HIPAA Compliance News

$2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 8th HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle potential violations of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to address areas of noncompliance.

Sentara operates 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in both states. OCR launched a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient had reported receiving a bill from Sentara containing another patient’s protected health information.

Sentara did report the breach to OCR, but the breach report stated that only 8 individuals had been affected, when the mailing had been misdirected and 577 individuals had had some of their PHI impermissibly disclosed. OCR determined that those 577 patients had their information merged with 16,342 different guarantor’s mailing labels.

OCR advised Sentara that under the HIPAA Breach Notification Rule – 45 C.F.R. § 164.408 – notifications were required and that the breach total needed to be updated, but Sentara persisted in its refusal to update the breach report and issue notifications. Sentara maintained that since the bills only contained names, account numbers, and dates of service, and not diagnoses, treatment information, and other medical information, it did not constitute a reportable breach.

OCR also found that Sentara Hospitals provides services for its member covered entities but had not entered into business associate agreements with its business associate until October 17, 2018.

Sentara Hospital’s parent organization and business associate, Sentara Healthcare, had been allowed to create, receive, maintain, and transmit PHI on its behalf without a BAA being in place. Sentara Hospitals had therefore not received satisfactory assurances that PHI would be safeguarded, in violation of 45 C.F.R. § 164.504(e)(2).

The corrective action plan requires Sentara Hospitals to revise its policies and procedures and ensure they are compliant with HIPAA Rules. Policies and procedures must be checked and revised at least annually, or more frequently if appropriate. OCR will be scrutinizing Sentara’s compliance efforts for a period of two years from the start date of the corrective action plan.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said OCR Director, Roger Severino.  “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

The latest settlement is another example of when HIPAA violations are uncovered in response to complaints from patients rather than data breach investigations. All it takes is for one patient to submit a complaint about a potential HIPAA violation for a compliance review to be launched. These investigations can occur at any time, which shows how important it is for healthcare organizations to ensure their policies and procedures fully meet the requirements of HIPAA.

So far in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve violations of HIPAA Rules.

The post $2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures appeared first on HIPAA Journal.

Timothy Noonan Named Deputy Director for Health Information Privacy at Office for Civil Rights

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has named Timothy Noonan Deputy Director for Health Information Privacy.

The role of the Deputy Director for Health Information Privacy is to lead the Health Information Privacy Division of the Office for Civil Rights, oversee OCR’s national health information privacy policy and outreach activities, and administer and enforce the HIPAA Privacy, Security, and Breach Notification Rules and the confidentiality provisions of the Patient Safety Rule.

Noonan has been serving as Acting Deputy Director for Health Information Privacy since January 29, 2018, following the departure of Iliana Peters. Prior to taking on the position of Acting Deputy Director for Health Information Privacy, Noonan served as OCR’s Southeast Regional Manager, before moving to OCR’s headquarters to serve as Acting Associate Deputy Director for Regional Operations and the Acting Director for Centralized Case Management Operations.

In his 22 months as Acting Deputy Director for Health Information Privacy, Noonan has helped secure more than $37 million in HIPAA civil monetary penalties and settlements, including the largest ever HIPAA penalty – The $16 million settlement with Anthem Inc. over its 78.8 million-record data breach in 2015.

Noonan has also helped create the Right of Access Enforcement Initiative, under which guidance was issued to help reinforce individuals’ right of access to their medical records and the first financial penalty for Right of Access failures was agreed with Bayfront Health St Petersburg.

Under Noonan, guidance has also been issued on Health Apps and a request for information was issued seeking feedback from the public on how the HIPAA Privacy Rule should be modified to promote coordinated, value-based health care.

 

The post Timothy Noonan Named Deputy Director for Health Information Privacy at Office for Civil Rights appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity Entity Type Individuals Affected Type of Breach
Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident
Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident
The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident
Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure
Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident
University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident
Prisma Health – Midlands Healthcare Provider 19,060 Hacking/IT Incident
South Texas Dermatopathology Laboratory Healthcare Provider 15,982 Hacking/IT Incident
Central Valley Regional Center Business Associate 15,975 Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth Healthcare Provider 14,881* Unauthorized Access/Disclosure

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October – One settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data

Posted by HIPAA Journal

The Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act, has been introduced by Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada). The new legislation will ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health data collected, received, stored, maintained, or transmitted by HIPAA-covered entities and their business associates. Some of the same information is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. That information can be used, shared, or sold, without consent. Consumers have no control over who can access their health data. The new legislation aims to address that privacy gap.

The bill prohibits the transfer, sale, sharing, or access to any non-anonymized consumer health information or other individually identifiable health information that is collected, recorded, or derived from personal consumer devices to domestic information brokers, other domestic entities, or entities based outside the United States unless consent has been obtained from the consumer.

Consumer devices are defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”

The Smartwatch Data Act applies to information about the health status of an individual, personal biometric information, and kinesthetic information collected directly through sensors or inputted manually into apps by consumers. The Smartwatch Data Act would treat all health data collected through apps, wearable devices, and trackers as protected health information.

There have been calls for HIPAA to be extended to cover app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information. The Smartwatch Data Act does not extend HIPAA to cover these companies, instead the legislation applies to the data itself. The bill proposes the HHS’ Office for Civil Rights, the main enforcer of compliance with HIPAA, would also be responsible for enforcing compliance with the Smartwatch Data Act. The penalties for noncompliance with the Smartwatch Data Act would be the same as the penalties for HIPAA violations.

“The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy,” said Sen. Rosen “This commonsense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The legislation was introduced following the news that Google has partnered with Ascension, the second largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information.

The Ascension data passed to Google is covered by HIPAA, but currently fitness tracker data is not. Google intends to acquire fitness tracker manufacturer Fitbit in 2020 and concern has been raised about how Google will use personal health data collected through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is used.

The post Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data appeared first on HIPAA Journal.

House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership

Posted by HIPAA Journal

Leaders of the House Committee on Energy and Commerce are seeking answers from Google and Ascension on Project Nightingale. The Department of Health and Human Services’ Office for Civil Rights has also confirmed that an investigation has been launched to determine if HIPAA Rules have been followed.

The collaboration between Google and Ascension was revealed to the public last week. The Wall Street Journal reported that Ascension was transferring millions of patient health records to Google as part of an initiative called Project Nightingale.

A whistleblower at Google had contacted the WSJ to raise concerns about patient privacy. A variety of internal documents were shared with reporters on the extent of the partnership and the number of Google employees who had access to Ascension patients’ data. Under the partnership, the records of approximately 50 million patients will be provided to Google, 10 million of which have already been transferred.

According to the WSJ report, 150 Google employees are involved with the project and have access to patient data. The whistleblower stated that those individuals are able to access and download sensitive patient information and that patients had not been informed about the transfer of their data in advance. Understandably, the partnership has raised concerns about patient privacy.

Both Google and Ascension released statements about the partnership after the WSJ story was published, confirming that Google was acting as a business associate of Ascension, had signed a business associate agreement, and that it was in full compliance with HIPAA regulations. Under the terms of the BAA, which has not been made public, Google is permitted access to patient data in order to perform services on behalf of Ascension for the purpose of treatment, payment, and healthcare operations.

Google will be analyzing patient data and using its artificial intelligence and machine learning systems to develop tools to assist with the development of patient treatment plans. Google will also be helping Ascension modernize its infrastructure, electronic health record system, and improve collaboration and communication. Google has confirmed in a blog post that it is only permitted to use patient data for purposes outlined in the BAA and has stated that it will not be combining patient data with any consumer data it holds and that patient data will not be used for advertising purposes.

Democratic leaders of the House Committee on Energy and Commerce wrote to Google and Ascension on November 18, 2019 requesting further information on the partnership. The inquiry is being led by House Energy Committee Chairman, Frank Pallone Jr. (D-New Jersey). The letters have also been signed by Chairwoman of the Subcommittee on Health, Anna Eshoo (D-California), Subcommittee on Consumer Protection and Commerce Chair, Jan Schakowsky (D-Illinois), and Subcommittee on Oversight and Investigations Chair, Diana DeGette (D-Colorado).

In the letters, the Committee leaders have requested information on the “disturbing initiative” known as Project Nightingale.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ protected health information.”

Ascension’s decision not to inform patients prior to the transfer of protected health information has also raised privacy concerns, as has the number of Google employees given access to the data. Further, employees of Google’s parent company Alphabet also have access to Ascension data.

The Committee leaders have requested a briefing by no later than December 6, 2019 about the types of data being used, including the data being fed into its artificial intelligence tools, and the extent to which Google and Alphabet employees have access to the data. The Committee leaders also want to know what steps have been taken to protect patient information and the extent to which patients have been informed.

The Department of Health and Human Services’ Office for Civil Rights has also confirmed that it has launched an investigation into the partnership. Its investigation is primarily focused on how data is being transferred, the protections put in place to safeguard the confidentiality, integrity, and availability of protected health information, and whether HIPAA Rules are being followed. Google has stated it will be cooperating fully with the OCR investigation.

The post House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership appeared first on HIPAA Journal.

Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion

Posted by HIPAA Journal

It has been 60 days since Greenbone Networks uncovered the extent to which medical images in Picture Archiving and Communication Systems (PACS) servers are being exposed online. In an updated report, the German vulnerability analysis and management platform provider has revealed the problem is getting worse, not better.

Picture Archiving and Communication Systems (PACS) servers are extensively used by healthcare providers for archiving medical images and sharing those images with physicians for review, yet many healthcare providers are not ensuring their PACS servers have appropriate security. Consequently, medical images (X-Ray, MRI, CT Scans), along with personally identifiable patient information, is being exposed over the Internet. Anyone who knows where to look and how to search for the files can find them, view them and, in many cases, download the images without any authentication required. The images are not accessible due to software vulnerabilities. Data access is possible because of the misconfiguration of infrastructure and PACS servers.

Between July and September 2019, Greenbone Networks conducted an analysis to identify unsecured PACS servers around the globe. The study shed light on the scale of the problem. In the United States, 13.7 million data sets were found on unsecured PACS servers, which included 303.1 million medical images of which 45.8 million were accessible. The discovery was widely reported in the media at the time, and now further information on the scale of the problem has been released.

On Monday, November 18, Greenbone Networks issued an updated report that shows globally, 1.19 billion medical images have now been identified, increasing the previous total of 737 million by 60%. The results of 35 million medical examinations are online, up from 24 million.

In the United States, the researchers found 21.8 million medical examinations and 786 million medical images. 114.5 of those images were accessible and there are 15 systems that allow unprotected Web/FTP access and directory listing. In one PACS alone, the researchers found 1.2 million examinations and 61 million medical images. The researchers had full access to the data, which included the images and associated personally identifiable information. Greenbone Networks has confirmed that in the 24 hours prior to publication of its latest report, data access was still possible. “For most of the systems we scrutinized, we had – and still have – continued access to the personal health information,” explained Greenbone Networks CMS, Dirk Schrader.

Exposed Medical Images on PACS Servers. Source: Greenbone Networks

Earlier in November, Sen. Mark. R. Warner wrote to HHS’ Office for Civil Rights Director, Roger Severino, expressing concern over the apparent lack of action from OCR over the exposed files. Far from the situation improving following the announcement about the exposed data, it appears that very little is being done to secure the PACS servers and stop further data exposure.

The types of information in the images, which is classed as Protected Health Information (PHI) under HIPAA, includes names, dates of birth, examination dates, scope of the investigations, imaging procedures performed, attending physicians’ names, location of scan, number of images and, for 75% of the images, Social Security numbers.

The exposure of this data places patients at risk of identity theft and fraud, although there are other risks. Previously, security researchers have shown that flaws in the DICOM image format allows the insertion of malicious code. Images could therefore be downloaded, have malicious code inserted, and be uploaded back to the PACS. This could all be down without the knowledge of the data owner. For the purpose of the study, Greenbone Networks only investigated reading access, not image manipulation and upload.

Images were accessed and viewed using the RadiAnt DICOM Viewer. Instructions on configuration to view images using the RadiAnt DICOM Viewer are freely available online, as is the viewer and the list of IPs where the images are stored.

Greenbone Networks estimates that the exposed medical images and PHI has a value in excess of $1 billion dollars. The data could be used for a variety of nefarious purposes including identity theft, social engineering and phishing, and blackmail.

The exposure of the data is in violation of the Health Insurance Portability and Accountability Act (HIPAA), the EU’ s General Data Protection Regulation (GDPR), and many other data privacy and security laws. The data relates to more individuals in more than 52 countries.

The post Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion appeared first on HIPAA Journal.

TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers

Posted by HIPAA Journal

TigerConnect has released its 2019 State of Healthcare Communications Report, which shows that continuing reliance on decades-old, inefficient communications technology is negatively impacting patients and is contributing to the increasing cost of healthcare provision.

For the report, TigerConnect surveyed more than 2,000 patients and 200 healthcare employees to assess the current state of communications in healthcare and gain insights into areas where communication inefficiencies are causing problems.

The responses clearly show that communication in healthcare is broken. 52% of healthcare organizations are experiencing communication disconnects that impact patients on a daily basis or several times a week. Those communication inefficiencies are proving frustrating for healthcare employees and patients alike.

The report reveals most hospitals are still heavily reliant on communications technology from the 1970s. 89% of hospitals still use faxes and 39% are still using pagers in some departments, roles, or even across the entire organization. The world may have moved on, but healthcare hasn’t, even though healthcare is the industry that stands to benefit most from the adoption of mobile technology.

The HHS’ Centers for Medicaid and Medicare Services (CMS) is pushing for fax machines to be eliminated by the end of 2020 and for healthcare organizations to instead use more secure, reliable, and efficient communications methods. Given the extensive use of fax machines, that target may be difficult to achieve.

“Adoption of modern communication solutions has occurred in every other industry but healthcare,” said Brad Brooks, chief executive officer and co-founder of TigerConnect. “Despite the fact that quality healthcare is vital to the well-being and functioning of a society, the shocking lack of communication innovation comes at a steep price, resulting in chronic delays, increased operational costs that are often passed down to the public, preventable medical errors, physician burnout, and in the worst cases, can even lead to death.”

The cost of communication inefficiencies in healthcare is considerable. According to NCBI, a 500-bed hospital loses more than $4 million each year as a result of communication inefficiencies and communication errors are the root cause of 70% of all medical error deaths.

The communication problems are certainly felt by healthcare employees, who waste valuable time battling with inefficient systems. The report reveals 55% of healthcare organizations believe the healthcare industry is behind the times in terms of communication technology compared to other consumer industries.

One of the main issues faced by healthcare professionals is not being able to get in touch with members of the care team when they need to. 39% of healthcare professionals said it was difficult or very difficult communicating with one or more groups of care team members.

Fast communication is critical for providing high quality care to patients and improvements are being made, albeit slowly. Secure messaging is now the primary method of communication overall for nurses (45%) and physicians (39%), although landlines are the main form of communication for allied health professionals (32%) and staff outside hospitals (37%), even though secure messaging platforms can be used by all groups in all locations.

Even though there is an increasing mobile workforce in healthcare, healthcare organizations are still heavily reliant on landlines. Landlines are still the top method of communication when secure messaging is not available. Landlines are also used 25% of the time at organizations that have implemented secure messaging.

Healthcare organizations that have taken steps to improve communication and have implemented secure messaging platforms are failing to get the full benefits of the technology. All too often, secure messaging technology is implemented in silos, with different groups using different methods and tools to communicate with each other. When secure messaging is not used, such as when the platform is only used by certain roles, communication is much more difficult.

The communications problems are also felt by patients. Nearly three quarters (74%) of surveyed patients who had spent at least some time in hospital in the past two years, either receiving treatment or visiting an immediate family member, said they were frustrated by inefficient processes.

The most common complaints were slow discharge/transfer times (31%), ED time with doctors (22%), long waiting room times (22%), the ability to communicate with a doctor (22%), and the length of time it takes to get lab test results back (15%). Many of these issues could be eased through improved communication between members of the care team. The survey also revealed hospital staff tend to underestimate the level of frustration that patients experience.

Communication problems play a large part in the bottlenecks that often occur in healthcare. Communication problems were cited as causing delayed discharges (50%), consult delays (40%), long ED wait times (38%), transport delays (33%) and slow inter-facility transfers (30%). There is a 50% greater chance of daily communication disconnects negatively impacting patients when secure messaging is not used.

Hospitals that communicate with patients by SMS/text or messaging apps are far more likely to rate their communication methods as effective or extremely effective. 75% of hospitals that use text/SMS and 73% that use messaging apps rate communication with patients as effective or very effective, compared to 62% that primarily use the telephone and 53% whose primary method of communicating with patients is patient portals. The survey also showed that only 20% of patients want to communicate via patient portals.

It has been established that secure messaging can improve communication and the quality of healthcare delivery, but healthcare communication is often not a strategic priority. 69% of surveyed healthcare professionals that are not using a secure messaging platform said this was due to budget constraints, 38% said money was spent on other IT priorities, and 34% cited concerns about patient data security, even though secure messaging platforms offer afar greater security than legacy communications systems.

TigerConnect has made several recommendations on how communication in healthcare needs to be improved.

  • Prioritize communication as a strategy
  • Focus on improving communication to ease major bottlenecks
  • Integrate communication platforms with EHRs to get the greatest value
  • Standardize communication across the entire organization
  • Include clinical leadership in solution design
  • Stop using patient portals to communicate with patients and start using patient messaging in the overall communication strategy.

The survey provides valuable insights into the state of communication in healthcare and clearly shows where improvements need to be made. The full TigerConnect 2019 State of Communication in Healthcare Report is available free of charge on this link (registration required).

The post TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers appeared first on HIPAA Journal.

51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights is cracking down on noncompliance with the HIPAA Right of Access and for good reason. A recent report from Ciitizen has revealed more than half of healthcare providers (51%) are not fully compliant with this aspect of HIPAA.

This is the second such report from Ciitizen, the first having been released on August 14, 2019. For the latest report, an additional 169 healthcare providers were assessed for Right of Access compliance, bringing the total assessed providers to 210.

Acting with authorization from patients, Ciitizen made requests for copies of patients records. Each healthcare provider was then given a rating based on their response, from 5 stars being fully compliant and responding within 5 days, down to 1 or 2 stars. A 1- or 2-star rating meant that were it not for multiple escalation calls to supervisors, the provider would not have been compliant.

There is some good news in the report. More providers are complying and there is less inconsistency from employee to employee. A growing number of healthcare providers are also now providing seamless access to patient records, with the percentage having increased from 30% to 40%.

The high figure or noncompliance is not because of the failure to provide patients with copies of their medical records on request, it is mostly because there needs to be “significant intervention” before requests are processed in a compliant manner.

For instance, the main reason for a 1-star rating is patients are not being provided with copies of their medical records in the digital format of their choosing. Inconsistency is also an issue. Many patients will be provided with copies of their records within 30 days, but a significant percentage will experience problems, such as having to make contact by phone on multiple occasions.

The findings from the first report were found to be broadly comparable to the second, although a far higher percentage of providers received a 1-star rating in the second report. In Cohort I (n=51), 27% received a 1-star rating and 24% received 2 stars. In Cohort II (n-169), 51% received a 1-star rating and 5% received a 2-star rating.

This can be explained by the fact that fewer escalation attempts were made by telephone after the initial request was submitted with Cohort II. That meant that the 30-day time limit for providing records was exceeded on occasion.

For Cohort II, out of the providers that were given a 1-star rating, 86% failed to provide the records in the requested format, 20% exceeded the 30-day time frame for providing records, and 1% attempted to charge excessive fees. In Cohort I, the figures were 86% format failures, 2% fee issues, and 2% failed to send the records to the designee. All requests were processed within 30 days.

It is important to point out that copies of records were requested in a specific digital format. Ciitizen said 76% of providers receiving a 1-star rating would have received a 4- or 5-star rating if they had been allowed to send records in any digital format (CD, fax, or encrypted email).

Ciitizen chose to request a specific digital format to assess compliance and better reflect real world scenarios. For instance, many patients do not have access to a fax machine and may not have a laptop/computer with a CD drive.

Ciitizen believes the use of standard open APIs would help to ensure that records could easily be provided in the format requested by the patient.

Ciitizen points out that providers are now accepting request forms by mail, email, and fax, which makes it far easier for patients to obtain a copy of their records. To date, excessive fees have not been an issue but, in some cases, this was only due to Ciitizen successfully resolving attempts by providers to charge fees that are not permitted under HIPAA by escalating the issue to supervisors.

The detailed Ciitizen report can be viewed and downloaded on this link.

Penalties for Noncompliance with HIPAA Right of Access

The penalties for noncompliance are can be severe. Willful neglect of HIPAA Rules now carries a minimum penalty of $58,490 per violation, if no corrective action has been taken, and a maximum penalty of $1,754,698 per violation, per year. OCR calculates penalties based on the number of days the organization has not been in compliance, so the maximum possible penalty is substantial.

OCR has stated on multiple occasions that HIPAA Right of Access failures are one of its main enforcement priorities. Already this year, OCR has issued one financial penalty for noncompliance with this important aspect of HIPAA and it will not be the last.

Bayfront Health St Petersburg was fined $85,000 for HIPAA Right of Access failures in September 2019 and in 2011, Cignet Health of Prince George’s County was ordered to pay a civil monetary penalty of $4,300,000 for denying patients access to their medical records.

It doesn’t take a data breach for an investigation into patient rights violations to be initiated by OCR. The Bayfront Health St Petersburg financial penalty was in response to a single complaint from a patient who had not been provided with her medical records in a timely manner.

The post 51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access appeared first on HIPAA Journal.

Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records

Posted by HIPAA Journal

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data.

Google has partnered Ascension, the world’s largest catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities.

The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information.

The project – code name Project Nightingale – had been kept under the radar prior to the WSJ Report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project Nightingale collaboration after the WSJ story was published.

In a November 11 press release, Ascension said it “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”

Google explained in its announcement that it had previously mentioned the collaboration in July 2019 in its Q2 earnings call, in which it stated, “Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes.”

Google explained in its November 11 blog post that collaboration with Ascension is focused on A) Shifting Ascension’s infrastructure to the Google Cloud platform; B) Helping Ascension implement G Suite productivity tools and; C) Extending tools to doctors and nurses to improve care. Google also stated that some of the tools it is working on are not yet active in clinical development and are still in the early testing stage, hence the code name, Project Nightingale.

Another goal of the collaboration is to use Google’s considerable computing capabilities to analyze patient data with a view to developing software that leverages its AI and machine learning technology to deliver more targeted care to patients.

Ascension said the it will be “Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

As a business associate of Ascension, Google has confirmed that access to patient data is legitimate and in full compliance with Health insurance Portability and Accountability Act (HIPAA) Rules. Google has signed a BAA with Ascension and has implemented appropriate safeguards to keep patient information secure and is in full compliance with all requirements of HIPAA.

Ascension has also confirmed that the partnership is “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

While patients may be concerned that Google now has access to some of their most sensitive data, it is not standard practice for healthcare organizations to announce collaborations with third-party companies that provide services that require access to protected health information. However, a proactive announcement rather than a reactive press release may have helped allay fears and concerns.

The post Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records appeared first on HIPAA Journal.