HIPAA Compliance News

Legislation Changes and New HIPAA Regulations in 2018

Posted by HIPAA Journal

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration.

OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders.

As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made.

The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia.

Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR.

Since the introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of HITECH Act into HIPAA in 2009, OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions. Those funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. To date, OCR has not done the latter.

OCR is considering requesting information on how a proportion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.

One area of bureaucracy that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. In many cases, the forms are signed by patients who just want to see a doctor. The forms are not actually read.

One potential change is to remove the requirement to obtain and store signed forms and instead to inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.

Severino also said OCR is considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients – The sharing of PHI with family members and close friends when a patient is incapacitated or in cases of opioid drug abuse for instance.

While HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.

While these HIPAA changes are being considered, it could take until 2019 before they are implemented.

The post Legislation Changes and New HIPAA Regulations in 2018 appeared first on HIPAA Journal.

Study Suggests Improper Disposal of PHI is Commonplace

Posted by HIPAA Journal

A recent study (published in JAMA) has highlighted just how frequently hospitals are disposing of PHI in an insecure manner. While the study was conducted in Canada, which is not covered by HIPAA, the results highlight an important area of PHI security that is often overlooked.

Improper Disposal of PHI is More Common than Previously Thought

Researchers at St. Michael’s Hospital in Toronto checked recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI and separate recycling bins were provided for general paperwork and documents containing sensitive information. The latter were shredded before disposal.

Despite the document disposal policies, paperwork containing personally identifiable information (PII) and personal health information (PHI) were often incorrectly placed in the bins. The researchers identified 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. 1,042 documents contained high sensitivity PII, 843 items contained PII with medium sensitivity, and 802 contained low sensitivity data.

821 items included clinical notes, summaries, and medical reports, there were 385 discarded labels with patient identifiers clearly visible, 345 billing forms, 340 diagnostic test results, and 317 requests and communications containing personally identifiable information.

The study shows that even with policies in place covering the proper disposal of paper records, sensitive information is still regularly disposed of in an insecure manner.

Improper Disposal of PHI in the United States

In February, 23% of the month’s healthcare data breaches involved paper/film records. Those breaches impacted 121,607 individuals. In January 33% of the month’s data breaches involved paper/film records. Those breaches impacted 13,513 individuals.

Overall, between January 1, 2010 and December 31, 2017, there have been 514 healthcare data breaches involving 500 or more paper records. Those breaches have impacted 3,393,240 individuals.

Breaches of Physical PHI

Patients Impacted by Breaches of Physical PHI

Improper Disposal of Paper/Films and ePHI

Patients Impacted by Improper Disposal of all Forms of PHI

Many privacy incidents involving paper records only impact a few patients and are not made public, so it is difficult to determine exactly how many incidents have occurred and how many patients have been impacted, although the Canadian study suggests these types of breaches are incredibly common.

To prevent these types of privacy breaches, HIPAA covered entities should carefully review their policies, procedures and physical safeguards for PHI and strengthen controls as appropriate.

The post Study Suggests Improper Disposal of PHI is Commonplace appeared first on HIPAA Journal.

How to Become HIPAA Compliant

Posted by HIPAA Journal

How to become HIPAA compliant is one of the biggest challenges for many businesses operating in the healthcare and health insurance industries. Nonetheless, businesses who operate in these industries – and service providers that do business with them – must understand what HIPAA compliance entails and how to become HIPAA compliant.

What is HIPAA Compliance?

For many businesses operating in the healthcare and health insurance industries – and for businesses outside these industries that collect individually identifiable health information – HIPAA compliance means complying with any standards of the HIPAA Administrative Simplification Regulations that are relevant to their operations and that are not preempted by any other state or federal regulations.

Not every business operating in the healthcare and health insurance industries is required to become HIPAA compliant. The HIPAA Administrative Simplification Regulations only apply to businesses that qualify as a HIPAA Covered Entity or Business Associate according to the definitions provided in the HIPAA General Provisions (45 CFR §160.103) and to health-related businesses regulated by the Federal Trade Commission.

Additionally, not every business operating in the healthcare and health insurance industry is required to comply with every standard of the HIPAA Administrative Simplification Regulations. For example, healthcare providers that outsource claims and billing operations do not have to comply with Part 162 of the Regulations – although it is necessary to know what they are in order to conduct due diligence on third party service providers.

Therefore, HIPAA compliance entails reviewing the HIPAA Administrative Simplification Regulations, identifying which standards are relevant to your business’s operations (and which you need to be aware of in order to conduct due diligence on third party service providers), and comparing these standards with any state or federal regulations you may be subject to. Thereafter, follow the steps in the next section to become HIPAA compliant.

How to Become HIPAA Compliant

After identifying which standards your business needs to comply with to become HIPAA compliant, there is no one-size-fits-all path to compliance. Most businesses will already have some of the required measures in place to protect the privacy of individually identifiable health information or to safeguard the confidentiality, integrity, and availability of electronic Protected Health Information. Most will also have processes in place to comply with state Breach Notification Rules.

Therefore, the way to become HIPAA compliant is to compare the measures you need to implement with those you already have in place. This may mean you only have to fine-tune a number of policies and implement additional security procedures to comply with the HIPAA Privacy and Security Rules, or it may mean a complete overhaul of your compliance strategy to address shortcomings in how the privacy of individual identifiable health information is protected.

It is important that both your existing measures and those you introduce to become HIPAA compliant are documented, that you conduct a risk analysis to identify any remaining potential vulnerabilities, and that you provide HIPAA training to members of the workforce that have experienced a “material change” to working practices. It may also be necessary to amend existing Notices of Privacy Practices and to review Business Associate Agreements to ensure they are compliant.

Service providers with whom you do business also need to be made aware they must become HIPAA compliant if the service involves the disclosure (to the service provider) of Protected Health Information. Although it is in the service providers’ best interests to take responsibility for their own compliance, it may be necessary for your business to get involved with explaining to them the measures they need to implement in order to become HIPAA compliant.

Help with Becoming HIPAA Compliant

Becoming HIPAA compliant can be a daunting prospect, especially considering the severity of penalties for HIPAA violations and the consequences of a breach of Protected Health Information or patient privacy. Fortunately, there are a number of useful resources that can help businesses – both Covered Entities and Business Associates – become HIPAA compliant.

HIPAA Compliance Checklist

The first of these is a HIPAA compliance checklist. Although a comprehensive HIPAA checklist may cover more areas of compliance than is necessary for every business, one of the benefits of a comprehensive checklist is that it can help businesses identify areas of compliance they may have overlooked when reviewing the HIPAA Administrative Simplification Regulations.

HHS Guidance Materials

The second useful resource is the guidance materials published by the Department of Health and Human Services. This resource tends to deal with more specific areas of compliance (rather than general areas covered by a compliance checklist) and some businesses may find the depth of detail unnecessary while they are in the early stages of becoming HIPAA compliant.

HIPAA Compliance Software

Depending on where your business is on the path to becoming HIPAA compliant, HIPAA compliance software can help you identify gaps between your existing measures and those you need to implement, or double-check you have covered everything you need to. Additionally, adopting HIPAA compliance software indicates a good faith attempt to comply with HIPAA.

How to Remain HIPAA Compliant

Not only can becoming HIPAA compliant be a daunting prospect, remaining HIPAA compliant can also be a challenge. New threats to the confidentiality, integrity, and availability of electronic Protected Health Information are constantly emerging and poor compliance practices can creep in as members of the workforce take shortcuts “to get the job done”.

One of the best ways to remain HIPAA compliant is by using HIPAA compliance software to continually self-assess compliance. The auditing capabilities of the software will help you understand when additional security measures need to be implemented or when refresher training is necessary to remind members of the workforce of their compliance responsibilities.

HIPAA compliance software can also help your business comply with the requirement to conduct regular risk assessments and – all the time the software is being utilized – maintains the impression of a good faith attempt to comply with HIPAA. This may be essential if your business is only just taking its first steps on the path to becoming HIPAA compliant.

How to Become HIPAA Compliant: FAQs

Who are the federal and state regulators of the HIPAA Rules?

The federal and state regulators of the HIPAA Rules are the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), and State Attorneys General. Reports of HIPAA violations are investigated by HHS’ Office for Civil Rights. The agency has the authority to impose civil penalties or refer violations to the Department of Justice if criminal activity is suspected. Non-HIPAA covered organizations – such as vendors of health apps – are regulated by the FTC.

At a state level, HIPAA compliance is regulated by State Attorneys General. State Attorneys General can also initiate complaints from state residents relating to any failure to protect individually identifiable health information from impermissible uses and disclosures. Additionally, many states have privacy laws that pre-empt areas of HIPAA. Consequently, businesses need to be aware of which state laws apply to their activities in addition to HIPAA.

What sort of businesses would be regulated by the FTC rather than HHS?

The sort of business that would be regulated by the FTC rather than HHS is any business that is not a HIPAA covered entity or HIPAA business associate, but that creates, receives, maintains, or transmits individually identifiable health information. Since the passage of the HITECH Act in 2009, these businesses have had to comply with the Breach Notification Rule

Typically, these businesses include the manufacturers of health apps (i.e., fitness trackers) and connected devices (wearable blood pressure cuffs) if the products offer or maintain a personal health record (PHR) collected on consumers´ behalf. Additionally, vendors of software that accesses information in a PHR or sends information to a PHR are also subject to the Breach Notification Rule.

The Security Rule has “required” and “addressable” implementation specifications. What does this mean?

The Security Rule has “required” and “addressable” implementation specifications because some implementation specifications may not be reasonable or appropriate in all circumstances. In such circumstances, an addressable implementation specification allows Covered Entities to implement an alternative measure, provided the alternative measure is at least as effective and the reason for implementing it is documented.

Why doesn´t HHS recognize HIPAA certifications?

HHS doesn’t recognize HIPAA certifications because a HIPAA certification is a “point in time” accreditation that certifies a business complies with the HIPAA requirements at the time the certificate was issued. Under §164.308, businesses are required to conduct “periodic technical and non-technical evaluations”. Consequently, a point in time accreditation does not fulfil this requirement and – as HHS notes – does not “preclude HHS from subsequently finding a security violation”.

Where can I find the full text of the Administrative Simplification Regulations?

You can find the full text of the Administrative Simplification Regulations via a PDF compiled by the Department of Health and Human Services which can be downloaded from this page on the HHS website. For businesses unfamiliar with HIPAA, please note the PDF not only includes the Privacy, Security, and Breach Notification Rules (and the changes made to them by the HITECH Act), but also Transaction, Code Set, and Identifier Standards.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are Parts 160, 162, and 164 of the Code of Federal Regulations relating to Public Welfare. When HIPAA was passed in 1996, Congress instructed the Secretary of Health and Human Services to develop these Parts to cover compliance investigations and civil penalties (Part 160) and the transaction code sets (Part 162).

Part 164 of the Administrative Simplification Regulations contains the Rules most Covered Entities are familiar with – the Privacy, Security, and Breach Notification Rule – although rather than being included in HIPAA at the time the first two Rules were developed, the Breach Notification Rule was added following the passage of the HITECH Act in 2009.

Why do some businesses operating in the healthcare industry not have to comply with HIPAA?

Some businesses operating in the healthcare industry do not have to comply with HIPAA because they do not qualify as HIPAA Covered Entities. This may be because they do not conduct transactions for which HHS has published standards (i.e., a counsellor that bills clients directly), or because they do not conduct the transactions electronically (i.e., claims are sent via the mail).

However, if these businesses work for a Covered Entity as a Business Associate, they are required to comply with HIPAA to the extent agreed in the Business Associate Agreement. Furthermore, even if a healthcare provider does not have to comply with HIPAA because they do not qualify as a Covered Entity, they may still have to comply with other state and federal privacy regulations.

How might some businesses already have measures in place to comply with the Privacy Rule?

Some businesses might already have measures in place to comply with the Privacy Rule if, for example, they have areas of the waiting room sectioned off so healthcare professionals can discuss diagnoses with patients and their families in private, if they already have a “minimum necessary” policy, or if they allow patients to request a copy of their medical records.

How might some businesses already have measures in place to comply with the Security Rule?

Some businesses might already have measures in place to comply with the Security Rule if, for example, they enforce a password policy that requires users to create unique and complex passwords, if they run a security and awareness training program (which includes all members of the workforce), and if they maintain on-premises servers in a secure, access-controlled environment.

Why will most businesses have processes in place to comply with the Breach Notification Rule?

Most businesses will have processes in place to comply with the Breach Notification Rule because all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have laws requiring private businesses, and – in most states – governmental entities to notify individuals of security breaches of information involving personally identifiable information.

Security breach laws typically have provisions regarding who must comply with the law (i.e., businesses, data or information brokers, healthcare providers, etc.), definitions of “personal information” (i.e., name combined with SSN, driver’s license or state ID, account numbers, etc.), what constitutes a breach (i.e., unauthorized acquisition of data), requirements for notice (i.e., timing or method of notice, who must be notified), and exemptions (i.e., for encrypted data).

How many states have medical privacy laws that can preempt HIPAA?

Forty-four states have medical privacy laws that can preempt HIPAA, but generally there may only be one or two clauses in the state regulations HIPAA Covered Entities have to be aware of. For example, in many states, a patient authorization is required before the patient’s HIV/AIDS status can be revealed by a healthcare provider (not required by HIPAA), or it may be the case that reports of child and elder abuse are mandatory (compared to being permitted by HIPAA).

What is a material change to policies and procedures that requires refresher HIPAA training?

A material change to policies and procedures that requires refresher HIPAA training is any change to a policy or procedure that affects the roles of members of the workforce. For example, if you change the procedures for requesting an accounting of disclosures, members of the workforce who respond to patients’ requests for an accounting of disclosures will have to be trained in the new procedures.

Is HIPAA refresher training mandatory?

HIPAA refresher training is mandatory when there is a material change to policies and procedures, but it is a best practice for Covered Entities to provide refresher training at least annually to prevent poor compliance practices creeping in. In addition, it is important to be aware that the security and awareness program required by the Security Rule is a “program” and not a one-off session. This implies security and awareness training should be ongoing and include references to HIPAA policies.

What difference does “a good faith attempt” at HIPAA compliance make following a data breach?

The difference a good faith attempt at HIPAA compliance can make following a data breach is significant. In January 2021, President Trump signed an amendment to the HITECH Act which gives HHS’ Office for Civil Rights enforcement discretion when calculating a civil monetary penalty following a data breach. Although the amendment doesn’t provide immunity from HIPAA penalties, HHS’ Office for Civil Rights has the authority to refrain from enforcing a penalty if there has been a good faith attempt to comply with HIPAA in the twelve months previous to a data breach.

Why is it in service providers’ best interests to take responsibility for their own compliance?

Since the publication of the Final Omnibus Rule in 2013, service providers operating as Business Associates have been directly liable for compliance with certain Privacy Rule and Security Rule requirements. Therefore, even though Business Associates are required to report all security incidents to the Covered Entity they are providing a service to, if it transpires that a data breach was attributable to the Business Associate’s failure to comply with the Privacy Rule and Security Rule requirements, the Business Associate – rather than the Covered Entity – will be considered liable.

The post How to Become HIPAA Compliant appeared first on HIPAA Journal.

HIPAA Rules on Contingency Planning

Posted by HIPAA Journal

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.

A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.

Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters.

Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and addressed.

What are the HIPAA Rules on Contingency Planning?

HIPAA Rules on contingency planning are concerned with ensuring healthcare organizations return to normal operations as quickly as possible and the confidentiality, integrity, and availability of PHI is safeguarded.

HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards -45 CFR § 164.308(a)(7)(ii)(A-E).

  • Develop and Implement a Data Backup Plan – 308(a)(7)(ii)(A)
  • Develop a Disaster Recovery Plan – 308(a)(7)(ii)(B)
  • Develop and Emergency Mode Operation Plan – 308(a)(7)(ii)(C)
  • Develop and Implement Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D)
  • Perform an Application and Data Criticality Analysis – 308(a)(7)(ii)(E)

A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems.  It is a good best practice to adopt a 3-2-1 approach for backups: Create three copies of data, store them on at least two different media, and have one copy stored securely offsite. Backups must also be tested to ensure the recovery of data is possible.

A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.

The emergency mode operation plan must ensure critical business processes continue to maintain the security of ePHI when operating in emergency mode, for example when there is a technical failure or power outage.

All elements of the contingency plan must be regularly tested and revised as necessary. OCR recommends conducting scenario-based walkthroughs and live tests of the complete plan.

Covered entities should “assess the relative criticality of specific applications and data in support of other contingency plan components.” All software applications that are used to store, maintain, or transmit ePHI must be assessed to determine the level of criticality to business functions as it will be necessary to prioritize each when data is restored.

Summary of Key Elements of Contingency Planning

OCR has provided a summary of the key elements of contingency planning:

  • The primary goal is to maintain critical operations and minimize loss.
  • Define time periods – What must be done during the first hour, day, or week?
  • Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?
  • Ensure the contingency plan can be understood by all types of employees.
  • Communicate and share the plan and roles and responsibilities with the organization.
  • Establish a testing schedule for the plan to identify gaps.
  • Ensure updates for plan effectiveness and increase organizational awareness.
  • Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

The post HIPAA Rules on Contingency Planning appeared first on HIPAA Journal.

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

Posted by HIPAA Journal

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv.

The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients.

In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions.

In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications.

In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates. It is alleged the mailing resulted in the disclosure of the recipient’s HIV status.

According to Ohio Department of Health policies, information related to HIV should only be sent in non-window envelopes. The mailing would have violated those policies and Health Information Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA breach would need to be reported to the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovery of the breach; however, the complainant alleges no breach report was submitted to OCR and notifications were not sent to affected individuals – A further breach of HIPAA Rules.

Plaintiffs are seeking punitive and compensatory damages and coverage of their legal costs.

There have been other breaches of HIV information in recent weeks, including a mailing error by a vendor of Aetna. In that case, HIV-related information was visible through the clear plastic windows of envelopes in a mailing to 12,000 individuals. Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200 and is currently suing its mailing vendor to recover the costs. Aetna was also fined by the New York Attorney General over the breach and settled that case for $1.15 million.

The post Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach appeared first on HIPAA Journal.

What is the Civil Penalty for Knowingly Violating HIPAA?

Posted by HIPAA Journal

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules

What is HIPAA?

The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data.

HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties.

As with other federal laws, there are penalties for noncompliance. The financial penalties for HIPAA violations can be severe, especially when HIPAA has been “knowingly” violated – When HIPAA Rules have been consciously violated with intent.

Financial Penalties for Healthcare Organizations Who Knowingly Violating HIPAA

The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA covered entity was aware that HIPAA Rules were violated. The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation up to a maximum of $1.5 million per violation category.

Penalty Structure for HIPAA Violations

 

Civil penalties will be dictated by the nature and extent of the violation, the number of individual affected, and the harm that has been caused to those individuals.

Healthcare Employees May Have to Pay a Civil Penalty for Knowingly Violating HIPAA

As with healthcare organizations, healthcare employees can also be fined for violating HIPAA Rules. Civil penalties can be issued to any person who is discovered to have violated HIPAA Rules. The Office for Civil Rights can impose a penalty of $100 per violation of HIPAA when an employee was unaware that he/she was violating HIPAA Rules up to a maximum of $25,000 for repeat violations.

In cases of reasonable cause, the fine rises to $1,000 per violation with a maximum of $100,000 for repeat violations, for willful neglect of HIPAA Rules where the violation was corrected the fine is $10,000 and up to $250,000 for repeat violations and willful neglect with no correction carries a penalty of $50,000 per violation and up to $1.5 million for repeat violations.

Criminal Charges for HIPAA Violations

The Office for Civil Rights enforces HIPAA Rules in conjunction with the Department of Justice and will refer cases of possible criminal violations of HIPAA Rules to the DoJ. Directors, officers, and employees may be deemed to be criminally liable for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.

The penalty tiers are based on the extent to which an employee was aware that HIPAA Rules were being violated. At the lowest level, a violation of HIPAA Rules could attract a maximum penalty of $50,000 and/or up to one year imprisonment.

If HIPAA Rules are violated under false pretenses the maximum fine rises to $100,000 and/or up to 5 years imprisonment. The maximum civil penalty for knowingly violating HIPAA Rules is $250,000, such as when healthcare information is stolen with the intent to sell, transfer, or use for personal gain, commercial advantage, or malicious harm. In addition to a fine, the maximum jail term is 10 years.

In addition to the punishment provided, aggravated identity theft carries a prison term of 2 years. When PHI has been stolen and patients have been defrauded, restitution may also need to be paid.

The post What is the Civil Penalty for Knowingly Violating HIPAA? appeared first on HIPAA Journal.

Can You Make WordPress HIPAA Compliant?

Posted by HIPAA Journal

WordPress is a convenient content management system that allows websites to be quickly and easily constructed. The platform is popular with businesses, but is it suitable for use in healthcare? Can you make WordPress HIPAA compliant?

Before assessing whether it is possible to make WordPress HIPAA compliant, it is worthwhile covering how HIPAA applies to websites.

HIPAA and Websites

HIPAA does not specifically cover compliance with respect to websites, HIPAA requirements for websites are therefore a little vague.

As with any other forms of electronic capture or transmission of ePHI, safeguards must be implemented in line with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Those requirements apply to all websites, including those developed from scratch or created using an off-the-shelf platform such as WordPress.

Websites must incorporate administrative, physical, and technical controls to ensure the confidentiality of any protected health information uploaded to the website or made available through the site.

  • HIPAA-covered entities must ensure there are access controls in place to prevent unauthorized individuals from gaining access to PHI or to the administration control panel
  • Audit controls must be in place that log access to the site and any activity on the site that involves ePHI
  • There must be integrity controls in place that prevent ePHI from being altered or destroyed
  • Transmission security controls must be implemented to ensure any ePHI uploaded to the site is secured (and encrypted in transit) and data must be appropriately secured at rest (encrypted on a third-party server or encrypted/otherwise secured on a covered entity’s web server)
  • Physical security controls must be implemented to prevent unauthorized access to the web server
  • Administrators and any internal users should be trained on use of the website and made aware of HIPAA Privacy and Security Rules
  • The website must be hosted with a HIPAA-compliant hosting provider (or internally)
  • If a third-party hosting company is used, a business associate agreement is required

Once all the necessary controls have been implemented that satisfy the requirements of the HIPAA Security Rule, the website (and plugins) and all associated systems that interact with the site must be subjected to a risk analysis. All risks to the confidentiality, integrity, and availability of ePHI must be identified and those risks and addressed via risk management processes that reduce those risks to a reasonable and acceptable level.

WordPress and Business Associate Agreements

WordPress will not sign a business associate agreement with HIPAA covered entities and there is no mention of BAAs on the WordPress site. So, does that mean that the platform cannot be used in healthcare?

A business associate agreement is not necessarily required. If you simply want to create a blog to communicate with patients, provided you do not upload any PHI to the site or collect PHI through the site (such as making appointments), a business associate agreement would not be required.

You would also not need a BAA if PHI is stored separately from the website and is accessed via a plugin. If the plugin has been developed by a third party, you would need a business associate agreement with the plugin developer.

If you want to use the website in connection with PHI, there are several steps you must take to make WordPress HIPAA compliant.

How to Make WordPress HIPAA Compliant

A standard off-the-shelf WordPress installation will not be HIPAA compliant as WordPress does not offer a HIPAA-compliant service. It is possible to make WordPress HIPAA compliant, but it will be a major challenge. You will need to ensure the following before any ePHI is uploaded to or collected through the website.

  • Perform a risk analysis prior to using the site in connection with any ePHI and reduce risks to a reasonable and acceptable level
  • Use a HIPAA compliant hosting service for your website. Simply hosting the site with a HIPAA compliant hosting provider does not guarantee compliance. Ensure that all access, audit, and integrity controls are in place and safeguards implemented to secure data at rest and in transit
  • Perform a security scan of the site to check for vulnerabilities
  • Only use plugins from trustworthy sources
  • Ensure all plugins are updated and the latest version of WordPress is installed
  • Use security plugins on the website – Wordfence for example
  • Use a SaaS provider that can interface the ePHI component into your website or develop the interface internally
  • Ensure ePHI is stored outside of WordPress
  • Set strong passwords and admin account names to reduce the potential for brute force attacks. Use rate limiting to further enhance security and use two factor authentications for administrator accounts
  • Ensure that users cannot sign up for accounts directly without first being vetted
  • Ensure any data collected via web forms is encrypted in transit
  • Obtain business associate agreements with all service providers/plugin developers who require access to ePHI or whose software touches ePHI

WordPress was not developed to confirm to HIPAA standards so making WordPress HIPAA compliant is complicated. Ensuring a WordPress site remains HIPAA compliant is similarly difficult. There have also been several security issues with WordPress over the years and vulnerabilities are frequently identified. WordPress is not the only problem. Plugins are frequently found to have vulnerabilities and there is considerable potential for those vulnerabilities to be exploited.

While it is possible to make WordPress HIPAA compliant, the potential risks to ePHI are considerable. WordPress makes website creation simple, but not as far as HIPAA compliance is concerned.

Our recommendation is to develop your own website from scratch that is easier to secure and maintain, host the site with a HIPAA compliant hosing company, and if you do not have employees with the correct skill sets, use a vendor that specializes in developing HIPAA compliant websites and patient portals.

The post Can You Make WordPress HIPAA Compliant? appeared first on HIPAA Journal.

Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack

Posted by HIPAA Journal

According to a financial report issued by Banner Health, OCR is investigating the colossal 2016 Banner Health data breach which saw the protected health information of 3.7 million patients exposed. The breach involved Banner Health facilities at 27 locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming and resulted in the exposure of highly sensitive protected health information including names, dates of birth, Social Security numbers, and health insurance information.

The attackers gained access to the payment processing system used in its food and beverage outlets with a view to obtaining credit card numbers. However, once access to the network was gained, they also accessed servers containing PHI.

Banner Health reports that it has cooperated with OCR’s investigation into the breach and has supplied information as requested. However, OCR was not satisfied with its response and the evidence supplied on its HIPAA compliance efforts. Specifically, OCR was not satisfied with the documentation supplied to demonstrate “past security assessment activities” with its responses rated as “inadequate”.

Banner Health has respond and provided additional evidence of its security efforts but “negative findings” are anticipated. Banner Health suspects a financial penalty may be pursued by OCR, although it is not known how much the penalty is likely to be.

The Department of Health and Human Services’ Office for Civil Rights investigates all data breaches over 500 records. OCR can issue fines of up to $1.5 million per violation category, per year. HIPAA violations that have been allowed to persist over several years, and cases where there have been multiple violations of HIPAA Rules, can see multi-million-dollar financial penalties pursued. Fines have been issued of $25,000, although there have also been settlements in excess of $4 million dollars.

Based on previous HIPAA settlements, a breach of this magnitude is likely to see a fine toward the upper end of the spectrum.

In addition to a potential fine from OCR for non-compliance with HIPAA Rules, nine lawsuits were filed by plaintiffs affected by the 2016 data breach which have since been consolidated into a single class action lawsuit.

While many data breach lawsuits have been dismissed for lack of standing, this lawsuit appears to be going the distance. The plaintiffs have already demonstrated impending injury as a result of the exposure and theft of their health information.

Banner Health holds an insurance policy against cyberattacks although the extent of insurance coverage is not known. Banner Health is vigorously defending the lawsuit, but should its efforts fail, the health system believes a substantial proportion of the legal costs and any settlement will be covered by its cyber risk insurance policy.

The post Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack appeared first on HIPAA Journal.

Jail Terms for HIPAA Violations by Employees

Posted by HIPAA Journal

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information.

HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft.

This month there have been two notable cases of HIPAA violations by employees, one of which has resulted in a fine and imprisonment, with the other likely to result in a longer spell in prison when sentencing takes place in June.

Jail Term for Former Transformations Autism Treatment Center Employee

In February, a former Behavioral Analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination.

Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his personal computer.

Approximately one month after Luke was terminated, TACT discovered patient information had been remotely accessed and downloaded. An investigation was launched and law enforcement was notified, with the latter alerting the FBI. Luke was identified as the perpetrator from his IP address, with the search of his residence uncovering a computer containing stolen electronic patient records and TACT forms and templates.

Luke’s access rights to Google Drive had been terminated by TACT in accordance with HIPAA Rules; however, after termination, Luke had gained access to a shared Google Drive account and authorized access from his personal Gmail account.

It is unclear exactly how that was achieved after his access rights were terminated. Court documents say Luke hacked the account and law enforcement found evidence Luke had researched how to gain access to the data.

Law enforcement discovered this was not the first time Luke had stolen data from an employer. His computer also contained patient data from another former employer – Somerville, TN-based Behavioral and Counseling Services.

Luke pleaded guilty to the charges and was sentenced to 30 days in jail and 3 years of supervised release. Luke was also ordered to pay $14,941.36 in restitution.

This case sends a message to healthcare employees considering stealing healthcare data to sell, use, or pass on to a new employer, that data theft carries stiff penalties. While Luke will only serve 30 days in jail, he will have a criminal record which will hamper future employment.

Healthcare organizations should also take precautions to minimize the opportunity for ex-employees to access PHI remotely after they have left employment. When an employment contract ends, or an employee is terminated, access to all systems must be blocked and passwords should be changed on any shared accounts.

Nursing Home Employee Pleads Guilty to Theft of Credit Card Numbers

A former employee at a nursing home in St. Louis County, MO has pleaded guilty to the theft of credit card numbers.

Shaniece Borney, 29, of St. Louis County, was employed at a NHC Health Care nursing home between 2016 and 2017. Borney abused her access to the computer system and stole the credit card details of patients. The credit card details were used to make purchases for herself and family members.

Borney faces up to 10 years in jail and could be fined up to $250,000 and will be required to pay restitution to the victims of the fraud. Borney will be sentenced on June 21, 2018.

The post Jail Terms for HIPAA Violations by Employees appeared first on HIPAA Journal.