to collect, share, or transmit Protected Health Information, a healthcare provider must subscribe to a Business Google Workspace or Cloud Identity account and sign Google’s Business Associate Addendum. The Addendum provides information about which of Google’s services can be used in compliance with HIPAA and what the customers’ obligations are.

The BAA Alone Does Not Make Google Meet HIPAA Compliant

However, signing the Business Associate Addendum does not – by itself – make Google Meet HIPAA compliant. System administrators have to configure the service to support compliance – for example, by making Meet the default videoconferencing service in the organization to prevent workstations prompting calls via Hangouts, which is not HIPAA compliant when used in video mode.

It may also be necessary to make all Google Meet invites private in order to mask any PHI mentioned in the invites (i.e., patients’ names) and to control access to recordings of Meet videos, which are saved to Google Drive by default. It will certainly be necessary to develop policies on how to use Google Meet in compliance with HIPAA and train members of the workforce on the policies.
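One way to check the recording-access point above is to audit the sharing permissions on Meet recordings stored in Drive. This is an added example, not code from HIPAA Journal or Google; it assumes file records shaped like Google Drive API v3 `files.list` results with the `permissions` field populated, and the organization domain and sample records below are constructed placeholders.

```python
"""Audit Google Meet recordings in Google Drive for over-broad sharing.
Added example (not HIPAA Journal's or Google's code). Assumes records shaped
like Drive API v3 files.list results with `permissions` populated; the sample
records are constructed."""
from dataclasses import dataclass
from typing import Optional

ORG_DOMAIN = "example-clinic.test"  # placeholder domain the covered entity controls

@dataclass
class Finding:
    file_id: str
    name: str
    reason: str

def _permission_issue(perm: dict) -> Optional[str]:
    """Return why one Drive permission is too broad, or None if it is fine."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return "shared with anyone who has the link"
    if ptype == "domain" and perm.get("domain") != ORG_DOMAIN:
        return f"shared with external domain {perm.get('domain')}"
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "")
        if not email.endswith("@" + ORG_DOMAIN):
            return f"shared with external account {email}"
    return None

def audit_meet_recordings(files: list) -> list:
    """Flag Meet recordings whose permissions reach outside the organization."""
    findings = []
    for f in files:
        # Meet saves recordings to Drive as MP4 video; other files are out of scope.
        if f.get("mimeType") != "video/mp4":
            continue
        for perm in f.get("permissions", []):
            reason = _permission_issue(perm)
            if reason:
                findings.append(Finding(f["id"], f["name"], reason))
    return findings

# Constructed sample records mimicking Drive API v3 file resources.
SAMPLE_FILES = [
    {"id": "rec-1", "name": "Telehealth visit", "mimeType": "video/mp4",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr.a@example-clinic.test"}]},
    {"id": "rec-2", "name": "Follow-up consult", "mimeType": "video/mp4",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr.b@example-clinic.test"},
                     {"type": "anyone", "role": "reader"}]},
    {"id": "rec-3", "name": "Case review", "mimeType": "video/mp4",
     "permissions": [{"type": "user", "role": "reader", "emailAddress": "rep@vendor.test"}]},
    {"id": "doc-1", "name": "Clinic policy", "mimeType": "application/pdf",
     "permissions": [{"type": "anyone", "role": "reader"}]},
]
```

Running `audit_meet_recordings(SAMPLE_FILES)` flags rec-2 (link sharing) and rec-3 (external account) while ignoring the non-recording PDF; in a real deployment the records would come from the Drive API rather than the constructed list.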

To help healthcare providers and their Business Associates use Google Meet in compliance with HIPAA, Google recently updated its Workspace and Cloud Identity Implementation Guide. The Guide provides advice not only on how to make Google Meet HIPAA compliant, but also on all the other Workspace and Cloud Identity services covered by the Business Associate Addendum.

Why HIPAA Compliance Matters in Telehealth

It has been claimed that healthcare professionals often mistakenly believe that communicating ePHI via any communication channel is in compliance with HIPAA when the communication is directly between a healthcare professional and a patient. This is not true, and there are many examples of unencrypted communications being intercepted or accessed impermissibly.

Consequently, it is important that Covered Entities and Business Associates implement a secure and HIPAA-compliant solution such as Google Meet when providing telehealth services. However, it is equally important that the solution is configured to comply with the Technical Safeguards of the Security Rule, that only authorized users have access to the solution, and that a system for monitoring Google Meet communications is implemented to prevent accidental or malicious breaches of ePHI.


3 Dental Practices Fined for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) has agreed to settle three HIPAA investigations of potential HIPAA Right of Access violations by dental practices. All three of the investigations were initiated after complaints from patients about the failure of their dental practices to provide them with timely access to their medical records, with one of the cases also involving an allegation of overcharging for a copy of medical records.

A patient of the Georgia-based dental and orthodontics provider, Great Expressions Dental Center of Georgia, P.C. (GEDC-GA), filed a complaint with OCR in November 2020 after being told that she could not be provided with a copy of her medical records unless she paid a $170 copying fee. The HIPAA Right of Access does permit healthcare organizations to charge patients for providing a copy of their medical records, but the costs must be reasonable and cost-based.

OCR’s investigation confirmed that the patient was not provided with a copy of her records until February 2021, 15 months after the initial request. OCR also determined that GEDC-GA’s practice of assessing copying fees resulted in the patient being charged a fee that was not reasonable and cost-based. GEDC-GA chose to settle the case and paid an $80,000 penalty and implemented a robust corrective action plan to address noncompliance with the HIPAA Right of Access.

An investigation was launched into the Chicago, IL-based dental practice, Family Dental Care, P.C. following an August 8, 2020, complaint from a former patient who alleged she had not been provided with a complete set of her medical records. The former patient submitted a request for her complete records in May 2020, but only portions of those records were provided. The patient was not provided with her full records until October 2020, more than 5 months after the initial request was submitted. OCR determined there had been a failure to provide timely access to the requested medical records, which violated the HIPAA Right of Access. Family Dental Care chose to settle the case and paid a $30,000 financial penalty and implemented a corrective action plan to address the non-compliance.

On October 26, 2020, OCR received a complaint from a patient of B. Steven L. Hardy, D.D.S., LTD (doing business as Paradise Family Dental in Las Vegas, NV). The patient alleged to have requested a copy of her and her minor child’s medical records on multiple occasions, but the records had not been provided. The requests were made between April 11, 2020, and December 4, 2020, but the records were not provided until December 31, 2020, 8 months after the initial request was submitted. OCR determined the delay in providing the records violated the HIPAA Right of Access. Paradise chose to settle the case and paid a $25,000 financial penalty and implemented a corrective action plan to address the non-compliance.

“These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”
