HIPAA Compliance News

City of Portland Apologizes for Sharing PHI of HIV Positive Patients Without Prior Consent

information with third parties without first obtaining consent from patients. That has led some patients and healthcare officials to believe the City of Portland violated HIPAA by sharing information on HIV-positive patients with the University of Southern Maine without first obtaining consent.

Portland runs an HIV-positive health program, and individuals enrolled in that program were not informed that some of their information – their name, address, phone number and HIV-positive status – would be shared with USM’s Muskie School of Public Service (MSPS).

The information was shared in order for MSPS to conduct a survey on behalf of the city. When that survey was conducted, it became clear to patients that some of their PHI had been shared without their knowledge. Two patients complained that their privacy had been violated. Following receipt of the complaints, the city suspended its survey and conducted an investigation into the alleged privacy violation.

While the HIPAA Privacy Rule does restrict the sharing of PHI with third parties, there are exceptions. Officials at the City of Portland maintain that HIPAA Rules were not violated. HIPAA does permit healthcare organizations to share PHI with third parties for research programs, and in such cases, consent from patients is not a requirement, provided certain conditions are met.

While HIPAA Rules may not have been violated, the City of Portland will be issuing a written apology to all affected patients – which number more than 200 – about the privacy violation. The letter, written by Portland’s public health director, Dr. Kolawole Bankole, said, “We have learned important lessons from this experience and are implementing new and updated policies and procedures for ensuring that our health care entities and programs better communicate with patients regarding uses and disclosures of their patient’s [PHI] for these types of research, program evaluation and business associate-related purposes going forward.”

While some city officials do not believe HIPAA Rules have been violated, that view is not shared by all. Dr. Ann Lemire, a former director of Portland’s India Street clinic, had previously warned the city not to share the list of patients with USM researchers, as doing so would be a violation of HIPAA. Lemire told the Press Herald, “I feel our patients have been violated and continue to be treated poorly and without respect.”

While HIPAA Rules may allow Portland to share PHI in this instance, information appears to have been shared before both parties entered into a business associate agreement. According to USM’s assistant provost for research, Ross Hickey, the list of patients was shared before a business associate agreement was obtained. After receiving the list, USM requested a BAA. That BAA was subsequently provided, in which the responsibilities USM had with respect to PHI were detailed.

In this case, the BAA made no difference to how USM secured the list and restricted access to the shared PHI, as strict privacy and security policies were already in place. However, the sharing of the list before entering into a BAA is something the Department of Health and Human Services’ Office for Civil Rights may choose to investigate, in addition to determining whether consent should have been obtained from patients before the information was shared.

If it is discovered that HIPAA Rules were violated, there is potential for a financial penalty, either from OCR or from the Maine attorney general, who, since the HITECH Act was passed, is also permitted to take action against organizations discovered to have violated HIPAA Rules.

The post City of Portland Apologizes for Sharing PHI of HIV Positive Patients Without Prior Consent appeared first on HIPAA Journal.

Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights – a breach of HIPAA Rules.

Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA.

The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data on the server included names, addresses, dates of birth, and Social Security numbers.

Once the breach was identified, Carl Albert State College secured its systems to prevent further access and implemented new controls to monitor for potential breaches. In May 2016, the HHS Office of Inspector General was notified of the breach, and breach notification letters were sent to all individuals impacted by the attack in August 2016. However, no breach report was sent to the HHS’ Office for Civil Rights.

Now, not only must the Oklahoma Department of Human Services cover the cost of re-notifying 47,000 clients, but overlooking the HIPAA requirement to notify the HHS Secretary of the breach also places the department at risk of a considerable fine for non-compliance.

Earlier this year, OCR sent a message to all healthcare organizations that HIPAA Breach Notification Rule failures would not be tolerated when Presence Health was fined $475,000 for unnecessarily delaying the issuing of breach notification letters. Notifications were issued one month after the 60-day Breach Notification Rule deadline.

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA compliant? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules?

GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations.

In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, the tools must be subjected to a risk analysis and determined to meet the security standards demanded by HIPAA.

Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance.

It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality, integrity, and availability of ePHI, it is still possible to use a ‘HIPAA-compliant’ service in a non-compliant manner. It is up to a HIPAA-covered entity or business associate to ensure that any software or communication platform is configured correctly, is used appropriately, that PHI is only shared or communicated to people authorized to receive the information, and that when information is disclosed, the minimum necessary standard applies.

How secure is GoToMeeting? Is GoToMeeting HIPAA compliant?

Is GoToMeeting HIPAA Compliant?

In order to consider GoToMeeting HIPAA compliant, technical safeguards would need to be incorporated to meet the requirements of the HIPAA Security Rule.

To protect data in transit, GoToMeeting employs full end-to-end data encryption. All transmitted data is integrity-protected using HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are kept confidential in transit using AES 128-bit encryption. AES 128-bit encryption meets the current standards for encryption recommended by NIST.

Protecting data in transit is only one element of HIPAA compliance. If PHI is to be transmitted – via email, secure text messages, or conferencing solutions – there must be audit controls. An audit trail must be maintained allowing activity relating to PHI to be examined. GoToMeeting creates logs of connection and session activity, and access to reporting and management tools is available to account managers.

Controls must also be present that ensure only authorized individuals are able to gain access to the system. GoToMeeting is protected by unique meeting codes and includes the option of setting strong passwords. When meetings are set up they are not publicly listed, and meeting organizers have full control over who can join the meetings.

Each user that wishes to join a meeting must identify themselves using a unique email address and/or number along with a unique password, and users are automatically logged off after a period of inactivity, which can be set by the meeting organizer.

GoToMeeting also confirms on its website, “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.”

While the technical safeguards meet HIPAA requirements, HIPAA-covered entities must also enter into a HIPAA-compliant business associate agreement with service providers prior to using a service for communicating PHI. GoToMeeting offers a business associate agreement which covers use of the service, meeting this regulatory requirement.

So, is GoToMeeting HIPAA-compliant? Provided HIPAA-covered entities and business associates enter into a BAA with GoToMeeting prior to using the service for communicating PHI, GoToMeeting can be used in a HIPAA-compliant manner.

However, as GoToMeeting explains, “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations?

How to Make Your Email HIPAA Compliant

Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant.

If your email network is behind a firewall, it is not necessary to encrypt your emails. Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI.

If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant.

There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all of the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules. To make your email HIPAA compliant there are several things to consider:

Ensure you have end-to-end encryption for email

Email is a quick and easy way to communicate electronically, but it is not necessarily secure. Even services that encrypt messages in transit may not have the required level of security to make them HIPAA compliant. To make your email HIPAA compliant you should ensure you have end-to-end encryption, which encrypts both messages in transit and stored messages. Access controls are used to ensure only the intended recipient and the sender can access the messages.

Some email service providers require individual emails to be encrypted by clicking a button or using a portal. Since it is easy to forget to turn on encryption and accidentally send an unencrypted email, it is a better choice to encrypt all emails, not only those that contain ePHI. This will reduce the potential for human error.

The type of encryption used is also important. While the Data Encryption Standard (DES) was previously considered secure, that is no longer the case. You should consult NIST for advice on suitable encryption standards. Currently, AES 128-, 192-, or 256-bit encryption is recommended.

For many HIPAA-covered entities, especially smaller healthcare providers that do not have in-house IT staff to ensure their email is HIPAA-compliant, the use of a third-party HIPAA compliant email service provider is strongly recommended.

Research potential HIPAA compliant email service providers to ensure that they provide a service that is suitable for your requirements. A search on Google will produce several potential service providers.

Enter into a HIPAA-compliant business associate agreement with your email provider

If you use a third-party email provider, you should obtain a business associate agreement prior to using the service for sending ePHI. The business associate agreement outlines the responsibilities of the service provider and establishes that administrative, physical, and technical safeguards will be used to ensure the confidentiality, integrity and availability of ePHI.

If an email service provider is not prepared to enter into a business associate agreement, you should look elsewhere. There are several email service providers who are prepared to sign a BAA to allow them to work with HIPAA-covered entities and their business associates.

Ensure your email is configured correctly

Even when a BAA is obtained, there are still risks associated with email and it is possible to fail to configure the email service correctly and violate HIPAA Rules. Simply using an email service that is covered by a BAA does not make your email HIPAA compliant.

Google’s G Suite includes email and is covered by its business associate agreement. Through G Suite, email can be made HIPAA compliant provided the service is used alongside a business domain. Even if you use G Suite, care must be taken configuring the service to ensure end-to-end encryption is in place.

Note that G Suite is not the same as Gmail. Gmail is not intended for business use and cannot be made HIPAA compliant. Google does not sign a BAA for its free services, only for its paid services.

Develop policies on the use of email and train your staff

Once you have implemented your HIPAA compliant email service, it is important to train staff on the correct use of email with respect to ePHI. Several data breaches have occurred as a result of errors made by healthcare staff – the accidental sending of ePHI via unencrypted email and the sending of ePHI to individuals unauthorized to view the information. It is important to ensure that all staff are aware of their responsibilities under HIPAA and are trained on the use of the email service.

Ensure all emails are retained for 6 years

HIPAA requires covered entities and business associates to retain past email communications containing ePHI. The retention period is six years. Even for small to medium-sized healthcare organizations, storing 6 years of emails, including attachments, for all members of staff requires considerable storage space. Consider using a secure, encrypted email archiving service rather than email backups. Not only will this free up storage space, but since an email archive is indexed, searching for emails in an archive is a quick and easy process. If emails need to be produced for legal discovery or for a compliance audit, they can be quickly and easily retrieved.

As with an email service provider, any provider of an email archiving service will also be subject to HIPAA Rules as they will be classed as a business associate. A BAA would need to be entered into with that service provider and reasonable assurances obtained that they will abide by HIPAA Rules.

Obtain consent from patients before communicating with them via email

HIPAA-covered entities should note that while it may be convenient to send emails containing ePHI to patients, consent to use email as a communication method must be obtained from the patient in writing before any ePHI is sent via email, even if a HIPAA compliant email provider is used. Patients must be advised that there are risks to the confidentiality of information sent via email. If they are prepared to accept the risks, emails containing ePHI can be sent without violating HIPAA Rules.

Seek legal advice on HIPAA compliance and email

If you are unsure of the requirements of HIPAA with respect to email, it is strongly recommended that you speak with a healthcare attorney that specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.

HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot

The Department of Health and Human Services is running a HIPAA Administrative Simplification Optimization Project Pilot and is currently seeking volunteers to have compliance reviews. The aim of the pilot is to streamline HIPAA compliance reviews for health plans and healthcare clearinghouses.

Currently, a variety of different data formats are used for conducting electronic transactions. That variety can cause problems when transferring and sharing data. If communications about billing and insurance-related matters are streamlined and healthcare organizations comply with the HIPAA Administrative Simplification transaction standards, providers and health plans can devote fewer resources to these tasks. Compliance with the Administrative Simplification transaction standards will also reduce the burden on compliant entities of having to exchange healthcare data with trading partners that are not compliant.

According to the 2016 CAQH Index, industry-wide compliance with the HIPAA Administrative Simplification transaction standards could result in savings of almost $9 billion each year for the healthcare industry. However, for those savings to be made, there must be industry-wide compliance.

One of the ways that the HHS can help to make these savings is by conducting proactive compliance reviews. The purpose of the reviews is to help health plans and other healthcare organizations take action to ensure compliance.

The reviews are not intended to identify noncompliance in order to punish healthcare organizations, instead the aim is to help covered entities comply with the Administrative Simplification transaction standards. According to a recent email communication from the Centers for Medicare and Medicaid Services (CMS), there will be “a progressive penalty process with the goal of remediation, not punishment.”

The reviews will commence with a pilot, for which the HHS is now seeking volunteers. In total, the HHS requires six volunteer organizations for the HIPAA Administrative Simplification Optimization Project pilot – three health plans and three healthcare clearinghouses. Organizations that participate in the pilot will be subjected to a review of their transactions to assess compliance with the HIPAA Administrative Simplification standards; the review will cover code sets, adopted standards, unique identifiers, and operating rules.

Health plans and clearinghouses that join the HIPAA Administrative Simplification Optimization Project pilot will be able to verify compliance or identify noncompliance issues. The compliance reviews will start in January 2018 and will inform the rollout of the Administrative Simplification Optimization Program.

The reviews will require volunteer organizations to submit electronic transaction files, which will be reviewed and tested by the HHS. The HHS suggests the process of submitting electronic files for review should take no longer than 10 hours. Further details of the pilot reviews will be supplied to participants that are selected to take part in the pilot.

Once the reviews have been conducted, all participants that have successfully passed a review will be provided with a certificate by the HHS, which volunteers will be able to share with their partners and business associates.

If non-compliance is discovered, the HHS will provide guidance on areas for optimization and a corrective action plan will need to be developed by the volunteers to address compliance issues.

Any organization that takes part in the pilot will not be selected for a further review for one year following the launch of the HHS Administrative Simplification Optimization Program.

The HHS is accepting applications for the HIPAA Administrative Simplification Optimization Project pilot by email – HIPAAcompliant@cms.hhs.gov – with volunteers chosen from the pool of applicants that have applied by December 13, 2017. All organizations that apply will be notified whether they have been selected or not by December 27, 2017.

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI.

When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to log in to systems remotely after their employment has come to an end.

If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of both.

In its November cybersecurity newsletter, OCR has drawn attention to the risk of these types of insider threats and explains the importance of implementing effective identity and access management policies.

When an employee is terminated or quits, access to PHI must be terminated immediately, preferably before the individual has left the building. There are several ways that access to PHI can be terminated, although most commonly this is achieved by deleting user accounts.

While the employee’s account must be terminated, covered entities must also ensure that other accounts that the employee had access to are secured. Passwords for administrative or privileged accounts should also be changed.

In addition to terminating user accounts to prevent unauthorized accessing of electronic protected health information, OCR reminds covered entities and business associates of the need to also terminate physical access to facilities and health records. Keys and keycards must be returned, users should be removed from access lists, security codes should be changed, and ID cards returned.

If an employee has been issued with a laptop, mobile phone, or other electronic device, those devices must be recovered. If there is a BYOD policy and employees have been allowed to use their own devices to access or store ePHI, personal devices must be purged.

Since employees may have access to multiple accounts, logs should be created whenever access to PHI or systems is granted, privileges are increased, or equipment is issued. The logs can be used to make sure all accounts are secured and all equipment can be retrieved.

OCR suggests developing a set of standard procedures that can be applied and followed whenever an employee or other workforce member quits or is terminated. A checklist is a good way to ensure that nothing is missed.

Identity and access management policies will only be effective if they are followed 100% of the time. To ensure that is the case, covered entities and business associates should consider conducting audits to confirm procedures are being followed. Audits should also include checking user logs to ensure former employees are not continuing to access systems and data after their employment has been terminated.
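The audit described above can be automated. The following is an added example, not OCR’s or HIPAA Journal’s code: it checks constructed authentication log lines against a hypothetical termination list to flag any sign-in after an employee’s leaving time, and walks a constructed issuance log (accounts, keycards, devices recorded when granted) to list anything not yet revoked or returned. Users, addresses, dates and the log format are all assumptions.

```python
"""Offboarding audit: post-termination logins and unreturned grants.

Added example with constructed data; the log format and all names are
assumptions, not from any real organization.
"""
import re
from datetime import datetime

# Hypothetical HR termination records: user -> time access should have ended.
TERMINATIONS = {
    "jdoe": datetime(2017, 11, 3, 17, 0),
    "asmith": datetime(2017, 11, 10, 12, 30),
}

# Constructed authentication log (assumed key=value format).
AUTH_LOG = """\
2017-11-03 09:12:44 user=jdoe src=10.0.4.21 result=success
2017-11-04 22:05:10 user=jdoe src=203.0.113.7 result=success
2017-11-05 08:00:01 user=mlee src=10.0.4.30 result=success
2017-11-12 01:47:33 user=asmith src=198.51.100.9 result=failure
2017-11-13 01:49:02 user=asmith src=198.51.100.9 result=success
"""

# Constructed issuance log: each grant or device recorded when issued,
# with a flag set once it has been revoked or returned.
ISSUANCE_LOG = [
    {"user": "jdoe", "kind": "account", "item": "ehr-app", "returned": True},
    {"user": "jdoe", "kind": "account", "item": "vpn", "returned": False},
    {"user": "jdoe", "kind": "device", "item": "laptop-0412", "returned": False},
    {"user": "asmith", "kind": "keycard", "item": "KC-2231", "returned": True},
    {"user": "mlee", "kind": "device", "item": "phone-0077", "returned": False},
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def post_termination_activity(events, terminations):
    """Every authentication attempt by a terminated user after their cutoff.

    Failed attempts are reported too: they show credentials are still being
    tried, which matters even if the account was eventually disabled.
    """
    findings = []
    for e in events:
        cutoff = terminations.get(e["user"])
        if cutoff is not None and e["ts"] > cutoff:
            findings.append((e["user"], e["ts"], e["src"], e["result"]))
    return findings


def outstanding_offboarding_items(issuance, terminations):
    """Grants and equipment issued to terminated users and not closed out."""
    return [
        (r["user"], r["kind"], r["item"])
        for r in issuance
        if r["user"] in terminations and not r["returned"]
    ]


def audit_report(log_text, issuance, terminations):
    events = parse_auth_log(log_text)
    return {
        "post_termination_activity": post_termination_activity(events, terminations),
        "outstanding_items": outstanding_offboarding_items(issuance, terminations),
    }


if __name__ == "__main__":
    report = audit_report(AUTH_LOG, ISSUANCE_LOG, TERMINATIONS)
    for user, ts, src, result in report["post_termination_activity"]:
        print(f"ALERT {user} auth {result} from {src} at {ts} after termination")
    for user, kind, item in report["outstanding_items"]:
        print(f"OPEN  {user}: {kind} {item} not revoked/returned")
```

Run against real exports, the two lists map directly onto the checklist items above: the first is the log review for continued access, the second is what the issuance log was kept for.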

Further tips to prevent unauthorized accessing of PHI and ePHI by former employees can be found on this link.

Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws.

Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google.

The sensitive information of more than 50,000 patients was available online without any need for authentication such as a password, and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was unsecured.

As is required under state laws, the incident was reported to state attorney general Kamala D. Harris. Two years later, while the attorney general’s office was investigating the incident, Cottage Health experienced a second breach. The second breach involved the records of 4,596 patients, which were similarly left exposed and accessible online without any need for authentication.

The information was accessible for almost two weeks before the error was identified and protections put in place to prevent unauthorized access. The information exposed in the second breach included personally identifiable information and protected health information such as names, addresses, medical record numbers, account numbers, employment information, Social Security numbers, and admission and discharge dates.

Cottage Health claims that while both incidents resulted in the exposure of patient data, there are no indications to suggest any patient information was used inappropriately. The breaches prompted Cottage Health to review its information security controls and strengthen its policies, procedures, and security protections to prevent similar breaches from occurring in the future. In each case, the health network’s security teams acted quickly to limit harm and secure the exposed information. New system monitoring tools have now been implemented, and advanced security solutions are in place that allow vulnerabilities to be identified and mitigated much more rapidly.

The response to the breach may have been reasonable and appropriate, and protections are now far better, but it is the lack of protections leading up to the data breaches that warranted a financial penalty. The California state attorney general’s office alleges that Cottage Health breached California’s Confidentiality of Medical Information Act and its Unfair Competition Law, and that HIPAA Rules were also violated. According to the complaint, “Cottage failed to employ basic security safeguards.” Cottage Health was running outdated software, patches were not applied promptly, default configurations had not been changed, strong passwords were not used, access to sensitive PII was not limited, and regular risk assessments were not conducted.

Announcing the settlement, California Attorney General Xavier Becerra said, “When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed.” Becerra explained that “The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”

In addition to the $2 million settlement, Cottage Health is required to update and maintain information security controls and ensure security practices and procedures match industry standards.

Specifically, the judgement requires Cottage Health to:

  • Assess hardware and software for vulnerabilities to the confidentiality, integrity, and availability of patients’ medical information
  • Update access controls and security settings as appropriate
  • Evaluate the response to and protections from external threats, including firewall security
  • Encrypt patients’ medical information in transit to industry standards
  • Maintain reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plans
  • Conduct periodic vulnerability scans and penetration tests to identify and assess vulnerabilities, and remediate any vulnerabilities discovered
  • Conduct employee training on the correct use and storage of patients’ medical information

Is Slack HIPAA Compliant?

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation?

Is Slack HIPAA Compliant?

There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant.

Since its launch, Slack has not been HIPAA compliant, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid.

In 2017, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”

Slack Enterprise Grid was announced at the start of 2017. It should be noted that Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees.

Slack Enterprise Grid incorporates several security features that support HIPAA compliance. Those features include data encryption at rest and in transit, customer message retention to create an audit trail, and support for data loss prevention to ensure that audit trail is maintained.

Slack Enterprise Grid creates detailed access logs, and administrators can remotely terminate connections and sign users out from all connected devices. Team owners can delete all customer data within 24 hours – useful for when users leave the company. Slack also includes team-wide two-factor authentication, creates offsite backups, and is compliant with NIST standards, as well as SOC 2 and SOC 3.

As Slack explains on its website, “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant.”

On February 4, 2018, Slack confirmed on Twitter that the only version of the platform that supports HIPAA compliance is Enterprise Grid. Slack has also recently updated its website to confirm that it supports HIPAA compliance and can be used to share patients’ protected health information securely.

At present (February 2019), the platform only supports HIPAA compliance for file uploads. Its direct messaging and channel communication features are not compliant and cannot be used in connection with PHI. Those features are expected to be made HIPAA compliant later in 2019.

So is Slack HIPAA compliant? No. Is Slack Enterprise Grid HIPAA compliant? It can be.

However, before Slack Enterprise Grid can be used by healthcare organizations for any activities involving PHI, there is the matter of the HIPAA business associate agreement (BAA).

Will Slack Sign a Business Associate Agreement?

A business associate agreement must be signed with a company prior to its platform being used to send or receive protected health information (PHI). And as Slack points out on its website, “Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA.”

Slack also states that, “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a ‘Business Associate’,” suggesting Slack is prepared to sign a BAA for Slack Enterprise Grid.

However, the BAA is not universally offered and is not available on the Slack website. Healthcare organizations considering using Slack Enterprise Grid must contact Slack and request a copy, and scrutinize the BAA – if one is offered.

With a signed BAA, healthcare organizations must then carefully configure the platform. An audit trail must be maintained, user logins carefully set up, policies and procedures developed covering the use of the platform, and staff must be trained. The eDiscovery function must also be activated.

Even with a BAA in place, it will still be possible for Slack Enterprise Grid to be used in a manner that is not HIPAA compliant.

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest cause of healthcare data breaches in October. There were 14 breaches involving unauthorized access/disclosures, eight hacking/IT incidents, four cases of theft, and one lost unencrypted laptop computer.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading cause of October 2017 healthcare data breaches, but hacking/IT incidents exposed more records: over twice the number exposed by unauthorized access/disclosures, and more than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with three reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017

Breached Entity                              | Entity Type         | Breach Type                    | Individuals Affected
Chase Brexton Health Care                    | Healthcare Provider | Hacking/IT Incident            | 16,562
East Central Kansas Area Agency on Aging     | Business Associate  | Hacking/IT Incident            | 8,750
Brevard Physician Associates                 | Healthcare Provider | Theft                          | 7,976
MHC Coalition for Health and Wellness        | Healthcare Provider | Theft                          | 5,806
Catholic Charities of the Diocese of Albany  | Healthcare Provider | Hacking/IT Incident            | 4,624
MGA Home Healthcare Colorado, Inc.           | Healthcare Provider | Hacking/IT Incident            | 2,898
Orthopedics NY, LLP                          | Healthcare Provider | Unauthorized Access/Disclosure | 2,493
Mann-Grandstaff VA Medical Center            | Healthcare Provider | Theft                          | 1,915
Arch City Dental, LLC                        | Healthcare Provider | Unauthorized Access/Disclosure | 1,716
John Hancock Life Insurance Company (U.S.A.) | Health Plan         | Unauthorized Access/Disclosure | 1,715
