HIPAA Compliance News

September 2022 Healthcare Data Breach Report

63 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in September, bringing an end to the downward trend in data breaches seen over the previous three months. September’s total was above the 12-month average of 59 breaches a month, with data breaches being reported at a rate of more than 2 per day. In 2017, data breaches were being reported at a rate of one per day.

healthcare data breaches in the past 12 months - September 2022

While the number of reported data breaches increased by 28.6% month-over-month, for the third consecutive month the number of breached records decreased, with 2,440,434 records breached across the 63 reported incidents. September’s total was well below the 12-month average of 3,481,033 breached records a month.

Breached healthcare records in the past 12 months

So far in 2022, 31,705,618 patient records have been exposed or impermissibly disclosed.

The Largest Healthcare Data Breaches Reported in September

30 data breaches of 10,000 or more patient records were reported to the HHS’ Office for Civil Rights in September 2022, all but one of which were hacking/IT incidents. The largest, reported by the Wolfe Clinic in Iowa, involved the records of more than 542,000 of its patients and occurred at the clinic’s electronic health record provider, Eye Care Leaders. The attack saw database and system configuration files deleted. Across all affected Eye Care Leaders clients, more than 3.6 million individuals have been affected by that breach.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
--- | --- | --- | --- | ---
Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Hacking incident at its EHR provider (Eye Care Leaders)
Empress Ambulance Service LLC | NY | Healthcare Provider | 318,558 | Ransomware attack
Cytometry Specialists, Inc. d/b/a CSI Laboratories | GA | Healthcare Provider | 244,850 | Business email compromise (BEC) attack
FMC Services, LLC | TX | Healthcare Provider | 233,948 | Hacked network server
Physician’s Business Office, Inc. | WV | Business Associate | 196,673 | Hacked network server
Providence WA Anesthesia Services PC | NY | Healthcare Provider | 98,643 | Hacked network server at management company
Medical Associates of the Lehigh Valley | PA | Healthcare Provider | 75,628 | Ransomware attack
Dyersburg Family Walk-In Clinic, LLC (Reelfoot Family Walk-In Clinic) | TN | Healthcare Provider | 58,562 | Hacked network server (data theft confirmed)
Palm Springs Anesthesia Services PC | NY | Healthcare Provider | 58,513 | Hacked network server at management company
Reiter Affiliated Companies, LLC | CA | Business Associate | 48,000 | Ransomware attack at a business associate
Reiter Affiliated Health and Welfare Plan | CA | Health Plan | 45,000 | Ransomware attack
Anesthesia Services of San Joaquin PC | NY | Healthcare Provider | 44,015 | Hacked network server at management company
Anesthesia Associates of El Paso PA | NY | Healthcare Provider | 43,168 | Hacked network server at management company
The Physicians’ Spine and Rehabilitation Specialists of Georgia, P.C. | GA | Healthcare Provider | 38,765 | Hacked network server
Country Doctor Community Clinic | WA | Healthcare Provider | 38,751 | Hacked network server
Resource Anesthesiology Associates PC | NY | Healthcare Provider | 37,697 | Hacked network server at management company
Lubbock Heart & Surgical Hospital | TX | Healthcare Provider | 23,379 | Hacked network server
Genesis Health Care, Inc. | SC | Healthcare Provider | 21,226 | Hacked network server
Resource Anesthesiology Associates of IL PC | NY | Healthcare Provider | 18,321 | Hacked network server at management company
Bronx Anesthesia Services PC | NY | Healthcare Provider | 17,802 | Hacked network server at management company
Resource Anesthesiology Associates of CA A Medical Corporation | CA | Healthcare Provider | 16,001 | Hacked network server at management company
Monroe Ear Nose and Throat Associates, PC | MI | Healthcare Provider | 14,500 | Hacked network server hosting EHRs
Magellan Rx Management | MD | Business Associate | 13,663 | Hacked network server
Hazleton Anesthesia Services PC | NY | Healthcare Provider | 13,607 | Hacked network server at management company
Riverside Medical Group | NJ | Healthcare Provider | 12,499 | Hacked legacy server containing EHRs
Anesthesia Associates of Maryland LLC | MD | Healthcare Provider | 12,403 | Hacked network server at management company
Northern California Fertility Medical Center | CA | Healthcare Provider | 12,145 | Ransomware attack
Neurology Center of Nevada | NV | Healthcare Provider | 11,700 | Hacking incident involving EHRs
Dr. Alexander J. Richardson, DPM | OH | Healthcare Provider | 11,300 | Hacking incident involving EHRs
WellMed Medical Management | TX | Healthcare Provider | 10,506 | A physician took records to his new practice

Causes of September 2022 Data Breaches

As is now the norm, the majority of the month’s data breaches were categorized as hacking/IT incidents, which include hacking, ransomware and malware attacks, phishing attacks, and misconfigured databases and cloud resources.

Causes of September 2022 healthcare data breaches

52 breaches – 82% of the month’s total – were hacking/IT incidents, which resulted in the exposure and/or theft of the records of 2,410,654 individuals. The average breach size was 46,359 records and the median breach size was 12,274 records. These incidents accounted for 98.78% of all records breached in September.

Ransomware is commonly used in attacks on hospitals to prevent access to business-critical files and patient records. These attacks typically involve data theft prior to file encryption with the attackers threatening to sell or publish the stolen data if the ransom is not paid. Several threat actors have now dispensed with the file encryption and are just stealing data and demanding payment to prevent its sale or release. That makes the attacks quicker and easier for the attackers and ransoms are still often paid. These extortion-only attacks have been increasing in recent months.

There were 7 unauthorized access/disclosure incidents reported, a category that includes unauthorized access by employees, misdirected emails, and mailing errors. Across the 7 breaches, the records of 24,639 individuals were impermissibly disclosed. The average breach size was 3,520 records and the median breach size was 1,359 records.

There were 4 data breaches reported that involved the loss or theft of electronic devices containing individually identifiable protected health information. Those devices held 5,141 records. The average breach size was 1,285 records and the median breach size was 1,207 records. Had the data on the devices been encrypted, none of these incidents would have been reportable breaches, since encrypted PHI is not “unsecured” PHI under the Breach Notification Rule.

The number of email-related data breaches is below the levels normally seen, with just 7 email data breaches reported. However, data from the ransomware remediation firm Coveware suggests email is still the most common way that threat actors gain initial access to networks in ransomware attacks. One of the largest data breaches reported this month – at CSI Laboratories – saw threat actors gain access to an email account containing the records of almost 245,000 individuals. The compromised account was then used in a business email compromise attack in an attempt to reroute payments from CSI’s healthcare provider customers.

Location of PHI in September 2022 healthcare data breaches

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entity type in September with 46 data breaches reported, with 10 breaches reported by business associates and 7 breaches reported by health plans. Healthcare providers and health plans often choose to report breaches at their business associates themselves, as was the case for 7 data breaches at business associates in September. The pie chart below reflects this and shows where the data breaches actually occurred.

September 2022 healthcare data breaches - entities reporting

Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states reported data breaches in September. New York was the worst affected state with 15 breaches reported; 13 of those were reported by providers of anesthesia services, although the breach actually occurred at their shared management company.

State Breaches
New York 15
California 8
Tennessee & Washington 5
Florida & Texas 4
Georgia 3
Indiana, Maryland, New Jersey, & Pennsylvania 2
Colorado, Connecticut, Iowa, Michigan, Montana, Nebraska, Nevada, Ohio, Rhode Island, South Carolina, & Wisconsin 1

HIPAA Enforcement Activity in September

The HHS’ Office for Civil Rights agreed to settle HIPAA violations with three healthcare providers in September. All three of the settlements resolved violations of the HIPAA Right of Access, where patients were not provided with timely access to their medical records. All three cases were investigated by OCR after patients filed complaints that they had not been provided with their requested medical records. Great Expressions Dental Center of Georgia was also discovered to have overcharged a patient for providing a copy of her medical records.

Great Expressions Dental Center of Georgia, P.C. settled its case for $80,000, Family Dental Care, P.C. settled its case for $30,000, and B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental, settled its case for $25,000. All three settlements included a corrective action plan to address the areas of non-compliance.

OCR has now imposed 20 financial penalties on HIPAA-regulated entities to resolve HIPAA violations so far this year – more than any year to date.

The post September 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

When Can PHI be Disclosed?

Most sources of information answering the question of when PHI can be disclosed refer to the standards of the HIPAA Privacy Rule that specify the required and permissible uses and disclosures of PHI, and those that require the consent or authorization of the individual (§164.502 – §164.514).

However, it is important to be aware that there are inconsistencies within these standards. Scenarios exist when “permissible” disclosures are actually “required” disclosures, when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule.

It is also important to be aware that the Privacy Rule has limited scope inasmuch as it only applies to Covered Entities and Business Associates (the latter subject to the contents of a Business Associate Agreement). Any healthcare provider that is not a Covered Entity – or any organization not covered by HIPAA – is not required to comply with the Privacy Rule standards for when PHI can be disclosed.

When Can PHI be Disclosed According to the Privacy Rule?

The standards of the Privacy Rule distinguish between when PHI has to be disclosed, when PHI can be disclosed, and when PHI must only be disclosed if a written authorization exists from the subject of the PHI or their personal representative. There is also a standard for occasions when an individual should be given an opportunity to agree or object to a disclosure of PHI.

When Does PHI Have to be Disclosed?

According to the Privacy Rule, PHI has to be disclosed when an individual requests access to it or when HHS´ Office for Civil Rights is conducting an audit, an investigation, or a compliance review. Other than in these two scenarios, disclosures of PHI are “permitted” by the Privacy Rule or require a written authorization from the subject of the PHI or their personal representative.

When Can PHI be Disclosed?

There are many scenarios in which PHI can be disclosed but the disclosure is not “required” (according to the Privacy Rule). These include, but are not limited to:

  • Disclosures to the individual or their personal representative other than access requests or requests for an accounting of disclosures.
  • Disclosures for treatment, payment, and healthcare operations (TPOs). This includes disclosures to external healthcare providers for treatment purposes.
  • Disclosures as required by other federal laws or state legislation – for example, to report abuse, neglect, or domestic violence.
  • Disclosures for the twelve public interest and benefit activities listed in 164.512 – subject to compliance with the Minimum Necessary Standard.
  • When PHI is disclosed in a Limited Data Set for the purposes of research or public health subject to a data use agreement being in place.
  • When a Covered Entity or Business Associate receives a subpoena for medical records in connection with a judicial or administrative proceeding.

Which Disclosures Require an Authorization?

Practically all other disclosures of PHI require a written authorization from the subject of the PHI or their personal representative. This includes “protected” disclosures such as the disclosure of psychotherapy notes and substance use disorder records, as well as disclosures for marketing and fundraising – authorizations which the subject of the PHI has the right to revoke at any time.

The Opportunity to Agree or Object

The exception to the authorization requirement is when an individual has the opportunity to informally agree or object to a disclosure of PHI. Cases in which this option exists are limited to inclusion in a hospital directory and for notifying family and friends of an admission. However, if the individual is unable to agree or object, Covered Entities can make a good-faith judgment instead.

What Inconsistencies Exist within these Standards?

It is important for Covered Entities and Business Associates to be aware that inconsistencies exist in the Privacy Rule standards, to ensure PHI is not inadvertently disclosed – or withheld. It was mentioned above that scenarios exist when “permissible” disclosures are actually “required”, when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule. Here are a few examples:

It would have been impossible for the Department of Health and Human Services to predict state legislation in respect of the mandatory reporting of abuse, neglect, and domestic violence at the time the Privacy Rule was published; but federal laws – such as OSHA – existed and had mandatory reporting requirements. Under these reporting requirements, the disclosure of PHI is required (by OSHA) rather than permissible – an inconsistency that has raised issues in the past.

With regards to limited “permissible” disclosures, these can limit what PHI can be disclosed to less than the minimum necessary. An example of this inconsistency occurs with regard to the identification of a suspect, fugitive, witness, or missing person. In such cases, Covered Entities may not be able to provide law enforcement officers with sufficient PHI to achieve the intended purpose because they are not allowed (amongst other things) to disclose photos of the individual.

The issue of when can PHI be disclosed for purposes other than those listed in the Privacy Rule depends on what information is being disclosed and whether it is maintained in a designated record set. For example, car license numbers are considered PHI if they are maintained in a designated record set along with health information; but, if a patient´s car is blocking an emergency exit, is it acceptable to request the car is moved over a Public Address system? The Privacy Rule says no!

When Can PHI be Disclosed by Other Organizations?

Not all organizations that collect, receive, maintain, or transmit PHI are subject to the HIPAA Privacy Rule standards for uses and disclosures. For example, a healthcare provider that only accepts payments directly from patients is not a Covered Entity under HIPAA because it does not conduct electronic transactions for which the Department of Health and Human Services has adopted standards. Whether or not such a provider can disclose PHI will be governed by state privacy legislation rather than HIPAA.

Also not subject to the Privacy Rule are vendors of personal health devices (although they are subject to the FTC’s Health Breach Notification Rule) and payment processors. Payment processors such as PayPal and Venmo are known to disclose data to advertisers, so it is important that Covered Entities only allow such services – which are not subject to the Privacy Rule – to be used when a payment is initiated by the patient. Covered Entities should never request a payment nor create an invoice using an unsecured service.

It is also important that Covered Entities conduct due diligence on potential Business Associates before entering into a Business Associate Agreement to ascertain if they use third-party services that are not subject to the Privacy Rule. If the third party was to disclose PHI without the Business Associate first entering into a Business Associate Agreement with the third party – for example, PayPal will not sign a Business Associate Agreement – the Covered Entity could be considered liable for any breach of unsecured PHI. If doubts remain about when can PHI be disclosed, seek professional compliance advice.

The post When Can PHI be Disclosed? appeared first on HIPAA Journal.

Pharma Sales Rep Pleads Guilty to Healthcare Fraud and Criminal HIPAA Violations

A pharmaceutical sales rep has pleaded guilty to conspiring to commit healthcare fraud and wrongfully disclosing and obtaining patients’ protected health information in an elaborate healthcare fraud scheme involving criminal HIPAA violations.

Keith Ritson, 42, of Bayville, New Jersey, is a former pharmaceutical sales representative who promoted compound prescription medications and other drugs between 2014 and 2016. Compound prescription medications are specialty drugs that are mixed by a pharmacist to meet the needs of individual patients and are typically prescribed when standard medications for a specific medical condition cannot be taken by a patient, due to an allergy for instance. Compound prescription medications are not FDA approved but can be legally prescribed by a physician who determines that standard medications are not appropriate for a particular patient.

Ritson discovered that certain health insurance plans with pharmacy benefit management services covered compound prescription medications from a Louisiana pharmacy – Central Rexall Drugs, Inc. The pharmacy benefits administrator paid prescription drug claims and the state of New Jersey and other insurance plans were billed for the amounts paid. Ritson and his conspirators discovered certain insurance companies would reimburse thousands of dollars a month for some compound prescription medications, and Ritson would receive a percentage of the money paid to the pharmacy by the pharmacy benefits administrator for any prescription medications he arranged.

Individuals who had insurance plans that covered the compound medications would be recruited to receive the medications, even if they were not medically necessary, and Ritson himself also received the medications. Ritson identified the patients through the medical practice of Dr. Frank Alario. Alario pleaded guilty to his role in the healthcare fraud scheme earlier this month.

Ritson was not associated with Alario’s medical practice and was therefore not permitted to access or obtain the protected health information of Alario’s patients, but Alario provided Ritson with access to his offices and patient information to check which patients had insurance plans that would cover the medications. Ritson would then earmark patients so Alario would then know which patients to prescribe the medications to. In some instances, Ritson was present in patient examination rooms with Alario, and patients were given the impression that he was either employed by the medical practice or was affiliated with it.

Ritson used patient information to fill out prescription forms and Alario would then authorize the prescriptions. Ritson would then be paid a commission on those prescriptions. Ritson pleaded guilty to one count of conspiracy to commit health care fraud and one count of conspiring to wrongfully disclose and obtain patients’ PHI on October 19, 2022. He is due to be sentenced on Feb. 7, 2023, and faces up to 10 years in jail and a $250,000 fine for the healthcare fraud count, and a maximum of one year in jail and a $50,000 fine for the criminal HIPAA violation. Alario faces up to one year in jail and a $50,000 fine for his role in the scheme.

Three former executives of Central Rexall Drugs were charged for their role in the scheme in a 24-count indictment including healthcare and wire fraud. They are Christopher Kyle Johnston, 43, of Mandeville, Louisiana; Trent Brockmeier, 60, of Pigeon Forge, Tennessee; and Christopher Casseri, 54, of Baton Rouge, Louisiana. Hayley Taff, 39, of Hammond, Louisiana, worked at the pharmacy and pleaded guilty to conspiracy to commit healthcare fraud and is due to be sentenced on March 13, 2023.

The post Pharma Sales Rep Pleads Guilty to Healthcare Fraud and Criminal HIPAA Violations appeared first on HIPAA Journal.

COVID-19 Public Health Emergency and HIPAA Telehealth Flexibilities Due to be Extended

The Secretary of the Department of Health and Human Services, Xavier Becerra, is expected to extend the COVID-19 Public Health Emergency (PHE) today (October 13, 2022) for the 11th time. The COVID-19 PHE was first declared in January 2020 by then HHS Secretary, Alex Azar II, with the last extension issued by Becerra on July 15, 2022. That makes today the final day of the PHE should no further extension be declared. The extension, if confirmed, will last for a further 90 days, making the next deadline January 11, 2023.

Several flexibilities were introduced in response to the COVID-19 PHE, including changes to Medicare to expand coverage of telehealth services during the pandemic. Coverage was extended to include Medicare beneficiaries in any geographic region, not just beneficiaries in rural areas. Beneficiaries were permitted to remain in their homes for telehealth visits, the visits could be delivered via smartphones, and Medicare expanded the list of services that could be provided virtually.

The Department of Health and Human Services’ Office for Civil Rights also issued a Notice of Enforcement Discretion with respect to the good faith provision of telehealth services. “OCR will exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” explained OCR in its COVID-19 telehealth guidance.

Under OCR’s Notice of Enforcement Discretion, healthcare providers are permitted to use “any non-public facing remote communication product that is available to communicate with patients,” even if the technology would not normally be permitted under HIPAA, for example because the vendor will not enter into a business associate agreement with the healthcare provider.

“The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first,” explained OCR. “OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.”

The HHS has previously committed to providing a 60-day notice to states before the expiration of the COVID-19 PHE or the termination of the HIPAA telehealth flexibilities to give them time to prepare. The HHS is also due to notify healthcare groups in advance to allow them to prepare their members. The absence of any such notifications makes it almost certain that a further extension will be announced. Should the decision be made not to extend the COVID-19 PHE further past January 2023, the 60-day notice will need to be issued by mid-November.

It is important for healthcare providers to be aware that while the COVID-19 public health emergency has been repeatedly extended, these extensions will not continue indefinitely. When the COVID-19 PHE is declared over, the HIPAA telehealth flexibilities will come to an end. It is therefore recommended that healthcare organizations prepare for the end of the COVID-19 PHE and start evaluating HIPAA-compliant telehealth solutions: solutions that have the safeguards necessary to comply with the HIPAA Security Rule and are provided by vendors willing to enter into a business associate agreement. Healthcare providers should consider transitioning to those solutions ahead of the HHS announcement of the end of the COVID-19 PHE, or ensure that they develop a plan that can be implemented immediately when notice is provided that the PHE will end.

The post COVID-19 Public Health Emergency and HIPAA Telehealth Flexibilities Due to be Extended appeared first on HIPAA Journal.

Doctor Who Provided PHI to Pharma Sales Rep Pleads Guilty to Criminal Violations of HIPAA

A former physician with practices in New Jersey, New York, and Florida has pleaded guilty to criminal violations of HIPAA for disclosing patients’ protected health information to a sales representative of a pharmaceutical firm, according to the U.S. Attorney’s Office of the District of New Jersey.

Frank Alario, 65, of Delray Beach, Florida, pleaded guilty to disclosing patient information to the sales rep, Keith Ritson, who promoted compound prescription medications and other medications to the patients. Compound prescription medications are medications mixed specifically for individual patients when standard FDA-approved medications are determined to not be appropriate, due to an allergy for example. Compound prescription medications are not approved by the FDA but can be legally prescribed by physicians.

The HIPAA Privacy Rule permits disclosures of patients’ protected health information for the purposes of treatment, payment, or healthcare operations; most other disclosures require the written authorization of each patient. Ritson was an outside pharmaceutical representative who was not associated with Alario’s practices, and as such Ritson was not permitted to access the protected health information of Alario’s patients. No patient authorized the disclosure of their information.

Alario allowed Ritson to have significant access to his office, patients’ medical files, and other patient information, both inside and outside normal business hours. Ritson was given access to areas of Alario’s office that were restricted to staff members, such as areas with patient files and computers. In addition to allowing access to these areas, Ritson was allowed to look up patient information in files and on computers to identify patients who had insurance coverage that would pay for the compound medications. Ritson would then mark the files of patients whose insurance would pay for the medications so Alario would know which patients to prescribe the medications to.

In some cases, Ritson was allowed to be present during appointments. Alario gave patients the impression that Ritson was a member of staff or was affiliated with the medical practice and during those appointments sensitive health information would be directly disclosed to Ritson. The information obtained was then used to fill out prescription forms for medications, which would then be authorized by Alario, with Ritson receiving a commission on the prescribed prescriptions.

Alario and Ritson were both charged in an indictment for conspiring to violate HIPAA. Ritson’s charges are still pending, with his trial scheduled for November 7, 2022. Alario pleaded guilty and sentencing is scheduled for February 7, 2023. Alario faces a maximum of one year in jail and a $50,000 fine.

The post Doctor Who Provided PHI to Pharma Sales Rep Pleads Guilty to Criminal Violations of HIPAA appeared first on HIPAA Journal.

NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers

The Health Sector Coordinating Council (HSCC) has urged the National Institute of Standards and Technology (NIST) to provide tailored guidance for smaller and lesser-resourced healthcare organizations on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and has made several other recommendations to improve the utility of its new HIPAA Security Rule implementation guidance.

Background

Recently, NIST issued a draft update (SP 800-66r2) to its 2008 publication: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and sought feedback from industry stakeholders ahead of the publication of the final version of the guidance.

SP 800-66r2 provides guidance for HIPAA-regulated entities on assessing and managing risks to ePHI, suggests activities that should be considered as part of an information security program, and provides several useful resources that HIPAA-regulated entities can use to help them implement the requirements of the HIPAA Security Rule.

HSCC is a private sector-led critical infrastructure advisory council of large, medium, and small health industry stakeholders, that works with government partners to identify and mitigate threats and vulnerabilities that have the potential to affect the ability of the sector to deliver healthcare services. HSCC has a Cybersecurity Working Group that represents 350 healthcare organizations that collaborate toward improving the cyber security and resiliency of the healthcare industry and patient safety.

HSCC Recommendations for Improving NIST HIPAA Security Rule Guidance

Improve the Structure to Better Meet the Needs of Smaller Healthcare Organizations

HSCC has made several recommendations for NIST to consider prior to releasing the final version of its guidance. One of the main issues is NIST has created a document that can be used by healthcare organizations of all sizes; however, HSCC suggests this one-size-fits-all approach has resulted in the guidance not being well adapted for smaller healthcare organizations, which are the ones that would benefit most from additional guidance on HIPAA Security Rule compliance.

The problem with the one-size-fits-all approach is that the guidance document – which runs to 139 pages – provides detailed information, but much of that information is not relevant to smaller HIPAA-regulated entities. Resources are listed to help HIPAA-regulated entities achieve compliance with the HIPAA Security Rule, but HSCC says too few of them are aimed specifically at smaller healthcare organizations and suggests the listed resources could be better organized to improve the utility of the publication.

Stress the Importance of Adopting Recognized Security Practices

HSCC draws attention to its publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which was developed under the 405(d) Program and Task Group to help organizations of all sizes manage cyber threats. HICP was designed to be scalable and flexible enough to be easily used by smaller healthcare organizations, without prescribing a single pathway for improving cyber posture. HSCC recommends that this tool and other similar resources be referenced in NIST’s Security Rule guidance.

Now that H.R. 7898 (Public Law 116-321) has been signed into law, HSCC says content should be included in the Security Rule guidance on how the adoption of recognized security practices benefits healthcare organizations in the form of shorter compliance audits and reduced fines, together with information on how to implement the security best practices promulgated under section 405(d) of the Cybersecurity Act of 2015 by adopting the NIST Cybersecurity Framework (NIST CSF) and following the recommendations outlined in publications such as the HICP.

HSCC also recommends that NIST stress the importance of following cybersecurity best practices, and explain how adopting those practices helps HIPAA-regulated entities with HIPAA Security Rule compliance and compliance with other federal mandates, and how following these best practices helps to ensure business continuity and patient safety. HSCC has recommended NIST publish separate guidance for small- and mid-sized healthcare organizations with more tailored resources that stresses the importance of practicing good cyber hygiene.

HSCC also draws attention to the use of the terms ‘risk assessment’ and ‘risk analysis’ in the document, which are often used as synonyms, even though NIST has separate definitions for both. To avoid confusion, HSCC recommends NIST use these terms consistently and clarify when a risk analysis or a risk assessment is required.

Help Small Healthcare Providers Prepare for the End of the COVID-19 PHE

HSCC has also drawn attention to the flexibilities introduced in response to the COVID-19 Public Health Emergency (PHE), specifically, the notice of enforcement discretion issued by OCR stating sanctions and penalties will not be imposed for the good faith use of communications technologies for providing telehealth services during the PHE, which would normally not be considered HIPAA-compliant. The guidance should make it clear that as the PHE winds down, healthcare providers should migrate to more secure methods of communication to better protect patient privacy and reduce cyber incidents.

The post NIST Urged to Make HIPAA Security Rule Implementation Guidance More Usable by Small Providers appeared first on HIPAA Journal.

Is Google Meet HIPAA Compliant?

Google Meet is an advanced VoIP and videoconferencing service that can be used by healthcare providers to provide telehealth services, remote consultations, and virtual patient visits. But is Google Meet HIPAA compliant?

Google Meet is rapidly becoming the go-to videoconferencing service for organizations in all industries due to its integrations with other productivity tools in the Google Workspace Suite. However, if the service is used by healthcare providers to communicate Protected Health Information, certain measures must be put in place to make Google Meet HIPAA compliant.

First of all, before Google Meet is used to collect, share, or transmit Protected Health Information, a healthcare provider must subscribe to a Business Google Workspace or Cloud Identity account and sign Google´s Business Associate Addendum. The Addendum provides information about which of Google´s services can be used in compliance with HIPAA and what the customer´s obligations are.

The BAA Alone Does Not Make Google Meet HIPAA Compliant

However, signing the Business Associate Addendum does not – by itself – make Google Meet HIPAA compliant. System administrators have to configure the service to support compliance – for example, by making Meet the default videoconferencing service in the organization to prevent workstations prompting calls via Hangouts, which is not HIPAA compliant when used in video mode.

It may also be necessary to make all Google Meet invites private in order to mask any PHI mentioned in the invites (e.g., patients´ names) and to control access to recordings of Meet videos, which are saved to Google Drive by default. It will certainly be necessary to develop policies on how to use Google Meet in compliance with HIPAA and to train members of the workforce on those policies.

To help healthcare providers and their Business Associates use Google Meet in compliance with HIPAA, Google recently updated its Workspace and Cloud Identity Implementation Guide. The Guide not only provides advice on how to make Google Meet HIPAA compliant, but also covers all the other Workspace and Cloud Identity services included in the Business Associate Addendum.

Why HIPAA Compliance Matters in Telehealth

It has been claimed that healthcare professionals often mistakenly believe that communicating ePHI via any communication channel is in compliance with HIPAA when the communication is directly between a healthcare professional and a patient. This is not true, and there are many examples of unencrypted communications being intercepted or accessed impermissibly.

Consequently, it is important that Covered Entities and Business Associates implement a secure and HIPAA compliant solution such as Google Meet when providing telehealth services. However, it is equally important that the solution is configured to comply with the Technical Safeguards of the Security Rule, that only authorized users have access to the solution, and that a system for monitoring Google Meet communications is implemented to prevent accidental or malicious breaches of ePHI.

The post Is Google Meet HIPAA Compliant? appeared first on HIPAA Journal.

3 Dental Practices Fined for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) has agreed to settle three HIPAA investigations of potential HIPAA Right of Access violations by dental practices. All three of the investigations were initiated after complaints from patients about the failure of their dental practices to provide them with timely access to their medical records, with one of the cases also involving an allegation of overcharging for a copy of medical records.

A patient of the Georgia-based dental and orthodontics provider, Great Expressions Dental Center of Georgia, P.C. (GEDC-GA), filed a complaint with OCR in November 2020 after being told that she could not be provided with a copy of her medical records unless she paid a $170 copying fee. The HIPAA Right of Access does permit healthcare organizations to charge patients for providing a copy of their medical records, but the costs must be reasonable and cost-based.

OCR’s investigation confirmed that the patient was not provided with a copy of her records until February 2021, 15 months after the initial request. OCR also determined that GEDC-GA’s practice of assessing copying fees resulted in the patient being charged a fee that was not reasonable and cost-based. GEDC-GA chose to settle the case and paid an $80,000 penalty and implemented a robust corrective action plan to address noncompliance with the HIPAA Right of Access.

An investigation was launched into the Chicago, IL-based dental practice, Family Dental Care, P.C. following an August 8, 2020, complaint from a former patient who alleged she had not been provided with a complete set of her medical records. The former patient submitted a request for her complete records in May 2020, but only portions of those records were provided. The patient was not provided with her full records until October 2020, more than 5 months after the initial request was submitted. OCR determined there had been a failure to provide timely access to the requested medical records, which violated the HIPAA Right of Access. Family Dental Care chose to settle the case and paid a $30,000 financial penalty and implemented a corrective action plan to address the non-compliance.

On October 26, 2020, OCR received a complaint from a patient of B. Steven L. Hardy, D.D.S., LTD (doing business as Paradise Family Dental in Las Vegas, NV). The patient alleged that she had requested a copy of her and her minor child’s medical records on multiple occasions, but the records had not been provided. The requests were made between April 11, 2020, and December 4, 2020, but the records were not provided until December 31, 2020, 8 months after the initial request was submitted. OCR determined the delay in providing the records violated the HIPAA Right of Access. Paradise chose to settle the case and paid a $25,000 financial penalty and implemented a corrective action plan to address the non-compliance.

“These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”

The post 3 Dental Practices Fined for HIPAA Right of Access Violations appeared first on HIPAA Journal.

Are Phone Calls HIPAA Compliant?

The answer to the question “are phone calls HIPAA compliant?” depends on who is making the call, what the call concerns, and who the call is to.

Before discussing whether phone calls are HIPAA compliant, it is important to establish who HIPAA applies to. This is because almost two-thirds of complaints about HIPAA violations are rejected because they allege a violation has been committed by a business that is not subject to the HIPAA Rules. In such cases, HHS´ Office for Civil Rights has no jurisdiction to investigate the complaints and so rejects them.

HIPAA applies to most health plans, health care clearinghouses, and healthcare providers (“Covered Entities”), and to Business Associates and subcontractors providing a service for or on behalf of a Covered Entity. Healthcare-related calls from these sources to individuals are permissible provided the recipient has given their implied consent to receive a call and the call follows FTC guidelines.

Additionally, to make phone calls HIPAA compliant, Covered Entities and Business Associates are required to comply with the General Rules for Uses and Disclosures of PHI (§164.502 to §164.512), and the Minimum Necessary Standard when making phone calls to someone other than the individual which relate to the individual´s condition, treatment, or payment for treatment.

Implied Consent and FTC Guidelines

Phone calls to individuals from Covered Entities and Business Associates are permissible if the recipient of the phone call has given their implied consent by providing a contact telephone number to the Covered Entity or Business Associate. However, under HIPAA, individuals also have the right to revoke consent or request that communications are either made by voice or by text.

Healthcare-related – but not payment-related – phone calls and text messages from Covered Entities to individuals are FTC compliant if they are made for an allowable reason. Allowable reasons are limited to:

  • Appointments and reminders
  • Hospital pre-registration instructions
  • Health checkups
  • The provision of medical treatment
  • Lab test results
  • Notifications about prescriptions
  • Pre-operative instructions
  • Post-discharge follow-up calls
  • Home healthcare instructions

According to the FTC guidelines, calls to individuals should start with the Covered Entity stating their name and the reason for the call. Calls can last no longer than 60 seconds (text messages must be no longer than 160 characters), and Covered Entities cannot contact individuals more than three times per week. Any additional contact – by voice or by text – requires the individual´s authorization.

Making Other Phone Calls HIPAA Compliant

Other phone calls made by a Covered Entity or Business Associate (i.e., not to an individual for an allowable reason) are only subject to the General Rules for Uses and Disclosures and the Minimum Necessary Standard if the communication involves the disclosure of an individual´s PHI. Any phone calls that do not involve the disclosure of PHI are not subject to the Privacy Rule standards.

Nonetheless, there are many types of HIPAA-related phone calls that are subject to Privacy Rule standards. Examples include a phone call made from one Covered Entity to another for treatment, payment, or healthcare operations purposes, a phone call made to local authorities to report a public health issue, or a phone call made to the police to report patient abuse or neglect.

Covered Entities can communicate PHI to a Business Associate in a phone call, but before doing so, a Business Associate Agreement must be in place to stipulate the allowable uses and disclosures of PHI. In states where more stringent privacy protections exist, it may also be necessary for a Covered Entity to enter into a contract with another Covered Entity before disclosing PHI for any reason.

Is PHI Disclosed in a Phone Call Subject to the Security Rule?

One final point about making phone calls HIPAA compliant concerns whether PHI disclosed during a phone call is subject to the Security Rule. According to the definition of electronic media in §160.103 of the HIPAA General Provisions, PHI disclosed during a phone call is not considered to be subject to the Security Rule “if the information being exchanged did not exist in electronic form immediately before the transmission”.

However, if the PHI is subsequently recorded on electronic media, the stored PHI (now ePHI) becomes subject to Security Rule standards. Therefore, if PHI is disclosed during a permissible provider-to-provider phone call, and the information is entered into an EHR or other electronic database, the information has to be protected in the same way as any other PHI relating to the individual that is stored electronically.

Are Phone Calls HIPAA Compliant? FAQs

Can nurses give patient information over the phone?

As members of a Covered Entity´s workforce, nurses can give patient information over the phone for permissible uses and disclosures. However, before nurses give patient information over the phone, it is important they verify the identity of the person they are speaking with in order to prevent unauthorized disclosures or disclosing more than the minimum necessary patient information.

Is sharing patient information with family over the phone HIPAA compliant?

With regards to sharing patient information with family over the phone, patients should be given the opportunity to object to their information being shared with family members. Provided the patient has not objected, sharing patient information with family over the phone is HIPAA compliant. However, it is still necessary to comply with the Minimum Necessary Standard.

If a patient is incapacitated and unable to object to their information being shared, healthcare providers can share patient information over the phone with family members provided that the disclosure of PHI is considered to be in the patient´s best interests. Once the patient is no longer incapacitated, he or she must be given the opportunity to object as soon as possible.

Are cell phone calls HIPAA compliant?

As discussed above in “Implied Consent and FTC Guidelines”, calls to cell phones are HIPAA compliant if a patient has given their cell phone number to the Covered Entity as a point of contact. If a patient has given both a cell phone number and a landline number, Covered Entities can use either number to contact the patient up to the FTC-mandated limit of three calls/texts per week.

What information can hospitals give over the phone?

If they are responding to an enquiry about the well-being of a patient, hospitals can provide “directory information” such as the general condition of the patient and their location within the hospital provided the patient is asked for by name, the identity of the caller is verified, and the patient has not objected to the information being disclosed.

Is a landline HIPAA compliant?

Calling a patient´s landline for an allowable reason is HIPAA compliant provided the landline number has been provided to the Covered Entity by the patient or patient’s representative. However, Covered Entities must take care to verify that the person they are speaking with is the patient, as landlines can be shared among multiple occupiers or – in a business – multiple employees.

Is giving out a phone number a HIPAA violation?

Giving out a phone number can be a HIPAA violation, but only in certain circumstances. Generally, a phone number is an “identifier” that, when included in a patient´s “designated record set”, becomes Protected Health Information. Any protected identifier in a designated record set can be disclosed if the disclosure is permitted by the General Rules for Uses and Disclosures of PHI.

If a patient has objected to their phone number being given out, if the phone number is given out without authorization for a disclosure requiring an authorization, or if the phone number is given out in the course of an impermissible disclosure, these are examples of HIPAA violations – if the phone number is included in the patient´s designated record set. If it is not part of the patient´s designated record set, the phone number is not protected, and therefore no HIPAA violation has occurred.

The post Are Phone Calls HIPAA Compliant? appeared first on HIPAA Journal.