HIPAA Compliance News

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

Posted by HIPAA Journal

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients.

Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items.

Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office.

The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email.

Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per individual. Bazile along with co-defendants Joshua Hamilton and Ahmeen Evans used the credit to purchase Apple gift cards that were used by buy tablets and laptop computers totaling more than $700,000.

Bazile and Haughton had already been convicted and sentenced to lengthy jail terms for their role in the identity theft scheme. Bazile and Haughton were convicted of Grand Larceny in the Second Degree in 2015 and were sentenced to serve 3 to 9 years and 1 and 1/3 to 4 years in jail respectively. Evans was also convicted of Grand Larceny in the Second Degree and was sentenced to 5 years’ probation.

Vuong was found guilty of 189 counts against her including one count of Grand Larceny in the Second Degree, 49 counts of Grand Larceny in the Third Degree, 63 counts of Identity Theft in the First Degree, 45 counts of Grand Larceny in the Fourth Degree, 30 counts of Identity Theft in the Second Degree, and one count of Unlawful Possession of Personal Identification Information in the Second Degree.

The post 2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office appeared first on HIPAA Journal.

HHS Files Motion to Dismiss Ciox Health Lawsuit

Posted by HIPAA Journal

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing.

Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access.

Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations.

In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS explains that the claims made by Ciox Health lack standing as the rulemaking it is challenging only applies to HIPAA-covered entities. Ciox Health a business associate, not a covered entity. HHS points out Ciox Health is challenging a rule that the company is not subject to. Further, the guidance which has been challenged has no force or effect of law and as such, there is nothing for Ciox Health to challenge.

The fees that Ciox Health can charge for providing copies of medical records are not limited by HIPAA. The HIPAA Rule that the firm is challenging is concerned with the fees that covered entities can charge patients. The fees that Ciox Health charges covered entities is a matter for Ciox Health to resolve with the covered entities that it serves.

HHS explained the claims of Ciox Health lack standing and a challenge has been made against “a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action,” also  CIOX Health failed to establish that it has suffered an injury as a result of the 2013 rulemaking and 2016 guidance and there are no constitutional grounds to make the claims.

“Because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue.”

The post HHS Files Motion to Dismiss Ciox Health Lawsuit appeared first on HIPAA Journal.

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

Posted by HIPAA Journal

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

Healthcare employees should be trained how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study on 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture.  More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year and it is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.

The post Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks appeared first on HIPAA Journal.

HIPAA Compliance for Pharmacies

Posted by HIPAA Journal

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe.

Key Elements of HIPAA Compliance for Pharmacies

The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below.

Conduct risk analyses – A comprehensive, organization wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a onetime checkbox item. Risk analyses must be conducted regularly, such as when there is a change to business practices or new technology is introduced.

Safeguard PHI at all times – One of the most important aspects of HIPAA compliance for pharmacies is ensuring safeguards are implemented to ensure the confidentiality, integrity, and availability of physical and electronic PHI. Pharmacies can decide on the best safeguards to implement with decisions guided by the findings of the risk analysis.

Appoint a privacy officer – A privacy officer must be appointed. Any member of staff can be your designated privacy officer. That person’s responsibility is to ensure policies and procedures are followed, documentation and filing is performed correctly, and patient requests for PHI are responded to in a timely manner. The privacy officer must also monitor for changes to HIPAA regulations and work with the owner or manager to ensure continued compliance.

Obtain authorizations – HIPAA permits the use of PHI for treatment purposes, requesting or receiving payment, or pharmacy operations. Any other use or disclosure of PHI must be authorized by the patient in writing prior to PHI being used or disclosed.

Obtain business associate agreements – A third party that needs access to PHI or copies of PHI to perform a service on behalf of the pharmacy is classed as a business associate and is also required to comply with HIPAA Rules. A business associate must provide reasonable assurances to the covered entity, by means of a business associate agreement, that the requirements of HIPAA have been understood and that HIPAA Rules will be followed.

Ensure PHI is not impermissibly disclosed – Accidentally or deliberately disclosing PHI for reasons not permitted by the Privacy Rule can cause considerable harm to patients. Policies and procedures must be developed and implemented to reduce the risk of impermissible disclosures. Care must be taken not to disclose more than the ‘minimum necessary’ PHI.

Provide patients with copies of their PHI – The HIPAA Privacy Rule gives patients the right to obtain copies of their PHI on request. While that right is typically exercised with healthcare providers, pharmacies must also provide copies of pharmacy records related to an individual if requested.

Dispose of PHI correctly – PHI such as prescription labels and documents must be disposed of in a manner that prevents the PHI from being viewed or reconstructed. Paperwork such as labels should be shredded, pulverized, pulped, or incinerated. ePHI on electronic devices must be permanently erased before disposal.

Provide training to staff – All pharmacy staff are required to comply with HIPAA Rules, as well as volunteers and interns that are required to come into contact with PHI. All staff must be trained and made aware of HIPAA Rules that apply to them and what constitutes PHI.  Training should be provided as soon as possible with refresher training provided regularly. Pharmacies must also provide security awareness training to staff.

Inform patients of privacy practices – All HIPAA covered entities must document their privacy practices and share that information with patients. Signatures should be obtained from patients confirming they have received the notice of privacy practices.

Notify patients/OCR of a privacy breach – Patients must be informed when their PHI has been exposed or stolen and OCR must also be notified. Notifications must be sent to patients and OCR within 60 days of the discovery of a breach. OCR can be notified of a breach impacting fewer than 500 individuals no later than 60 days from the end of the calendar year in which the breach occurred.

Since HIPAA compliance for pharmacies can be complex and the penalties for noncompliance severe, we suggest contacting a compliance specialist who will be able to walk you through the steps you need to take to comply with all aspects of HIPAA Rules. Alternatively, if you are unsure about any aspect of HIPAA compliance for pharmacies, contact a healthcare attorney.

Penalties for HIPAA Violations by Pharmacies

It doesn’t matter how large or small your business is, HIPAA compliance for pharmacies is not optional. There have been several penalties for HIPAA violations by pharmacies over the past few years. Not only can HIPAA violations attract a significant fine, they can also seriously damage the reputation of your pharmacy.

The HHS’ Office for Civil Rights has increased enforcement activity in the past two years and fines and settlements over HIPAA violations are now far more common. State attorneys general are also taking action over privacy breaches and are pursuing financial settlements when PHI is exposed or impermissibly disclosed. State attorneys general can issue fines up to $250,000 for violations of the same type that are experienced in a single year. The HHS’ Office for Civil Rights can issue fines up to $1.5 million per violation category, per year.

  • In 2009, CVS Pharmacy settled potential HIPAA violations with OCR for $2.25 million after it was discovered prescription bottles and receipts had been disposed of improperly.
  • In 2010, Rite Aid Corp settled with OCR for $1 million to resolve violations of HIPAA relating to the improper disposal of PHI.
  • In 2014, Walgreens was fined $1.4 million for the impermissible disclosure of a patient’s PHI. A pharmacist shared a patient’s PHI with her husband and at least three other people.
  • In 2015, Cornell Pharmacy, a small pharmacy in Denver, was fined $125,000 for the improper disposal of PHI.

The post HIPAA Compliance for Pharmacies appeared first on HIPAA Journal.

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Posted by HIPAA Journal

Virtua Medical Group – A network of physicians affiliated to over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication.

The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes.

Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.

The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient data to be accessed by anyone without the need for authentication.

Further, the content of the FTP server was indexed by search engines and could be found by typing in search terms contained in the notes. For example, typing in a patient’s name would allow the information to be found, which happened on at least one occasion. A patient found portions of her medical records online after performing a Google search.

The types of information exposed included names, medical diagnoses, and prescriptions of as many as 1,654 patients who had previously received medical services at one of the three medical centers.

When the privacy breach was discovered, Best Medical Transcription reinstated the password protection on the FTP server, although caches of the information remained accessible online and could still be found by performing a Google search.  The password was reinstated on January 15, 2016, although a week later, Virtua Medical Group received a call from a patient whose daughter’s medical records were still accessible online.

At that point, while Best Medical Transcription was aware of the lack of password and a potential breach, it had not notified Virtua Medical Group that data had been exposed. The investigation by Virtua Medical Group revealed 462 patients’ records had been indexed by the search engines. Virtua Medical Group submitted individual requests to Google to have the information taken down and patients were notified about the breach in March.

An investigation into the breach by the New Jersey Division of Consumer Affairs revealed there had been multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. While the breach affected a business associate of Virtua Medical Group, it was the medical group that was penalized.

The Division of Consumer Affairs alleged there had been a failure to conduct a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI and insufficient security protections had been implemented to reduce risk.

A security awareness and training program had not been implemented for the entire workforce, there were unacceptable delays in identifying and responding to the breach, no procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site, no written log of the number of times the FTP site was accessed had been maintained, and there had been an impermissible disclosure of patients’ ePHI.

Those errors and oversights constituted violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.

In addition to the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation costs, Virtua Medical Group has agreed to implement a robust corrective action plan which includes hiring a third-party security professional to perform a comprehensive risk analysis relating to the storage, transmission and receipt of ePHI and to perform further risk assessments every two years.

The post Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law appeared first on HIPAA Journal.

What Happens if You Break HIPAA Rules?

Posted by HIPAA Journal

HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties, and what happens if you break HIPAA Rules?

What Happens if You Break HIPAA Rules?

If you break HIPAA Rules there are four potential outcomes:

  1. The violation could be dealt with internally by an employer
  2. You could be terminated
  3. You could face sanctions from professional boards
  4. You could face criminal charges which include fines and imprisonment

What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:

  1. The nature of the violation
  2. Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated
  3. Whether action was taken to correct the violation
  4. Whether there was malicious intent or HIPAA Rules were violated for personal gain
  5. The harm caused by the violation(s)
  6. The number of people impacted by the violation
  7. Whether there was a violation of the criminal provision of HIPAA

Civil Penalties for HIPAA Violations

Civil penalties for HIPAA violations start at $100 per violation by any individual who violates HIPAA Rules. The fine can rise to $25,000 if there have been multiple violations of the same type. These penalties are applied when the individual was aware that HIPAA Rules were being violated or should have been aware had due diligence been exercised. If there was no willful neglect of HIPAA Rules and the violation was corrected within 30 days from when the employee knew that HIPAA Rules had been violated, civil penalties will not apply.

Criminal Penalties for HIPAA Violations

The criminal penalties for HIPAA violations can be severe. The minimum fine for willful violations of HIPAA Rules is $50,000. The maximum criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. In addition to the financial penalty, a jail term is likely for a criminal violation of HIPAA Rules.

As with the penalties for HIPAA violations for HIPAA covered entities and business associates, there are penalty tiers.

Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year. Obtaining protected health information under false pretenses carries a maximum prison term of 5 years. Knowingly violating HIPAA Rules with malicious intent or for personal gain can result in a prison term of up to 10 years in jail. There is also a mandatory two-year jail term for aggravated identity theft.

What Happens if You Break HIPAA Rules FAQs

What happens if you violate HIPAA?

If you are a member of a Covered Entity´s or Business Associate´s workforce, the consequences of the violation will depend on the organization´s sanctions policy. If you are a Covered Entity or Business Associate, you are required to report the violation to HHS´ Office for Civil Rights if it has resulted in an impermissible disclosure of unsecured PHI.

What are the consequences of violating HIPAA?

This again depends on your HIPAA “status” (Covered Entity, Business Associate, workforce member, etc.) and the nature of the violation. However, in most cases, the consequences of violating HIPAA are more training. Covered Entities and Business Associates are required to conduct periodic HIPAA risk assessments which should consider HIPAA training as a preventative tool, while more than a third of Corrective Action Plans issued by HHS´ Office for Civil Rights involve additional training.

What happens if a medical facility violates the HIPAA Privacy Rule?

The consequences of a medical facility violating the HIPAA Privacy Rule depends on who identifies the violation and what they do with that information. For example, if a member of the workforce identifies the information, it is likely to be reported to a compliance officer and the violation resolved internally. Similarly, a patient could report the violation to the person indicated on the Notice of Privacy Practices, which would again result in an internal resolution.

However, both the member of the workforce and the patient could report the HIPAA violation to HHS´ Office for Civil Rights via the OCR Complaints Portal. In this case, OCR would review the case, seek evidence of the violation from the complainant; and, if there is sufficient evidence to suggest a violation has occurred, OCR may choose to conduct an investigation. If found guilty of a violation, the penalty will reflect the nature and seriousness of the violation.

What happens if a doctor violates HIPAA?

This depends on the doctor´s HIPAA status. If he or she is employed by a Covered Entity or Business Associate, the doctor will be subject to the penalties stipulated by their employer´s sanctions policy. If the doctor is a sole practitioner, and the violation is reported to HHS´ Office for Civil Rights, the doctor may be investigated and required to comply with a Corrective Action Plan and/or issued with a civil monetary penalty.

What happens if you break HIPAA rules due to a lack of training?

If you break HIPAA rules due to a lack of training, your employer is at fault because he or she has a legal requirement to provide training “as necessary and appropriate for members of the workforce to carry out their function in a HIPAA-compliant manner” (HIPAA Privacy Rule). To prevent any dispute about whether appropriate training has been provided, employers are required to document what training has been provided, when it was provided, and who attended.

Can I get in trouble for disclosing more than the minimum necessary information?

This depends on the circumstances, how much information was disclosed, and whether it had a negative impact on the patient. The Privacy Rule does allow for incidental disclosures – which are “by-products of another permissible use or disclosure” – provided the minimum necessary rule has been applied with respect to the primary use or disclosure.

Who is to blame for inadvertent disclosures caused by a computer error?

Covered Entities and Business Associates are required to implement administrative, technical, and physical safeguards to prevent events such as computer errors. If the inadvertent disclosure is attributable to a Covered Entity or Business Associate failing to implement safeguards – or failing to provide instruction on how to use the computer securely – the employer is at fault. If, however, the inadvertent disclosure is attributable to operator error, the employee is at fault.

How are breaches of HIPAA identified?

Breaches of HIPAA can be identified in various ways. The Covered Entity or Business Associate can find them during a risk analysis, the HHS Office for Civil Rights can find them during a HIPAA audit, or the patient(s) whose data has been disclosed without authorization can report it. Third parties scouring the Internet for vulnerable applications and storage volumes can also identify breaches of HIPAA.

What if I am aware of a colleague breaking HIPAA rules?

Your employer should have a process for reporting breaches of HIPAA that include when a colleague breaks the rules. Usually you would report the breach to a supervisor, manager, or departmental head; but, if you are uncomfortable speaking with somebody in your department – or that person is the colleague breaking HIPAA rules – you should be able to speak with the HIPAA Privacy Officer.

The post What Happens if You Break HIPAA Rules? appeared first on HIPAA Journal.

What is Considered Protected Health Information Under HIPAA?

Posted by HIPAA Journal

Health, treatment, or payment information, and any identifiers maintained with this information, is considered Protected Health Information under HIPAA if the information is created, received, maintained, or transmitted by a “covered entity” or by a “business associate”.

However, because there are times when a covered entity might not maintain identifying information with health, treatment, or payment information, there is no definitive list of what is considered Protected Health Information under HIPAA.

A lack of understanding about what is considered Protected Health Information under HIPAA is one of the primary reasons for HIPAA-related complaints to HHS´ Office for Civil Rights.

Protected Health Information ChecklistThis is not surprising, as there are times when the same information can be both protected and non-protected depending on how it is maintained.

This article aims to provide you with the full and correct definition of Protected Health Information.

HIPAA rules and regulations are substantially about protecting PHI and we recommend you use our Protected Health Information Checklist to understand what is required for the protection of PHI.

What is Considered Protected Health Information under HIPAA?

To best understand what is considered Protect Health Information under HIPAA it is necessary to review not only the definition of Protected Health Information under HIPAA in 45 CFR §160.103, but also the definitions of “health information”, individually identifiable health information”, and “designated record set”.

This is because, when taking the four HIPAA PHI definitions into account, it is easier to determine what information is protected under HIPAA and when.

Starting with health information, this is defined as any information, including genetic information, whether oral or recorded in any form or medium, that:

  1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Thereafter, the definition of individually identifiable health information is much the same, other than the definition only applies to health care providers, health plans, employers (in the role of an administrator of a self-insured health plan), and health care clearinghouses, and only relates to information that identifies or could be used to identify the individual who is the subject of the health information or the individual´s family, employer, or members of their household.

What is Considered Protected Health Information Under HIPAA The Protected Health Information definition is similar to that for individually identifiable health information when maintained or transmitted by a Covered Entity other than PHI excludes health information maintained in students´ educational records (as these are protected by the Family Educational Rights and Privacy Act) and health information maintained by a Covered Entity in its role as an employer (i.e., health information relating to an employee´s absence from work).

It is important to note these HIPAA PHI definitions only apply to health care providers, health plans, and health care clearing houses that qualify as HIPAA Covered Entities, and only to Business Associates while they are performing a service for or on behalf of a Covered Entity.  For more information about when the Protected Health Information definition may not apply to a health care provider or health plan, please see “The HIPAA Definition of Covered Entities Explained”.

Compliance Issues Regarding Protected Health Information under HIPAA

HHS´ Office for Civil Rights updates an Enforcement Highlights webpage on which it lists the compliance issues most often alleged in complaints in order of frequency. Because a single data breach can affect many thousands of individuals, it is not surprising to see impermissible uses and disclosures at the top of the list. However, the next four items imply a lack of understanding about what is considered Protected Health Information under HIPAA:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards for (non-electronic) PHI
  • Failures to provide patient access to PHI
  • Lack of Administrative Safeguards for electronic PHI
  • Violations of the minimum necessary standard

It is worth noting that, other than mandatory breach notifications, the most likely source of a complaint to HHS´ Office for Civil Rights is a patient. It is not necessarily be the case that Covered Entities, Business Associates, and members of their respective workforces have a lack of understanding about what is considered Protected Health Information under HIPAA, but rather that patients need better educating about what HIPAA Protected Health Information is.

In a perfect world, an explanation of what HIPAA Protected Health Information is would be covered in the Notice of Privacy Practices. However, most Notices of Privacy Practices already contain more information than most patients are prepared to read; and, as will become evident in later sections of this article, explaining what is covered under HIPAA – and what is not – will likely raise more questions than answers for patients wishing to exercise their Privacy Rule rights.

In order to reduce the number of complaints to HHS´ Office for Civil Rights, it is advisable for Covered Entities and Business Associates to ensure all members of the workforce have a thorough understanding of what is considered Protected Health Information under HIPAA – not only to answer patients´ questions, but also to carry out their functions within the Covered Entity or Business Associate in compliance with HIPAA.

Designated Record Sets and What Information is Protected by HIPAA

Considered Protected Health Information Under HIPAAThe definition of designated record sets appears in the introduction to the Privacy Rule in 45 CFR §164.501. This standard defines designated record sets as “a group of records maintained by or for a Covered Entity that is the medical records and billing records about individuals […] or the enrollment, payment, and claims information maintained by or for a health plan that is used in whole or in part by or for the Covered Entity to make decisions about individuals.”

This definition is followed by a footnote that explains a record can be “any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for a Covered Entity.” While this may be a little confusing to follow – and likely difficult to make clear to patients unfamiliar with the terminology of HIPAA – an explanation of what information is protected by HIPAA could be explained thus:

  • Protected Health Information is health information (i.e., a diagnosis, a test result, an x-ray, etc.) that is maintained in the same record set as individually identifiable information (i.e., a name, an address, a phone number, etc.).
  • Any other non-health information included in the same record set assumes the same protections as the health information. However, when non-health information is maintained outside the record set, the protections do not apply.
  • A Covered Entity may maintain multiple record sets about an individual (i.e., a patient or plan member), but individuals only have the right to access and request amendments to information maintained in designated record sets.

This explanation of what information is protected by HIPAA can help reduce patients´ misunderstandings about what is considered Protected Health Information under HIPAA and reduce the volume of complaints to HHS´ Office for Civil Rights. It can also accelerate the flow of information within a health care facility when members of the workforce understand that not every piece of information relating to a patient has to be locked down behind access controls.

Examples of Protected Health Information and Why There is No List of Protected Health Information

Many examples of Protected Health Information refer to the PHI identifiers listed under the safe harbor method of de-identification in 45 CFR §164.514. It is now more than twenty years since this Protected Health Information list was compiled and it is very out of date. For example, in many cases Social Security Numbers have been replaced by Medicare Beneficiary Identifiers, social media handles did not exist when the list of PHI identifiers was compiled, and few people had Emotional Support Animals.

Indeed, Emotional Support Animals are a good example of when non-health information can be both protected and non-protected depending on how information is maintained. If information relating to a patient´s Emotional Support Animal is maintained in a record set, it assumes the same protections as the patient´s health information. However, if it is maintained in a separate database that does not contain health information (i.e., to accommodate transport requirements) it is not protected.

It is because of scenarios such as this that there is no list of Protected Health Information. Protected Health Information can be any information relating to an individual that is maintained in the same record set as the individual´s health information. To include non-health information that is not maintained in a record set in a list of Protected Health Information (i.e., license plate numbers, device identifiers, URLs, etc.) is unnecessary and not the objective of the Privacy Rule.

In conclusion, there is no doubt that understanding what is considered Protected Health Information under HIPAA can be complicated; but, by identifying what is Protected Health Information – and what isn´t – and knowing when protections are applied to non-health information – and when they are not – Covered Entities and Business Associates can accelerate the flow of information and reduce the number of unjustified complaints by patients to HSS´ Office for Civil Rights.

FAQs

What does HIPAA protect?

HIPAA protects the privacy of individually identifiable health information via the provisions of the Privacy Rule. However, it is important to be aware that HIPAA provides a “federal floor” of privacy protections. In many locations, states have passed privacy laws with more stringent protections than HIPAA and, in these locations, state law preempts HIPAA.

What information is protected by HIPAA?

The information protected by HIPAA is all health information relating to an individual´s past, present, or future physical or mental health or condition, the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. Any information that can identify – or be used to identify – the subject of the information is also protected by HIPAA when it is maintained in the same designated record set as an individual’s health information.

What is considered HIPAA information?

What is considered HIPAA information is any health information or connected identifier “created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse”. Many of these organizations are not HIPAA covered entities and not required to comply with HIPAA.

What is considered PHI under HIPAA?

What is considered PHI under HIPAA is any combination of health information and identifiers created, received, maintained, or transmitted by a covered entity. However, although the term combination is used in this definition, PHI can be a single item – for example, a picture of a baby sent to a pediatrician.

When maintained in the same designated record set as information relating to health, treatment, or payment, PHI covered under HIPAA includes any item of information that could be used to identify the subject of the health, treatment, or payment information.

Using this HIPAA definition of PHI, examples of Protected Health Information include an individual’s LGBTQ status, information about their emotional support animal, and contact information for a family member, friend, or support group – if this information could be used to identify the subject of the health, treatment, or payment information.

What is not considered PHI under HIPAA?

There are numerous examples of what is not considered PHI under HIPAA. One of the most common is students´ health information when it is created, received, maintained, or transmitted by a public school or college; for although the school or college may qualify as a partial covered entity, students´ medical records are considered to be part of their educational records under FERPA.

What information can be shared without violating HIPAA?

All information can be shared without violating HIPAA provided it is shared for a permissible use or disclosure or the entity sharing the information has obtained a written authorization from the subject of the information. With regards to written authorizations, it is important to be aware that individuals have the right to revoke their authorizations at any time.

What is not included in PHI?

What is not included in PHI depends on where information is maintained. PHI is any combination of health information and identifiers when they are maintained in the same designated record set. However, when health information and individual identifiers are maintained separately from each other, the identifiers alone are not considered protected health information under HIPAA. For example, jdoe@yahoo.com, Stillwater MN, and auto registration AYP 197 are not included in PHI when they are not maintained with health information in the same designated record set.

What is the difference between PII, PHI, and IIHA?

The difference between PII, PHI, and IIHA is that PII is Personally Identifiable Information used outside a healthcare context, while PHI (Protected Health Information) and IIHA (Individually Identifiable Health Information) is the same information used within a healthcare context. Although PHI is the more commonly used acronym in HIPAA, both PHI and IIHI are protected by the Privacy and Security Rules because they mean exactly the same thing.

Would patient information such as “Mr. Brown from New York” be considered PHI?

Patient information such as “Mr. Brown from New York” could be considered PHI if the information is maintained in a designated record set with either Mr. Brown´s health information or the health information of a family member, employee, or close personal friend.

Are email addresses that don´t reveal a person’s name considered identifiers for PHI purposes?

Email addresses that don’t reveal a person’s name are considered identifiers for PHI purposes if the email address is maintained in the same designated record set as an individual’s health information. This is because it is quite simple to find out who an email address such as “anonymous@xyz.com“ belongs to by doing a little research on social media or using a reverse email lookup tool on the Internet. Even if social media or a reverse lookup tool does not give you the individual´s name, you will still be able to find enough information about the individual for the email address – when maintained with health information – to be considered PHI.

What is the difference between an allowable disclosure of PHI and an incidental disclosure?

The difference between an allowable disclosure of PHI and an incidental disclosure is that covered entities are allowed to disclose PHI for treatment, payment, and health care operations. An incidental disclosure is a secondary, accidental disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another disclosure permitted by the Privacy Rule – for example, if a physician invites a health plan employee to his office to discuss payments, and the health plan employee passes a patient he or she recognizes in the waiting room.

How do you determine what a reasonably anticipated threat to PHI is?

You determine what a reasonably anticipated threat to PHI is by conducting frequent risk analyses in order to identify threats to the integrity of PHI. If the threats could be reasonably anticipated, covered entities and business associates are required to implement measures to protect against the threats occurring, or mitigate the consequences if the threats occur.

What information does HIPAA protect?

The information HIPAA protects is all individually identifiable health information that relates to an individual´s past, present, or future medical condition, treatment for medical conditions, and payment for treatments. As well as medical, treatment, and payment information, any information maintained in the same designated record set as the individually identifiable health information that could be used to identify the individual is also protected.

Who can access information under HIPAA?

The answer to the question of who can access information under HIPAA has three parts. 1. The subject of the information and representatives of HHS´ Office of Civil Rights must have access to information when requested. 2. Authorized personnel and certain organizations can have access to information under HIPAA if it involves a permissible use or disclosure as defined by the Privacy Rule. 3. All other requests for access to information under HIPAA must be accompanied by a written authorization from the patient.

Is gender a HIPAA identifier?

Gender is a HIPAA identifier if the information could be used to identify the subject of health information maintained or transmitted by a Covered Entity – or by a Business Associate acting on a Covered Entity´s behalf. The gender of an individual – and their LGBTQ status – is always Protected Health Information when it is maintained or transmitted in the same designated record set as an individual’s health information.

What health information is protected by federal law?

What health information is protected by federal law depends on the federal law and whether it is preempted by state law. For example, HIPAA laws protect health information relating to an individual’s past, present, or future physical or mental health condition, treatment for the condition, and payment for treatment.

However other federal laws exist that also protect health information in certain circumstances. For example, the amended Confidentiality of Alcohol and Drug Abuse Patient Records Regulations protect the confidentiality of substance use disorder patient records and is enforced by the Substance Abuse and Mental Health Services Administration (an agency within HHS).

Under the Public Health Service Act, any health information provided to a family planning agency is protected even if the family planning agency is not a HIPAA Covered Entity. Similarly, any health information provided to any federal government agency is protected by the Privacy Act, while any health information maintained about a student by a school is protected by FERPA.

With regards to state law, Illinois is one of many states that has introduced regulations that preempt HIPAA in specific areas. In this case, Illinois’ Biometric Information Privacy Act regulates the collection, use, and handling of biometric identifiers and information by private companies. Texas has similar regulations included in its Medical Records Privacy Act.

What is considered HIPAA information?

The term HIPAA information can relate to any standard in the text of the Health Insurance Portability and Accountability Act inasmuch as the term could mean information about a pre-existing condition for insurance purposes, information contained in a Medicare claims transaction, or the right to withhold information from an insurance provider when treatment has been paid for privately.

What is HIPAA protected information?

HIPAA protected information is most often considered to be the contents of a designated record set – i.e., both the health information in the designated record set and any non-health information that identifies or could be used to identify the subject of the health information. This description can also include any data relating to a family member, friend, or employer that could identify the individual.

How should you explain the definition of PHI under HIPAA to a patient?

To explain the definition of PHI under HIPAA to a patient, it is a good idea to create a web page with a full explanation of what is protected under HIPAA and under what circumstances it is protected. A link to the web page could be included in the Notice of Privacy Practices with a note asking patients to review the web page prior to making a complaint.

When is the disclosure of HIPAA data a HIPAA violation?

Any disclosure of HIPAA data is a HIPAA violation if it is permitted by the Privacy Rule or authorized by the individual to whom the data relates. A HIPAA violation of this nature is usually considered to be a data breach; and, depending on the consequences of the violation, may have to be reported to HHS´ Office for Civil Rights and the affected individual(s).

The post What is Considered Protected Health Information Under HIPAA? appeared first on HIPAA Journal.

Security Breaches in Healthcare in the Last Three Years

Posted by HIPAA Journal

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years.

There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017.

reported healthcare data breaches in 2017

More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years.

In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or stolen. The majority of those records were exposed in three data breaches. The 78.8 million-record data breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.

Other major security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and Medical Informatics Engineering breach of 3.9 million records.

In 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: The 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.

In 2017, the worst year for healthcare security incidents in terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or stolen. There were two breaches involving more than half a million records. The 500,000-record breach at Airway Oxygen, Inc., and the 697800-record breach at Commonwealth Health Corporation

15 Largest Security Breaches in Healthcare in the Last Three Years

 

Rank Year Covered Entity Entity Type Records Exposed/Stolen Breach Cause
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
5 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
6 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
7 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
8 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
9 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
10 2016 Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants Healthcare Provider 882590 Hacking/IT Incident
11 2016 County of Los Angeles Departments of Health and Mental Health Healthcare Provider 749017 Hacking/IT Incident
12 2017 Commonwealth Health Corporation Healthcare Provider 697800 Theft
13 2015 Virginia Department of Medical Assistance Services (VA-DMAS) Health Plan 697586 Hacking/IT Incident
14 2016 Bon Secours Health System Incorporated Healthcare Provider 651971 Unauthorized Access/Disclosure
15 2015 Georgia Department of Community Health Health Plan 557779 Hacking/IT Incident

 

Main Causes of Security Breaches in Healthcare in the Last Three Years

The three main causes of security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the loss/theft of physical records and unencrypted electronic devices containing ePHI.

There has been a downward trend in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year as have hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.

healthcare data breaches in 2017 (hacking)

healthcare data breaches in 2017 (Unauthorized access/disclosures)

Healthcare Data Breaches in 2017 (loss/theft)

Financial Penalties for Security Breaches in Healthcare in the Last Three Years

In addition to annual increases in data breaches, financial penalties for HIPAA violations have also been increasing, both in terms of number of settlements and civil monetary penalties issued and the penalty amounts.

The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly issued. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have occurred as a result of noncompliance with HIPAA Rules.

In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its enforcement actions. The average settlement amount in 2017 was $1.94 million.

The post Security Breaches in Healthcare in the Last Three Years appeared first on HIPAA Journal.

Is Uber Health HIPAA Compliant?

Posted by HIPAA Journal

This March, Uber officially launched Uber Health – A platform that makes arranging transport for patients more straightforward and cost effective. The service should benefit patients and providers alike, although questions have been raised about HIPAA and whether Uber Health is HIPAA compliant.

What is Uber Health?

Uber Health consists of an online dashboard that healthcare providers can use to schedule transport for their patients in advance. Provided the patient has a mobile phone, he/she will receive a notification about the collection and drop off location via text message. In contrast to the standard Uber service, Uber Health does not require the use of a smartphone app.

By using Uber Health, healthcare providers can potentially reduce the number of no shows and ensure more patients turn up on time for their appointments. Rides can be scheduled when the patient is in a facility, ensuring they have transport arranged for follow up appointments. The service could also be used for caregivers and staff.

The official launch of the platform comes after a trial on around 100 healthcare organizations, with the platform now made available to healthcare organizations of all sizes.

Uber Health HIPAA compliant ride scheduling service

Image Source: Uber

Is Uber Health HIPAA Compliant?

Any HIPAA-covered entity that signs up to use Uber Health would be required to enter patient names and appointment times into the system, so prior to using the service a business associate agreement would need to be obtained. Uber is happy to sign BAAs with all participating healthcare organizations.

Uber maintains on its website that Uber Health is HIPAA compliant and any data entered via the dashboard is protected by privacy and security controls in line with HIPAA standards. All data remains secured in the system, and the only information passed to its drivers is the name of the patient, the pickup and drop off time, and the collection point and drop off location, as with any taxi service. No protected health information is passed to the drivers.

Uber says it consulted with Clearwater Compliance while developing the Uber Health service to ensure all requirements of HIPAA were satisfied. Uber has conducted HIPAA-compliant risk analyses and completed compliance assessments and has been confirmed to be compliant with HIPAA Rules.

Provided a business associate agreement is obtained from Uber, Uber Health is a HIPAA compliant ride sharing service and can be used without violating HIPAA Rules.

The post Is Uber Health HIPAA Compliant? appeared first on HIPAA Journal.