HIPAA Compliance News

IT Departments Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company

A recent survey of IT professionals, conducted by IT firm Ivanti, has revealed access rights to digital resources are not always terminated promptly when employees change roles or leave the company. The latter is especially concerning as there is a high risk of data theft and sabotage of company systems by former employees. There have been many reported cases of former employees taking sensitive data to new employers and conducting malicious acts in cases of termination.

The survey was conducted online in the summer of 2019 on 400 individuals, 70% of whom were IT professionals. Questions were asked about setting up permissions for new employees, modifying access rights when roles change, and terminating access rights to company resources when employees are terminated, contracts end, or employees find alternative employment.

The respondents came from a broad range of industries including healthcare. 27% of respondents said they were required to comply with the Health Insurance Portability and Accountability Act (HIPAA), 25% were required to comply with the EU’s General Data Protection Regulation (GDPR), and 23% had to comply with the Sarbanes-Oxley Act (SOX)

While policies and procedures have been established to cover the entire process, the survey revealed issues onboarding new employees, modifying permissions, and terminating access rights.

85% of employees said they did not have access to all the resources they needed to complete their job duties when they first joined the company. Surveyed IT professionals confirmed that to be the case, with 38% saying it takes an average of 2-4 days to fully onboard new starters and 27% said it takes more than a week.

From a security and compliance perspective, modifying access rights to resources is of far greater importance but even though legislation such as HIPAA calls for prompt changes to be made to prevent unauthorized data access, access right changes are slow to be applied, if they are applied at all.

Only 55% of respondents were confident that access to unnecessary resources was removed when an employee’s role in the organization changed. 26% of IT professionals said it typically takes over a week to fully deprovision employees when they leave the company and only half of surveyed IT professionals were confident that access to critical systems and data had been blocked for the most recent employee to leave the company. When asked if they knew someone who still had access to a former employer’s systems or data, 52% said yes.

The biggest perceived risks of failing to fully deprovision a former employee were sensitive data leakage (38%), cyberattacks through an unmanaged account (26%), and malicious data theft (24%).

When asked about the reasons for the onboarding, amending, and offboarding issues, the main issue was poorly defined processes, cited as a problem by 24% of surveyed IT professionals. 23% said there were issues with automation and 10% said it was due to a lack of resources. More than half of IT professionals (54%) had to make changes manually, 37% used some automation, and just 9% said processes were fully automated and were applied as soon as HR makes a change.

Unless job roles and permissions are well defined and procedures properly documented, issues will occur and without a high degree of automation, there are bound to be delays offboarding employees, even though the delays expose companies to considerable risk and potential fines for noncompliance.

The post IT Departments Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company appeared first on HIPAA Journal.

Senate Fails to Remove Ban on Funding of National Patient Identifier

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 which removed the ban, which would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the 13 standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHMIA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time. A national patient identifier would instantly solve that problem.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment receives strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is a single identifier would be used to tie medical records to an individual from birth until death, and that could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill has not had the ban removed, it is possible that an amendment could be made at a later date. AHMIA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.

The post Senate Fails to Remove Ban on Funding of National Patient Identifier appeared first on HIPAA Journal.

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, MSU professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: Demographic information (Names, email addresses, personal identifiers etc.); service and financial information (Payments, payment dates, billing amounts etc.); and Medical information (Diagnosis, treatments, medications etc.)

Social Security numbers, drivers license numbers, payment card information, bank account information, insurance information, and birth dates added to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, tax and financial fraud. A subcategory of medical information was also used for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers – Those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information – Those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations to gain access to patients’ sensitive medical information, instead healthcare organizations are attacked, and hackers take whatever data they can find in the hope that the information can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for demographic, financial and billing information, which is needed by hospital administration staff.

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised as that information allows breach victims to make a determination about the risk they face so they can make a decision about any actions they need to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web summary is not available for breaches still under investigation, but the information is included for archived breaches. The web summary is only viewable in the downloaded breach reports.

In many cases, the web description includes details of the types of information that were exposed in the breach, but not in all cases. Formalizing this requirement would ensure that all breaches detailed on the portal would have that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.

The post Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches appeared first on HIPAA Journal.

August 2019 Healthcare Data Breach Report

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the average monthly breaches in 2018 (29.5 per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.

 

August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total).

Breached Healthcare Records by Year

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in August. The average breach size was 18,833 records and the median breach size was 5,248 records.

There were 12 unauthorized access/disclosure incidents reported in August which breached 77,316 healthcare records. Those incidents breached an average of 6,443 records and the mean breach size was 1,281 records.  There were 3 loss incidents and 2 theft incidents. The theft incidents saw 17,650 records potentially compromised and 32,346 records were exposed due to the loss of paperwork or electronic devices. The mean loss breach size was 10,782 records and the mean theft breach size was 8,825 records.

Causes of August 2019 Healthcare Data Breaches

Location of Breached PHI

Phishing continues to pose serious problems for healthcare organizations. Out of the 49 reported breaches, 46.94% – 23 breaches – involved PHI stored in email accounts. The majority of those email breaches were due to phishing attacks.

There were 9 breaches reported that involved PHI stored on network servers, several of which involved ransomware. There were 7 breaches involving paper records/films, highlighting the need for enhanced physical security and administrative controls.

Four breaches involved portable electronic devices such as zip drives and laptop computers. These types of breaches have reduced considerably in recent years largely through the use of encryption, which should be implemented on all portable electronic devices used to store ePHI.

Location of Breached PHI in August 2019 Healthcare Data Breaches

Defending against phishing attacks is a major challenge, and one that can only be solved through layered defenses and staff training. Technological solutions such as spam filters, web filters, firewall rules, multi-factor authentication, and DMARC should be implemented to block phishing attempts, but the sophisticated nature of many phishing campaigns means even layered defenses may be bypassed. End user training is therefore essential. Employees must be trained how to recognize email threats and conditioned how to respond when suspicious emails land in their inboxes.

An annual training session may have been sufficient to provide protection a few years ago, but the increased number of attacks and diverse nature of email threats means a single annual training session is no longer enough. Annual classroom-based training sessions should be augmented with more regular refresher training sessions, cybersecurity bulletins, and email alerts about new threats to watch out for. Phishing simulation exercises are also very beneficial for helping identify individuals who require further training and to find out how effective training has been at reducing susceptibility to phishing attacks.

Largest Healthcare Data Breaches in August 2019

Listed below are the top ten healthcare data breaches reported in August 2019. The largest breach of the month was a phishing attack on Presbyterian Healthcare Services, which saw 183,370 healthcare records breached. The Conway Regional Health System, NorthStar Anesthesia, and Source 1 Healthcare Solutions breaches were also due to phishing attacks.

The Wisconsin Diagnostic Laboratories breach, which affected 114,985 individuals, the 33,370-record breach at Mount Sinai Hospital, and the 29,644-record breach at Integrated Regional Laboratories were all due to the hacking of business associate AMCA.

The breach at Grays Harbor Community Hospital was due to a ransomware attack and the Renown Health breach was due to the loss of a portable storage device. The cause of the breach at Timothee T. Wilkin, D.O. has not been confirmed.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Presbyterian Healthcare Services Healthcare Provider 183370 Hacking/IT Incident
Wisconsin Diagnostic Laboratories Healthcare Provider 114985 Hacking/IT Incident
Grays Harbor Community Hospital Healthcare Provider 88399 Hacking/IT Incident
Conway Regional Health System Healthcare Provider 37000 Unauthorized Access/Disclosure
Mount Sinai Hospital Healthcare Provider 33730 Hacking/IT Incident
Integrated Regional Laboratories, LLC Healthcare Provider 29644 Hacking/IT Incident
Renown Health Healthcare Provider 27004 Loss
NorthStar Anesthesia, P.A. Healthcare Provider 19807 Unauthorized Access/Disclosure
Source 1 Healthcare Solutions LLC Business Associate 15450 Hacking/IT Incident
Timothee T. Wilkin, D.O. Healthcare Provider 15113 Hacking/IT Incident

 

August 2019 Healthcare Data Breaches by Covered Entity Type

42 of the month’s 49 data breaches were reported by healthcare providers and three incidents were reported by health plans. Business associates reported 4 breaches and a further 8 incidents had some business associate involvement.

August 2019 Healthcare Data Breaches by Covered Entity Type

August 2019 Healthcare Data Breaches by State

August’s healthcare data breaches affected entities based in 26 states. Texas was the worst affected with 5 reported breaches. 4 breaches were reported by entities based in Washington state, and three breaches were suffered by entities based in Arkansas, New York, and Pennsylvania.

California, Georgia, Illinois, Massachusetts, Minnesota, Missouri, New Mexico, Ohio, Oregon, and Wisconsin each experienced 2 breaches and one breach was reported by an entity based in each of Connecticut, Florida, Iowa, Kansas, Michigan, Nevada, New Jersey, Oklahoma, Rhode Island, Tennessee, and Virginia.

HIPAA Enforcement Activity in August 2019

There were no civil monetary penalties or settlements between the HHS and HIPAA-covered entities/business associates in August, and also no HIPAA-related enforcement activities by state attorneys general.

AMCA Data Breach Update

The AMCA data breach affected at least 24 healthcare organizations, 23 of which have now submitted breach reports to the Department of Health and Human Service’ Office for Civil Rights. The confirmed breach total currently stands at 26,043,743 records with a further 16,100 records expected to be added to that total.  These breaches were mostly reported to OCR in July and August.

Healthcare Organization Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,500,000
2 LabCorp 10,251,784
3 Clinical Pathology Associates 1,733,836
4 Carecentrix 467,621
5      Laboratories/Opko Health 425,749
6 American Esoteric Laboratories 409,789
7 Sunrise Medical Laboratories 401,901
8 Inform Diagnostics 173,617
9 CBLPath Inc. 141,956
10 Laboratory Medicine Consultants 140,590
11 Wisconsin Diagnostic Laboratories 114,985
12 CompuNet Clinical Laboratories 111,555
13 Austin Pathology Associates 43,676
14 Mount Sinai Hospital 33,730
15 Integrated Regional Laboratories 29,644
16 Penobscot Community Health Center 13,299
17 Pathology Solutions 13,270
18 West Hills Hospital and Medical Center / United WestLabs 10,650
19 Seacoast Pathology, Inc 8,992
20 Arizona Dermatopathology 5,903
21 Laboratory of Dermatology ADX, LLC 4,082
22 Western Pathology Consultants 4,079
23 Natera 3,035
24 South Texas Dermatopathology LLC TBC (Est. 16,100)
Total Records Breached 26,043,743

The post August 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Webinar: Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age

Social media is a potential minefield for HIPAA violations. One impulsive response to an online review could violate the privacy of a patient, breach HIPAA Rules, and leave and the practice at risk of a significant HIPAA violation penalty.

In the digital age, healthcare providers have to deal with a whole new set of privacy concerns. Social media cannot be avoided, so it is important to understand what must be done to protect the business.

“Proactively generating reviews and also responding to them effectively, in a timely manner is essential to marketing your practice. However, without proper precaution, health care providers could face serious privacy breaches and even HIPAA violations,” said Liam.

In the webinar, Liam will explain how healthcare providers can respond to reviews in a manner that minimizes legal risk, while remaining fully compliant with HIPAA regulations.

Register for our upcoming webinar to find out how to manage your online reputation–without risking your practice.

Webinar Details:

Date:    Tuesday, September 17th

Time:    2:00 pm ET/11:00 am PT

Register Here

The post Webinar: Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age appeared first on HIPAA Journal.

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records.

The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage.

HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty.

This week, OCR has announced that the first settlement has been reached with a HIPAA-covered entity under the right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has agreed to pay OCR $85,000 to settle the case.

OCR launched an investigation into a potential HIPAA violation at Bayfront Health following receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had requested her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months after the request was made, she had still not been provided with a full copy of her records.

OCR confirmed that the patient made the request on October 18, 2017 and was informed by Bayfront Health that the records could not be found. Two further requests were sent to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete response was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be provided to the patient. Those records were provided directly to the patient on February 7, 2019.

OCR determined that the failure to provide access to the patient’s designated record set was a clear violation of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable financial penalty.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino.  “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty, Bayfront Health has agreed to implement a corrective action plan and will be monitored by OCR for the following 12 months.

The post OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative appeared first on HIPAA Journal.

Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record

A majority of patients are comfortable with sharing their biospecimens and EHR data for research purposes, according to a new study published in JAMA Network Open; however, most patients want to restrict the sharing of at least one part of their medical record. Patients also exhibited preferences as to the institutions with whom their data and biospecimens were shared.

Certain legislation covering the use of EHR data and biospecimens allow patient data to be shared for research purposes, either in identifiable or de-identified form, unless the patient explicitly opts out of data sharing. The researchers note that this all or nothing approach is problematic, as many patients are concerned about sharing certain types of information due to fears about secondary uses of their data.

The researchers investigated the attitudes of 1,246 adults in the United States about a tiered consent approach to EHR record sharing. This approach splits an individual’s medical records into smaller parts, which allows patients to consent to sharing certain parts of their medical records and restricting sharing on others. The researchers also investigated attitudes toward sharing EHR or partial EHR data with different types of researchers.

A small percentage of patients – 46 individuals (3.7%) – declined to share their EHR data with their own healthcare provider, 352 individuals (28.3%) declined sharing their data with nonprofit organizations, and 590 (47.4%) declined to share their data with for-profit organizations. 291 individuals (23.4%) said they would be happy to share data with any researcher.

Overall, 909 patients (72.9%) were willing to share their EHR data and biospecimens selectively and, in general, there was a preference for sharing data within the organization where patients received medical care, followed by nonprofit healthcare organizations. Patients were least willing to share data with for-profit organizations. The majority of patients said at least one item on their medical record should not be shared with others for research purposes.

“In a system in which people can choose where to receive care, it seems plausible that a patient selects to receive care in the most trusted institution, and this trust may more easily transfer to the care of data and biospecimens,” wrote the researchers.

By giving patients the choice of sharing subsets of their EHR data, patients would appear to be more open to sharing their records for research purposes. The researchers also found that there was a marked difference in the number of patients willing to share their data based on the method of obtaining consent. When opt-in forms were used, patients were willing to share fewer data items than when opt-out forms were used.

“We found that a tiered-permission system that allowed for specific removal of data items or categories of data could be implemented in practice and that it mattered to participants with whom the EHR data and biospecimens would be shared because there were differences in sharing preferences according to the researchers’ affiliations,” said the researchers.

The post Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record appeared first on HIPAA Journal.

Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, South Carolina

Alex Azar, Secretary of the Department of Health and Human Services (HHS) has declared a public health emergency (PHE) in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian.

The announcement follows the presidential PHE in the above areas as the states prepare for when the hurricane makes landfall. The declaration was accompanied by the announcement of a limited waiver of HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule, as mandated by the Project Bioshield Act of 2004 of the Social Security Act. The waiver only applies in the emergency areas and for the period of time covered by the PHE.

The waiver applies to hospitals that have implemented their disaster protocol, and only for up to 72 hours from when the disaster protocol was implemented, unless the PHE declaration terminates before that 72-hour period has elapsed.

Once the PHE comes to an end, hospitals are required to comply with all requirements of the HIPAA Privacy Rule for all patients, including those still under the care of the hospital when the PHE ends. The HHS notes that during a PHE, the requirements of the HIPAA Privacy and Security Rules remain in place.

Even in the absence of a HIPAA waiver, the HIPAA Privacy Rule permits the sharing of patient information with friends, family, public health officials, and emergency personnel. Entities can share patient information for the purposes of providing treatment, for public health activities, and to lessen a serious threat to public health or safety. Information can also be shared with patients’ friends, family and other individuals involved in their care to ensure that proper care and treatment can be provided.

Under the terms of the HIPAA waiver, the HHS agrees to waive HIPAA sanctions and penalties for the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

Further information on the waiver and HIPAA privacy and disclosures of PHI in emergency situations can be found on the following link: https://www.hhs.gov/sites/default/files/hurricane-dorian-hipaa-bulletin.pdf

The post Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, South Carolina appeared first on HIPAA Journal.

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data.

Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared.

Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is sufficiently low.

The lawsuit alleges UCMC failed to remove all the necessary information from the data prior to it being shared with Google. In addition to the dates and times when patients checked in/out of hospital, the lawsuit alleges “copious free-text notes” were also shared with Google.

The time stamps place each patient at the hospital at a specific time, which places patient privacy at risk. The lawsuit alleges the inclusion of time stamps violates the provisions of the safe harbor de-identification method and that UCMC did not obtain consent from patients to share their data with Google.

The main issue is Google already stores vast quantities of user data from its “prolific data mining” activities and that the tech giant is in a position where it could identify all individuals from the medical records provided by UCMC.

The lawsuit even goes as far as to suggest the collaboration between the medical center and the hospital is an attempt to “pull off what is likely the greatest heist of consumer medical records in history.”

Last week, UCMC and Google filed motions to have the lawsuit dismissed. The defendants claim that a secure process was employed to de-identify patient data and that the process was fully compliant with HIPAA Rules. Further, Google argues that the plaintiff and other class members do not allege Google has used its data to re-identify patients, only that the company has the capability of doing so. Consequently, no injury has been sustained as a result of the sharing of information and even if an injury had been sustained, the case should be dismissed as there is no private right of action under HIPAA.

The defendants also argue that the definition of the intrusion provided by the plaintiffs does not fall under HIPAA as each patient voluntarily provided their medical information to the medical center. Instead, it falls under the Consumer Fraud and Deceptive Business Practices Act.

The post UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit appeared first on HIPAA Journal.