HIPAA Compliance News

Can A Patient Sue for A HIPAA Violation?

Yes, a patient can sue for a HIPAA violation and there are an increasing number of class action suits for protected health information data breaches, although not under the provisions of the HIPAA law. There is no private cause of action in HIPAA, so it is not possible for a patient to directly sue for a HIPAA violation under the HIPAA law. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Laws. So, if it is not possible for a patient to directly sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws.

In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information.

Taking legal action against a covered entity can be expensive and there is no guarantee of success. Patients should therefore be clear about their aims and what they hope to achieve by taking legal action. An alternative course of action may help them to achieve the same aim.

Filing Complaints for HIPAA Violations

If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government and in most cases complaints are investigated. Action may be taken against the covered entity if the complaint is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR).

While complaints can be filed anonymously, OCR will not investigate any complaints against a covered entity unless the complainant is named and contact information is provided.

A complaint should be filed before legal action is taken against the covered entity under state laws. Complaints must be filed within 180 days of the discovery of the violation, although in limited cases, an extension may be granted.

Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA violations.

The actions taken against the covered entity will depend on several factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.

The penalties for HIPAA violations are detailed here, although many complaints are resolved through voluntary compliance, by issuing guidance, or if an organization agrees to take corrective action to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules.

Complaints about individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.

How to File a Lawsuit for a HIPAA Violation

If you have been informed that your protected health information has been exposed as a result of a healthcare data breach, or you believe your PHI has been stolen from a specific healthcare organization, you may be able to take legal action against the breached entity to recover damages for any harm or losses suffered as a result of the breach.

The first step to take is to submit a complaint about the violation to the HHS’ Office for Civil Rights. This can be done in writing or via the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and should keep a copy to provide to your legal representative.

You will then need to contact an attorney to take legal action against a HIPAA covered entity. You can find attorneys through your state or local bar association. Try to find an attorney or law firm well versed in HIPAA regulations for the greatest chance of success and contact multiple law firms and speak with several attorneys before making your choice.

There will no doubt be many other individuals who are in the same boat, some of whom may have already taken legal action. Joining an existing class action lawsuit is an option. The more individuals involved, the stronger the case is likely to be.

Many class action lawsuits have been filed on behalf of data breach victims that have yet to experience harm due to the exposure or theft of their data. The plaintiffs claim for damages for future harm as a result of their data being stolen. However, without evidence of actual harm, the chances of success will be greatly reduced.

Can a Patient Sue for a HIPAA Violation? FAQs

What kind of lawyer deals with HIPAA violations?

Most lawyers will be prepared to offer advice about whether you have a claim for a HIPAA violation; and, if the violation occurred within the previous 180 days, may pursue a civil claim on your behalf against a Covered Entity or Business Associate. Often the lawyer's willingness to take on a claim will depend on the nature of the violation, the nature of harm you suffered, and the state laws that apply in your location.

What happens after a HIPAA complaint is filed?

This depends on who you make the complaint to. If you complain directly to the organization that violated your HIPAA rights, the complaint will be dealt with internally (unless it involves a breach of unsecured PHI, in which case the organization is required by law to notify HHS' Office for Civil Rights).

If you complain to a state Attorney General, the Office of the Attorney General may investigate the organization directly on your behalf or escalate your complaint to HHS' Office for Civil Rights. If the complaint is escalated – or you complain directly to the Office for Civil Rights – your complaint will be acknowledged and sent for review.

If the review confirms a HIPAA violation, the organization will be contacted to obtain their “side of the story”. Depending on how the organization responds, the Office for Civil Rights may initiate an investigation or reject your complaint. You will be informed of the decision and any subsequent outcome of an investigation.

Has a patient ever successfully sued for a HIPAA violation?

No. However, the HIPAA Privacy Standards have been used in court cases as a benchmark of the level of privacy an individual can reasonably expect. One of the most frequently-quoted cases in this respect is Byrne versus the Avery Center for Obstetrics and Gynecology. This case was originally denied when the plaintiff pursued compensation for a violation of HIPAA, but the decision was reversed on appeal when the claim was changed to a violation in the duty of confidentiality.

Have there ever been successful class actions for a HIPAA violation?

There have been several settled class actions involving HIPAA Covered Entities who have failed to adequately protect personal information (note: not for violating HIPAA). Furthermore, class actions are frequently settled without an admission of liability (as in Jessie Seranno et al. v. Inmediata Corp.), so it would be incorrect to classify the class actions as “successful”.

How can I find out if my state has a privacy law I can use to claim for a HIPAA violation?

The International Association of Privacy Professionals maintains a web page tracking privacy legislation by state. It is important to note that many of the privacy laws listed on the web page are still to be passed or enacted, and some may not contain provisions that could support a claim for a HIPAA violation. To establish whether you have a claim for a HIPAA violation under your state's consumer rights legislation, you should speak with an attorney.

I have received a letter stating my health data has been breached. What should I do?

Your response to the breach should be appropriate to the nature of the data disclosed. The nature of the data exposed should be explained to you in the letter, along with advice on the measures you should take to protect yourself from fraud and theft. The letter should also contain contact information to find out more about the breach. In several cases, healthcare organizations have provided free credit monitoring services, and it may be in your best interests to find out if these are available to you.

What happens after a HIPAA complaint is filed?

This depends on who the complaint is made to, the nature of the violation, and whether it involves a criminal motive. Complaints made by patients directly to their healthcare provider are usually dealt with internally unless they involve an impermissible disclosure of unsecured PHI – in which case the healthcare provider will escalate it to HHS' Office for Civil Rights under the Breach Notification Rule.

When a complaint is escalated – or when a complaint is made directly to HHS' Office for Civil Rights – the complaint is reviewed to see if it is justifiable and, if so, whether it can be resolved via technical assistance. If the resolution of the complaint requires more than technical assistance, HHS' Office for Civil Rights will conduct an investigation and potentially impose a corrective action plan or fine.

Complaints can also be made to state attorneys general, who work with HHS' Office for Civil Rights to resolve the violation. However, if a violation potentially involves a criminal motive, the Office for Civil Rights will refer the complaint to the Department of Justice for investigation. In these cases, the person making the complaint may be required to provide evidence for the investigation to proceed.

The post Can A Patient Sue for A HIPAA Violation? appeared first on HIPAA Journal.

When Should You Promote HIPAA Awareness?

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place?

HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI.

Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices.

The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur.

Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology.

HIPAA Training Cannot be a One-Time Event

The provision of training at the start of an employment contract is essential, but training cannot be a one-time event. It is important to ensure employees do not forget about their responsibilities, so retraining is necessary and a requirement for continued HIPAA compliance.

HIPAA does not specify how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be conducted ‘regularly.’ The industry best practice is for retraining to take place annually.

The HIPAA Privacy Rule Administrative requirements, detailed in 45 CFR § 164.530, require all members of the workforce to receive training on HIPAA Rules and policies and procedures with respect to PHI. Training should be provided, as appropriate, to allow employees to conduct their work duties and functions within the covered entity. One training program therefore does not fit all. HIPAA training for the IT department is likely to be different to training provided to administrative workers. The Privacy Rule requires training to be provided for all new employees “within a reasonable timeframe”.

The HIPAA standard 45 CFR § 164.308(a)(5) covers two types of training – Job-specific training and security awareness training, neither of which can be a one-time event.

While it is important to provide training for HIPAA compliance and security awareness, it is also important to ensure that training has been understood, that it is remembered, and that HIPAA Rules are followed on a day-to-day basis. It is therefore recommended that you promote HIPAA awareness throughout the year.

How to Promote HIPAA Awareness

There is no hard and fast rule for HIPAA retraining and there are many ways that healthcare organizations can promote HIPAA awareness. While formal training sessions can be conducted on an annual basis, the use of newsletters, email bulletins, posters, and quizzes can all help to raise and maintain awareness of HIPAA Rules.

In the case of security awareness training this is especially important. Annual training on HIPAA is a sound practice, but it is important to promote HIPAA awareness with respect to security more frequently. A good practice is to provide security awareness training biannually and issue cybersecurity updates on a monthly basis. Any specific threats to the workforce should be communicated as necessary – new phishing threats, for instance. However, care should be taken not to bombard employees with threat information, to avoid employees suffering from alert fatigue.

When is HIPAA Retraining Required?

In addition to annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security violation and after a data breach has been experienced.

While the individuals concerned should be retrained, it is best practice to take these incidents as a training opportunity for all staff to ensure similar breaches do not occur in the future. If one employee makes a mistake with HIPAA, it is possible that others have failed to understand HIPAA requirements or are making similar mistakes.

The post When Should You Promote HIPAA Awareness? appeared first on HIPAA Journal.

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules?

Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider.

Making G Suite HIPAA Compliant (by default it isn’t)

As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules.

Obtain a BAA from Google

One important requirement of HIPAA is to obtain a signed, HIPAA-compliant business associate agreement (BAA).

Google first agreed to sign a business associate agreement with healthcare organizations in 2013, back when G Suite was known as Google Apps. The BAA must be obtained prior to G Suite being used to store, maintain, or transmit electronic protected health information. Even though privacy and security controls are in place, the failure to obtain a BAA would be a HIPAA violation.

Obtaining a signed BAA from Google is the first step toward HIPAA compliance, but a BAA alone will not guarantee compliance with HIPAA Rules.

Configure Access Controls

Before G Suite can be used with any ePHI, the G Suite account and services must be configured correctly via the admin console. Access controls must be set up to restrict access to the services that are used with PHI to authorized individuals only. You should set up user groups, as this is the easiest way of providing – and blocking – access to PHI, and logs and alerts must also be configured.

You should also make sure all additional services are switched off if they are not required. Services that are used with PHI should be set to ‘on for some organizations,’ so that only the organizational units that need them have access, while services that do not involve PHI can be switched on for everyone.

Set Device Controls

HIPAA-covered entities must also ensure that the devices that are used to access G Suite include appropriate security controls. For example, if a smartphone can be used to access G Suite and that device is lost or stolen, it should not be possible for the device to be used by unauthorized individuals. Users must be required to log in on all mobile devices before access to G Suite is granted, and devices must be configured to lock automatically. Technology that allows the remote erasure of all data (PHI) stored on mobile devices should also be considered. HIPAA-covered entities should also set up two-factor authentication.

Not All Google Services are Covered by the BAA

You may want to use certain Google services even if they are not covered by the BAA, but those services cannot be used for storing or communicating PHI. For example, Google+ and Google Talk are not included in the BAA and cannot be used with any PHI.

If you do decide to leave these services on, you must ensure that your policies prohibit the use of PHI with these services and that those policies are effectively communicated to all employees. Employees must also receive training on G Suite with respect to PHI to ensure HIPAA Rules are not accidentally violated.

What Services in G Suite are HIPAA Compliant?

At the time of writing, only the following core services of G Suite are covered by Google’s BAA, and can therefore be used with PHI:

  • Gmail (Not free Gmail accounts)
  • Calendar
  • Drive
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault

Google Drive

In the case of Google Drive, it is essential to limit sharing to specific people. Otherwise it is possible that folders and files could be accessed by anyone over the Internet; drives should be configured to only allow access by specific individuals or groups. Any files uploaded to Google Drive should not include any PHI in the titles of files, folders, or Team Drives.

Gmail

Gmail, the free email service offered by Google, is not the same as G Suite. Simply using a Gmail account (@gmail.com) to send PHI is not permitted. The content of Gmail messages is scanned by third parties. If PHI is included, it is potentially being ‘accessed’ by third parties, and deleting an email does not guarantee removal from Google’s servers. Free Gmail accounts are not HIPAA compliant.

G Suite HIPAA Compliance is the Responsibility of Users

Google encourages healthcare organizations to use G Suite and has done what it can to make G Suite HIPAA compliant, but Google clearly states it is the responsibility of the user to ensure that the requirements of HIPAA are satisfied.

To help healthcare organizations make G Suite HIPAA compliant, Google has developed guidance for healthcare organizations on setting up G Suite: See Google’s G Suite HIPAA Implementation Guide.

The post Is G Suite HIPAA Compliant? appeared first on HIPAA Journal.

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Compliance Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?  

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules may not have negative consequences and can be dealt with internally. Employers may decide to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here.

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules.

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties for HIPAA violations. HIPAA-covered entities are likely to report such incidents to law enforcement and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, although theft of PHI for financial gain is likely to result in up to 10 years in jail.

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. There may be a viable claim, in some cases, under state laws.

Further information on the penalties for HIPAA violations is detailed here.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long, although the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not required to treat
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using the credentials of another employee to access EMRs/Sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites should be further explained. There have been several instances in recent years of nurses who violate HIPAA with social media.

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media (on this link).

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs and sharing them with friends via social media networks.

There has been considerable publicity surrounding the practice, following the publication of a report by ProPublica on the extent to which this is occurring (Summarized here). The report covered the sharing of photographs of patients on Snapchat; 35 separate cases were uncovered.

In January, a nursing assistant was fired for sharing videos and photos of abuse of a patient with Alzheimer’s on Snapchat. A criminal complaint was filed and the nursing assistant faces up to three and a half years in jail if convicted.

What Happens when a Nurse Violates HIPAA? FAQs

What are the most common causes of HIPAA violations by nurses?

Each year, HHS publishes a table indicating the top five issues in investigated cases. While the table does not distinguish between HIPAA violations by nurses and Covered Entities' non-compliance, the most common causes of HIPAA violations in recent years that could be attributed to nurses include impermissible uses and disclosures of PHI, the failure to respond to – or a delay in responding to – patient access requests, and failing to comply with the Minimum Necessary Standard.

If a nurse accidentally discloses ePHI due to a Covered Entity failing to implement a technical safeguard, who is at fault?

The designation of fault can depend on many factors. For example: Should the nurse have known their actions may have resulted in an accidental disclosure of ePHI? Had the actions been covered in security and awareness training? Was the technical safeguard an addressable or required safeguard? What was the impact of the accidental disclosure? Without knowing the answers to these questions, it is impossible to determine who is at fault for the accidental disclosure.

What happens if a nursing student violates HIPAA?

The consequences of a HIPAA violation by a nursing student can also depend on many factors. For example: Had the nursing student received adequate training before being exposed to PHI/ePHI? Was the nursing student accompanied by a preceptor or supervisor who should have prevented the HIPAA violation? Was the HIPAA violation attributable to a lack of knowledge, or was it a malicious act? Had the nursing student been given a copy of the Covered Entity's sanctions policy? Again, without knowing the answers to these questions, it is impossible to discuss potential consequences.

Can a nurse be held responsible for a HIPAA violation if the non-compliant event occurs frequently in the nursing unit?

Nurses are under intense pressure to work as efficiently as possible; and, due to this pressure, there may be times when shortcuts are taken with HIPAA compliance in order to “get the job done”. When shortcuts develop into a “cultural norm”, HIPAA violations can occur frequently without them being recognized as HIPAA violations. However, although the HIPAA violations might not be recognized as such within the nursing unit, a nurse can still be held responsible for a violation – albeit an unintentional violation – that results from an unofficial working practice.

Why is it a violation of HIPAA to share EMR login credentials?

Under the Administrative Safeguards of the Security Rule (45 CFR § 164.308), Covered Entities are required to implement procedures that record system activity, including who accesses systems containing ePHI and when. If nurses share EMR login credentials, it is impossible for Covered Entities to accurately monitor system access or determine whether a system containing ePHI has been accessed by a person without authorization.

The post What Happens if a Nurse Violates HIPAA? appeared first on HIPAA Journal.

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses.

The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research.

The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password.

Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.
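The FAQ above on sharing EMR credentials and this paragraph both make the same point: once a password is shared, the audit log can no longer say which person viewed a record. The following added example (not from HIPAA Journal or the cited study) shows the detection side of that problem. It runs over a constructed, hypothetical EHR audit log and flags an account that is logged in on two workstations at once, plus every PHI access during that overlap that can no longer be attributed to one individual.

```python
"""Flag probable EHR credential sharing from an access audit log.

The log format here is hypothetical and constructed for this example:
  <ISO timestamp> <user id> <workstation> <action> [detail]
A single account holding open sessions on two workstations at the same
time is the signal; any chart access while both sessions are open is
recorded as unattributable, because the log cannot say who performed it.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample audit log (no real system, users or patients).
SAMPLE_LOG = """\
2024-03-04T07:58:12 nurse_a WS-ICU-01 LOGIN
2024-03-04T08:02:40 nurse_a WS-ICU-01 VIEW_CHART patient=P1001
2024-03-04T08:05:03 nurse_a WS-ED-07 LOGIN
2024-03-04T08:06:15 nurse_a WS-ED-07 VIEW_CHART patient=P2042
2024-03-04T08:07:30 nurse_a WS-ICU-01 VIEW_CHART patient=P1003
2024-03-04T08:31:00 nurse_a WS-ICU-01 LOGOUT
2024-03-04T08:45:00 nurse_a WS-ED-07 VIEW_CHART patient=P2050
2024-03-04T09:00:00 nurse_a WS-ED-07 LOGOUT
2024-03-04T09:10:00 dr_b WS-OR-02 LOGIN
2024-03-04T09:25:00 dr_b WS-OR-02 VIEW_CHART patient=P3010
2024-03-04T09:40:00 dr_b WS-OR-02 LOGOUT
2024-03-04T09:41:00 dr_b WS-OR-03 LOGIN
2024-03-04T10:00:00 dr_b WS-OR-03 LOGOUT
"""


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    detail: str = ""


@dataclass
class ConcurrentLogin:
    user: str
    new_host: str          # workstation where the second login happened
    existing_hosts: list   # workstations already holding an open session
    at: datetime


@dataclass
class Report:
    concurrent_logins: list = field(default_factory=list)
    unattributable_accesses: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Parse the constructed log format into Events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            raise ValueError(f"malformed log line: {line!r}")
        ts, user, host, action = parts[:4]
        detail = parts[4] if len(parts) > 4 else ""
        events.append(Event(datetime.fromisoformat(ts), user, host, action, detail))
    events.sort(key=lambda e: e.ts)
    return events


def analyse(events: list) -> Report:
    """Track open sessions per account and flag overlapping workstations."""
    report = Report()
    open_sessions = {}  # user -> {workstation: login time}
    for e in events:
        sessions = open_sessions.setdefault(e.user, {})
        if e.action == "LOGIN":
            others = sorted(h for h in sessions if h != e.host)
            if others:
                # Same account now active on more than one workstation.
                report.concurrent_logins.append(
                    ConcurrentLogin(e.user, e.host, others, e.ts))
            sessions[e.host] = e.ts
        elif e.action == "LOGOUT":
            sessions.pop(e.host, None)
        elif len(sessions) > 1:
            # PHI access while two sessions are open: the log cannot say
            # which person was at the keyboard, which is the audit gap
            # 45 CFR 164.308 activity review is meant to close.
            report.unattributable_accesses.append(e)
    return report


def run_sample() -> Report:
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    r = run_sample()
    for c in r.concurrent_logins:
        print(f"{c.at} {c.user}: login on {c.new_host} while active on {c.existing_hosts}")
    for e in r.unattributable_accesses:
        print(f"{e.ts} {e.user} {e.host} {e.action} {e.detail}: cannot attribute to a person")
```

A sequential move between workstations (dr_b logging out of one and into another a minute later) is not flagged; only genuine overlap is.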

The survey suggests that sharing EHR passwords is commonplace, even though the practice is prohibited by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records on at least one occasion. 57% of respondents estimated the number of times they had accessed EHR information this way; the average number of occasions was 4.75.

All medical students surveyed said they had accessed EHRs using the credentials of another individual, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so were highly varied.

Common reasons for sharing EHR passwords were permissions on the user’s account did not allow them to complete their work duties, technical problems prevented them from using their own credentials, and personal logins had not been issued, even though EHR access was required to complete work duties.

The researchers suggest the provision of timely and efficient care is often at odds with security protections. The researchers noted, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”

The researchers made two recommendations: “Usability should be added as the fourth principal in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”

The post Survey Reveals Sharing EHR Passwords is Commonplace appeared first on HIPAA Journal.

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level.

As healthcare organizations turn to mobile devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches involving mobile devices such as laptops, smartphones, tablets, and portable storage devices were reported to OCR. Those breaches exposed the records of 1,303,760 patients and plan members.

17 of those breaches exposed more than 10,000 records each, with the largest exposing 697,800 records. The majority of those breaches could easily have been avoided.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not mandate encryption of ePHI on mobile devices (encryption is an “addressable” implementation specification rather than a “required” one), yet that single safeguard would have prevented a high percentage of the 71 data breaches reported to OCR.

When a mobile device containing ePHI is lost or stolen, the HIPAA Breach Notification Rule presumes a reportable breach: the incident must be reported to OCR and notifications sent to affected individuals unless a documented risk assessment shows a low probability that the PHI has been compromised. If the ePHI was encrypted in a manner consistent with HHS guidance (which references NIST standards), the data counts as “secured” and the loss or theft is not a reportable breach, provided the decryption key was not also obtained. A breach report and patient notifications are only required for breaches of unsecured PHI.

Even though HIPAA does not demand the use of encryption, it must be considered. If the decision is taken not to encrypt data, the decision must be documented and an alternative safeguard – or safeguards – must be employed to ensure the confidentiality, integrity, and availability of ePHI. That alternative safeguard(s) must provide a level of protection equivalent to encryption.

Before the decision about whether or not to encrypt data can be made, HIPAA covered entities must conduct an organization-wide risk analysis, which must include all mobile devices. All risks associated with the use of mobile devices must be assessed and mitigated – see 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

OCR Reminds Covered Entities of Need to Address Risks Associated with Mobile Devices

In its October 2017 Cybersecurity Newsletter, OCR reminded covered entities of the risks associated with mobile devices that are used to create, receive, maintain, or transmit ePHI. HIPAA covered entities were reminded of the need to conduct an organization-wide risk assessment and develop a risk management plan to address all mobile device security risks identified during the risk analysis and reduce them to an appropriate and acceptable level.

While many covered entities allow the use of mobile devices, some prohibit the use of those devices to create, receive, maintain, or transmit ePHI. OCR reminds covered entities that if such a policy exists, it must be communicated to all staff and the policy must be enforced.

When mobile devices can be used to create, receive, maintain, or transmit ePHI, appropriate safeguards must be implemented to reduce risks to an appropriate and acceptable level. While loss or theft of mobile devices is an obvious risk, OCR draws attention to other risks associated with the devices, such as using them to access or send ePHI over unsecured Wi-Fi networks, viewing ePHI stored in the cloud, or accessing or sharing ePHI via file sharing services.

OCR also reminded covered entities to change the default settings on the devices, and that healthcare employees must be informed of mobile device security risks, taught best practices, and shown the correct way to use the devices to access, store, and transmit ePHI.

OCR offers the following advice to help covered entities address mobile security risks and keep ePHI secure at all times.

OCR’s full guidance is in its October 2017 Cybersecurity Newsletter.

OCR’s Tips for Reducing Mobile Device Security Risks

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for Failing to Address Mobile Security Risks

The failure to address mobile device security risks could result in a data breach and a financial penalty for noncompliance with HIPAA Rules. Over the past few years there have been several settlements and civil monetary penalties between OCR and HIPAA covered entities for failing to address mobile device security risks.

These include:

Covered entity; HIPAA violation; individuals impacted; penalty:

  • Children’s Medical Center of Dallas – Theft of unencrypted devices – 6,262 – $3.2 million
  • Oregon Health & Science University – Loss of an unencrypted laptop / storage on a cloud server without a BAA – 4,361 – $2.7 million
  • CardioNet – Theft of an unencrypted laptop computer – 1,391 – $2.5 million
  • Catholic Health Care Services of the Archdiocese of Philadelphia – Theft of a mobile device – 412 – $650,000

Addressing Mobile Device Security Risks

Mobile device security risks must be reduced to a reasonable and appropriate level. Some of the mobile device security risks, together with mitigations, were summarized in an infographic accompanying the original post.

HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy

Deven McGraw, the Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped down and left OCR. McGraw vacated the position on October 19, 2017.

McGraw has served as Deputy Director for Health Information Privacy since July 2015, replacing Susan McAndrew. McGraw joined OCR from Manatt, Phelps & Phillips, LLP where she co-chaired the company’s privacy and data security practice. McGraw also served as Acting Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) since the departure of Lucia Savage earlier this year.

In July, ONC National Coordinator Donald Rucker announced that following cuts to the ONC budget, the Office of the Chief Privacy Officer would be closed out, with the Chief Privacy Officer receiving only limited support. It therefore seems an opportune moment for Deven McGraw to move on to pastures new.

OCR’s Iliana Peters has stepped in to replace McGraw in the interim and will serve as Acting Deputy Director until a suitable replacement for McGraw can be found. Peters has vacated her position as senior advisor for HIPAA Compliance and Enforcement at OCR. There are no plans to bring in a replacement for McGraw at the ONC.

One of the first tasks for Peters will be to ensure the statutory obligations of the 21st Century Cures Act are met, and to issue guidance for healthcare organizations and patients on health data access and guidance on the allowable uses and disclosures of protected health information for patients receiving treatment for mental health or substance use disorder.

McGraw is an expert in HIPAA and privacy laws and will be sorely missed at OCR. McGraw said on Twitter, “The HIPAA team at OCR is in good hands with Iliana Peters as Acting Deputy.”

Politico reports that McGraw will be heading to Silicon Valley and will be joining a health tech startup that will be focused on “empowering consumers.” At present, no announcement has been made about which company she is joining. Politico reports that McGraw will be “part of a very small team doing the thinking about what the product will look like, the data we’re collecting and how we’ll manage and secure it.”

OCR Clarifies HIPAA Rules on Sharing Patient Information After Opioid Overdose

The U.S. Department of Health and Human Services’ Office for Civil Rights has clarified HIPAA Rules on sharing patient information after an opioid overdose. The HIPAA Privacy Rule permits healthcare providers to share limited PHI in certain emergency and dangerous situations. Those situations include natural disasters and drug overdoses, if sharing information can prevent or lessen a serious and imminent threat to a patient’s health or safety.

Some healthcare providers have misunderstood the HIPAA Privacy Rule provisions, and believe permission to disclose information to the patient’s loved ones or caregivers must be obtained from the patient before any PHI can be disclosed.

In an emergency or crisis situation, such as during a drug overdose, healthcare providers are permitted to share limited PHI with a patient’s loved ones and caregivers without permission first having been obtained from the patient.

During an opioid overdose, healthcare providers can share health information with the patient’s family members, close friends, and caregivers if:

  • The healthcare provider determines, based on professional judgment, that sharing information about an incapacitated or unconscious patient is in the best interests of the patient, provided the information shared is limited to that directly related to the individual’s involvement in the patient’s care or payment for care. Information on the overdose can be shared, but not unrelated health information unless permission has been obtained.
  • Informing the above individuals would help to prevent or lessen a serious threat to the patient’s health and safety – Such as continued opioid abuse on discharge.

When a patient is conscious, not incapacitated, and has decision-making capacity, healthcare providers must give the patient the opportunity to object to the disclosure of their overdose to loved ones, close friends, caregivers, or individuals involved in payment for care. If such a patient objects, healthcare providers cannot share the information unless “there is a serious and imminent threat of harm to health.”

There will be situations when a patient is only temporarily incapacitated, and their decision-making capability will be recovered during the course of treatment. In such cases, it is down to the discretion of the healthcare provider whether health information is shared while the patient is incapacitated, the type of information that is shared, and how much. When the patient regains consciousness and decision-making capability, permission must then be obtained before any further disclosures of health information are made.

OCR also points out that it is not only HIPAA Rules that may apply in such situations, explaining “HIPAA does not interfere with state laws or medical ethics rules that are more protective of patient privacy.”

The guidance on HIPAA Rules on sharing patient information after opioid overdose can be viewed on this link.

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules.

Amazon Will Sign a Business Associate Agreement for AWS

Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA.

Previously, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is no longer the case.

As part of its efforts to help healthcare organizations use AWS safely and securely without violating HIPAA Rules, Amazon has published a 26 page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered entities and business associates get to grips with securing their AWS instances, and setting access controls.

AWS HIPAA Compliance is Something of a Misnomer

Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.

The Amazon Simple Storage Service (S3) that is provided through AWS can be used for data storage, data analysis, data sharing, and many other purposes. Data can be accessed from anywhere with an Internet connection, including via websites and mobile apps. AWS has been developed to be secure, but it has also been developed to make data easy to access by anyone with the correct permissions. Make a mistake configuring users or setting permissions and data will be left exposed.

Just because AWS can be used in a HIPAA compliant way, it does not mean that using AWS is free from risk, nor that a HIPAA violation will not occur. Leaving AWS S3 buckets unprotected and accessible by the public is a clear violation of HIPAA Rules. It may seem obvious to secure AWS S3 buckets containing PHI, but this year multiple healthcare organizations have left their PHI open and accessible by anyone.

Amazon S3 buckets are private by default: a newly created bucket can only be accessed by the AWS account that owns it, and any other principal must be granted access explicitly through IAM policies, a bucket policy, or the bucket’s access control list (ACL). It is the process of configuring those permissions and providing other users with access to the resource that often goes awry.

When is AWS not HIPAA Compliant?

When is AWS not HIPAA compliant? When no BAA has been signed, when users have not been instructed on the correct way to use the service, or when access controls and permissions have been set incorrectly. Misconfigure an Amazon S3 bucket and your data will be accessible by anyone who knows where to look.

Documentation is available on the correct way to configure Amazon S3 services and manage access and permissions. Unfortunately, since there are several ways to grant permissions (bucket ACLs, bucket policies, and IAM policies), there are also several points at which errors can occur, and simple mistakes can have grave consequences.

On numerous occasions, security researchers have discovered unprotected AWS S3 buckets and have alerted healthcare organizations that PHI has been left unprotected. However, security researchers are not the only ones checking for unsecured data. Hackers are always on the prowl. It is far easier for a hacker to steal data from cloud storage services that have had all protections removed than it is to attack organizations in other ways.

One of the mistakes that has been made time and again is granting access to ‘Authenticated Users.’ That could be taken to mean anyone you have authenticated to have access to your data. However, that is not Amazon’s definition. ‘Authenticated Users’ is a predefined global group (grantee URI http://acs.amazonaws.com/groups/global/AuthenticatedUsers) comprising anyone with an AWS account, and anyone can obtain an AWS account free of charge. Granting that group read access is, in practice, the same as granting public read access.
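As an added example (not code from HIPAA Journal or Amazon), the following Python audits the two places where S3 access is most often opened up by mistake: the bucket ACL, where any grant to the AllUsers or AuthenticatedUsers group is flagged, and the bucket policy, where any Allow statement with Principal "*" is flagged. The data shapes are those boto3 returns from get_bucket_acl() and get_bucket_policy(), but the inputs here are constructed inline (the bucket name, statement Sids and VPC endpoint ID are invented) so it runs offline.

```python
"""Audit an S3 bucket's ACL and bucket policy for public or any-AWS-account access.
Added example, not HIPAA Journal's or Amazon's code. Input shapes match boto3's
get_bucket_acl() and get_bucket_policy(); the sample inputs below are constructed."""
import json

# Grantee URIs of Amazon's two predefined global groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def audit_acl(acl):
    """Return findings for ACL grants to either global group.

    `acl` has the shape of a get_bucket_acl() response:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        perm = grant.get("Permission")
        if grantee.get("URI") == ALL_USERS:
            findings.append(f"ACL grants {perm} to AllUsers (anyone on the internet)")
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            # The trap: 'authenticated' means any AWS account, not your users.
            findings.append(f"ACL grants {perm} to AuthenticatedUsers (any AWS account)")
    return findings


def audit_policy(policy_json):
    """Return findings for Allow statements whose Principal is '*'.

    `policy_json` is the JSON string in the "Policy" field of get_bucket_policy().
    A statement with a Condition is reported separately, because a condition
    (e.g. aws:SourceVpce) may legitimately narrow a '*' principal.
    """
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may not be in a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if not wildcard:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy {sid}: Principal '*' for {actions} narrowed by a Condition (review it)")
        else:
            findings.append(f"policy {sid}: Principal '*' for {actions} with no Condition (public)")
    return findings


def audit_bucket(acl, policy_json=None):
    """Combine ACL and policy findings; an empty list means nothing was flagged."""
    findings = audit_acl(acl)
    if policy_json:
        findings.extend(audit_policy(policy_json))
    return findings


# Constructed sample inputs (invented bucket name, Sids and VPC endpoint ID).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-phi-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

To run this against a real bucket, feed it `boto3.client("s3").get_bucket_acl(Bucket=name)` and `get_bucket_policy(Bucket=name)["Policy"]` (the latter raises `NoSuchBucketPolicy` when no policy is attached, which simply means there is nothing to audit on that side). The ACL check is the one that catches the ‘Authenticated Users’ mistake; the policy check catches the other common route to a public bucket. Note that a `Principal "*"` statement with a `Condition` is not automatically safe, which is why it is reported for review rather than suppressed.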

How Common are AWS Misconfigurations?

AWS misconfigurations are very common. So much so that in 2017 Amazon emailed customers whose S3 buckets were potentially misconfigured to warn them that the data could be accessed by anyone.

Amazon said in its email, “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

Some of those public disclosures have involved healthcare organizations, but the list is long and varied, including military contractors, financial institutions, mobile carriers, entertainment companies, and cable TV providers. One data analytics firm left data unprotected, exposing the records of 200 million voters. Verizon exposed the data of between 6 and 14 million customers, and World Wide Entertainment exposed the data of 3 million individuals. Patient Home Monitoring, a HIPAA covered entity, left 47GB of data unprotected.

There is no excuse for these oversights. Checking for unprotected AWS buckets is a quick and easy process, and software is available free of charge for this purpose. Kromtech, for example, has developed a tool called S3 Inspector that can be used to check for unsecured S3 buckets.

Is AWS HIPAA Compliant?

So, in summary, is AWS HIPAA compliant? Yes, it can be, and AWS offers healthcare organizations huge benefits.

Can the use of AWS violate HIPAA Rules and leave PHI unprotected? Very easily.

Would misconfiguration of AWS lead to a HIPAA violation penalty? That is a distinct possibility. A new S3 bucket is private by default, so stored data only becomes accessible to outsiders if someone changes its ACL or bucket policy. It would be hard to argue with OCR auditors that manually changing permissions to allow anyone to access an S3 bucket containing PHI is anything other than a serious violation of HIPAA Rules.