HIPAA Compliance News

HHS Information Blocking and Interoperability Regulations Now in Effect

The new information blocking and interoperability regulations developed by the Department of Health and Human Services as part of the 21st Century Cures Act took effect on Monday this week. It has been over a year since the final rule was released, and the benefits of the information blocking and interoperability provisions can now be realized.

The final rule defines information blocking and stipulates the penalties for providers that engage in activities that interfere with access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request it be sent to the application of their choosing.

The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision only applies to the subset of EHI detailed in the United States Core Data for Interoperability (USCDI) version 1. Core EHI includes clinical notes, immunization records, lab test results, medications, and other EHI. The initial 18-month period is intended to help the regulated community get used to the information blocking regulation before the full scope of the regulation’s definition of EHI comes into effect on October 5, 2022. Covered entities and business associates are encouraged to share all EHI if possible, and not to restrict sharing to the data represented by the USCDI until the final compliance date in 18 months.

Under the final rule, the deadline for data sharing has been changed from 30 days from receipt of the request to “without unnecessary delay.” The expectation is that EHI is made immediately available for download via the platform of the connected covered entity. Policies and procedures should be reviewed and updated to ensure that EHI can be obtained as soon as possible; continuing to operate on the old 30-day deadline could now be viewed as information blocking.

The final rule also gives patients further rights over their healthcare data and requires covered entities and business associates to provide patients with their electronic health information, on request, to an application of the patient’s choosing. Patient health information can be sent to these applications without much manual effort by clinicians through secure, standardized application programming interfaces (APIs). As with requests from other healthcare providers, for the first 18 months it is not necessary to provide full records to patients’ chosen applications, only data represented by the USCDI.

Under the HHS HIPAA Right of Access enforcement initiative, the HHS has imposed 18 penalties for failures to provide patients with a copy of their requested medical records in a timely manner. The HHS may well start enforcing compliance with the requirements of the final rule that allow patients to have their EHI sent to a health application with similar vigor. The HHS Office of the National Coordinator for Health IT (ONC) will be working with the HHS Office of Inspector General to enforce compliance with the information blocking provisions, although the final enforcement rule is still pending.

The post HHS Information Blocking and Interoperability Regulations Now in Effect appeared first on HIPAA Journal.

New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years.

OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records.

OCR investigators determined that the delay in providing the records, which exceeded the 30 days allowed for acting on patient requests for their medical records, was in violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524. As a result of OCR’s intervention, the patient did receive a copy of the requested records. The case was settled by Village Plastic Surgery with no admission of liability.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese. “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

This is the 18th financial penalty to be imposed by OCR to resolve violations of the HIPAA Right of Access under its Right of Access enforcement initiative that was launched in late 2019. This is the 6th HIPAA penalty to be imposed in 2021, and the 5th to resolve a HIPAA Right of Access violation.


Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Access investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty.

OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months.

When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay.

OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right of Access on July 22, 2019 and the complaint was closed. The patient then submitted a second complaint to OCR on July 28, 2019 when his medical records had still not been provided. The records were eventually provided to the patient on November 1, 2019, almost 6 months after the written request was submitted and more than 3 months after OCR provided technical assistance on the HIPAA Right of Access.

OCR determined the failure to respond to a written, signed medical record request from a patient in a timely manner was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b). In addition to the financial penalty, Arbour Hospital is required to adopt a corrective action plan that involves implementing policies and procedures for patient record access and providing training to the workforce. Arbour Hospital will also be monitored by OCR for compliance for 1 year.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative was launched in late 2019 to ensure patients are provided with timely access to their medical records at a reasonable cost. This is the sixteenth financial penalty to be paid to OCR to resolve HIPAA Right of Access violations under this enforcement initiative and the 4th HIPAA Right of Access settlement to be announced in 2021.


How Often is HIPAA Training Required?

HIPAA-covered entities and their business associates must ensure that all members of the workforce who encounter protected health information (PHI) in any of its forms are provided with training, but how often is HIPAA training required, and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training?

What Does HIPAA Say About Employee Training?

Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states:

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The HIPAA Security Rule training standard states:

“Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to what training courses should cover. This vagueness ensures that the HIPAA text does not have to be constantly updated every time technology changes or there is a new threat, although security reminders, protection from malicious software, log-in monitoring, and password management are all mentioned as addressable implementation specifications in the Security Rule.

How Often is HIPAA Training Required?

“How often is HIPAA training required?” is a common question, as the HIPAA text is a little vague. Employee HIPAA training must be provided when an employee joins the organization. The training should be provided “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” Thereafter, further training is required when “functions are affected by a material change in the policies or procedures”, with the training provided “within a reasonable period of time after the material change becomes effective.”

It is also important to retrain the workforce regularly to reinforce the initial HIPAA training and ensure that no aspect of compliance is forgotten. The frequency of HIPAA training is at the discretion of each covered entity, with HIPAA only saying that retraining should be “periodic.”

That should be taken to mean at least every 2 years, although the industry best practice – which should be followed – is to provide refresher HIPAA training to the workforce annually.

How Frequently Should Security Awareness Training be Provided in Healthcare?

Periodic security awareness training is also required, in addition to providing security awareness training within a reasonable period of time after a person joins the covered entity’s workforce. In the case of security awareness training, an annual training session is no longer viewed by security professionals as sufficient, considering the extent to which employees are targeted by cybercriminals and the rapidly changing threat landscape.

Here, the best practice is to provide ongoing security awareness training to ensure that employees understand proper cyber hygiene and are kept up to date on the threats they are likely to encounter via the web and email. Training is best provided frequently in small doses to fit in with employee workflows. A biannual training session could be conducted, with frequent security reminders sent such as monthly or quarterly cybersecurity newsletters.

It is important for security awareness training to cover the threats employees are likely to encounter, especially malware and phishing attacks. Employees must be taught how to identify phishing emails as part of their security awareness training given the extent to which healthcare employees are targeted and the sheer number of phishing-related data breaches now being reported.

Document All Employee Training

There have been many enforcement actions by OCR where covered entities and business associates have not been able to provide documentation to prove that they are in compliance with the requirements of the HIPAA Privacy and Security Rules. If documentation cannot be provided to prove that all members of the workforce have been trained, any accidental HIPAA violations by employees are likely to be viewed as training failures.

The HIPAA Privacy Rule only states that “A covered entity must document that the training as described [in the HIPAA Text] has been provided.” You should therefore ensure that you create a training log that includes all employee names and record the date training was provided, the type of training, and the course that was completed.

HIPAA Penalties for Inadequate Training

The penalties for training failures can be severe. Any violation of the HIPAA Rules carries a maximum penalty of $1.5 million, with the level of culpability considered when determining an appropriate penalty. OCR has not, at the time of writing, imposed a penalty solely for training failures but there have been enforcement actions where the lack of either Privacy Rule training or security awareness training was a cited HIPAA violation that contributed to the financial penalty.


Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of 21 million Americans.

Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities.

From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019.

AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for bankruptcy protection in June 2019.

The multi-state investigation into the breach was led by the Indiana, Texas, Connecticut, and New York Attorneys General, with the Indiana and Texas AGs also participating in the bankruptcy proceedings to ensure that the investigation continued, and the personal and protected health information of breach victims was protected. AMCA received permission from the bankruptcy court to settle the multistate action and filed for dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed that information security deficiencies contributed to the cause of the breach. Despite receiving warnings from banks that processed its payments about fraudulent use of payment cards, AMCA failed to detect the intrusion.

Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist state attorneys general with investigations into the data breach.

A financial penalty of $21 million has been imposed on AMCA which will be distributed pro rata between the affected states; however, due to the financial position of the company, the $21 million financial penalty has been suspended. That payment will only need to be made if AMCA defaults on the terms of the settlement agreement.

“AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way,” said Connecticut Attorney General Tong. “My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”

“AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information,” said New York Attorney General Letitia James. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”

Indiana, Texas, Connecticut, and New York led the investigation and were assisted by Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. The Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia also joined the settlement.


Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days

Changes to the HIPAA Rules are infrequent, so when updates are proposed they tend to include a slew of new requirements and updates to existing provisions. Before any updates are made, a request for information (RFI) is issued to allow the HHS to obtain feedback on aspects of the HIPAA Rules that are causing problems, and areas where improvements could be made.

Following the RFI, a proposed rule is issued by the HHS, followed by a comment period. The comment period is the last chance for industry stakeholders, including patients and their families, to voice their opinions about the proposed changes before the rule is finalized.

After issuing an RFI, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking on December 10, 2020, along with the standard 60-day comment period from the date of publication in the Federal Register (January 21, 2021). The comment period was due to expire on March 22, 2021.

Since the proposed changes include updates to the HIPAA Privacy Rule that will impact virtually everyone in the healthcare industry, the HHS has taken the decision to extend the comment period.

The proposed Privacy Rule changes include strengthening patient rights to access their own healthcare information, changes to facilitate greater family and caregiver involvement in the care of individuals in emergencies and health crises, changes to bring greater flexibility for disclosures in emergency situations, updates to reduce the administrative burden on healthcare providers, and changes to improve information sharing for care coordination and case management.

The HHS’ Office for Civil Rights is encouraging all stakeholders to read the proposed changes and submit their feedback. All comments received will be carefully considered and will shape the final rule which is expected to be issued in late 2021/early 2022.

“OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” said Acting OCR Director Robinsue Frohboese. “The 45-day extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.”

You can view the Proposed Modifications to the HIPAA Privacy Rule here.


Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure

This week, the Arizona Supreme Court revived a HIPAA violation lawsuit filed by a Phoenix man over a privacy violation by a pharmacy employee related to an erectile dysfunction medication prescription.

Greg Shepherd, 50, had visited his doctor for a routine medical appointment in January 2016, and his doctor provided him with an erectile dysfunction (ED) medication sample. He later received a call from the Costco pharmacy and was told that the full prescription for the ED medication was available to collect. Shepherd explained that he did not want the medication and cancelled the prescription.

Shepherd called the pharmacy a month later to check whether an unrelated prescription was ready to collect, and the pharmacy informed him again that his ED prescription was still waiting to be collected. Shepherd declined the medication a second time and told the pharmacy to cancel the prescription for the second time.

Shepherd, who had been trying to reconcile with his ex-wife, authorized her to collect an unrelated, regular prescription refill from the pharmacy. When she visited the pharmacy, the pharmacy worker provided both prescriptions to Shepherd’s ex-wife, and the pharmacy worker and his ex-wife allegedly joked about the ED medication. The ED medication was refused by his ex-wife, and when she returned to Shepherd and gave him his regular medication, she informed him that she knew about the ED medication and told him there was no chance of reconciliation. The lawsuit also alleges his ex-wife discussed the ED medication with Shepherd’s children and her friends.

Shepherd filed a complaint with Costco about the privacy violation, and Costco responded and admitted that the discussion between the pharmacy worker and Shepherd’s ex-wife about the ED medication was in violation of the HIPAA Privacy Rule and company policies and issued an apology. Shepherd then took legal action over the privacy violation, with the lawsuit citing a violation of the HIPAA Privacy Rule.

There is no private cause of action in the Federal HIPAA legislation, which means individuals do not have the right to sue for a HIPAA violation. Only the HHS’ Office for Civil Rights and state Attorneys General can take legal action against HIPAA-covered entities for violations of the Health Insurance Portability and Accountability Act Rules.

The lawsuit was dismissed by the Maricopa County Superior Court, as HIPAA does not permit private lawsuits and because state laws provide immunity for healthcare providers over privacy violations that occur when they are acting in good faith. Shepherd appealed, but the Court of Appeals affirmed the dismissal of Shepherd’s claims, aside from the claim of negligent disclosure of medical information.

While there is no private cause of action in HIPAA, Supreme Court Justice William G. Montgomery ruled that the standards of HIPAA can be used in state court to establish privacy violations have occurred in negligence claims. Costco had sought to dismiss the lawsuit based on the lack of a private cause of action, but Montgomery said in his ruling that Shepherd’s lawsuit was not solely filed over violations of the HIPAA Privacy Rule. The lawsuit also alleged violations of regulations governing pharmacies, therefore Superior Court Judge Aimee L. Anderson had dismissed the lawsuit in error.

Costco argued that state laws provide protection for companies acting in good faith, and that without a claim of bad faith it is not possible to show negligence. Montgomery ruled that the lawsuit did not have to include a claim of bad faith, as Shepherd was not aware that Costco would claim immunity under state law.

The case has now been returned to the lower court for further proceedings. While the case has been revived, Shepherd must provide clear and convincing evidence that the pharmacy and the pharmacy worker acted in bad faith by making the disclosure about the ED medication to his ex-wife.

Shepherd’s attorney, Joshua Carden, believes it is possible to demonstrate that this was a bad faith disclosure, as the prescription was cancelled twice by Shepherd and it can be proven that the Costco pharmacy was aware that Shepherd did not want the prescription.


Two Employees Fired for Impermissible PHI Disclosures to Third Parties

Humana has discovered that an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of approximately 65,000 of its members to a third party for training purposes.

Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA.

The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor.

The types of data disclosed include member names, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security numbers, insurance identification numbers, provider names, dates of service, medical record numbers, treatment information, and medical images.

While the disclosures were not made for malicious purposes and further disclosures of the PHI are not believed to have occurred, Humana is offering affected individuals 2 years of complimentary credit monitoring and identity theft protection services.

UPMC St. Margaret Fires Employee for Impermissible PHI Disclosure

UPMC St. Margaret has discovered an employee impermissibly disclosed the protected health information of certain patients to a third-party organization without authorization.

In August 2020, UPMC St. Margaret discovered that a medication administration report had been sent to an organization when there was no legitimate work purpose for doing so. The report contained information such as names, UPMC identification numbers, and medication administration data, including drug name, dose, time/date of administration, and the reason for providing the medication.

Following the discovery of the impermissible disclosure, the employee’s access to UPMC systems was terminated, as was the individual’s employment with UPMC after the investigation was completed. Affected individuals were notified about the privacy breach on March 5, 2021. No reason was provided as to the notification delay.


March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit reports to the Department of Health and Human Services’ Office for Civil Rights (OCR) for breaches that were discovered between January 1, 2020 and December 31, 2020.

HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised. That assessment must consider the nature and extent of the PHI involved and the probability of identification of individuals; the person who used or disclosed the PHI; whether the PHI was actually viewed or acquired by an unauthorized individual; and the extent to which the risk has been mitigated.

The HIPAA Breach Notification Rule requires notifications to be issued to affected individuals within 60 days of the discovery of a breach. All breaches must be reported to OCR, including security incidents and privacy breaches affecting a single patient. If the breach affects 500 or more individuals, OCR must also be notified within 60 days of discovery. When there is a smaller breach, patients must still be notified within 60 days, but OCR does not need to be notified until 60 days from the end of the calendar year in which the breach was discovered.

Breach reports should be submitted to OCR electronically via the OCR breach reporting portal. While smaller breaches can be reported ‘together’ ahead of the deadline via the portal, each incident must be submitted individually. Since details of each breach must be provided, including contact information, the nature of the incident, and the actions taken following the breach, entering these breach reports can take some time. The best practice is to report breaches throughout the year, once sufficient information about the nature, scope, and cause of each breach is known, rather than waiting until the last minute.

The failure to report small healthcare data breaches before the deadline could result in sanctions and penalties against the covered entity or business associate.
