HIPAA Compliance News

Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters

Posted by HIPAA Journal

After just 4 months in the position of deputy director for health information privacy at the Department of Health and Human Services’ Office for Civil Rights, Iliana Peters has departed for the private sector.

Peters took over as deputy director following the departure of acting deputy director Deven McGraw in November, only to leave the post on February 2 to join the healthcare team at law firm Polsinelli.

This is the third major change of staff at the Department of Health and Human Services in a little over four months. First, there was the departure of HHS Secretary Tom Price in late September, McGraw left in October to join health tech startup Citizen, and now Iliana Peters has similarly quit for the private sector.

Peters has been working at the Office for Civil Rights for the past 12 years, including 5 years as a senior advisor. During her time at OCR Peters has worked closely with regional offices helping them enforce HIPAA Rules and has been instrumental in building up OCR’s HIPAA enforcement program.

Peters has trained regional OCR staff on HIPAA enforcement and the handling of cases and played a key role in OCR’s latest enforcement actions – the $3.5 million settlement with Fresenius Medical Care North America over five data breaches reported to OCR in 2012 and the $2.3 million settlement with 21st Century Oncology over its 2015 cyberattack.

Peters has also trained state attorneys general on HIPAA policies and played a key role in the development of OCR’s second phase of HIPAA compliance audits, as well helping with the development of guidance for HIPAA covered entities on HIPAA Privacy and Security Rules.

Now, instead of helping OCR punish organizations for HIPAA violations, Peters will be working on the other side and will be helping healthcare organizations avoid HIPAA violations and OCR penalties.

Peters has become a shareholder at Polsinelli and will be based at its Health Care Operations practice in Washington D.C. According to a February 7 Polsinelli press release. Peters will be helping to develop the law firm’s healthcare presence in DC.

“Iliana brings key insights into the government’s investigation, enforcement, and settlement processes and will enhance our ability to guide our clients in responding to ever-changing threats and risks,” said Polsinelli Health Care Department Chair Matt Murer. “We know that our clients look forward to having Iliana as a strategic member of their privacy and security teams.”

OCR’s southeast regional manager Timothy Noonan was appointed as acting deputy director for health information privacy at OCR on January 29, 2018. Noonan has spent the past four years working as the Southeast regional manager and has served as acting associate deputy director for regional operations and OCR’s acting director for centralized case management operations.

While the loss of Peters will certainly be felt at OCR, there is unlikely to be any easing of OCR’s HIPAA enforcement efforts. OCR’s regional offices have been well trained and will continue to ensure that HIPAA Rules are being followed and action is taken over serious violations of HIPAA Rules.

The post Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters appeared first on HIPAA Journal.

What is HIPAA Authorization?

Posted by HIPAA Journal

We are often asked to clarify certain elements of HIPAA Rules. One recent question relates to disclosures of protected health information (PHI) and medical records – ‘What is HIPAA authorization?’

What is HIPAA Authorization?

The HIPAA Privacy Rule (effective since April 14, 2003) introduced standards covering allowable uses and disclosures of health information, including to whom information can be disclosed and under what circumstances protected health information can be shared.

The HIPAA Privacy Rule permits the sharing of health information by healthcare providers, health plans, healthcare clearinghouses, business associates of HIPAA-covered entities, and other entities covered by HIPAA Rules under certain circumstances. In general terms, permitted uses and disclosures are for treatment, payment, or health care operations.

HIPAA authorization is consent obtained from a patient or health plan member that permits a covered entity or business associate to use or disclose PHI to an individual/entity for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule. Without HIPAA authorization, such a use or disclosure of PHI would violate HIPAA Rules and could attract a severe financial penalty and may even be determined to be a criminal act.

When is HIPAA Authorization Required?

45 CFR §164.508 details the uses and disclosures of PHI that require an authorization to be obtained from a patient/plan member before information can be shared or used. HIPAA authorization is required for:

  • Use or disclosure of PHI otherwise not permitted by the HIPAA Privacy Rule
  • Use or disclosure of PHI for marketing purposes except when communication occurs face to face between the covered entity and the individual or when the communication involves a promotional gift of nominal value.
  • Use or disclosure of psychotherapy notes other than for specific treatment, payment, or health care operations (see 45 CFR §164.508(a)(2)(i) and (a)(2)(ii))
  • Use or disclosure of substance abuse and treatment records
  • Use or disclosure of PHI for research purposes
  • Prior to the sale of protected health information

What Must Be Included on a HIPAA Authorization Form?

A HIPAA authorization is a detailed document in which specific uses and disclosures of protected health are explained in full.

By signing the authorization, an individual is giving consent to have their health information used or disclosed for the reasons stated on the authorization. Any use or disclosure by the covered entity or business associate must be consistent with what is stated on the form.

The authorization form must be written in plain language to ensure it can be easily understood and as a minimum, must contain the following elements:

  • Specific and meaningful information, including a description, of the information that will be used or disclosed
  • The name (or other specific identification) of the person or class of persons authorized to make the requested use or disclosure
  • The name(s) or other specific identification of the person or class of persons to whom information will be disclosed
  • A description of the purpose of the requested use or disclosure. In cases where a statement of the purpose is not provided, “at the request of the individual” is sufficient
  • A specific time frame for the authorization including an expiration date. In the case of uses and disclosures related to research, “at the end of the study” can be used or ‘none’ in the case of the creation of a research database or research repository
  • A date and signature from the individual giving the authorization. If the authorization is being given by an individual’s authorized representative, a description of the person’s authority to act on behalf of the individual must be detailed.

Statements must also be included on the HIPAA authorization to notify the individual of:

The right to revoke the authorization in writing and either:

  1. Exceptions to the right to revoke and a description of how the right to revoke can be exercised; or
  2. The extent to which the information in A) is included in the organization’s notice of privacy practices

The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization by stating either:

  1. That the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization; or
  2. The consequences of a refusal to sign the authorization when the covered entity is permitted to condition treatment, enrollment in the health plan, or eligibility for benefits on a failure to obtain authorization.

The individual providing consent must be provided with a copy of the authorization form for their own records.

The post What is HIPAA Authorization? appeared first on HIPAA Journal.

Is HelloFax HIPAA Compliant?

Posted by HIPAA Journal

Is HelloFax HIPAA compliant? Can HelloFax be used by healthcare organizations to send files containing protected health information, or would doing so be considered a violation of HIPAA Rules? In this post we explore the protections in place and attempt to determine whether HelloFax can be considered a HIPAA compliant fax service.

The HIPAA Conduit Exception and Fax Transmissions

It is important to make a distinction between standard faxes and digital faxing services. Standard fax machines, those which are used to transmit a physical document from one fax machine to another, have long been used by healthcare organizations, and in many cases, to transmit documents containing protected health information.

Transmissions are sent without first entering into a business associate agreement – or BAA – with telecommunications companies. That is because telecoms firms, such as AT&T, are covered by the HIPAA conduit exception rule.

The HIPAA conduit exception is covered in more detail here, although in short, it details the types of communications services do not require a business associate agreement – Services that are merely conduits through which information flows.  Any information sent by standard fax, or is communicated over the telephone, is not subject to HIPAA laws in the same way that other communications channels such as SMS and VOIP are.

However, digital fax services such as HelloFax are not included under the HIPAA conduit exception rule, therefore, the use of the service for sending any documents containing PHI would be subject to HIPAA Rules. So, is HelloFax HIPAA compliant, and can it be used by healthcare organizations and other entities bound by HIPAA Rules?

Is HelloFax HIPAA Compliant?

It is important to note that no software, product, or service can be considered truly HIPAA compliant, as HIPAA compliance depends on users of the software, product, or service. It is more a case of whether a product or service can be used in a HIPAA compliant manner without violating the HIPAA Privacy or Security Rules.

In order for any communications channel to be considered by a HIPAA-covered entity or business associate of a covered entity, it is necessary to ensure that appropriate safeguards are in place to ensure the confidentiality, integrity, and availability of PHI.

In this regard, HelloFax ticks the right boxes. Fax transmissions are protected with end-to-end encryption from sender to receiver. The method of encryption used for data in transit and at rest is AES-256-bit, which certainly meets the minimum standards for data encryption required by HIPAA.

In addition, each unique key is encrypted with a regularly rotated master key, so even if the hard drive on the machine on which the fax was sent/received was accessed, it would not be possible to view data. HelloFax also has strict controls in place to ensure its data center is physically secured. The company claims it has “bank-grade” physical and digital security.

While security appears not to be an issue, there is the issue of the business associate agreement, which is a requirement. There is no mention of a BAA on the main website at the time of writing, although there is a post in the company blog – dated May 17, 2017 – confirming that the service is now SOC 2 and HIPAA compliant. HelloFax has been independently verified as meeting HIPAA security standards by an (unnamed) independent third-party. HelloSign will sign a BAA with HIPAA-covered entities who wish to use its HelloFax service.

HelloSign states, “For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), HelloSign can also support HIPAA compliance. HelloSign now has the ability to sign a Business Associate Agreement (BAA) with any of our customers in the healthcare, pharmaceutical, and insurance industries. Under a BAA we are bound to operate specific controls to protect your electronic protected health information (ePHI).”

So, is HelloFax HIPAA compliant? In our opinion, HelloFax is not covered by the HIPAA conduit exception rule, so provided a business associate agreement has been obtained, and users ensure access controls are implemented, HelloFax can be considered a HIPAA compliant fax service.

The post Is HelloFax HIPAA Compliant? appeared first on HIPAA Journal.

Is iCloud HIPAA Compliant?

Posted by HIPAA Journal

Is iCloud HIPAA compliant? Can healthcare organizations use iCloud for storing files containing electronic protected health information (ePHI) or sharing ePHI with third-parties? This article assesses whether iCloud is a HIPAA compliant cloud service.

Cloud storage services are a convenient way of sharing and storing data. Since files uploaded to the cloud can be accessed from multiple devices in any location with an Internet connection, information is always at hand when it is needed.

There are many cloud storage services to choose from, many of which are suitable for use by healthcare providers for storing and sharing ePHI. They include robust access and authentication controls and data uploaded to and stored in the cloud is encrypted. Logs are also maintained so it is possible to tell who accessed data, when access occurred, and what users did with the data once access was granted.

iCloud is a cloud storage service that owners of Apple devices can easily access through their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted in storage and during transfer. The level of encryption used by Apple certainly meets the minimum standard demanded by HIPAA. iCloud certainly appears to tick all the right boxes in terms of security, but is iCloud HIPAA compliant?

Will Apple Sign a Business Associate Agreement with HIPAA Covered Entities?

Cloud storage services are not covered by the HIPAA Conduit Exception Rule and are therefore classed as business associates. As a business associate, the service provider is required to enter into a contract with a HIPAA covered entity – in the form of a business associate agreement – before its service can be used in connection with any ePHI.

It is the responsibility of the covered entity to ensure a BAA is obtained prior to the use of any cloud service for sharing, storing, or transmitting ePHI.

That business associate agreement must explain the responsibilities the service provider has with respect to any ePHI uploaded to its cloud storage platform. The BAA should also explain the uses and disclosures of PHI, and the need to alert the covered entity of any breaches that expose data.

If a BAA is not obtained from Apple, its iCloud service cannot be used with any ePHI. So, will Apple sign a BAA with HIPAA covered entities?

Apple could not have made it any clearer in its iCloud terms and conditions that the use of iCloud by HIPAA-covered entities or their business associates for storing or sharing ePHI is not permitted, and that doing so would be a violation of HIPAA Rules.

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Is iCloud HIPAA Compliant?

It doesn’t matter what security controls are in place to ensure ePHI cannot be accessed by unauthorized individuals. If a communications channel is not covered by the conduit exception rule and the service provider will not enter into a contract with a HIPAA covered entity in the form of a business associate agreement, the service cannot be used with any ePHI. So, is iCloud HIPAA compliant? Until such point that Apple decides to sign a BAA, iCloud is not a HIPAA compliant cloud service and should not be used by healthcare organizations for sharing, storing, or transmitting ePHI.

The post Is iCloud HIPAA Compliant? appeared first on HIPAA Journal.

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

Posted by HIPAA Journal

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information.

CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules.

CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings.

CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident.

The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million.

A lawsuit was filed by the CVS Pharmacy seeking indemnification from the mail service under the terms of its BAA and common law principles. CVS Pharmacy alleges the mismailing was due to negligence by its subcontractor, and the $1.8 payment was made as a direct result of that negligence. CVS Pharmacy maintains the breach was fully under the control of its subcontractor.

CVS Pharmacy alleged the mail service owed it a duty of reasonable care and that duty of care was breached. Since PHI was improperly disclosed and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to send notifications to the 41 plan members, which the complainant claims caused damage its reputation.

The mail service sought to dismiss the claim of negligence, and in its motion to dismiss the lawsuit, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that required the $1.8 million payment. The mail service also contended that its indemnification provisions were not intended to cover this type of payment.

However, the federal court declined to dismiss the CVS Pharmacy’s lawsuit. The court ruled that the indemnification provisions of the subcontractor were broad enough to encompass CVS Pharmacy’s payment to the health plan, and the subcontractor had no right to challenge the contractual obligation since it was not a party or third-party beneficiary to the contact. The court also ruled that CVS Pharmacy sufficiently alleged negligence based on the breach of duty.

Losses were also suffered as a result of that negligence, as CVS Pharmacy had to make a sizeable payment to the health plan in addition to covering the cost of issuing notifications to the plan members whose PHI was disclosed. Consequently, the motion to dismiss the case was denied.

The post Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss appeared first on HIPAA Journal.

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

Posted by HIPAA Journal

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012.

The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were:

  • Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval)
  • Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove)
  • Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin)
  • Fresenius Vascular Care Augusta, LLC (FVC Augusta)
  • WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)

Breaches Experienced by FMCNA HIPAA Covered Entities

The five security breaches were experienced by the FMCNA covered entities over a period of four months between February 23, 2012 and July 18, 2012:

  • The theft of two desktop computers from FMC Duval during a February 23, 2012 break-in. The computers contained the ePHI – including Social Security numbers – of 200 individuals
  • The theft of an unencrypted USB drive from FMC Magnolia Grove on April 3, 2012. The device contained the PHI – including insurance account numbers – of 245 individuals
  • On April 6, 2012 FMC Ak-Chin discovered a hard drive was missing. The hard drive had been removed from a computer that had been taken out of service and the drive could not be located. The hard drive contained the PHI – including Social Security numbers – of 35 individuals
  • An unencrypted laptop computer containing the ePHI of 10 patients – including insurance details – was stolen from the vehicle of an employee on June 16, 2012. The laptop had been left in the vehicle overnight. The bag containing the laptop also contained the employee’s list of passwords
  • Three desktop computers and one encrypted laptop were stolen from FMC Blue Island on or around June 17-18, 2012. One of the computers contained the PHI – including Social Security numbers – of 35 patients

Multiple HIPAA Failures Identified

OCR launched an investigation into the breaches to establish whether they were the result of failures to comply with HIPAA Rules. The investigation revealed a catalogue of HIPAA failures.

OCR established that the FMCNA covered entities had failed to conduct a comprehensive and accurate risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI: One of the most common areas of non-compliance with HIPAA Rules. If an accurate risk assessment is not performed, risks are likely to be missed and will therefore not be managed and reduced to an acceptable level.

OCR also discovered the FMCNA covered entities had impermissibly disclosed the ePHI of many of its patients by providing access to PHI that is prohibited under the HIPAA Privacy Rule.

Several other potential HIPAA violations were discovered at some of the FMCNA covered entities.

FMC Magnolia Grove did not implement policies and procedures governing the receipt and removal of computer hardware and electronic storage devices containing ePHI from its facility, and neither the movement of those devices within its facility.

FMC Magnolia Grove and FVC Augusta had not implemented encryption, or an equivalent, alternative control in its place, when such a measure was reasonable and appropriate given the risk of exposure of ePHI.

FMC Duval and FMC Blue were discovered not to have sufficiently safeguarded their facilities and computers, which could potentially lead to unauthorized access, tampering, or theft of equipment.

FMC Ak-Chin had no policies and procedures in place to address security breaches.

Financial Penalty Reflects the Seriousness and Extent of HIPAA Violations

The $3.5 million settlement is one of the largest issued to date by OCR to resolve violations of HIPAA Rules. In addition to paying the sizeable financial penalty, FMCNA has agreed to adopt a robust corrective actin plan to address all HIPAA failures and bring its policies and procedures up to the standard demanded by HIPAA.

The FMCNA covered entities must conduct comprehensive, organization wide risk analyses to identify all risks to the confidentiality, integrity, and availability of PHI and develop a risk management plan to address all identified risks and reduce them to a reasonable and acceptable level.

Policies and procedures must also be developed and implemented covering device, media, and access controls and all staff must receive training on current and new HIPAA policies and procedures.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Settlement Shows it is Not the Size of the Breach that Matters

All of the five breaches resulted in the exposure of relatively few patients’ PHI. No breach involved more than 235 records, and three of the breaches exposed fewer than 50 records.

The settlement shows that while the scale of the breach is considered when deciding on an appropriate financial penalty, it is the severity and the extent of non-compliance that is likely to see financial penalties pursued.

The settlement also clearly shows that OCR does investigate smaller breaches and will do so when breaches suggest HIPAA Rules have been violated.

The post $3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches appeared first on HIPAA Journal.

Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case

Posted by HIPAA Journal

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones.

Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis.

The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $115 million settlement with the New York Attorney General to resolve violations of federal and state laws.

Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had their privacy violated by the September mailing.

The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims.

New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organizations and individuals who violate state laws by disclosing HIV information.

As a HIPAA-covered entity, Aetna is bound by the regulations and is required to implement safeguards to ensure the confidentiality of health and HIV information. Several laws in New York also require safeguards to be implemented to protect personal health information and personally identifiable information.

Not only were state and federal laws violated by the mailing, Aetna provided the personal health information of its members to outside counsel who in turn gave that information to a settlement administrator. While the outside counsel was a business associate of Aetna and had signed a business associate agreement, its subcontractor, the settlement administrator, was also a business associate yet no business associate agreement was entered into prior to the disclosure of PHI. A further violation of HIPAA Rules.

The office of the attorney general determined Aetna’s two mailings violated 45 C.F.R § 164.502; 42 U.S.C. § 1320d-5 of HIPAA, N.Y General Business Law § 349, N.Y Public Health Law § 18(6), and N.Y Executive Law § 63(12).

The settlement agreement also draws attention to the fact that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals.

In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

This may not be the last financial penalty Aetna has to cover in relation to the mailings. This $115 million settlement only resolves the privacy violations of 2,460 Aetna members in New York state. The mailing was sent to around 13,000 Aetna members across the United States. It is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services’ Office for Civil Rights is also investigating the data breach and may choose to penalize the insurer for violating HIPAA Rules.

The post Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case appeared first on HIPAA Journal.

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

Posted by HIPAA Journal

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The healthcare provider has agreed to pay a civil monetary of $8,750.

The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws.

In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the agents noticed unsecured medical records in open view.

The paperwork included personal information, which includes, social security numbers, driver’s license numbers, financial account numbers, which could be used to harm the persons whose information is compromised. Such information could have been viewed by anyone in the property, including individuals unauthorized to access the information.

The civil penalty was issued for the failure to maintain reasonable procedures and practices appropriate to the nature of information held, the failure to exercise reasonable care to protect personal information, and the failure to take reasonable steps to destroy records when they were no longer required – violations of K.S.A. 50-6,139b(b)(l) and K.S.A. 50-6,139b(b)(2).

In addition to covering the financial penalty, Pearlie Mae’s has agreed to update its policies and procedures to ensure compliance with the Wayne Owen Act and will also cover the costs – $1,250 – incurred by the Attorney general office during its investigation.

The post Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records appeared first on HIPAA Journal.

Is Google Docs HIPAA Compliant?

Posted by HIPAA Journal

Is Google Docs HIPAA compliant? Is it permitted to upload documents containing protected health information to Google Docs, or would that violate HIPAA Rules? In this post we will assess Google Docs and determine whether Google is a HIPAA compliant and whether it can be used safely and securely by HIPAA-covered entities and business associates for sharing PHI.

Does Google Docs Encrypt Data?

In order for Google Docs to be HIPAA compliant, stored data must be encrypted. Data must also be encrypted during uploading and downloading. We can confirm that Google uses 28-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and in its data centers.

Is Google Considered a Conduit?

The Department of Health and Human Services has made it clear in recent guidance that cloud service providers are not – in the vast majority of cases – considered conduits, so the HIPAA Conduit Exception Rule does not apply. Instead, cloud service providers are classed as business associates, even if the service provider does not access data stored in customer accounts.

Will Google Sign a BAA for Google Docs?

As a business associate, prior to the use of Google Docs for sharing or storing documents containing PHI, a business associate agreement must be obtained from Google. Many cloud companies offer BAA’s to covered entities, but it is important to check that a particular product is listed as covered by the BAA prior to use.

Google is willing to sign a BAA with G Suite enterprise customers. We have checked the terms of the BAA and Google Docs is specifically mentioned as part of Google Drive, and is covered by its BAA.

Google clearly states that healthcare organizations covered by HIPAA Rules must not use G Suite in connection with PHI until a business associate agreement has been obtained. Once that BAA has been obtained, Google is not liable for misuse of its service. It is the responsibility of the covered entity or business associate using the service to ensure that HIPAA Rules are followed. That means configuring access controls, amendment, and accounting in accordance with HIPAA Rules. Google offers a useful guide for HIPAA covered entities to help them configure G Suite correctly.

Is Google Docs HIPAA Compliant?

Our opinion is no software or cloud platform can be called HIPAA compliant. HIPAA compliance depends on how a service is used. That said, it is possible to use Google Docs without violating HIPAA Rules.

Before any documents containing PHI are uploaded to Google Docs, the covered entity or business associate must first obtain a signed business associate agreement from Google. Once that BAA has been obtained, staff that are required to use Google Docs must receive training on its use and should be made aware of the restrictions in place with respect to PHI.

Documents containing PHI must only be uploaded to accounts that are not publicly accessible, and permissions must be set to ensure only authorized individuals can access the documents/account.  Any PHI included in files uploaded to Google Docs must be in the document itself, and not used in the file name.

Provided these precautions are taken, Google Docs is HIPAA compliant.

The post Is Google Docs HIPAA Compliant? appeared first on HIPAA Journal.