HIPAA Compliance News

California Dentists at Risk of Financial Penalties for Slow Release of Copies of Dental Records

Posted by HIPAA Journal

A recent report from the Dental Board of California has revealed dentists in the state are failing to provide patients with copies of their dental records in a timely manner, in violation of state laws and the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule.

Under state law (BPC §1684.1), dental practices are required to provide patients with a copy of their dental records within 15 days of a request being submitted. HIPAA (45 CFR § 164.524) requires covered dental offices to provide patients with a copy of their dental records within 30 days of the request being submitted. The HIPAA Privacy Rule also requires dentists and other HIPAA-covered entities to provide a copy of records in the format requested by the patient, provided that the request is reasonable, and the practice has the capability to provide records in the requested format.

The Dental Board has the authority to cite and fine practices that are found to have violated state laws and its 2018 Sunset Review Report for the California Legislature says citations have increased by 36% in each of the past 4 fiscal years. The failure to provide copies of dental records before the 15-day deadline is one of the five most commonly cited violations of state laws.

The Dental Board explained that “Citations may be used when patient harm is not found, but the quality of care provided to the consumer is substandard.” The Board can issue fines of up to $500 per day to a maximum of $5,000 for failing to provide copies of dental records to patients within the 15-day deadline.

Dental records can include x-ray images, photographs, test results, models, treatment information, and dentist’s notes, which should all be provided to patients on request. In addition to Dental Board fines, untimely responses to patient requests and the failure to provide copies of health information could result in a financial penalty for noncompliance with HIPAA.

While it would be unusual for state attorneys general to issue financial penalties for this aspect of noncompliance with HIPAA, one of the first financial penalties issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) for noncompliance with HIPAA was for a failure to provide patients with copies of their health records. Cignet Health of Prince George’s County had to pay OCR a $4,300,000 civil monetary penalty in 2011 to resolve the HIPAA violation.

Further, OCR explained at HIMSS19 that one of the aspects of HIPAA noncompliance that will be subject to enforcement actions in 2019 is violations of the HIPAA Privacy Rule’s right of access requirement.

Any dental office found to be routinely denying patients access to their health data or willfully failing to adhere to the 30-day deadline could be issued with a sizable financial penalty for noncompliance.

The post California Dentists at Risk of Financial Penalties for Slow Release of Copies of Dental Records appeared first on HIPAA Journal.

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Posted by HIPAA Journal

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medial information was disclosed on Twitter and Facebook.

Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy investigation.

Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials.

Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information.

Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the name of the employee in the letter sent in response to her complaint, Graziano learned that the individual was Jessica Wagner, the current girlfriend of her ex-boyfriend David Wirth. Both individuals have also been named in the legal action.

In her lawsuit, Wagner is alleged to have accessed Graziano’s medical records for a period of 37 minutes, then impermissibly disclosed some of her medical information to Wagner, who then posted the information on social media sites with intent to cause Graziano harm.

Northwestern Medicine has confirmed that appropriate disciplinary action has been taken against the employee over the HIPAA violation and the Department of Health and Human Services has been notified of the HIPAA breach. It is unclear whether criminal charges have been filed against Wagner. CBS Chicago reports that Wagner was fired over the HIPAA violation.

Northwestern Medicine has issued an apology and has offered Graziano 12 months of credit monitoring services as a precaution against identity theft and fraud.

The post Northwestern Medicine Sued Over Medical Information Disclosure on Twitter appeared first on HIPAA Journal.

Is DocuSign HIPAA Compliant?

Posted by HIPAA Journal

Can DocuSign be used by healthcare organizations in connection with electronic protected health information (ePHI) without violating HIPAA Rules? Is DocuSign HIPAA compliant?

DocuSign is a San Francisco-based provider of electronic signature technology and transaction management services. Via DocuSign, companies can send documents such as contracts to customers and business associates and obtain their electronic signatures to confirm that they have read the document and agree to any terms and conditions contained therein.

In healthcare, eSignature services can streamline administrative tasks and save many hours of chasing up paperwork. The DocuSign solution can be used by healthcare providers for a range of different purposes, including obtaining eSignatures on SLAs, business associate agreements, credentialing forms, and patient consent forms.

However, if the service is used in connection with any electronic protected health information, DocuSign would be classed as a business associate. HIPAA requires all business associates to enter into a HIPAA-compliant business associate agreement with covered entities prior to being provided with or given access to ePHI.

Is DocuSign HIPAA Compliant?

When considering if DocuSign is HIPAA compliant, a key test is whether the company is willing to sign a BAA with a HIPAA-covered entity. On the DocuSign website, the company states that it is prepared to sign a BAA and has already done so with many healthcare providers and life science customers.

DocuSign also confirms that while the company does not access ePHI, any ePHI that passes through its service is secured. DocuSign also confirms that it is in full compliance with the privacy and security requirements of HIPAA and its service meets HHS standards for digital signatures.

In order to obtain a BAA, customers must first sign up for an Enterprise account with DocuSign and they must ensure the signed BAA is obtained prior to using the service with any ePHI.

Provided a BAA is obtained, DocuSign can be considered a HIPAA compliant eSignature service.

The post Is DocuSign HIPAA Compliant? appeared first on HIPAA Journal.

February 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

Healthcare data breaches by month

The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month.

Records exposed in Healthcare data breaches by month

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents involved 3.1% of all compromised records and 0.65% of records were compromised in the theft incidents.

Causes of Healthcare data breaches in February 2019

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack that saw multiple employees’ email accounts compromised, and one email account was compromised in a phishing attack on Rutland Regional Medical Center that contained the ePHi of more than 72,000 patients.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 UW Medicine Healthcare Provider 973,024 Hacking/IT Incident
2 Columbia Surgical Specialist of Spokane Healthcare Provider 400,000 Hacking/IT Incident
3 UConn Health Healthcare Provider 326,629 Hacking/IT Incident
4 Rutland Regional Medical Center Healthcare Provider 72,224 Hacking/IT Incident
5 Delaware Guidance Services for Children and Youth, Inc. Healthcare Provider 50,000 Hacking/IT Incident
6 Rush University Medical Center Healthcare Provider 44,924 Unauthorized Access/Disclosure
7 AdventHealth Medical Group Healthcare Provider 42,161 Hacking/IT Incident
8 Reproductive Medicine and Infertility Associates, P.A. Healthcare Provider 40,000 Hacking/IT Incident
9 Memorial Hospital at Gulfport Healthcare Provider 30,642 Hacking/IT Incident
10 Pasquotank-Camden Emergency Medical Service Healthcare Provider 20,420 Hacking/IT Incident

 

Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

Location of breached PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in February 2019 with 24 incidents reported. There were five breaches reported by health plans, and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

February 2019 healthcare data breaches by covered entity

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines nor agreed any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935.000 settlement between California and Aetna.

The post February 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Are Google Home and Google Assistant HIPAA Compliant?

Posted by HIPAA Journal

Can Google Home and Google Assistant be used in medical practices? Is Google Assistant HIPAA compliant or would using it in the workplace constitute a HIPAA violation?

Connected home assistants such as Google Home devices are growing in popularity. According to a 2018 study by market research firm Cognilytica, 51% of people use voice assistants in the car, 39% use them at home, and 1% use them at work. Apple’s Siri has the greatest market share followed by Google Assistant, which powers Google Home smart speakers.

It may be tempting to bring a Google Home device into the office and use it to take notes, get quick answers to questions, launch applications, and schedule reminders and calls. In a normal office environment, a Google Home device could possibly be used, but in healthcare, there is considerable potential for a HIPAA violation.

Virtual assistants are being developed for use in healthcare and they have potential to change how physicians interact with medical records and deliver patient care, but currently most virtual assistants lack the required security safeguards to satisfy the requirements of HIPAA.

Google Home devices can be configured to record audio and video, which in a healthcare setting could easily violate the privacy of patients. If any medical information is dictated or otherwise recorded, that would be classed as a HIPAA violation unless the voice technology was covered by a business associate agreement.

Is Google Assistant HIPAA Compliant?

Google does sign business associate agreements with healthcare companies for a wide range of its products, but currently neither Google Home nor Google Assistant are covered by its BAA. Until such time that Google confirms that its voice assistant meets the requirements of HIPAA and includes devices and the voice technology that power them into its BAA, neither Google Home nor Google Assistant are HIPAA compliant and should not be used in a healthcare setting.

The post Are Google Home and Google Assistant HIPAA Compliant? appeared first on HIPAA Journal.

Is Calendly HIPAA Compliant?

Posted by HIPAA Journal

Calendly is a popular tool that is used by many businesses to schedule meetings and appointments, but can Calendly be used by healthcare organizations? Is Calendly HIPAA compliant?

Businesses can waste a considerable amount of time scheduling appointments and meetings. Lengthy email exchanges and phone tag are commonplace. Calendly aims to eliminate the time wasted attempting to connect with others and the platform can reduce no-show rates through automated email and text reminders. The solution integrates with Google Calendar, iCloud calendar, Office 365, Salesforce, and GoToMeeting and other popular software platforms and can also be integrated directly into business websites to allow customers to schedule appointments directly.

The platform is used by healthcare organizations for scheduling internal meetings, but in order to use Calendly with any electronic protected health information, healthcare organizations would first need to enter into a HIPAA-compliant business associate agreement with Calendly.

Is Calendly HIPAA Compliant?

Calendly explains on its website that the platform is secure and all data uploaded is protected. Data sent to and stored by the scheduling tool is protected by 256-bit encryption and Calendly is hosted on Amazon Web Services, which is a HIPAA-compliant hosting solution. Calendly cannot read medical charts and other private information as it only reads the busy/free status of calendar events to avoid double bookings.

While secure, Calendly explains in the help section of its website that “Calendly should not be used for collecting Protected Health Information” and that the solution should not be used for asking “any personal or medical questions in the question form invitees complete when scheduling.” Calendly also does not sign business associates with HIPAA covered entities.

As such, Calendly is not a HIPAA-compliant scheduling tool. The tool can be used by healthcare organizations, just not in connection with any ePHI. Healthcare organizations should ensure that only HIPAA-compliant scheduling tools are used for booking patient appointments.

The post Is Calendly HIPAA Compliant? appeared first on HIPAA Journal.

Is Evernote HIPAA Compliant?

Posted by HIPAA Journal

Evernote is a useful cloud-based service that allows users to take notes, create to do lists, plan projects, and collaborate with teams, but is Evernote HIPAA compliant? Can Evernote be used in healthcare by physicians and other healthcare professionals without violating HIPAA Rules?

Evernote serves as an easily accessible repository for a wide range of information, including documents, audio files, images, and video files. One of the key features of Evernote which makes it so useful is the ability to automatically synch files and notes across multiple devices.

Evernote is available as a free app or a paid service for businesses and does incorporate access controls and security features such as single sign-on (SSO) and two-factor authentication to prevent unauthorized use of the applications.  Evernote stores data on the Google Cloud platform, which can be HIPAA compliant. Encryption is also supported by Evernote for Mac and Evernote for Windows Desktop. In-note encryption uses an AES 128-bit key.

Evernote is designed to make data sharing as easy as possible, which should raise a red flag if you are thinking about using Evernote with protected health information or files containing protected health information – patients documents or dictated notes for instance.

Is Evernote HIPAA Compliant?

So, with the above security controls, is Evernote HIPAA compliant? While the security controls mentioned above do offer some protection against unauthorized access, they are not currently sufficient to meet the requirements of the HIPAA Security Rule. Further, Evernote does not sign business associate agreements with HIPAA covered entities.

Therefore, Evernote is not a HIPAA compliant note taking app and it should therefore not be used in connection with any protected health information.

There are alternatives that can be used in its place.  You can read more about these on the links below:

Is Google Keep HIPAA Compliant?

Is Microsoft OneNote HIPAA Compliant?

The post Is Evernote HIPAA Compliant? appeared first on HIPAA Journal.

Is Return Path HIPAA Compliant?

Posted by HIPAA Journal

Return Path is an email marketing and optimization platform that allows businesses to automate and analyze their email marketing campaigns but is Return Path HIPAA compliant? Can the email marketing platform be used by healthcare organizations without violating HIPAA Rules?

Sending Marketing Emails to Patients and Health Plan Members

Before any healthcare organization can use an email service for sending marketing emails that contain electronic protected health information (ePHI) they must first:

  • Obtain consent from patients/plan members to receive marketing communications
  • Ensure that the service provider has appropriate security controls to protect the confidentiality of ePHI stored by or used by the platform
  • Ensure that ePHI can be uploaded to the platform securely without placing the information at risk of compromise
  • Enter into a HIPAA-compliant business associate agreement (BAA) with the service provider

Marketing messages are not included in the HIPAA Privacy Rule’s TPO definition. Consent must be obtained in writing from patients/members before ePHI can be used for marketing purposes.

A BAA is required, as the uploading of ePHI to a mailing service counts as a disclosure of ePHI. The service provider is considered a business associate and is required to be informed of its responsibilities with respect to HIPAA and must agree to abide by HIPAA Rules.

Provided the above conditions are met, a HIPAA-covered entity can use a third-party platform for sending marketing emails.

Is Return Path HIPAA Compliant?

Return Path naturally has a range of security protections in place to ensure the confidentiality, integrity, and availability data uploaded to its platform. However, Return Path makes no mention of HIPAA or business associate agreements in its terms and conditions.

Return Path also states in its T&Cs that it is the responsibility of users of its platform to ensure they comply with appropriate laws and regulations.

So, is Return Path HIPAA compliant? Without a BAA, Return Path is not a HIPAA compliant email service and cannot therefore be used in connection with any ePHI.

The post Is Return Path HIPAA Compliant? appeared first on HIPAA Journal.

Is Mandrill HIPAA Compliant?

Posted by HIPAA Journal

Is Mandrill HIPAA compliant? Can MailChimp’s transactional email service be used by healthcare organizations without violating HIPAA Rules?

Use of Mandrill by Healthcare Organizations

Mandrill is a transactional email offering from MailChimp, the leading automated email marketing platform. Mandrill allows businesses to automatically send emails to customers and individuals that interact with their web apps and connects to MailChimp via an API.

Transactional emails differ from marketing emails in that they are programmed to be triggered by events such as password resets, confirmation of placement of orders, welcome messages, and sending receipts. In contrast to marketing emails, which require an opt-in from patients/plan members under HIPAA Rules, in most cases, transactional emails do not.

That does not mean that there are no HIPAA issues for healthcare organizations that are considering using Mandrill. Any email service used by a healthcare organization that requires electronic protected health information (ePHI) to be uploaded would have to have privacy and security safeguards built into the platform to prevent unauthorized ePHI access and an audit trail would need to be maintained. Any ePHI uploaded would need to be secured in transit, and stored data would need to be encrypted.

If the service is to be used with any ePHI, the service provider would be classed as a business associate and a business associate agreement would therefore be required.

Most service providers that support HIPAA compliance and are prepared to enter into a business associate agreement with HIPAA-covered entities make it clear that they support HIPAA compliance and offer a BAA.

Is Mandrill HIPAA Compliant?

Users of Mandrill are bound by the terms and conditions of MailChimp. You can find out more about Mailchimp and HIPAA compliance here, but to summarize that post, MailChimp states that “You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA” and since, at the time of writing, MailChimp does not offer a BAA, neither MailChimp or Mandrill are HIPAA compliant.

MailChimp and Mandrill can be used by healthcare organizations, but since they are not HIPAA compliant they cannot be used in connection with any ePHI.

The post Is Mandrill HIPAA Compliant? appeared first on HIPAA Journal.