HIPAA Compliance News

Is Zoho HIPAA Compliant?

Posted by HIPAA Journal

Many healthcare organizations would like to use Zoho tools and applications, but is Zoho HIPAA compliant? Can its tools and applications be used by U.S. healthcare organizations in conjunction with protected health information? In this post we explore whether Zoho supports HIPAA compliance for any of its cloud-based services.

What is Zoho?

Zoho is a Pleasanton, CA-based developer of cloud applications and web-based tools that includes email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management platform (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho projects), live chat software (Zoho Chat), a bookkeeping service (Zoho Books), app integration platform (Zoho Flow), and an IoT management platform (WebNMS).

The company is focused on providing innovative cloud-based solutions for businesses and has been developing applications since 1996. Many of its solutions are broadly comparable to those provided by Google (G Suite) and Microsoft (Office 365). Its apps have been developed to integrate with both suites of products.

Can HIPAA-Covered Entities Obtain a Zoho Business Associate Agreement?

There has been considerable interest in Zoho from healthcare organizations in the United States who are keen to use its cloud-based services, although there is little information about business associate agreements on the Zoho website. Zoho forums suggest a Zoho HIPAA compliance program has been in development for some time, but as of yet, a Zoho HIPAA compliant service is not being offered.

We have contacted Zoho for clarification on business associate agreements and the current state of the Zoho HIPAA compliance program and are awaiting a reply; however, at present it would appear that Zoho will not enter into a BAA with HIPAA-covered entities.

Is Zoho HIPAA Compliant?

While Zoho is focused on providing solutions for businesses, there are several issues that need to be resolved before the platform can be used by U.S. healthcare organizations.

Zoho services have not been developed for the healthcare industry in the United States, and while the company complies with ISO/IEC 27001 and SOC 2 for security, crucially the company will not sign a business associate with HIPAA-covered entities.

So, is Zoho HIPAA compliant? At present, Zoho does not fully support HIPAA compliance and should therefore be avoided by HIPAA-covered entities and their business associates who are seeking HIPAA-compliant solutions. Zoho applications and tools should not be used in conjunction with any electronic protected health information.

The post Is Zoho HIPAA Compliant? appeared first on HIPAA Journal.

Is Office 365 HIPAA Compliant?

Posted by HIPAA Journal

Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules?

What is Office 365?

Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access.

Office 365 for Healthcare

Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform.

Microsoft does not demand that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to use of Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact. In the event of a security breach, the administrative contact will be notified of a breach by Microsoft.

While there are companies that offer HIPAA certification to confirm that a company or product complies with HIPAA Rules, there is no official certification recognized by the HHS’ Office for Civil Rights or other federal agencies. However, Microsoft has undergone independent audits under ISO 27001 which incorporate assessments of security practices recommended by the HHS. Office 365 has been verified as having all necessary privacy and security controls to comply with HIPAA Rules.

Office 365 Security

All data uploaded to or stored on Microsoft servers is protected by encryption and any data transferred outside of Microsoft facilities is similarly encrypted.  However, packet headers and message headers are not encrypted.

Provided ePHI is not entered into the subject line of emails, the names of files attached to emails, or is used in the to and from fields of emails, email can be used securely.

Microsoft Office 365 meets HIPAA auditing requirements and logs of access to stored data are maintained. Reports on access logs can be obtained from Microsoft on request.

Microsoft offers 2-factor authentication to prevent Office 365 and Outlook email accounts from being accessed if a password is compromised and an unfamiliar device attempts to log into an account.

Is Microsoft Office 365 HIPAA Compliant?

So, is Microsoft Office 365 HIPAA compliant? Provided a HIPAA-covered entity has entered into a business associate agreement with Microsoft, Office 365 can be used in a manner compliant with HIPAA Rules.

While all appropriate privacy and security controls have been implemented by Microsoft to ensure that Office 365 can be used by HIPAA-covered entities while remaining compliant with HIPAA and the HITECH Act, use of Office 365 does not guarantee compliance, even if a BAA has been obtained from Microsoft.

It is the responsibility of covered entities to ensure access controls are configured correctly, administrator access tracking is turned on, Microsoft Dynamics CRM Online for supported devices is turned off, access control reports are obtained and checked regularly, and all users are trained how to use Office 365 in a manner compliant with HIPAA Rules.

The post Is Office 365 HIPAA Compliant? appeared first on HIPAA Journal.

When Was HIPAA Enacted?

Posted by HIPAA Journal

How long has compliance with the Health Insurance Portability and Accountability Act (HIPAA) been necessary? When was HIPAA enacted and what were the compliance dates for the original act and its subsequent amendments?

When was HIPAA Enacted?

HIPAA was enacted on August 21, 1996 when President Bill Clinton added his signature and signed the legislation into law. One of the key aims of the legislation was to improve the portability and accountability of health insurance coverage – Ensuring employees retained health insurance coverage when between jobs.

HIPAA combatted wastage in healthcare and helped to prevent fraud and abuse in healthcare delivery and health insurance. HIPAA also simplified the administration of healthcare.

HIPAA was enacted and signed into law in 1996, but there have been major updates to HIPAA legislation over the years, notably the introduction of the HIPAA Privacy Rule, The HIPAA Security Rule, the incorporation of HITECH Act requirements and the HIPAA Omnibus Rule.

These updates added many new provisions to HIPAA legislation and helped to ensure that patient privacy was protected, healthcare data was appropriately secured, patients and plan members were notified in the event of a breach of their protected health information, and business associates of HIPAA covered entities also had to comply with HIPAA Rules.

The introduction of the HIPAA Enforcement Rule in 2006 gave the Department of Health and Human Services’ Office for Civil Rights the power to enforce HIPAA. Since then, it has been possible for the HHS to pursue financial penalties for non-compliance with HIPAA Rules.

When was the HIPAA Privacy Rule Introduced?

The HIPAA Privacy Rule was first proposed on November 3, 1999 with the HIPAA Final Privacy Rule of HIPAA enacted on December 20, 2000, although corrections were made almost immediately. The most important date is April 14, 2003 when HIPAA-covered entities were required to comply with the HIPAA Privacy Rule.

The HIPAA Privacy Rule defined Protected Health Information (PHI) and regulated the use of PHI by HIPAA covered entities, stipulating to whom the information could be disclosed and under what circumstances.  The HIPAA Privacy Rule requires appropriate safeguards to be implemented to protect the privacy of patients. Patients were also given the right to obtain copies of the PHI held by HIPAA-covered entities.

When was the HIPAA Security Rule Introduced?

The HIPAA Security Rule was first proposed on August 12, 1998, with the final Security Rule of HIPAA enacted on February 20, 2003. Compliance with the HIPAA Security Rule became mandatory on April 21, 2006.

The HIPAA Security Rule is primarily concerned with the establishment of national standards for security to protect electronic protected health information. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be implemented to ensure the confidentiality, integrity, and availability of PHI.  The HIPAA Security Rule also requires covered entities to conduct a risk analysis to identify risks to the confidentiality, integrity, and availability of PHI and to manage those risks and reduce them to a reasonable level.

When was the HITECH Act Incorporated into HIPAA?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009. Certain elements of HITECH became effective the same month, such as increased penalties for violations of HIPAA Rules. Most of the provisions of the HITECH Act became effective and were enforceable from February 27, 2010.

The HITECH Act’s incorporation into HIPAA resulted in the creation of the HIPAA Breach Notification Rule which requires covered entities to notify individuals when PHI is exposed or compromised. HITECH also required business associates of HIPAA-covered entities to comply with HIPAA Rules and made them directly accountable for HIPAA violations.

The HIPAA Omnibus Rule of 2013 finalized and incorporated many provisions of the HITECH Act into HIPAA with the the HIPAA Omnibus Rule of HIPAA enacted on January 17, 2013. The compliance deadline was September 23, 2013.

Important Dates in the History of HIPAA

  • August 21, 1996 – HIPAA signed into law
  • December 20, 2000 – HIPAA Final Privacy Rule issued
  • February 20, 2003 – HIPAA Final Security Rule issued
  • April 14, 2003 – HIPAA Privacy Rule compliance deadline
  • April 21, 2006 – HIPAA Security Rule compliance deadline
  • March 16, 2006 – HIPAA Enforcement Rule becomes effective
  • February 17, 2009 – HITECH Act signed into law
  • February 27, 2010 – HITECH Act compliance deadline
  • January 17, 2013 – HIPAA Omnibus Final Rule issued
  • September 23, 2013 – Omnibus Rule compliance deadline

Further information on HIPAA

You can find out more about HIPAA compliance here, and for further information on landmarks in HIPAA take a look at our HIPAA history page and infographic.

The post When Was HIPAA Enacted? appeared first on HIPAA Journal.

Is a HIPAA Violation Grounds for Termination?

Posted by HIPAA Journal

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules?

Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy?

Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination?

Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations.

When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for patients whose privacy has been violated, potential legal issues arising from the violation and possible action by regulators. Healthcare organizations will be keen to take action to ensure that similar violations are prevented in the future.

When an employee is discovered to have knowingly or unknowingly violated HIPAA Rules there are likely to be repercussions for the individual concerned.

An unintentional acquisition, access, or use of protected health information by a workforce member in which the acquisition, access, or use was made in good faith and within the scope of authority would not be a reportable breach and may not necessarily result in disciplinary action.

Some healthcare organizations have strict rules on violations of HIPAA Rules and regularly terminate employees for HIPAA violations. Others have a policy of dealing with minor HIPAA violations internally. Depending on the nature of the violation, the incident may warrant disciplinary action against the individual concerned which could see the employee suspended pending an investigation. Termination for a HIPAA violation is a possible outcome.

Ultimately the repercussions for a HIPAA violation will depend on the polices in place at an organization and the severity of the violation. A violation of the Minimum Necessary Information Standard may, depending on the circumstances, be considered a matter for internal disciplinary action and not termination. Viewing the medical records of any patient without authorization is likely to result in termination unless the incident is reported quickly, no harm was caused to the patient, and access was accidental or made in good faith.

Recent Cases Where Healthcare Providers Deemed a HIPAA Violation Grounds for Termination

Criminal Penalties for HIPAA Violations

Termination may not be the worst that can happen when HIPAA Rules are violated by employees. Healthcare employees may be found criminally liable for HIPAA violations and cases can be referred to the Department of Justice for prosecution.

Criminal violations of HIPAA Rules can result in financial penalties and jail time for healthcare employees. A fine of up to $50,000 and one year in jail is possible when PHI is knowingly obtained and impermissibly disclosed. A fine of up to $100,000 and five years in jail is possible for violations involving false pretenses, and a fine of up to $250,000 and up to 10 years in jail is possible when HIPAA Rules have been violated for malicious reasons or for personal gain. A further 2 years can be added onto the sentence for aggravated identity theft.

The post Is a HIPAA Violation Grounds for Termination? appeared first on HIPAA Journal.

Is Google Calendar HIPAA Compliant?

Posted by HIPAA Journal

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.  

Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added.

Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied.

A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.

Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.

Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.

Google’s Business Associate Agreement

Google is willing to sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging feature of Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.

HIPAA-covered entities must enter into a BAA with Google prior to any of the above services being used with ePHI. Once a signed BAA has been obtained the services can be used, although it is the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules using its services.

Is Google Calendar HIPAA Compliant?

So, is Google Calendar HIPAA compliant? Provided a BAA has been obtained, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.

The post Is Google Calendar HIPAA Compliant? appeared first on HIPAA Journal.

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

Posted by HIPAA Journal

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. They must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow prompt action to be taken manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

The post EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach appeared first on HIPAA Journal.

What is HIPAA Certification?

Posted by HIPAA Journal

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.

What is HIPAA Certification?

Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.

Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.

Why there is No HHS-Endorsed HIPAA Certification

The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.

There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future.

HIPAA Training and Certification

HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.

Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.

One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.

Third Party Audits Confirming HIPAA Compliance

With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.

The post What is HIPAA Certification? appeared first on HIPAA Journal.

How to Report a HIPAA Violation Anonymously

Posted by HIPAA Journal

One of the questions we are sometimes asked is how to report a HIPAA violation anonymously. This is because, in many cases, complaints and reports will not be reviewed or investigated without your contact details.

When you file a health information privacy complaint or a security rule violation complaint via the Office for Civil Rights´ (OCR) online Complaints Portal, the first page you are asked to complete is your name and contact details. The reason for this is because, if OCR reviews your complaint and decides to investigate it, the agency may want to contact you for further information.

You cannot go beyond the first page of the complaints process without entering any contact details; and, if you complete the form using fictitious contact details, OCR will be unable to contact you to obtain the information it needs to conduct an investigation. Consequently, it is not possible to report a HIPAA violation anonymously via the OCR Complaints Portal.

There are Other Ways of Filing a Complaint with OCR

The Complaints Portal is not the only way to file a complaint with OCR. You can download a complaint form, complete it, send it to OCR by mail or as an email attachment. The form allows you to deny consent for revealing your name or any identifying information – which is not the same as reporting a HIPAA violation anonymously and “may result in the closure of the investigation”.

You can also write anonymously to OCR, send an email from a disposable temporary email address, or call the agency directly on (800) 368-1019. If you find none of these approaches work because OCR does not want people to report a HIPAA violation anonymously, you could try one of OCR´s Regional Offices to see if one of these are willing to accept an anonymous report.

OCR is Not the Only Agency You Can Complain To

HHS´ Office for Civil Rights is not the only “enforcer” of HIPAA. Violations of the Administrative Requirements can be reported to the Centers for Medicare and Medicaid Services (CMS), violations of the Breach Notification Rule by organizations not covered by HIPAA can be reported to the Federal Trade Commission, and criminal violations can be reported to the Department of Justice.

All these agencies have complaints processes similar to OCR inasmuch as it is difficult to report a HIPAA violation anonymously. This is also usually the case with Offices of State Attorneys General. However, if you have a strong case for an investigation and explain why you are unwilling to reveal your identity, you may be able to report a HIPAA violation anonymously to a state agency.

How Else to Report a HIPAA Violation Anonymously

State and federal agencies are not the only bodies you can approach with a health information privacy complaint or a security rule violation complaint. You can also directly approach the organization responsible for the HIPAA violation. This gives you more options to report a HIPAA violation anonymously and a greater likelihood the violation you are reporting is addressed.

It is important to note that, unless the complaint involves a data breach subsequently reported to OCR by the organization, there will be no enforcement action taken by any state or federal agency. However, while there will be no record of an organization “getting into trouble” for failing to comply with HIPAA, your anonymous report may prevent somebody else experiencing an adverse event attributable to a privacy or security violation.

How to Report a HIPAA Violation Anonymously FAQs

Why doesn´t OCR want people to report a HIPAA violation anonymously?

Not only does it make it very difficult to investigate a privacy complaint without knowing who the complaint relates to, but malicious individuals could make unsubstantiated complaints that waste the time of both OCR investigators and the organization being investigated. By insisting on verifiable contact details, OCR can prevent malicious and unsubstantiated complaints – even though this requirement could dissuade some individuals from making justifiable complaints.

If I have to give my name, what protection do I have against retaliation?

§160.316 of the HIPAA Administrative Simplification Regulations prohibits Covered Entities and Business Associates from threatening, intimidating, coercing, harassing, discriminating against, or taking any retaliatory action against an individual who reports a HIPAA violation. This not only applies to patients and health plan members, but to any individual – including members of a Covered Entity´s or Business Associate´s workforce.

Can I report a HIPAA violation anonymously if the violation affects someone else?

Even if you are reporting a HIPAA violation on behalf of another person, OCR, CMS, the Federal Trade Commission, and Department of Justice will require your verifiable contact details to ensure the report is not malicious and unsubstantiated. You may be able to report a HIPAA violation anonymously to a State Attorney General´s office; but the best way to make a report anonymously is to approach the noncompliant organization directly.

How do I report a criminal violation of HIPAA anonymously to the Department of Justice?

Unlike some crime “tip lines”, the Department of Justice does not accept anonymous reports. The only route to reporting a criminal violation anonymously is to contact the noncompliant organization´s Privacy Officer who should investigate your complaint (subject to you having a strong case). If the Privacy Officer believes a criminal violation has occurred, they will report it to OCR, who will refer it to the Department of Justice for investigation.

What should I do if I complain anonymously to an organization, but nothing happens?

It may be difficult to know if your complaint to an organization has been ignored because the organization has no way of contacting you to explain what it is doing to correct the violation – which may take some time if it involves the development of new policies and additional workforce training. However, if you are certain your complaint has been ignored and it is still within 180 days of the violation being identified, you can escalate your complaint to OCR – albeit not anonymously.

Are HIPAA complaints anonymous?

Although you can request that your name is withheld when you make a complaint to OCR, complaints made anonymously will not be investigated. This not only applies to complaints made to OCR, but also to State Attorneys General, county HHS offices, and – where applicable – CMS, and the FTC. The option exists to phone an agency and make a complaint anonymously, but without your name, it is unlikely any further action will be taken.

The post How to Report a HIPAA Violation Anonymously appeared first on HIPAA Journal.

Is Google Slides HIPAA Compliant?

Posted by HIPAA Journal

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information.

Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint.

Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty.

Google Slides is a web-based presentation program that is not exempt from HIPAA under the HIPAA Conduit Exception Rule. The use of any ePHI with Google Slides is prohibited by the Privacy Rule unless healthcare organizations enter into a business associate agreement with Google prior to the use of Google Slides.

How to Make Google Slides HIPAA Compliant

The first step to take before using Google Slides in connection with any ePHI is to enter into a business associate agreement with Google. Google offers a BAA for healthcare organizations covering G Suite and Google Drive, which includes Google Docs, Google Sheets, Google Forms, and Google Slides.

As with all Google Drive services, it is essential to control who has access to files created on Google Drive. Healthcare organizations must ensure that any files created can only be accessed by individuals authorized to view the files and links to the files can only be shared with specific people. Sharing permissions should be carefully configured to prevent any accidental disclosures of ePHI.

It is important that no ePHI is included in the titles of any files created on Google Drive and third-party applications should be disabled. If applications need to be used, the security of those applications must be assessed and the developer’s documentation carefully checked. Third-party application developers would also be considered business associates and BAAs would be necessary.

Provided a BAA has been obtained from Google, Google Drive permissions are configured correctly, and best practices are followed, the Google Drive suite of products can be used by healthcare organizations in connection with ePHI.

The post Is Google Slides HIPAA Compliant? appeared first on HIPAA Journal.