HIPAA Compliance News

What is Considered Protected Health Information Under HIPAA?

Posted by HIPAA Journal

Health, treatment, or payment information, and any identifiers maintained with this information, is considered Protected Health Information under HIPAA if the information is created, received, maintained, or transmitted by a “covered entity” or by a “business associate”.

However, because there are times when a covered entity might not maintain identifying information with health, treatment, or payment information, there is no definitive list of what is considered Protected Health Information under HIPAA.

A lack of understanding about what is considered Protected Health Information under HIPAA is one of the primary reasons for HIPAA-related complaints to HHS´ Office for Civil Rights.

Protected Health Information ChecklistThis is not surprising, as there are times when the same information can be both protected and non-protected depending on how it is maintained.

This article aims to provide you with the full and correct definition of Protected Health Information.

HIPAA rules and regulations are substantially about protecting PHI and we recommend you use our Protected Health Information Checklist to understand what is required for the protection of PHI.

What is Considered Protected Health Information under HIPAA?

To best understand what is considered Protect Health Information under HIPAA it is necessary to review not only the definition of Protected Health Information under HIPAA in 45 CFR §160.103, but also the definitions of “health information”, individually identifiable health information”, and “designated record set”.

This is because, when taking the four HIPAA PHI definitions into account, it is easier to determine what information is protected under HIPAA and when.

Starting with health information, this is defined as any information, including genetic information, whether oral or recorded in any form or medium, that:

  1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Thereafter, the definition of individually identifiable health information is much the same, other than the definition only applies to health care providers, health plans, employers (in the role of an administrator of a self-insured health plan), and health care clearinghouses, and only relates to information that identifies or could be used to identify the individual who is the subject of the health information or the individual´s family, employer, or members of their household.

What is Considered Protected Health Information Under HIPAA The Protected Health Information definition is similar to that for individually identifiable health information when maintained or transmitted by a Covered Entity other than PHI excludes health information maintained in students´ educational records (as these are protected by the Family Educational Rights and Privacy Act) and health information maintained by a Covered Entity in its role as an employer (i.e., health information relating to an employee´s absence from work).

It is important to note these HIPAA PHI definitions only apply to health care providers, health plans, and health care clearing houses that qualify as HIPAA Covered Entities, and only to Business Associates while they are performing a service for or on behalf of a Covered Entity.  For more information about when the Protected Health Information definition may not apply to a health care provider or health plan, please see “The HIPAA Definition of Covered Entities Explained”.

Compliance Issues Regarding Protected Health Information under HIPAA

HHS´ Office for Civil Rights updates an Enforcement Highlights webpage on which it lists the compliance issues most often alleged in complaints in order of frequency. Because a single data breach can affect many thousands of individuals, it is not surprising to see impermissible uses and disclosures at the top of the list. However, the next four items imply a lack of understanding about what is considered Protected Health Information under HIPAA:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards for (non-electronic) PHI
  • Failures to provide patient access to PHI
  • Lack of Administrative Safeguards for electronic PHI
  • Violations of the minimum necessary standard

It is worth noting that, other than mandatory breach notifications, the most likely source of a complaint to HHS´ Office for Civil Rights is a patient. It is not necessarily be the case that Covered Entities, Business Associates, and members of their respective workforces have a lack of understanding about what is considered Protected Health Information under HIPAA, but rather that patients need better educating about what HIPAA Protected Health Information is.

In a perfect world, an explanation of what HIPAA Protected Health Information is would be covered in the Notice of Privacy Practices. However, most Notices of Privacy Practices already contain more information than most patients are prepared to read; and, as will become evident in later sections of this article, explaining what is covered under HIPAA – and what is not – will likely raise more questions than answers for patients wishing to exercise their Privacy Rule rights.

In order to reduce the number of complaints to HHS´ Office for Civil Rights, it is advisable for Covered Entities and Business Associates to ensure all members of the workforce have a thorough understanding of what is considered Protected Health Information under HIPAA – not only to answer patients´ questions, but also to carry out their functions within the Covered Entity or Business Associate in compliance with HIPAA.

Designated Record Sets and What Information is Protected by HIPAA

Considered Protected Health Information Under HIPAAThe definition of designated record sets appears in the introduction to the Privacy Rule in 45 CFR §164.501. This standard defines designated record sets as “a group of records maintained by or for a Covered Entity that is the medical records and billing records about individuals […] or the enrollment, payment, and claims information maintained by or for a health plan that is used in whole or in part by or for the Covered Entity to make decisions about individuals.”

This definition is followed by a footnote that explains a record can be “any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for a Covered Entity.” While this may be a little confusing to follow – and likely difficult to make clear to patients unfamiliar with the terminology of HIPAA – an explanation of what information is protected by HIPAA could be explained thus:

  • Protected Health Information is health information (i.e., a diagnosis, a test result, an x-ray, etc.) that is maintained in the same record set as individually identifiable information (i.e., a name, an address, a phone number, etc.).
  • Any other non-health information included in the same record set assumes the same protections as the health information. However, when non-health information is maintained outside the record set, the protections do not apply.
  • A Covered Entity may maintain multiple record sets about an individual (i.e., a patient or plan member), but individuals only have the right to access and request amendments to information maintained in designated record sets.

This explanation of what information is protected by HIPAA can help reduce patients´ misunderstandings about what is considered Protected Health Information under HIPAA and reduce the volume of complaints to HHS´ Office for Civil Rights. It can also accelerate the flow of information within a health care facility when members of the workforce understand that not every piece of information relating to a patient has to be locked down behind access controls.

Examples of Protected Health Information and Why There is No List of Protected Health Information

Many examples of Protected Health Information refer to the PHI identifiers listed under the safe harbor method of de-identification in 45 CFR §164.514. It is now more than twenty years since this Protected Health Information list was compiled and it is very out of date. For example, in many cases Social Security Numbers have been replaced by Medicare Beneficiary Identifiers, social media handles did not exist when the list of PHI identifiers was compiled, and few people had Emotional Support Animals.

Indeed, Emotional Support Animals are a good example of when non-health information can be both protected and non-protected depending on how information is maintained. If information relating to a patient´s Emotional Support Animal is maintained in a record set, it assumes the same protections as the patient´s health information. However, if it is maintained in a separate database that does not contain health information (i.e., to accommodate transport requirements) it is not protected.

It is because of scenarios such as this that there is no list of Protected Health Information. Protected Health Information can be any information relating to an individual that is maintained in the same record set as the individual´s health information. To include non-health information that is not maintained in a record set in a list of Protected Health Information (i.e., license plate numbers, device identifiers, URLs, etc.) is unnecessary and not the objective of the Privacy Rule.

In conclusion, there is no doubt that understanding what is considered Protected Health Information under HIPAA can be complicated; but, by identifying what is Protected Health Information – and what isn´t – and knowing when protections are applied to non-health information – and when they are not – Covered Entities and Business Associates can accelerate the flow of information and reduce the number of unjustified complaints by patients to HSS´ Office for Civil Rights.

FAQs

What does HIPAA protect?

HIPAA protects the privacy of individually identifiable health information via the provisions of the Privacy Rule. However, it is important to be aware that HIPAA provides a “federal floor” of privacy protections. In many locations, states have passed privacy laws with more stringent protections than HIPAA and, in these locations, state law preempts HIPAA.

What information is protected by HIPAA?

The information protected by HIPAA is all health information relating to an individual´s past, present, or future physical or mental health or condition, the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. Any information that can identify – or be used to identify – the subject of the information is also protected by HIPAA when it is maintained in the same designated record set as an individual’s health information.

What is considered HIPAA information?

What is considered HIPAA information is any health information or connected identifier “created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse”. Many of these organizations are not HIPAA covered entities and not required to comply with HIPAA.

What is considered PHI under HIPAA?

What is considered PHI under HIPAA is any combination of health information and identifiers created, received, maintained, or transmitted by a covered entity. However, although the term combination is used in this definition, PHI can be a single item – for example, a picture of a baby sent to a pediatrician.

When maintained in the same designated record set as information relating to health, treatment, or payment, PHI covered under HIPAA includes any item of information that could be used to identify the subject of the health, treatment, or payment information.

Using this HIPAA definition of PHI, examples of Protected Health Information include an individual’s LGBTQ status, information about their emotional support animal, and contact information for a family member, friend, or support group – if this information could be used to identify the subject of the health, treatment, or payment information.

What is not considered PHI under HIPAA?

There are numerous examples of what is not considered PHI under HIPAA. One of the most common is students´ health information when it is created, received, maintained, or transmitted by a public school or college; for although the school or college may qualify as a partial covered entity, students´ medical records are considered to be part of their educational records under FERPA.

What information can be shared without violating HIPAA?

All information can be shared without violating HIPAA provided it is shared for a permissible use or disclosure or the entity sharing the information has obtained a written authorization from the subject of the information. With regards to written authorizations, it is important to be aware that individuals have the right to revoke their authorizations at any time.

What is not included in PHI?

What is not included in PHI depends on where information is maintained. PHI is any combination of health information and identifiers when they are maintained in the same designated record set. However, when health information and individual identifiers are maintained separately from each other, the identifiers alone are not considered protected health information under HIPAA. For example, jdoe@yahoo.com, Stillwater MN, and auto registration AYP 197 are not included in PHI when they are not maintained with health information in the same designated record set.

What is the difference between PII, PHI, and IIHA?

The difference between PII, PHI, and IIHA is that PII is Personally Identifiable Information used outside a healthcare context, while PHI (Protected Health Information) and IIHA (Individually Identifiable Health Information) is the same information used within a healthcare context. Although PHI is the more commonly used acronym in HIPAA, both PHI and IIHI are protected by the Privacy and Security Rules because they mean exactly the same thing.

Would patient information such as “Mr. Brown from New York” be considered PHI?

Patient information such as “Mr. Brown from New York” could be considered PHI if the information is maintained in a designated record set with either Mr. Brown´s health information or the health information of a family member, employee, or close personal friend.

Are email addresses that don´t reveal a person’s name considered identifiers for PHI purposes?

Email addresses that don’t reveal a person’s name are considered identifiers for PHI purposes if the email address is maintained in the same designated record set as an individual’s health information. This is because it is quite simple to find out who an email address such as “anonymous@xyz.com“ belongs to by doing a little research on social media or using a reverse email lookup tool on the Internet. Even if social media or a reverse lookup tool does not give you the individual´s name, you will still be able to find enough information about the individual for the email address – when maintained with health information – to be considered PHI.

What is the difference between an allowable disclosure of PHI and an incidental disclosure?

The difference between an allowable disclosure of PHI and an incidental disclosure is that covered entities are allowed to disclose PHI for treatment, payment, and health care operations. An incidental disclosure is a secondary, accidental disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another disclosure permitted by the Privacy Rule – for example, if a physician invites a health plan employee to his office to discuss payments, and the health plan employee passes a patient he or she recognizes in the waiting room.

How do you determine what a reasonably anticipated threat to PHI is?

You determine what a reasonably anticipated threat to PHI is by conducting frequent risk analyses in order to identify threats to the integrity of PHI. If the threats could be reasonably anticipated, covered entities and business associates are required to implement measures to protect against the threats occurring, or mitigate the consequences if the threats occur.

What information does HIPAA protect?

The information HIPAA protects is all individually identifiable health information that relates to an individual´s past, present, or future medical condition, treatment for medical conditions, and payment for treatments. As well as medical, treatment, and payment information, any information maintained in the same designated record set as the individually identifiable health information that could be used to identify the individual is also protected.

Who can access information under HIPAA?

The answer to the question of who can access information under HIPAA has three parts. 1. The subject of the information and representatives of HHS´ Office of Civil Rights must have access to information when requested. 2. Authorized personnel and certain organizations can have access to information under HIPAA if it involves a permissible use or disclosure as defined by the Privacy Rule. 3. All other requests for access to information under HIPAA must be accompanied by a written authorization from the patient.

Is gender a HIPAA identifier?

Gender is a HIPAA identifier if the information could be used to identify the subject of health information maintained or transmitted by a Covered Entity – or by a Business Associate acting on a Covered Entity´s behalf. The gender of an individual – and their LGBTQ status – is always Protected Health Information when it is maintained or transmitted in the same designated record set as an individual’s health information.

What health information is protected by federal law?

What health information is protected by federal law depends on the federal law and whether it is preempted by state law. For example, HIPAA laws protect health information relating to an individual’s past, present, or future physical or mental health condition, treatment for the condition, and payment for treatment.

However other federal laws exist that also protect health information in certain circumstances. For example, the amended Confidentiality of Alcohol and Drug Abuse Patient Records Regulations protect the confidentiality of substance use disorder patient records and is enforced by the Substance Abuse and Mental Health Services Administration (an agency within HHS).

Under the Public Health Service Act, any health information provided to a family planning agency is protected even if the family planning agency is not a HIPAA Covered Entity. Similarly, any health information provided to any federal government agency is protected by the Privacy Act, while any health information maintained about a student by a school is protected by FERPA.

With regards to state law, Illinois is one of many states that has introduced regulations that preempt HIPAA in specific areas. In this case, Illinois’ Biometric Information Privacy Act regulates the collection, use, and handling of biometric identifiers and information by private companies. Texas has similar regulations included in its Medical Records Privacy Act.

What is considered HIPAA information?

The term HIPAA information can relate to any standard in the text of the Health Insurance Portability and Accountability Act inasmuch as the term could mean information about a pre-existing condition for insurance purposes, information contained in a Medicare claims transaction, or the right to withhold information from an insurance provider when treatment has been paid for privately.

What is HIPAA protected information?

HIPAA protected information is most often considered to be the contents of a designated record set – i.e., both the health information in the designated record set and any non-health information that identifies or could be used to identify the subject of the health information. This description can also include any data relating to a family member, friend, or employer that could identify the individual.

How should you explain the definition of PHI under HIPAA to a patient?

To explain the definition of PHI under HIPAA to a patient, it is a good idea to create a web page with a full explanation of what is protected under HIPAA and under what circumstances it is protected. A link to the web page could be included in the Notice of Privacy Practices with a note asking patients to review the web page prior to making a complaint.

When is the disclosure of HIPAA data a HIPAA violation?

Any disclosure of HIPAA data is a HIPAA violation if it is permitted by the Privacy Rule or authorized by the individual to whom the data relates. A HIPAA violation of this nature is usually considered to be a data breach; and, depending on the consequences of the violation, may have to be reported to HHS´ Office for Civil Rights and the affected individual(s).

The post What is Considered Protected Health Information Under HIPAA? appeared first on HIPAA Journal.

Security Breaches in Healthcare in the Last Three Years

Posted by HIPAA Journal

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years.

There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017.

reported healthcare data breaches in 2017

More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years.

In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or stolen. The majority of those records were exposed in three data breaches. The 78.8 million-record data breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.

Other major security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and Medical Informatics Engineering breach of 3.9 million records.

In 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: The 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.

In 2017, the worst year for healthcare security incidents in terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or stolen. There were two breaches involving more than half a million records. The 500,000-record breach at Airway Oxygen, Inc., and the 697800-record breach at Commonwealth Health Corporation

15 Largest Security Breaches in Healthcare in the Last Three Years

 

Rank Year Covered Entity Entity Type Records Exposed/Stolen Breach Cause
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
5 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
6 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
7 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
8 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
9 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
10 2016 Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants Healthcare Provider 882590 Hacking/IT Incident
11 2016 County of Los Angeles Departments of Health and Mental Health Healthcare Provider 749017 Hacking/IT Incident
12 2017 Commonwealth Health Corporation Healthcare Provider 697800 Theft
13 2015 Virginia Department of Medical Assistance Services (VA-DMAS) Health Plan 697586 Hacking/IT Incident
14 2016 Bon Secours Health System Incorporated Healthcare Provider 651971 Unauthorized Access/Disclosure
15 2015 Georgia Department of Community Health Health Plan 557779 Hacking/IT Incident

 

Main Causes of Security Breaches in Healthcare in the Last Three Years

The three main causes of security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the loss/theft of physical records and unencrypted electronic devices containing ePHI.

There has been a downward trend in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year as have hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.

healthcare data breaches in 2017 (hacking)

healthcare data breaches in 2017 (Unauthorized access/disclosures)

Healthcare Data Breaches in 2017 (loss/theft)

Financial Penalties for Security Breaches in Healthcare in the Last Three Years

In addition to annual increases in data breaches, financial penalties for HIPAA violations have also been increasing, both in terms of number of settlements and civil monetary penalties issued and the penalty amounts.

The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly issued. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have occurred as a result of noncompliance with HIPAA Rules.

In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its enforcement actions. The average settlement amount in 2017 was $1.94 million.

The post Security Breaches in Healthcare in the Last Three Years appeared first on HIPAA Journal.

Is Uber Health HIPAA Compliant?

Posted by HIPAA Journal

This March, Uber officially launched Uber Health – A platform that makes arranging transport for patients more straightforward and cost effective. The service should benefit patients and providers alike, although questions have been raised about HIPAA and whether Uber Health is HIPAA compliant.

What is Uber Health?

Uber Health consists of an online dashboard that healthcare providers can use to schedule transport for their patients in advance. Provided the patient has a mobile phone, he/she will receive a notification about the collection and drop off location via text message. In contrast to the standard Uber service, Uber Health does not require the use of a smartphone app.

By using Uber Health, healthcare providers can potentially reduce the number of no shows and ensure more patients turn up on time for their appointments. Rides can be scheduled when the patient is in a facility, ensuring they have transport arranged for follow up appointments. The service could also be used for caregivers and staff.

The official launch of the platform comes after a trial on around 100 healthcare organizations, with the platform now made available to healthcare organizations of all sizes.

Uber Health HIPAA compliant ride scheduling service

Image Source: Uber

Is Uber Health HIPAA Compliant?

Any HIPAA-covered entity that signs up to use Uber Health would be required to enter patient names and appointment times into the system, so prior to using the service a business associate agreement would need to be obtained. Uber is happy to sign BAAs with all participating healthcare organizations.

Uber maintains on its website that Uber Health is HIPAA compliant and any data entered via the dashboard is protected by privacy and security controls in line with HIPAA standards. All data remains secured in the system, and the only information passed to its drivers is the name of the patient, the pickup and drop off time, and the collection point and drop off location, as with any taxi service. No protected health information is passed to the drivers.

Uber says it consulted with Clearwater Compliance while developing the Uber Health service to ensure all requirements of HIPAA were satisfied. Uber has conducted HIPAA-compliant risk analyses and completed compliance assessments and has been confirmed to be compliant with HIPAA Rules.

Provided a business associate agreement is obtained from Uber, Uber Health is a HIPAA compliant ride sharing service and can be used without violating HIPAA Rules.

The post Is Uber Health HIPAA Compliant? appeared first on HIPAA Journal.

Legislation Changes and New HIPAA Regulations in 2018

Posted by HIPAA Journal

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration.

OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders.

As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made.

The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia.

Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR.

Since the introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of HITECH Act into HIPAA in 2009, OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions. Those funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. To date, OCR has not done the latter.

OCR is considering requesting information on how a proportion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.

One area of bureaucracy that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. In many cases, the forms are signed by patients who just want to see a doctor. The forms are not actually read.

One potential change is to remove the requirement to obtain and store signed forms and instead to inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.

Severino also said OCR is considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients – The sharing of PHI with family members and close friends when a patient is incapacitated or in cases of opioid drug abuse for instance.

While HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.

While these HIPAA changes are being considered, it could take until 2019 before they are implemented.

The post Legislation Changes and New HIPAA Regulations in 2018 appeared first on HIPAA Journal.

Study Suggests Improper Disposal of PHI is Commonplace

Posted by HIPAA Journal

A recent study (published in JAMA) has highlighted just how frequently hospitals are disposing of PHI in an insecure manner. While the study was conducted in Canada, which is not covered by HIPAA, the results highlight an important area of PHI security that is often overlooked.

Improper Disposal of PHI is More Common than Previously Thought

Researchers at St. Michael’s Hospital in Toronto checked recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI and separate recycling bins were provided for general paperwork and documents containing sensitive information. The latter were shredded before disposal.

Despite the document disposal policies, paperwork containing personally identifiable information (PII) and personal health information (PHI) were often incorrectly placed in the bins. The researchers identified 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. 1,042 documents contained high sensitivity PII, 843 items contained PII with medium sensitivity, and 802 contained low sensitivity data.

821 items included clinical notes, summaries, and medical reports, there were 385 discarded labels with patient identifiers clearly visible, 345 billing forms, 340 diagnostic test results, and 317 requests and communications containing personally identifiable information.

The study shows that even with policies in place covering the proper disposal of paper records, sensitive information is still regularly disposed of in an insecure manner.

Improper Disposal of PHI in the United States

In February, 23% of the month’s healthcare data breaches involved paper/film records. Those breaches impacted 121,607 individuals. In January 33% of the month’s data breaches involved paper/film records. Those breaches impacted 13,513 individuals.

Overall, between January 1, 2010 and December 31, 2017, there have been 514 healthcare data breaches involving 500 or more paper records. Those breaches have impacted 3,393,240 individuals.

Breaches of Physical PHI

Patients Impacted by Breaches of Physical PHI

Improper Disposal of Paper/Films and ePHI

Patients Impacted by Improper Disposal of all Forms of PHI

Many privacy incidents involving paper records only impact a few patients and are not made public, so it is difficult to determine exactly how many incidents have occurred and how many patients have been impacted, although the Canadian study suggests these types of breaches are incredibly common.

To prevent these types of privacy breaches, HIPAA covered entities should carefully review their policies, procedures and physical safeguards for PHI and strengthen controls as appropriate.

The post Study Suggests Improper Disposal of PHI is Commonplace appeared first on HIPAA Journal.

HIPAA Rules on Contingency Planning

Posted by HIPAA Journal

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.

A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.

Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters.

Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and addressed.

What are the HIPAA Rules on Contingency Planning?

HIPAA Rules on contingency planning are concerned with ensuring healthcare organizations return to normal operations as quickly as possible and the confidentiality, integrity, and availability of PHI is safeguarded.

HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards -45 CFR § 164.308(a)(7)(ii)(A-E).

  • Develop and Implement a Data Backup Plan – 308(a)(7)(ii)(A)
  • Develop a Disaster Recovery Plan – 308(a)(7)(ii)(B)
  • Develop and Emergency Mode Operation Plan – 308(a)(7)(ii)(C)
  • Develop and Implement Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D)
  • Perform an Application and Data Criticality Analysis – 308(a)(7)(ii)(E)

A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems.  It is a good best practice to adopt a 3-2-1 approach for backups: Create three copies of data, store them on at least two different media, and have one copy stored securely offsite. Backups must also be tested to ensure the recovery of data is possible.

A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.

The emergency mode operation plan must ensure critical business processes continue to maintain the security of ePHI when operating in emergency mode, for example when there is a technical failure or power outage.

All elements of the contingency plan must be regularly tested and revised as necessary. OCR recommends conducting scenario-based walkthroughs and live tests of the complete plan.

Covered entities should “assess the relative criticality of specific applications and data in support of other contingency plan components.” All software applications that are used to store, maintain, or transmit ePHI must be assessed to determine the level of criticality to business functions as it will be necessary to prioritize each when data is restored.

Summary of Key Elements of Contingency Planning

OCR has provided a summary of the key elements of contingency planning:

  • The primary goal is to maintain critical operations and minimize loss.
  • Define time periods – What must be done during the first hour, day, or week?
  • Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?
  • Ensure the contingency plan can be understood by all types of employees.
  • Communicate and share the plan and roles and responsibilities with the organization.
  • Establish a testing schedule for the plan to identify gaps.
  • Ensure updates for plan effectiveness and increase organizational awareness.
  • Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

The post HIPAA Rules on Contingency Planning appeared first on HIPAA Journal.

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

Posted by HIPAA Journal

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv.

The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients.

In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions.

In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications.

In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates. It is alleged the mailing resulted in the disclosure of the recipient’s HIV status.

According to Ohio Department of Health policies, information related to HIV should only be sent in non-window envelopes. The mailing would have violated those policies and Health Information Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA breach would need to be reported to the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovery of the breach; however, the complainant alleges no breach report was submitted to OCR and notifications were not sent to affected individuals – A further breach of HIPAA Rules.

Plaintiffs are seeking punitive and compensatory damages and coverage of their legal costs.

There have been other breaches of HIV information in recent weeks, including a mailing error by a vendor of Aetna. In that case, HIV-related information was visible through the clear plastic windows of envelopes in a mailing to 12,000 individuals. Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200 and is currently suing its mailing vendor to recover the costs. Aetna was also fined by the New York Attorney General over the breach and settled that case for $1.15 million.

The post Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach appeared first on HIPAA Journal.

What is the Civil Penalty for Knowingly Violating HIPAA?

Posted by HIPAA Journal

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules

What is HIPAA?

The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data.

HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties.

As with other federal laws, there are penalties for noncompliance. The financial penalties for HIPAA violations can be severe, especially when HIPAA has been “knowingly” violated – When HIPAA Rules have been consciously violated with intent.

Financial Penalties for Healthcare Organizations Who Knowingly Violating HIPAA

The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA covered entity was aware that HIPAA Rules were violated. The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation up to a maximum of $1.5 million per violation category.

Penalty Structure for HIPAA Violations

 

Civil penalties will be dictated by the nature and extent of the violation, the number of individual affected, and the harm that has been caused to those individuals.

Healthcare Employees May Have to Pay a Civil Penalty for Knowingly Violating HIPAA

As with healthcare organizations, healthcare employees can also be fined for violating HIPAA Rules. Civil penalties can be issued to any person who is discovered to have violated HIPAA Rules. The Office for Civil Rights can impose a penalty of $100 per violation of HIPAA when an employee was unaware that he/she was violating HIPAA Rules up to a maximum of $25,000 for repeat violations.

In cases of reasonable cause, the fine rises to $1,000 per violation with a maximum of $100,000 for repeat violations, for willful neglect of HIPAA Rules where the violation was corrected the fine is $10,000 and up to $250,000 for repeat violations and willful neglect with no correction carries a penalty of $50,000 per violation and up to $1.5 million for repeat violations.

Criminal Charges for HIPAA Violations

The Office for Civil Rights enforces HIPAA Rules in conjunction with the Department of Justice and will refer cases of possible criminal violations of HIPAA Rules to the DoJ. Directors, officers, and employees may be deemed to be criminally liable for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.

The penalty tiers are based on the extent to which an employee was aware that HIPAA Rules were being violated. At the lowest level, a violation of HIPAA Rules could attract a maximum penalty of $50,000 and/or up to one year imprisonment.

If HIPAA Rules are violated under false pretenses the maximum fine rises to $100,000 and/or up to 5 years imprisonment. The maximum civil penalty for knowingly violating HIPAA Rules is $250,000, such as when healthcare information is stolen with the intent to sell, transfer, or use for personal gain, commercial advantage, or malicious harm. In addition to a fine, the maximum jail term is 10 years.

In addition to the punishment provided, aggravated identity theft carries a prison term of 2 years. When PHI has been stolen and patients have been defrauded, restitution may also need to be paid.

The post What is the Civil Penalty for Knowingly Violating HIPAA? appeared first on HIPAA Journal.

Can You Make WordPress HIPAA Compliant?

Posted by HIPAA Journal

WordPress is a convenient content management system that allows websites to be quickly and easily constructed. The platform is popular with businesses, but is it suitable for use in healthcare? Can you make WordPress HIPAA compliant?

Before assessing whether it is possible to make WordPress HIPAA compliant, it is worthwhile covering how HIPAA applies to websites.

HIPAA and Websites

HIPAA does not specifically cover compliance with respect to websites, HIPAA requirements for websites are therefore a little vague.

As with any other forms of electronic capture or transmission of ePHI, safeguards must be implemented in line with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Those requirements apply to all websites, including those developed from scratch or created using an off-the-shelf platform such as WordPress.

Websites must incorporate administrative, physical, and technical controls to ensure the confidentiality of any protected health information uploaded to the website or made available through the site.

  • HIPAA-covered entities must ensure there are access controls in place to prevent unauthorized individuals from gaining access to PHI or to the administration control panel
  • Audit controls must be in place that log access to the site and any activity on the site that involves ePHI
  • There must be integrity controls in place that prevent ePHI from being altered or destroyed
  • Transmission security controls must be implemented to ensure any ePHI uploaded to the site is secured (and encrypted in transit) and data must be appropriately secured at rest (encrypted on a third-party server or encrypted/otherwise secured on a covered entity’s web server)
  • Physical security controls must be implemented to prevent unauthorized access to the web server
  • Administrators and any internal users should be trained on use of the website and made aware of HIPAA Privacy and Security Rules
  • The website must be hosted with a HIPAA-compliant hosting provider (or internally)
  • If a third-party hosting company is used, a business associate agreement is required

Once all the necessary controls have been implemented that satisfy the requirements of the HIPAA Security Rule, the website (and plugins) and all associated systems that interact with the site must be subjected to a risk analysis. All risks to the confidentiality, integrity, and availability of ePHI must be identified and those risks and addressed via risk management processes that reduce those risks to a reasonable and acceptable level.

WordPress and Business Associate Agreements

WordPress will not sign a business associate agreement with HIPAA covered entities and there is no mention of BAAs on the WordPress site. So, does that mean that the platform cannot be used in healthcare?

A business associate agreement is not necessarily required. If you simply want to create a blog to communicate with patients, provided you do not upload any PHI to the site or collect PHI through the site (such as making appointments), a business associate agreement would not be required.

You would also not need a BAA if PHI is stored separately from the website and is accessed via a plugin. If the plugin has been developed by a third party, you would need a business associate agreement with the plugin developer.

If you want to use the website in connection with PHI, there are several steps you must take to make WordPress HIPAA compliant.

How to Make WordPress HIPAA Compliant

A standard off-the-shelf WordPress installation will not be HIPAA compliant as WordPress does not offer a HIPAA-compliant service. It is possible to make WordPress HIPAA compliant, but it will be a major challenge. You will need to ensure the following before any ePHI is uploaded to or collected through the website.

  • Perform a risk analysis prior to using the site in connection with any ePHI and reduce risks to a reasonable and acceptable level
  • Use a HIPAA compliant hosting service for your website. Simply hosting the site with a HIPAA compliant hosting provider does not guarantee compliance. Ensure that all access, audit, and integrity controls are in place and safeguards implemented to secure data at rest and in transit
  • Perform a security scan of the site to check for vulnerabilities
  • Only use plugins from trustworthy sources
  • Ensure all plugins are updated and the latest version of WordPress is installed
  • Use security plugins on the website – Wordfence for example
  • Use a SaaS provider that can interface the ePHI component into your website or develop the interface internally
  • Ensure ePHI is stored outside of WordPress
  • Set strong passwords and admin account names to reduce the potential for brute force attacks. Use rate limiting to further enhance security and use two factor authentications for administrator accounts
  • Ensure that users cannot sign up for accounts directly without first being vetted
  • Ensure any data collected via web forms is encrypted in transit
  • Obtain business associate agreements with all service providers/plugin developers who require access to ePHI or whose software touches ePHI

WordPress was not developed to confirm to HIPAA standards so making WordPress HIPAA compliant is complicated. Ensuring a WordPress site remains HIPAA compliant is similarly difficult. There have also been several security issues with WordPress over the years and vulnerabilities are frequently identified. WordPress is not the only problem. Plugins are frequently found to have vulnerabilities and there is considerable potential for those vulnerabilities to be exploited.

While it is possible to make WordPress HIPAA compliant, the potential risks to ePHI are considerable. WordPress makes website creation simple, but not as far as HIPAA compliance is concerned.

Our recommendation is to develop your own website from scratch that is easier to secure and maintain, host the site with a HIPAA compliant hosing company, and if you do not have employees with the correct skill sets, use a vendor that specializes in developing HIPAA compliant websites and patient portals.

The post Can You Make WordPress HIPAA Compliant? appeared first on HIPAA Journal.