HIPAA Compliance News

Is FaceTime HIPAA Compliant?

Posted by HIPAA Journal

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate protected health information (PHI) without violating HIPAA Rules?

In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary.

Will Apple Sign A BAA for FaceTime?

An extensive search of the Apple website has revealed no sign that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI.

Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate?

The HIPAA Conduit Exception Rule

The HIPAA Conduit Exception Rule applies to organizations that act as conduits through which PHI is sent. The HIPAA Conduit Exception Rule covers entities such as the US Postal Service, some courier companies, and their electronic equivalents. Internet Service Providers (ISPs) fall under the description of “electronic equivalents,” as do telephone service providers such as AT&T. But what about FaceTime?

There is some debate about whether FaceTime is covered by the HIPAA Conduit Exception Rule. In order to be considered as a conduit, the service provider must not store any PHI, must not access PHI, and not have the key to unlock encryption.

The Office for Civil Rights has confirmed on its website that cloud service providers are generally not considered conduits, even if the CSP does not access ePHI, or cannot view the information because ePHI is encrypted and no key is held to unlock the encryption. That is because the HIPAA Conduit Exception Rule only applies to transmission-only services, where any ePHI storage is only transient. That is not the case with CSPs.

Apple has confirmed that all communications through FaceTime are protected by end to end encryption. Access controls are in place, via Apple IDs, to ensure the service can only be used by authorized individuals. Apple also does not store any information sent via FaceTime. FaceTime is a peer-to-peer communication channel, and voice and audio communications are transmitted between the individuals involved in the session. Apple also cannot decrypt sessions.

Apple says, “FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”

Is FaceTime HIPAA Compliant?

So, is FaceTime HIPAA compliant? No communications platform can be truly HIPAA compliant as HIPAA compliance is about users, not technology. It would be possible to use FaceTime in a noncompliant way, such as communicating PHI with an individual who is not authorized to have the information. However, protections are in place to ensure FaceTime can be used in a HIPAA compliant fashion.

The question is FaceTime HIPAA compliant depends entirely on whether it is classed as a conduit, since Apple will not sign a BAA. In our opinion, FaceTime could be classed as a conduit. The US Department of Veteran Affairs also believes FaceTime is HIPAA compliant and allows its use, which shows it is confident that the service is classed as a conduit.

However, other companies that provide video conferencing platforms do not feel the same way, and offer to sign BAAs with HIPAA-covered entities. Therefore, our advice is to use one of those business solutions rather than the consumer-focused FaceTime and err on the side of caution.

The post Is FaceTime HIPAA Compliant? appeared first on HIPAA Journal.

The HIPAA Conduit Exception Rule and Transmission of PHI

Posted by HIPAA Journal

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also confirmed that most data transmission service providers are also classed as business associates.

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule is detailed in the HIPAA Privacy Rule, but was defined in the HIPAA Omnibus Final Rule. The Rule allows HIPAA-covered entities to use certain vendors without having to enter into a business associate agreement. The HIPAA Conduit Exception Rule is narrow and excludes an extremely limited group of entities from having to enter into business associate agreements with covered entities. The Rule applies to entities that transmit PHI but do not have access to the transmitted information and do not store copies of data. They simply act as conduits through which PHI flows.

HIPAA Conduit Exception Rule covers organizations such as the US Postal Service and certain other private couriers such as Fed-Ex, UPS, and DHL as well as their electronic equivalents. Companies that simply provide data transmission services, such as internet Service Providers (ISPs), are considered conduits.

The HIPAA Conduit Exception Rule is limited to transmission-only services for PHI. If PHI is stored by a conduit, the storage must be transient in nature, and not persistent.

It does not matter if the service provider says they do not access transmitted information. To be considered a conduit, the service provider must not have access to PHI, must only store transmitted information temporarily, and should not have a key to unlock encrypted data.

Vendors that are often misclassified as conduits are email service providers, fax service providers, cloud service providers, and SMS and messaging service providers. These service providers are NOT considered conduits and all must enter into a business associate agreement with a covered entity prior to the service being used in conjunction with any PHI.

Some service providers claim that they are conduits when they are not, in order to avoid having to sign a business associate agreement. Certain fax service providers have claimed they are conduits, and while they appear at face value to be an electronic equivalent to an organization such as the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Fax services do not simply send documents from the sender to the recipient. Faxes are stored, and the storage is not considered transient.

Penalties for Misclassifying a Business Associate as a Conduit

Any vendor that has routine access to PHI is considered a business associate (We have covered the definition of a HIPAA business associate on this page). All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided or access to PHI is granted.

Misclassifying a vendor as a conduit rather than a business associate can result in a significant financial penalty, since PHI will have been disclosed without first entering into a business associate agreement.

The Department of Health and Human Services’ Office for Civil Rights has financially penalized many covered entities that have been discovered to have disclosed PHI to a vendor without obtaining a BAA.

In 2017, the Center for Children’s Digestive Health settled with OCR for $31,000 to resolve business associate agreement failures. In 2016, Care New England Health System settled its HIPAA violation case for $400,000, North Memorial Health Care of Minnesota paid $1,550,000 and Oregon Health & Science University settled for $2,700,000.

The post The HIPAA Conduit Exception Rule and Transmission of PHI appeared first on HIPAA Journal.

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

Posted by HIPAA Journal

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching.

HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year.

The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018.

A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,” such as encryption. A breach of encrypted PHI is not reportable unless the key to unlock the encryption is also reasonably believed to have also been compromised.

Covered entities should be aware that ransomware incidents are usually reportable HIPAA data breaches, even if PHI has not been stolen in the attack. To avoid reporting a ransomware incident, a covered entity must be able to demonstrate a low probability of PHI being compromised in the attack. That determination must be based on a risk assessment (See 45 CFR § 164.402)

While covered entities can submit details of all ‘small’ PHI breaches at the same time, each breach must be reported as a separate event. They can not all be uploaded to the breach portal together.

While the HIPAA Breach Notification Rule allows covered entities additional time to report data breaches impacting fewer than 500 individuals, notifications for individuals impacted by those data breaches cannot be delayed. They must be issued within 60 days of the discovery of the breach, and without unnecessary delay, regardless how many individuals have been impacted by the breach.

It is a good best practice to report all breaches of PHI within 60 days of discovery. Oftentimes, full information about the breach is not available at the time of reporting, but it is possible to add further information to the OCR data breach reports when further information becomes available. If the number of individuals affected by the breach has not been confirmed, estimates should be provided. The final total can then be submitted to OCR as an update to the breach report when the number of individuals impacting has been determined.

The penalties for the late reporting of data breaches can be severe, and OCR made it clear in January 2017 that ignoring the deadline for reporting breaches, or unnecessarily delaying breach reports, is a HIPAA violation that will not be ignored. Presense Health became the first covered entity to be fined solely for delaying breach notifications and settled the HIPAA violation with OCR for $475,000.

OCR has yet to issue a financial penalty to a covered entity for the late reporting of small data breaches, but since OCR tends to set examples with its breach settlements, 2018 could well see the first penalty issued.

To avoid a HIPAA penalty, ensure all small breaches of PHI are reported to OCR between now and the end of February 2018 and no later than midnight on March 1.

The post Deadline for Reporting 2017 HIPAA Data Breaches Approaches appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

Posted by HIPAA Journal

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.

Achieving HIPAA Compliant File Sharing In and Outside the Cloud

Posted by HIPAA Journal

HIPAA compliant file sharing consists of more than selecting the right technology to ensure the security, integrity and confidentiality of PHI at rest or in transit. Indeed, you could implement the most HIPAA compliant file sharing technology available and still be a long way short of achieving HIPAA compliance.

It is not the technology that is at fault. Many Covered Entities and Business Associates fail to configure the technology properly or train employees how to use the technology in compliance with HIPAA. According to a recent IBM X-Force Threat Intelligence Report, 46% of data breaches in the healthcare industry are attributable to “inadvertent actors”.

Of the remaining 54% of data breaches in the healthcare industry, 29% are attributable to “outsiders”, while the remaining 25% are the work of “malicious insiders”. Therefore, if a Covered Entity implements HIPAA compliant file sharing technology, but fails to configure it properly, train employees how to use it compliantly, or introduce mechanisms to monitor access to PHI, it may only be 29% of the way towards achieving HIPAA compliance.

Understanding the Risks to PHI when Sharing Data

In order to fully understand the risks to PHI when sharing data, it is important to conduct a thorough risk assessment detailing how PHI is created, used, stored and shared – and what happens to the data once it has been shared. When the risk assessment is completed, it is necessary to conduct a risk analysis to identify vulnerabilities and weaknesses that could result in the unauthorized disclosure of PHI.

Part of the risk analysis should concern what happens to data shared with Business Associates. Business Associates should conduct their own risk assessments and risk analyses, and it is a HIPAA Security Officer´s duty to conduct due diligence on any Business Associate data is shared with, in order to ensure their file sharing procedures are also HIPAA compliant.

HIPAA Compliant File Sharing Exists Outside the Cloud

Most articles relating to file sharing and HIPAA compliance focus on the technology available to share files securely in the cloud. Although these articles provide valuable information about one specific area of sharing data, they do not address the subject of HIPAA compliant file sharing in its entirety – for example, when data is shared within a private network or in physical format.

As well as evaluating cloud-based technology for HIPAA compliant file sharing, HIPAA Security Officers should also consider access controls to files and folders stored on private networks and access logs to monitor when PHI is accessed – both online and in physical format. Done effectively, this should help prevent the #1 cause of HIPAA security breaches – employee snooping.

Explaining File Sharing and HIPAA Compliance to Employees

Employee snooping – viewing the healthcare records of family, friends, colleagues or personalities without authorization – may not result in headline data breaches, but it is a HIPAA violation – and a common one at that. However, without being told it is a violation, many employees would consider snooping no more than a misdemeanor with inquisitive intent.

Explaining that snooping is a HIPAA violation punishable by sanctions is a good foundation for explaining file sharing and HIPAA compliance to employees. It will help them better understand the seriousness of unauthorized disclosures of PHI and make them more careful about taking shortcuts “to get the job done” – a leading cause of data breaches in the healthcare industry attributable to “inadvertent actors”.

Train, Monitor, Sanction when Necessary, then Review

Whenever new HIPAA-related technology is introduced or working practices are changed, it is essential employees are provided with adequate training on the new technology or working practices. By using employee HIPAA training sessions to reinforce the message about file sharing and HIPAA compliance, the message will likely be better absorbed.

If the Covered Entity is able to support employee training with mechanisms to monitor access to PHI, and the enforcement of sanctions when necessary, the likelihood is “malicious insiders” will likely think twice before attempting to access PHI without authorization. Thereafter, HIPAA Security Officers should review policies and procedures to assess whether any further adjustments need to be made in order to ensure HIPAA compliant file sharing.

The post Achieving HIPAA Compliant File Sharing In and Outside the Cloud appeared first on HIPAA Journal.

What is Individually Identifiable Health Information?

Posted by HIPAA Journal

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?

What is Individually Identifiable Health Information?

Before answering the question, what is individually identifiable health information, it is necessary to define health information.

HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity.

Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual.

Individually identifiable health information is a subset of health information, and as the name suggests, is health information that can be linked to a specific person, or if it would be reasonable to believe that an individual could be identified from the information. (See 45 CFR 46.160.103).

The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified.

If a HIPAA-covered entity has a data set containing individually identifiable health information, before the information can be shared with an organization or individual for a reason that would otherwise be prohibited under the HIPAA Privacy Rule, the data must first be de-identified.

De-identifying health information requires the following 18 identifiers to be removed from the data set prior to sharing:

  1. Full name or last name and initial(s)
  1. Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code contains 20,000 or fewer people it is changed to 000
  2. Dates directly related to an individual, other than year
  3. Phone Numbers
  4. Fax numbers
  5. Email addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Health insurance beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers
  12. Device identifiers and serial numbers;
  13. Web Uniform Resource Locators (URLs)
  14. IP addresses
  15. Biometric identifiers, including finger, retinal and voice prints
  16. Full face photographic images and any comparable images
  17. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Further information on how to deidentify health information can be viewed on this link.

The post What is Individually Identifiable Health Information? appeared first on HIPAA Journal.

What is Protected Health Information?

Posted by HIPAA Journal

The latest article in our HIPAA basics series answers the question what is protected health information?

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information?

First, it is worthwhile explaining two other important terms detailed in HIPAA regulations: A covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse which transmits health data electronically for transactions that the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual who performs services on behalf of a HIPAA-covered entity that requires access to, or the use of, protected health information.

What is Protected Health Information?

Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.  Protected health information is often shortened to PHI, or in the case of electronic health information, ePHI.

HIPAA Protected Health Information Definition

Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

Protected Health Information Includes…

Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. ‘Protected’ means the information is protected under the HIPAA Privacy Rule.

Protected health information is defined in the Code of Federal Regulations and applies to health records, but not education records which are covered by other federal regulations, and neither records held by a HIPAA-covered entity related to its role as an employer. In the case of an employee-patient, protected health information does not include information held on the employee by a covered entity in its role as an employer, only in its role as a healthcare provider.

PHI does not include individually identifiable health information of persons who have been deceased for more than 50 years.

What is Individually Identifiable Health Information?

When individually identifiable information is used by a HIPAA covered entity or business associate in relation to healthcare services or payment it is classed as protected health information.

There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information. (see de-identification of protected health information)

  1. Names (Full or last name and initial)
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers;
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

PHI Health Apps

There is some confusion around PHI and health apps as they often collect information that is classed as PHI when it is recorded or used by a healthcare provider. Health apps record information such as heart rate data and the data include personal identifiers. However, the data collected by these apps and trackers is not always covered by HIPAA Rules. App developers can be business associates, but in the most part they are not.

If a HIPAA covered entity develops a health app for use by patients or plan members and it collects, uses, stores, or transmits protected health information, the information must be protected in line with HIPAA Rules.

If a physician recommends a PHI health app be used by a patient, such as for tracking BMI or heart rate data, the information is not subject to HIPAA Rules as the app was not created for the physician.

A third-party health app developer would be classed as a business associate, and required to comply with HIPAA, if the app has been created for a HIPAA-covered entity and it collects, uses, stores, or transmits identifiable health information or if the developer is contracted with a HIPAA-covered entity to provide health monitoring services via the app.

PHI health app guidance was issued by OCR in 2016 and can be viewed on this link (PDF).

PHI Information Technology

The HIPAA Security Rule requires safeguards to be implemented by HIPAA-covered entities and their business associates to protect PHI that is created, used, received, stored, or transmitted in electronic format. Administrative, physical, and technical controls must be implemented to ensure the confidentiality, integrity, and availability of ePHI.

Failures to protect ePHI and subsequent privacy violations can result in significant fines, although since there is no private cause of action in HIPAA, patients affected by data breaches cannot sue HIPAA covered entities for the exposure, theft, or impermissible disclosure of their PHI.

The HIPAA Privacy Rules stipulates allowable uses and disclosures of PHI and gives patients the right to obtain a copy of the PHI that is held by their healthcare providers. HealthIT can be used to help patients access their PHI. Many healthcare providers now allow patients to access some or all of their health information via patient portals. If only partial information is available through a patient portal, patients can still exercise their right to obtain all PHI in a designated record set held by their healthcare providers by submitting a request in writing.

FAQs

Would patient information such as “Mrs. Green from Miami” be considered PHI?

Although there could be thousands of Mrs. Greens in Miami, there is likely to be fewer Mrs. Kawtowskis in Maryland. As it would be impractical for HIPAA to stipulate there has to be fewer than so many “Mrs. As” in a population of “B” before the two identifiers combined are considered to be PHI, all combinations of identifiers are consider PHI under HIPAA – even “Mrs. Green from Miami”.

What are allowable uses and disclosures of PHI?

Without an authorization from the patient, a covered entity is only allowed to use and disclose a patient´s PHI for its own treatment, payment, and health care operations. A covered entity can also disclose the patient´s PHI to a business associate provided both the covered entity and the business associated have signed a HIPAA-compliant business associate agreement.

What are incidental uses and disclosures of PHI?

Incidental uses and disclosures of PHI are those that occur accidentally as a by-product of another allowable use or disclosure. Provided the covered entity or business associate has applied reasonable safeguards and implemented the minimum necessary standard with respect to the primary use or disclosure, there is no violation of HIPAA.

Can you provide an example of an incidental disclosure?

An example of an incidental disclosure is when an employee of a business associate walks into a covered entity´s facility and recognizes a patient in the waiting room. Although the business associate does not need to know the identity of any patients at the covered entity´s facility, the business associate has a compliant business associate agreement in place and is visiting the facility to carry out work described in the agreement. Therefore the disclosure of PHI is incidental to the compliant work being done.

Would a personal wearable device such as a step counter be considered a PHI health app?

Unless the personal wearable device collects, uses, and/or stores data, and that data is transmitted to – or downloaded at – a physician´s office or healthcare facility, the device is not a PHI health app. So, in most cases, a wearable step counter would not be considered a PHI health app provided it is used for personal use only.

The post What is Protected Health Information? appeared first on HIPAA Journal.

Is Azure HIPAA Compliant?

Posted by HIPAA Journal

Is Azure HIPAA compliant? Can Microsoft’s cloud services be used by HIPAA covered entities without violating HIPAA Rules?

Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA?

HIPAA does not prohibit healthcare organizations from taking advantage of cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned.

Most healthcare organizations will consider the three main providers of cloud services. Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We have already covered AWS HIPAA compliance here, but what about Azure? Is Azure HIPAA compliant?

Is Azure HIPAA Compliant?

Before any cloud service can be used by healthcare organizations, they must first enter into a business associate agreement with the service provider.

Under HIPAA Rules, cloud service providers are considered business associates. Before any PHI can be uploaded to the cloud, HIPAA-covered entities must obtain satisfactory assurances that the service incorporates all the appropriate privacy and security safeguards to meet the requirements of the HIPAA Privacy and Security Rules.

Those assurances come in the form of a business associate agreement – essentially a contract with a vendor in which the responsibilities of the vendor are explained. The BAA must be obtained before any cloud service can be used for storing, processing, or sharing PHI. It does not matter is the service provider does not access customers’ data. A BAA is still required.

Microsoft Will Sign a BAA for Azure

Microsoft is willing to sign a BAA with healthcare organizations that covers Azure*, so does that make Azure HIPAA compliant?

Unfortunately, it is not that simple. No cloud platform can be truly HIPAA compliant. Cloud HIPAA compliance is not so much about platforms and security controls, but how those services are used. Even a cloud service such as Azure can easily be used in a way that violates HIPAA Rules. It is the responsibility of the covered entity to ensure cloud instances are configured correctly.

So Azure is not HIPAA compliant per se, but it does support HIPAA compliance, and incorporates all the necessary safeguards to ensure HIPAA requirements can be satisfied.

Access, Integrity, Audit and Security Controls

Microsoft provides a secure VPN to connect to Azure, so any data uploaded to, or downloaded from, Azure is encrypted and all data stored in its cloud instances are encrypted.

HIPAA requires access controls to be implemented to limit who can access to PHI. Azure offers these controls and uses Active Directory to allow permissions to be set. Multi-factor authentication can also be added.

Audit controls are also necessary for HIPAA compliance. Azure includes detailed logging, so administrators can see who accessed, attempted to access PHI.

So, is Azure HIPAA compliant? Azure can be used in a way that satisfies HIPAA Rules, but note that it is the responsibility of the covered entity to ensure the service is configured and used correctly and staff are trained on its use. Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services.

*Not all Azure services are included in the BAA. See here for up-to-date information.

The post Is Azure HIPAA Compliant? appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2017

Posted by HIPAA Journal

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

The mega data breaches of 2015 were fortunately not repeated in 2017, and the decline in massive data breaches continued in 2017.

Last year, there were three breaches reported that impacted more than one million individuals and 14 breaches of more than 100,000 records.

In 2017, there was only one reported data breach that impacted more than 500,000 people and 8 breaches that impacted 100,000 or more individuals. The final total for individuals impacted by breaches last year was 14,679,461 – considerably less than the 112,107,579 total the previous year.

The final figures for 2017 cannot yet be calculated as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rules allows covered entities up to 60 days to report data breaches of more than 500 records, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records – A 347% reduction in breached records year on year.

While it is certainly good news that the severity of breaches has reduced, that only tells part of the story. Breaches of hundreds of thousands of records have reduced, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016. There were 78 healthcare data breaches in 2017 involving more than 10,000 records.

The bad news is there has been a significant rise in the number of healthcare data breaches in 2017.  As of January 4, 2017, there have been 342 healthcare security breaches listed on the OCR breach portal for 2017. It is likely more incidents will be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

 

reported healthcare data breaches in 2017

 

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The list of the 20 largest healthcare data breaches of 2017 is listed below.

Position Breached Entity Entity Type Records Exposed Cause of Breach
1 Commonwealth Health Corporation Healthcare Provider 697,800 Theft
2 Airway Oxygen, Inc. Healthcare Provider 500,000 Hacking/IT Incident
3 Women’s Health Care Group of PA, LLC Healthcare Provider 300,000 Hacking/IT Incident
4 Urology Austin, PLLC Healthcare Provider 279,663 Hacking/IT Incident
5 Pacific Alliance Medical Center Healthcare Provider 266,123 Hacking/IT Incident
6 Peachtree Neurological Clinic, P.C. Healthcare Provider 176,295 Hacking/IT Incident
7 Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident
8 McLaren Medical Group, Mid-Michigan Physicians Imaging Center Healthcare Provider 106,008 Hacking/IT Incident
9 Harrisburg Gastroenterology Ltd Healthcare Provider 93,323 Hacking/IT Incident
10 VisionQuest Eyecare Healthcare Provider 85,995 Hacking/IT Incident
11 Washington University School of Medicine Healthcare Provider 80,270 Hacking/IT Incident
12 Emory Healthcare Healthcare Provider 79,930 Hacking/IT Incident
13 Salina Family Healthcare Center Healthcare Provider 77,337 Hacking/IT Incident
14 Stephenville Medical & Surgical Clinic Healthcare Provider 75,000 Unauthorized Access/Disclosure
15 Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident
16 Primary Care Specialists, Inc. Healthcare Provider 65,000 Hacking/IT Incident
17 Enterprise Services LLC Business Associate 56,075 Unauthorized Access/Disclosure
18 ABCD Pediatrics, P.A. Healthcare Provider 55,447 Hacking/IT Incident
19 Network Health Health Plan 51,232 Hacking/IT Incident
20 Oklahoma Department of Human Services Health Plan 47,000 Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing is abundantly clear from the list of the largest healthcare data breaches of 2017 is hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the largest healthcare data breaches of 2017.

In 2016, hacking incidents only accounted for 11 out of the top 20 data breaches and 12 of the top 20 in 2015. Hacking incidents therefore appear to be rising.

 

healthcare data breaches in 2017 (hacking)

 

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

 

healthcare data breaches of 2017 (Unauthorized access/disclosures)

 

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

 

Healthcare Data Breaches of 2017 (loss/theft)

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it will ensure healthcare organizations achieve at least the minimum standard for data security, which will prevent the majority of healthcare data breaches.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, if secure passwords had been chosen, and if cloud storage services and databases had been configured correctly. Many data breaches were caused as a result of employees leaving unencrypted laptops in risky locations – in unattended vehicles for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently. As a result, employees are continuing to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce training regularly. Only then will organizations be able to reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented to ensure that the unauthorized accessing of records – theft or snooping – is identified rapidly.  That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – mean data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it will be possible for the year on year rise in data breaches to be stopped. But until healthcare organizations get the basics right and comply with HIPAA Rules, healthcare data breaches are likely to continue to rise.

The post Largest Healthcare Data Breaches of 2017 appeared first on HIPAA Journal.