HIPAA Compliance News

HHS Issues Guidance to Teaching Hospitals and Medical Schools on Informed Consent Requirements

The Department of Health and Human Services (HHS) has written to the nation’s teaching hospitals and medical schools to clarify the requirement to obtain informed consent from patients before they are subjected to sensitive examinations, especially when the patient is under anesthesia.

HHS Secretary Xavier Becerra, Office for Civil Rights Director Melanie Fontes Rainer, and CMS administrator Chiquita Brooks-LaSure explained in the letter that they are aware of media reports and medical and scientific literature that indicate that as part of the training of medical students, patients are subjected to sensitive and intimate examinations – including pelvic, breast, prostate, or rectal examinations – while under anesthesia, when proper informed consent has not been obtained from the patients.

The letter stresses that it is vital for hospitals and medical schools to obtain and document informed consent before examinations are performed and that informed consent is required in all circumstances. Patients have the right to refuse to have sensitive examinations performed for teaching purposes and can refuse to consent to any examination under anesthesia that was not previously agreed to. The CMS has issued new guidance that clarifies the requirements of the Hospital Conditions of Participation with respect to the CMS’s revision of its hospital interpretive guidance about informed consent.

OCR has also stressed that under the HIPAA Privacy Rule, patients have the right to restrict who can access their PHI, including in situations where they may be unconscious while having a medical procedure performed. OCR has provided a Q&A that explains this HIPAA Privacy Rule right with respect to examinations by medical students while under anesthesia, and subsequent examinations when the covered entity has agreed to restrict disclosures of PHI.

The post HHS Issues Guidance to Teaching Hospitals and Medical Schools on Informed Consent Requirements appeared first on HIPAA Journal.

Cyber Security for Healthcare: USA Summit

The HealthSec: Cyber Security for Healthcare Summit returns for its 2nd edition in Boston, Massachusetts on June 12th – 13th!

As operations in healthcare and life sciences industries are becoming increasingly digitized and internet-connected, the attack surface is expanding and cybersecurity risks are growing.

In the light of this, healthcare security leaders from across the hospitals & healthcare systems, healthcare equipment and services, medical devices, pharma and biotech industries are preparing to gather at the summit to learn how to protect their sensitive data from cyber attacks.

CPD certified event

This CPD certified event is your chance to unite with cybersecurity leaders from the likes of Abbott, GSK, Moderna, Pfizer and Johnson & Johnson through interactive sessions, as well as 6+ hours of networking, including seated lunches and a drinks reception.

Over 2 days, you’ll learn how to build resilience, mitigate risks and strengthen your cybersecurity strategy to combat new and ongoing threats through thought leadership talks, in-depth case-studies, panel discussions and roundtables. See list of speakers

Agenda highlights include:

  • A Culture of Shared Responsibility Between HDOs and MDMs: What It Looks Like, and How to Achieve It
  • How to Effectively Address Third Party Risk Management Pain Points in Healthcare
  • Case Study: Surviving a Ransomware Attack – Lessons Learned from the Healthcare Industry
  • Streamlining Regulatory Compliance in Healthcare: How Do We Get There?

For a 15% discount on passes, register now using the code “HIPPA” at registration online here.

February 2024 Healthcare Data Breach Report

There has been a fall in the number of reported healthcare data breaches for the second consecutive month, with 59 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

There were 10.6% fewer breaches reported in February than in January, which followed a 22% reduction between December 2023 and January 2024. Over the past 12 months, an average of 64 healthcare breaches have been reported each month, and while February is well under that average, 22.9% more breaches were reported in February 2024 than in February 2023.

For the third consecutive month, the number of breached records has fallen, reducing by 41.7% from January to 5,130,515 records, which is well below the 12-month average of 8.9 million records a month and around half as many records as were breached in February 2023. These figures could increase as three data breaches were reported as involving 500 or 501 records. These figures are often placeholders to meet HIPAA’s breach reporting requirements when the number of affected individuals has yet to be determined.

Biggest Healthcare Data Breaches in February 2024

There were 24 data breaches of 10,000 or more healthcare records in February, the largest of which was a 2.35 million record data breach at Medical Management Resource Group, which does business as American Vision Partners. A further 1.67 million records were compromised in breaches at Eastern Radiologists and Unite Here, both of which were hacking incidents. Only four breaches of 10,000 or more records were not hacking incidents.

Ransomware attacks continue to plague the healthcare industry, but it is difficult to determine the scale of the problem since breach notifications rarely mention whether ransomware was used. Ransomware groups typically steal data and leak it or sell it if the ransom is not paid. If the nature of the attack is not explained to the affected individuals, it is difficult for them to accurately assess the level of risk they face and make informed decisions about the steps they need to take to prevent their personal information from being misused.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Medical Management Resource Group, L.L.C. | AZ | Business Associate | 2,350,236 | Hacking incident (data theft confirmed) |
| Eastern Radiologists, Inc | NC | Healthcare Provider | 886,746 | Hacking incident |
| UNITE HERE | NY | Business Associate | 791,273 | Hacking incident |
| Northeast Orthopedics and Sports Medicine, PLLC | NY | Healthcare Provider | 177,101 | Hacking incident |
| Bold Quail Holdings, LLC (NewGen Administrative Services, LLC) | CA | Healthcare Provider | 105,425 | Hacking incident |
| Prime Healthcare Employee Health Plan | CA | Health Plan | 101,135 | Hacking incident at business associate (Keenan & Associates) |
| Egyptian Health Department | IL | Healthcare Provider | 100,000 | Hacking incident |
| Scurry County Hospital District dba Cogdell Memorial Hospital | TX | Healthcare Provider | 86,981 | Hacking incident |
| MedQ, Inc. | TX | Business Associate | 54,725 | Ransomware attack (data theft confirmed) |
| Coleman Professional Services Inc. | OH | Healthcare Provider | 51,889 | Email accounts compromised |
| Greater Cincinnati Behavioral Health Services | OH | Healthcare Provider | 50,000 | Hacking incident |
| Kirkland & Ellis LLP | IL | Business Associate | 48,802 | Hacking incident (MOVEit Transfer) |
| Employee Benefits Corporation of America and Benefit Design Group, Inc. | VA | Health Plan | 38,912 | Hacking incident |
| Washington County Hospital and Nursing Home | AL | Healthcare Provider | 29,346 | Ransomware attack (data theft confirmed) |
| Qualcomm Incorporated | CA | Health Plan | 27,038 | Hacking incident at a business associate |
| McKenzie County Healthcare System, Inc. | ND | Healthcare Provider | 21,000 | Email accounts compromised |
| East Carolina University’s Brody School of Medicine, a member of the ECU Health affiliated covered entity | NC | Healthcare Provider | 19,085 | Unauthorized access to a network server |
| Tiegerman | NY | Healthcare Provider | 19,000 | Hacking incident |
| Human Affairs International of California | CA | Business Associate | 18,347 | Unauthorized access/disclosure of paper/films |
| Maryville, Inc. | NJ | Healthcare Provider | 15,503 | Email account compromised |
| Bay Area Anesthesia, LLC | FL | Healthcare Provider | 15,196 | Hacking incident at business associate (Bowden Barlow Law) |
| AGC Flat Glass North America, Inc. Welfare Benefits Plan | GA | Health Plan | 13,079 | Hacking incident |
| Littleton Regional Healthcare | NH | Healthcare Provider | 12,614 | Misdirected email |
| CVS Caremark Part D Services, L.L.C. (“CVS”) | RI | Business Associate | 11,193 | Unauthorized access/disclosure of paper/films |

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, the main cause of healthcare data breaches in February was hacking. In February, there were 41 data breaches classed as hacking/IT incidents – 69.5% of the month’s data breaches. These incidents typically see large numbers of records compromised and February was no exception. Across those 41 incidents, the protected health information of 5,017,167 individuals was exposed or compromised – 97.8% of the month’s breached records. The 16 largest healthcare data breaches in February were all hacking incidents. The average breach size was 122,370 records and the median breach size was 7,288 records.

HIPAA-regulated entities reported 16 data breaches that were classed as unauthorized access/disclosure incidents. Across those 16 data breaches, the records of 104,359 individuals were accessed by unauthorized individuals or were impermissibly disclosed. The largest of those incidents was a phishing attack that saw multiple email accounts compromised and the records of 21,000 individuals exposed. The average breach size was 6,522 records and the median breach size was 2,516 records. There were two theft incidents involving the records of 8,989 individuals. No loss or improper disposal incidents were reported in February. The most common location of breached healthcare data was network servers, followed by email accounts.

While it is not possible to prevent all data breaches, many could be avoided by ensuring compliance with the HIPAA Security Rule and implementing OCR’s HPH Cybersecurity Performance Goals (CPGs). The CPGs are split into essential CPGs and enhanced CPGs. The essential CPGs address common vulnerabilities, will significantly improve an organization’s security posture and incident response, and minimize residual risk. The enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defenses against additional attack vectors. A recent IBM study determined that 85% of cyberattacks in critical infrastructure sectors could have been prevented with basic security measures such as those included in the essential CPGs.

Where Did the Data Breaches Occur?

OCR’s data breach portal shows there were 33 data breaches at healthcare providers (1,632,712 records), 16 data breaches at health plans (212,785 records), and 10 data breaches at business associates (3,285,018 records). These figures show the reporting entity rather than where the data breach occurred. When a data breach occurs at a business associate, it may be reported by the business associate, the affected covered entities, or a combination of the two. For example, in February, 16 data breaches were reported by health plans, but 8 of those breaches occurred at business associates. The pie charts show where the data breaches occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

In February, large healthcare data breaches were reported by HIPAA-regulated entities in 27 states and the District of Columbia. California had the most breaches but Arizona was the worst affected in terms of the number of breached records, with 2,351,027 records compromised in 2 data breaches.

| State | Breaches |
|---|---|
| California | 6 |
| New York & Ohio | 5 |
| Illinois, Kentucky & Texas | 4 |
| Alabama, Florida & Michigan | 3 |
| Arizona, North Carolina & Rhode Island | 2 |
| Colorado, Georgia, Iowa, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, North Dakota, Oklahoma, Pennsylvania, South Carolina, Tennessee, Virginia, West Virginia & the District of Columbia | 1 |

HIPAA Enforcement Activity in February 2024

In February, OCR announced two settlements with HIPAA-regulated entities to resolve HIPAA compliance failures. OCR investigated Montefiore Medical Center, a non-profit hospital system based in New York City, over a data breach involving a malicious insider. The breach was discovered in 2015 by the New York Police Department, and the investigation revealed a former employee had stolen the data of 12,517 patients over a 6-month period in 2013. OCR launched an investigation in 2015, but it took until February 2024 for the case to be settled.

OCR identified multiple HIPAA failures, and the severity of those failures warranted a significant fine. Montefiore Medical Center was determined to have failed to conduct a comprehensive risk analysis, failed to implement procedures to regularly review records of information system activity, and failed to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI. Montefiore Medical Center agreed to pay a $4.75 million penalty to settle the alleged HIPAA violations.

OCR also announced a $40,000 settlement with Green Ridge Behavioral Health, a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy. This was the second settlement to be reached with a HIPAA-regulated entity over a ransomware attack. OCR determined that a comprehensive risk analysis had not been conducted, there was a failure to manage risks to the confidentiality, integrity, and availability of ePHI, and there were insufficient policies and procedures for reviewing records of information system activity. These failures contributed to the ransomware attack and the impermissible disclosure of the PHI of more than 14,000 patients.

State Attorneys General also have the authority to issue financial penalties for HIPAA violations; however, no civil monetary penalties or settlements were announced in February.

OCR Updates Guidance on the Use of Online Tracking Technologies by HIPAA Regulated Entities

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued updated guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the use of online tracking technologies. The updated guidance is intended to provide greater clarity for HIPAA-regulated entities on the use of these technologies. OCR has not changed its position on the use of these technologies or how HIPAA applies.

Why OCR Issued Guidance on Online Tracking Technologies

OCR first issued the guidance in December 2022 after research into the use of these technologies revealed that most U.S. hospitals had added them to their websites, where they transmit user data to third parties such as Meta (Facebook), Google, and others. A variety of user data is collected and transmitted about users’ interactions on websites and apps, and some of that data can include protected health information.

The initial guidance explained that these technologies could not be used by HIPAA-regulated entities unless there was a business associate agreement in place with the provider of the technologies and the disclosures of protected health information are permitted by the HIPAA Privacy Rule. Alternatively, consent must be obtained from individuals before the information is transmitted to third parties. OCR has previously stated that non-compliant use of online tracking technologies is an enforcement priority, and in July 2023, OCR and the Federal Trade Commission (FTC) sent warning letters to around 130 hospitals and telehealth providers about the risks of using these technologies and the potential for impermissible disclosures of PHI.

OCR Sued Over its Tracking Technology Guidance

Since the providers of these technologies typically do not sign business associate agreements with HIPAA-regulated entities and obtaining consent from individuals is costly and challenging, these technologies can generally not be used by HIPAA-regulated entities without risking violating the HIPAA Rules. The American Hospital Association (AHA) urged OCR to reconsider its guidance, and when OCR failed to do so, AHA filed a lawsuit challenging the legality of the guidance. The AHA maintains that these technologies are critical to the function of websites, and that prohibiting their use ultimately harms healthcare providers and patients. Further, while HIPAA-regulated entities were not permitted to use these technologies, the code remained on many government websites, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites.

Online Tracking Technology Guidance Updated to Clear up Confusion

OCR’s updated guidance provides a general overview of how the HIPAA Rules apply to the use of tracking technologies and includes additional examples of when the code can and cannot be used, tips for complying with HIPAA, and OCR’s enforcement priorities regarding online tracking technologies. In the updated guidance, OCR stressed that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” Protected health information is information that relates to the past, present, or future health, health care, or payment for health care, that has identifiers that link that information to an individual or allow that individual to be identified. If any of that information is collected on a web page, the technologies cannot be used without a business associate agreement with the provider of the code and the disclosures must be permitted by the HIPAA Privacy Rule, or consent must be obtained from individuals. Consent cannot be obtained by including information about these disclosures in the Notice of Privacy Practices, via a pop-up on the websites or banner stating that use of the site may involve the disclosure of health information to a third party, or by asking a user to either accept or reject cookies. A valid HIPAA authorization is required.

OCR suggests that if a vendor will not sign a BAA covering the use of the code, then a different vendor should be found that will sign a BAA. Alternatively, a customer data platform vendor could be used, which de-identifies the PHI before the information is sent to a third party. It is not permitted to transfer PHI to a vendor without a BAA even if the vendor claims that they will strip out any identifying information after the disclosure. The collection of PHI is more likely on user-authenticated pages such as patient portals; however, there is the potential for PHI to be disclosed on unauthenticated web pages. For instance, on an appointment booking page that collects no health information, if the user enters their email address and that information is transmitted to a third party, that would be classed as an impermissible disclosure of PHI.

For some web pages, the nature of the visit determines whether HIPAA applies. For instance, if a student is searching for information on oncology services when researching the availability of those services pre- and post-pandemic, the collection and transmission of their IP address and other personally identifiable information to a third party without a BAA is not a HIPAA violation, as HIPAA does not apply as there is no PHI involved. If a patient is visiting the same pages to get a second opinion about their diagnosis or cancer treatment, the transmission of the same data would be a HIPAA violation without a BAA, as that information would be classed as PHI. Other examples have been added to the guidance to make it clear when HIPAA applies and when it does not.

OCR explained its enforcement priorities with respect to online tracking technologies and said it is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. “OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI,” explained OCR in the guidance. “OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all of the available evidence in determining compliance and remedies for potential noncompliance.”

OCR Opens HIPAA Compliance Investigation of Change Healthcare

The HHS’ Office for Civil Rights has opened an investigation of Change Healthcare following its February 21, 2024, cyberattack, just three weeks after the attack occurred. Typically, OCR’s investigations of cyberattacks and data breaches are initiated several months after the breach is reported, which may even be years after the breach occurred. In this case, the incident has not even been reported to OCR as it is still under investigation. Change Healthcare has only just brought its systems back online – 99% of pharmacy and payment platforms are now up and running, according to a recent statement – and there are still 5 weeks before the HIPAA Breach Notification Rule’s deadline for reporting breaches is reached.

The rapidly initiated investigation is in response to the magnitude of the incident, which is disrupting health care and billing information systems nationwide and has been estimated to be costing providers well over a billion in reimbursement losses per day due to Change Healthcare’s systems being unavailable. The disruption caused to providers that use Change Healthcare’s systems is causing extreme financial difficulties and some providers have had to make difficult decisions about whether they can continue to operate. As such, the incident poses a direct threat to critically needed patient care and essential operations of the healthcare industry.

In a “Dear Colleague” letter uploaded to the HHS website, OCR Director Melanie Fontes Rainer said “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

OCR also explained in the letter that its interest in other entities that partner with Change Healthcare and UnitedHealth Group is secondary. While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that have partnered with Change Healthcare or UnitedHealth Group, OCR has taken the opportunity to remind them that they have regulatory responsibilities under HIPAA and they must ensure that they have business associate agreements in place and that they issue timely notifications to the HHS and any affected individuals. In the letter, the OCR Director shared resources to assist HIPAA-regulated entities with protecting records, systems, and patients from cyberattacks.

“This is an unusual move by OCR but given the far-reaching impact of the cyberattack and the massive effect it is having on healthcare organizations that rely on Change Healthcare’s services and systems, the breach warrants swift investigation to determine if Change Healthcare and its parent company were fully compliant with the HIPAA Rules,” commented Steve Alder, Editor-in-Chief, The HIPAA Journal.

Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance (NCA), offered some advice for readers of The HIPAA Journal and shared some of the lessons that can be learned from this devastating cyberattack.

The cyberattack on UnitedHealth Group and Change Healthcare serves as a stark reminder of the critical need for robust cybersecurity measures within the healthcare sector. Firstly, healthcare organizations must prioritize comprehensive risk assessments and implement stringent security protocols to safeguard sensitive patient data. This includes regular security audits, employee training on cybersecurity best practices, encryption of data both at rest and in transit, and proactive monitoring for suspicious activities. Furthermore, investments in cutting-edge cybersecurity technologies and partnerships with reputable cybersecurity firms can bolster defenses against evolving cyber threats.

Additionally, the incident highlights the indispensable role of government oversight and regulation in safeguarding healthcare data. Government agencies, such as the Department of Health and Human Services’ Office for Civil Rights, play a vital role in enforcing compliance with health privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA). Through rigorous investigations and enforcement actions, regulatory bodies can hold healthcare entities accountable for lapses in data protection and ensure swift responses to cyber incidents. Moreover, collaboration between government agencies, law enforcement, and private sector stakeholders is essential to enhance threat intelligence sharing and coordinate responses to cyber threats, ultimately bolstering the resilience of the healthcare sector against future cyberattacks.

In light of the recent cyberattack on UnitedHealth Group and Change Healthcare, consumers and patients also play a crucial role in protecting their personal health information. One key step is to remain vigilant about sharing sensitive data, both online and offline, only with trusted healthcare providers and entities. Patients should inquire about the security measures implemented by their healthcare providers, including encryption protocols and data breach response plans. Additionally, individuals should regularly review their medical bills and insurance statements for any discrepancies or unauthorized charges, which could indicate fraudulent activity. Furthermore, maintaining strong, unique passwords for healthcare portals and enabling multi-factor authentication can add an extra layer of security to personal health information. By staying informed, vigilant, and proactive, consumers can contribute to safeguarding their own health data and mitigating the risks posed by cyber threats in the healthcare sector.

Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations

Indiana Attorney General Todd Rokita has filed a lawsuit against Apria Healthcare alleging violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws following a cyberattack and data breach that affected 1,869,598 individuals, including 42,000 Hoosiers.

Apria Healthcare is an Indianapolis, IN-based provider of home healthcare equipment and related services. Apria Healthcare was notified by the Federal Bureau of Investigation (FBI) on September 1, 2021, about unauthorized access to its internal systems. The investigation confirmed that between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021, an unauthorized third party accessed its internal systems, including several employee email accounts. The electronic protected health information exposed included names, birth certificates, financial information, Social Security numbers, medical histories, and health information. Apria Healthcare determined that the reason for the intrusion was to obtain funds from Apria Healthcare rather than patient data. Notifications were mailed to the affected individuals in May 2023, more than 20 months after being notified about the breach by the FBI.

Attorney General Rokita alleged that Apria Healthcare deliberately concealed the data breach by failing to issue notifications for 629 days and that the delay violated the HIPAA Breach Notification Rule, which requires individual notifications to be issued to the affected individuals within 60 days of the discovery of a data breach. The delayed notification also violated Indiana’s Disclosure of a Security Breach Act, which requires notifications to be issued without undue delay and not more than 45 days after the discovery of a data breach. Owens and Minor acquired Apria Healthcare in March 2022. Attorney General Rokita alleged that Owens and Minor was aware of the data breaches yet still failed to issue timely notifications.

Attorney General Rokita also alleged violations of the HIPAA Privacy and Security Rules – the failure to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and the impermissible disclosure of the ePHI of more than 1.8 million individuals – and violations of the Indiana Deceptive Consumer Sales Act. “Patients should be able to trust their medical providers at all times,” said Attorney General Rokita. “All Hoosier patients deserve their privacy, especially when it comes to medical care. When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”

CMS Updates Policy to Allow Texting Patient Information and Patient Orders

The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has updated its policy on texting patient information between members of the care team and texting patient orders. Clinical teams are now permitted to text patient information provided they use a HIPAA-compliant texting platform to do so, and provided they are in compliance with the Conditions of Participation (CoPs). The CMS also permits the texting of patient orders.

In January 2018, the CMS issued the memorandum QSO-19-10-Hospital, CAHs Revised – Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) – acknowledging that many hospitals had adopted a secure text messaging platform for communicating among hospital and CAH team members. However, the CMS stated that texting patient orders from a provider to a member of the care team was not compliant with the CoPs due to concerns at the time about privacy, record retention, and the confidentiality, security, and integrity of systems. When the memorandum was written, most hospitals did not have the capability to use secure text messaging platforms to incorporate messages into electronic health records (EHRs). Improvements in technology over the past 6 years, such as the use of encryption, ensure that sensitive health information can be transmitted and stored securely, and advances in technology, especially the application interface capabilities of text messaging platforms, allow data to be transferred into EHRs.

While texting patient orders is now permitted, Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider. If an order is entered via CPOE and immediately downloaded into the hospital’s or CAH’s EHR system, it is permitted under the CoPs because the order is dated, timed, authenticated, and promptly placed in the medical record. However, providers must utilize and maintain systems/platforms that are secure and encrypted. They must ensure the integrity of author identification and minimize risks to patient privacy and confidentiality, as required by HIPAA.

In addition, procedures and processes should be implemented that routinely assess the security and integrity of the texting systems/platforms to avoid negative outcomes that could compromise the care of patients. Any provider that opts to incorporate texting patient information or orders into the EHR should ensure that the platform is compliant with the requirements of the HITECH Act and HIPAA.

The post CMS Updates Policy to Allow Texting Patient Information and Patient Orders appeared first on HIPAA Journal.

OCR Seeks Feedback on HIPAA Audits

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is conducting a HIPAA Audit Review Survey and is seeking feedback from entities that were subjects of HIPAA compliance audits to gather information to improve future audit programs.

Between 2016 and 2017, OCR conducted its second phase of HIPAA compliance audits. The desk-based audit program involved documentation requests on specific aspects of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. The audits revealed which elements of the HIPAA Rules were proving problematic for HIPAA-covered entities and their business associates.

The audit review survey is being conducted to gather information about the effect of the audits on the audited entities and their opinions on the audit process. The aim is to determine the efficacy of the audit program in assessing the efforts made by HIPAA-covered entities and their business associates to comply with the HIPAA Rules and measure the effect of the audits on covered entities’ and business associates’ subsequent actions to comply with HIPAA.

The survey will provide the audited entities with the opportunity to comment on the usefulness of HHS HIPAA guidance and communications, how easy the online submission portal was to use when uploading documentation requested by auditors, and whether the communicated findings of the audits and the audits themselves actually helped to improve entity compliance.

OCR is also seeking feedback on the burden that the audits placed on covered entities and business associates regarding the requested documentation and responses to audit-related requests, including the impact on day-to-day business operations. Questionnaires will consist of 39 questions and will be sent to Privacy and Security Officers at 166 HIPAA-covered entities and 41 business associates. The information collected will be used to improve future HIPAA compliance audits.

The post OCR Seeks Feedback on HIPAA Audits appeared first on HIPAA Journal.

HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations

The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections because of the sensitivity of the information they contain and to avoid deterring people from seeking treatment for SUD out of fear of discrimination and prosecution.

The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.

The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.

Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent was obtained from the patient or the use was required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine whether the provider is subject to Part 2.

The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules.

Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

“Patient confidentiality is one of the bedrock principles in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.

The post HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations appeared first on HIPAA Journal.