HIPAA Compliance News

How to Report a HIPAA Violation Anonymously

Posted by HIPAA Journal

One of the questions we are sometimes asked is how to report a HIPAA violation anonymously. This is because, in many cases, complaints and reports will not be reviewed or investigated without your contact details.

When you file a health information privacy complaint or a security rule violation complaint via the Office for Civil Rights´ (OCR) online Complaints Portal, the first page you are asked to complete is your name and contact details. The reason for this is because, if OCR reviews your complaint and decides to investigate it, the agency may want to contact you for further information.

You cannot go beyond the first page of the complaints process without entering any contact details; and, if you complete the form using fictitious contact details, OCR will be unable to contact you to obtain the information it needs to conduct an investigation. Consequently, it is not possible to report a HIPAA violation anonymously via the OCR Complaints Portal.

There are Other Ways of Filing a Complaint with OCR

The Complaints Portal is not the only way to file a complaint with OCR. You can download a complaint form, complete it, send it to OCR by mail or as an email attachment. The form allows you to deny consent for revealing your name or any identifying information – which is not the same as reporting a HIPAA violation anonymously and “may result in the closure of the investigation”.

You can also write anonymously to OCR, send an email from a disposable temporary email address, or call the agency directly on (800) 368-1019. If you find none of these approaches work because OCR does not want people to report a HIPAA violation anonymously, you could try one of OCR´s Regional Offices to see if one of these are willing to accept an anonymous report.

OCR is Not the Only Agency You Can Complain To

HHS´ Office for Civil Rights is not the only “enforcer” of HIPAA. Violations of the Administrative Requirements can be reported to the Centers for Medicare and Medicaid Services (CMS), violations of the Breach Notification Rule by organizations not covered by HIPAA can be reported to the Federal Trade Commission, and criminal violations can be reported to the Department of Justice.

All these agencies have complaints processes similar to OCR inasmuch as it is difficult to report a HIPAA violation anonymously. This is also usually the case with Offices of State Attorneys General. However, if you have a strong case for an investigation and explain why you are unwilling to reveal your identity, you may be able to report a HIPAA violation anonymously to a state agency.

How Else to Report a HIPAA Violation Anonymously

State and federal agencies are not the only bodies you can approach with a health information privacy complaint or a security rule violation complaint. You can also directly approach the organization responsible for the HIPAA violation. This gives you more options to report a HIPAA violation anonymously and a greater likelihood the violation you are reporting is addressed.

It is important to note that, unless the complaint involves a data breach subsequently reported to OCR by the organization, there will be no enforcement action taken by any state or federal agency. However, while there will be no record of an organization “getting into trouble” for failing to comply with HIPAA, your anonymous report may prevent somebody else experiencing an adverse event attributable to a privacy or security violation.

How to Report a HIPAA Violation Anonymously FAQs

Why doesn´t OCR want people to report a HIPAA violation anonymously?

Not only does it make it very difficult to investigate a privacy complaint without knowing who the complaint relates to, but malicious individuals could make unsubstantiated complaints that waste the time of both OCR investigators and the organization being investigated. By insisting on verifiable contact details, OCR can prevent malicious and unsubstantiated complaints – even though this requirement could dissuade some individuals from making justifiable complaints.

If I have to give my name, what protection do I have against retaliation?

§160.316 of the HIPAA Administrative Simplification Regulations prohibits Covered Entities and Business Associates from threatening, intimidating, coercing, harassing, discriminating against, or taking any retaliatory action against an individual who reports a HIPAA violation. This not only applies to patients and health plan members, but to any individual – including members of a Covered Entity´s or Business Associate´s workforce.

Can I report a HIPAA violation anonymously if the violation affects someone else?

Even if you are reporting a HIPAA violation on behalf of another person, OCR, CMS, the Federal Trade Commission, and Department of Justice will require your verifiable contact details to ensure the report is not malicious and unsubstantiated. You may be able to report a HIPAA violation anonymously to a State Attorney General´s office; but the best way to make a report anonymously is to approach the noncompliant organization directly.

How do I report a criminal violation of HIPAA anonymously to the Department of Justice?

Unlike some crime “tip lines”, the Department of Justice does not accept anonymous reports. The only route to reporting a criminal violation anonymously is to contact the noncompliant organization´s Privacy Officer who should investigate your complaint (subject to you having a strong case). If the Privacy Officer believes a criminal violation has occurred, they will report it to OCR, who will refer it to the Department of Justice for investigation.

What should I do if I complain anonymously to an organization, but nothing happens?

It may be difficult to know if your complaint to an organization has been ignored because the organization has no way of contacting you to explain what it is doing to correct the violation – which may take some time if it involves the development of new policies and additional workforce training. However, if you are certain your complaint has been ignored and it is still within 180 days of the violation being identified, you can escalate your complaint to OCR – albeit not anonymously.

Are HIPAA complaints anonymous?

Although you can request that your name is withheld when you make a complaint to OCR, complaints made anonymously will not be investigated. This not only applies to complaints made to OCR, but also to State Attorneys General, county HHS offices, and – where applicable – CMS, and the FTC. The option exists to phone an agency and make a complaint anonymously, but without your name, it is unlikely any further action will be taken.

The post How to Report a HIPAA Violation Anonymously appeared first on HIPAA Journal.

Is Google Slides HIPAA Compliant?

Posted by HIPAA Journal

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information.

Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint.

Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty.

Google Slides is a web-based presentation program that is not exempt from HIPAA under the HIPAA Conduit Exception Rule. The use of any ePHI with Google Slides is prohibited by the Privacy Rule unless healthcare organizations enter into a business associate agreement with Google prior to the use of Google Slides.

How to Make Google Slides HIPAA Compliant

The first step to take before using Google Slides in connection with any ePHI is to enter into a business associate agreement with Google. Google offers a BAA for healthcare organizations covering G Suite and Google Drive, which includes Google Docs, Google Sheets, Google Forms, and Google Slides.

As with all Google Drive services, it is essential to control who has access to files created on Google Drive. Healthcare organizations must ensure that any files created can only be accessed by individuals authorized to view the files and links to the files can only be shared with specific people. Sharing permissions should be carefully configured to prevent any accidental disclosures of ePHI.

It is important that no ePHI is included in the titles of any files created on Google Drive and third-party applications should be disabled. If applications need to be used, the security of those applications must be assessed and the developer’s documentation carefully checked. Third-party application developers would also be considered business associates and BAAs would be necessary.

Provided a BAA has been obtained from Google, Google Drive permissions are configured correctly, and best practices are followed, the Google Drive suite of products can be used by healthcare organizations in connection with ePHI.

The post Is Google Slides HIPAA Compliant? appeared first on HIPAA Journal.

Is Google Forms HIPAA Compliant?

Posted by HIPAA Journal

Google Forms is a convenient tool for creating surveys and gaining feedback from customers, but is it suitable for use by healthcare organizations? Is Google Forms HIPAA compliant or is its use likely to be a violation of HIPAA Rules?

Before any cloud-based service can be used by HIPAA covered entities or their business associates in connection with PHI, it is first necessary to enter into a business associate agreement with the service provider. Without a business associate agreement in place, use of the service would be considered a HIPAA violation.

Google and Business Associate Agreements with HIPAA Covered Entities

Google is prepared to enter into a business associate agreement with HIPAA covered entities and their business associates and offers its own BAA in which Google provides satisfactory assurances – as required by HIPAA – that the Privacy, Security, and Breach Notification Rule requirements will be followed. The BAA does not cover all Google services, but Google Drive – of which Google Forms is part – is covered by the BAA.

Obtaining a BAA from a service provider is only one part of the requirements of HIPAA. HIPAA covered entities and their business associates should also assess the security controls in place and should conduct a risk analysis to determine risks to the confidentiality, integrity, and availability of PHI. Any risks identified must be subjected to a risk management process and reduced to an appropriate and acceptable level.

The use of any cloud-based service is potentially risky, so care should be taken to ensure that appropriate controls are in place to prevent unauthorized access and disclosures. This is explained quite clearly in Google’s HIPAA Implementation Guide.

Google explains that care should be taken configuring the privacy settings of any elements of Google Drive (Forms, Docs, Sheets, and Slides) to limit the individuals who can access the data, which also applies when inserting Google Drive content into a website.

Is Google Forms HIPAA Compliant?

No software solution can be truly HIPAA compliant, as HIPAA compliance depends on the actions of users. However, Google does support HIPAA compliance and Google Forms is covered by its business associate agreement. Therefore, Google Forms can be considered a HIPAA compliant solution that is suitable for use in healthcare.

The post Is Google Forms HIPAA Compliant? appeared first on HIPAA Journal.

Is Google Sheets HIPAA Compliant?

Posted by HIPAA Journal

Is Google Sheets HIPAA compliant? Can HIPAA-covered entities use Google Sheets to create, view, or share spreadsheets containing identifiable protected health information or would using Google Sheets violate HIPAA Rules? In this post we assess whether Google Sheets supports HIPAA compliance. 

Under HIPAA Rules, healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. While it is straightforward to implement controls internally to keep data secure, oftentimes third parties are contracted to provide services that require access to PHI. They too must abide by HIPAA Rules covering privacy, security, and breach notifications.

A third-party that requires access to PHI – or copies of health data – to perform services on behalf of a covered entity is considered a business associate. A covered entity and business associate must enter into a contract – a business associate agreement – in which the business associate agrees to comply with certain aspects of the HIPAA Privacy, Security, and Breach Notification Rules. Without a business associate agreement in place, any sharing of PHI would be considered a HIPAA violation.

While Google does not look at the information uploaded to Google Sheets, since Google can potentially access the information, and data is stored on its servers, a business associate agreement would be required.

Will Google Sign a BAA with HIPAA Covered Entities for Google Sheets?

Google is committed to protecting the privacy of its customers’ data and ensuring all of its services are secure and data can always be accessed. Google is aware of the requirements of the Health Insurance Portability and Accountability Act and the firm is prepared to enter into a business associate agreement with HIPAA covered entities for certain services.

Google offers a BAA for G Suite, which includes Google Drive. Google Sheets, Google Docs, Google Slides, and Google Forms are all part of Google Drive and are covered by the BAA.

Google explains in its terms and conditions that any HIPAA covered entity or business associate of a HIPAA covered entity that wishes to use G Suite in connection with any PHI must enter into a BAA with Google before any of its services are used in connection with PHI.

Is Google Sheets HIPAA Compliant?

Since Google offers a BAA, is Google Sheets HIPAA compliant? Google can be considered a HIPAA compliant service provider as Google supports HIPAA compliance for G Suite Basic, G Suite for Education, G Suite Business, and G Suite Enterprise domains and will enter into a BAA with healthcare customers.

Once a BAA has been obtained, it is the responsibility of the covered entity or business associate to ensure that Google Sheets and all other Google Drive and G Suite products and services are used correctly in a manner that does not violate HIPAA Rules.

The post Is Google Sheets HIPAA Compliant? appeared first on HIPAA Journal.

Is IBM Cloud HIPAA Compliant?

Posted by HIPAA Journal

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations.

IBM offers a cloud platform to help organizations develop their mobile and web services, build native cloud apps, and host their infrastructure along with a wide range of cloud-based services for the capture, analysis, and processing of data.

The platform has already been adopted by many healthcare providers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their health information.

IBM Cloud Security

IBM is a leader in the field of network and data security, and its expertise has meant its cloud platform is highly secure. Security is built into the core of all of the firm’s software and services to ensure that sensitive data remains confidential and cannot be accessed by unauthorized individuals. Its audit and security reports are made available to its clients to assess during risk analysis and risk management processes.

Business Associate Agreement for the IBM Cloud Platform

Since 2014, IBM has been offering its cloud services to healthcare clients and has been entering into business associate agreements for its social, mobile, meetings, and mail cloud offerings.

IBM’s business associate agreements covers the IBM Cloud and details its responsibilities for security, including technical and physical controls in its data centers, permitted uses and disclosures of PHI, use of subcontractors, and its reporting requirements in the event of a security breach.

Healthcare customers must ensure they have a signed copy of the business associate agreement from IBM before any IBM cloud services are used in conjunction with protected health information.

IBM also offers HIPAA covered entities and their business associates services to help them configure their cloud applications correctly and create appropriate privacy and security solutions.

Is the IBM Cloud HIPAA Compliant?

Is the IBM Cloud HIPAA compliant? IBM meets its responsibilities as a business associate by ensuring its cloud platform meets and exceeds the minimum requirements of the HIPAA Security Rule and IBM agrees to abide by the HIPAA Privacy Rule and Breach Notification Rule.

IBM will enter into a business associate agreement with HIPAA covered entities covering the IBM Cloud, So the IBM Cloud can be considered a HIPAA compliant cloud platform.

However, HIPAA compliance is a shared responsibility. IBM only provides the security and the tools to ensure its cloud platform can be used without violating HIPAA Rules. It is the responsibility of HIPAA-covered entities to ensure that cloud-based infrastructure and applications are not misconfigured, and that stored files are appropriately secured.

The post Is IBM Cloud HIPAA Compliant? appeared first on HIPAA Journal.

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

Posted by HIPAA Journal

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data.

Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration.

The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just 30 days following the date of determination that a security breach has occurred.

Typically, when states propose legislation to improve protections for state residents whose personal information is exposed, organizations in compliance with federal data breach notification laws are deemed to be in compliance with state laws.

However, the new bill clarifies that will not necessarily be the case. Healthcare organizations covered by HIPAA laws have up to 60 days to issue notifications to breach victims. The amended bill states that when federal laws require notifications to be sent, the breached entity will be required to comply with the law with the shortest time frame for issuing notices.

That means HIPAA covered entities who experience a data breach that impacts Colorado residents would have half as long to issue notifications.

The original bill required breached entities to issue notifications to the state attorney general within 7 days of the discovery of a breach impacting 500 or more Colorado residents. The amended bill has seen that requirement relaxed to 30 days following the discovery of a breach of personal information. Further, the state attorney general does not need to be notified of a breach if there has been no misuse of breached data or if data misuse is unlikely to occur in the future.

If the new legislation is passed, Colorado residents will be among the best protected individuals in the United States. Only Florida has introduced such strict time scales for sending notifications to breach victims. Colorado residents would also be much better protected when their data is exposed by a healthcare organization, with the time frame for notification cut in half.

The post Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days appeared first on HIPAA Journal.

Is the Google Cloud Platform HIPAA Compliant?

Posted by HIPAA Journal

Is the Google Cloud Platform HIPAA compliant?  Is the Google Cloud Platform a suitable alternative to Azure and AWS for healthcare organizations? In this post we determine whether the Google Cloud platform is HIPAA compliant and if it can be used by healthcare organizations to build applications, host infrastructure, and store files containing protected health information.

Healthcare organizations are increasingly taking advantage of cloud platforms. The healthcare cloud computing market was valued at $4.65 billion in 2016 and is expected to increase to more than $14.76 billion by 2022.

Amazon AWS is still the leading platform with a market share of 62% according to KeyBlanc, with Microsoft Azure second on 20%, but Google is gaining ground, with a market share of around 12%.

Amazon and Microsoft both offering platforms that support HIPAA compliance, but what about Google? Is the Google Cloud Platform HIPAA compliant?

Will Google Sign a Business Associate Agreement Covering its Cloud Platform?

Since the Omnibus Rule came into effect in September 2013, Google has been signing business associate agreements with HIPAA covered entities for G-Suite and in early 2014, Google extended its BAA to include the Google Cloud Platform.

Google’s BAA now covers most of its cloud services including Compute Engine, Cloud Storage, Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud Dataproc, Genomics, BigQuery, Kubernetes Engine, Container Registry, Cloud Dataflow, Cloud Bigtable, Cloud Pub/Sub, Cloud Translation API, Cloud Speech API, Stackdriver Logging, Stackdriver Error Reporting, Stackdriver Trace, Stackdriver Debugger, Cloud Datalab, Cloud Machine Learning Engine, Cloud Natural Language, Cloud Data Loss Prevention API, Cloud Vision API, Google App Engine, Cloud Load Balancing, Cloud VPN, and Cloud Spanner.

Further, in 2016, a partnership between Google and the backend-as-a-service mobile provider Kinvey saw its mBaaS available on Google Cloud. The mBaaS incorporates connectors to electronic health record systems to support healthcare apps.

Is the Google Cloud Platform HIPAA Compliant?

Google will sign a BAA with HIPAA covered entities, so does that mean the Google Cloud Platform is HIPAA compliant?

The BAA is only one requirement of HIPAA. It means that Google has had its security and data protection mechanisms assessed and they have been found to exceed the minimum requirements of the HIPAA Security Rule. The cloud services offered by Google also meet Privacy Rule requirements, and Google is aware of its responsibilities as a HIPAA business associate. It agrees to provide a secure and HIPAA-compliant infrastructure for the storage and processing of PHI.

However, it is up to healthcare organizations to ensure that HIPAA Rules are followed when using the Google Cloud Platform and that their cloud-based infrastructure and applications are correctly configured and secured.

It is the responsibility of covered entities to disable all Google services not covered by its business associate agreement, access controls must be carefully implemented, controls set up to prevent accidental data deletion, audit log export destinations must be set, and audit logs regularly checked. Care must also be taken to uploading any PHI to the cloud to ensure it is appropriately secured and PHI is not accidentally shared with unauthorized individuals.

While the Google Cloud Platform can be HIPAA compliant, healthcare organization can easily violate HIPAA Rules using Google’s or any other provider’s platform.

The post Is the Google Cloud Platform HIPAA Compliant? appeared first on HIPAA Journal.

Research Institutions Given Additional 6 Months to Comply with Updated Common Rule

Posted by HIPAA Journal

Updates to the Common Rule – The Federal Policy for the Protection of Human Subjects – that were initially due to come into effect on January 19, 2018 have been delayed by 6 months, giving research organizations more time to comply with the new provisions. The new compliance date is July 19, 2018, although the provision covering cooperative research still has a compliance date of Jan 20, 2020.

Several healthcare organizations, including the American Medical Informatics Association (AMIA), the Associated of American Medical Colleges (AAMC), and the Association of American Universities (AAU), called for the compliance date to be pushed back due to uncertainty surrounding the final rule. A delay would allow institutions additional time to ensure compliance and would allow federal agencies more time to issue guidance to researchers to help them implement the updated regulations.

16 federal departments, including the Department of Health and Human Services, made revisions to the Common Rule. In a notice of proposed Rulemaking, the need for the delay to the compliance date was explained. “Without a delay, and without guidance, institutions that have expected a delay who hastily attempt to implement the revised rule without adequate preparation are bound to make mistakes, the consequences of which may jeopardize the proper conduct of research and the safety and wellbeing of human subjects.”

While the delay will be welcomed by many organizations, those that had already prepared to comply with the new provisions of the Common Rule ahead of the January 19 compliance date will now need to continue with their old policies and procedures for a further six months, which may cause some conflicts.

Changes to the Common Rule

The final rule update to the Common Rule was issued on January 19, 2017 on the last day of the Obama administration. One of the main reasons for the update was since the Common Rule was introduced in 1991, there have been many changes to how research is conducted.

At the time, research was mainly conducted in universities and medical institutions, with studies taking place at a single site. Today, the scale of research studies has increased, they often involve multiple sites, data is now digital, and the research is now more diverse. An update to the Common Rule was therefore long overdue.

The changes will improve privacy protections for research participants. The updated Common Rule is closely with the HIPAA Privacy Rule and introduces further safeguards to protect the privacy of research participants, while also improving the availability of health data for secondary research.

The update sees consent requirements changed to require information about research studies to be detailed on consent forms in language that a reasonable person would understand. The changes also make it possible for broad consent for secondary research to be obtained, which will improve the availability of patient-reported data and biospecimens for research.  The changes will also help research institutions obtain up-to-the-minute data from mobile applications and devices used by patients.

The updates clarify that certain public health surveillance activities are exempt from Common Rule restrictions, which will help with monitoring the spread of disease in the United States. Certain low-risk studies conducted by HIPAA Covered entities will also be exempt.

The HHS has also pointed out that the oversight system will not add an unnecessary administrative burden and the update has introduced greater flexibility to match today’s dynamic research environment.

Comments on the Interim Final Rule are being accepted until March 23, 2018 and guidance to help institutions comply with the Common Rule changes will be released over the coming weeks.

The post Research Institutions Given Additional 6 Months to Comply with Updated Common Rule appeared first on HIPAA Journal.

Is SharePoint HIPAA Compliant?

Posted by HIPAA Journal

Is SharePoint HIPAA compliant? Does the platform incorporate all the required administrative and technical controls to meet HIPAA requirements? This post explores whether SharePoint supports HIPAA compliance and its suitability for use in the healthcare industry.

What is SharePoint?

SharePoint is a web-based document management and storage system and one of the leading collaborative platforms on the market, used by 78% of Fortune 500 companies. The platform is based on Microsoft’s OpenXML document standard and therefore integrates seamlessly with Microsoft Office.

SharePoint offers many of the same functions as Google Drive and Dropbox, although SharePoint is a much more powerful platform and can also be used for internet portals, intranet sites and can form the basis of a CRM system.

With such a wide range of functions it is naturally a good fit for healthcare organizations, but is SharePoint HIPAA compliant? Does the platform incorporate all the necessary functions and security controls required by HIPAA?

Is SharePoint Covered by Microsoft’s Business Associate Agreement?

The first question when considering the suitability of a platform for use in healthcare in the United States is whether the platform provider is willing to sign a business associate agreement with a HIPAA covered entity or one of its business associates. Without a BAA, a platform cannot be used in conjunction with any protected health information (PHI).

Microsoft is prepared to sign a business associate agreement with HIPAA covered entities for Office 365 and Yammer, but what about SharePoint?

Microsoft clearly states on its website that SharePoint Online supports HIPAA compliance when used with Office 365 Enterprise, and that its BAA for Office 365 Enterprise does cover SharePoint Online.

Is SharePoint HIPAA Compliant?

Can we consider SharePoint HIPAA compliant? While no software platform can be truly HIPAA compliant, SharePoint does incorporate the necessary administrative and technical safeguards to meet HIPAA Rules and HIPAA covered entities can use the platform in a HIPAA compliant manner.

Microsoft will also ensure that it meets its responsibilities as a business associate, but it is the responsibility of users to ensure that HIPAA Rules are followed and the platform is configured correctly. Covered entities must set access controls for individuals or roles, audit controls must be set, logs must be monitored, appropriate security controls configured, and users must receive training on use of the platform and the restrictions of HIPAA.

Provided a BAA is obtained, the platform is configured and used correctly, SharePoint can be considered a HIPAA compliant document management, document storage, and collaborative platform.

The post Is SharePoint HIPAA Compliant? appeared first on HIPAA Journal.