HIPAA Compliance News

Is Microsoft Outlook HIPAA Compliant?

The latest in our series of posts on HIPAA compliant software and email services for healthcare organizations explores whether Microsoft Outlook is HIPAA compliant.

Is Microsoft Outlook HIPAA Compliant?

Software or an email platform can never be fully HIPAA compliant, as compliance is not so much about the technology as about how it is used. That said, software and email services can support HIPAA compliance. For an email service to support HIPAA compliance, it must include a range of security features so that any information uploaded to and transmitted through the service can be handled securely, without risking the exposure or interception of sensitive data.

The platform provider must also be prepared to sign a business associate agreement with HIPAA-covered entities, and by doing so agree to comply with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules.

Microsoft has already taken steps toward making many of its services suitable for healthcare providers by agreeing to enter into a business associate agreement. Crucially for healthcare organizations, however, the BAA does not cover all of Microsoft’s software and services.

So, what about Outlook? Is Outlook HIPAA compliant? Can it be used by healthcare organizations to transmit protected health information? That depends on which version of Outlook you use and how you use it.

Outlook.com and Office 365 Outlook

Outlook.com is a free, web-based email platform that may appear similar to the Outlook product available as part of the Office 365 package, but it is not the same product. Outlook.com is a consumer product and has not been developed for businesses and should not be used by healthcare organizations, at least not for sending ePHI.

Microsoft supports HIPAA compliance for its Office 365 suite of products, and will enter into a business associate agreement with healthcare organizations for the enterprise version of Office 365; however, in order to meet all requirements of HIPAA it is essential to purchase the right package. An important part of HIPAA compliance is maintaining audit logs, which are not available in Office 365 for Business. HIPAA compliance is only supported for certain enterprise plans, and all of the features required for HIPAA compliance are only available in the Enterprise E3 and E5 plans.

Office 365 and the associated Microsoft Exchange Online service can be HIPAA compliant and are covered by the BAA; however, care must be taken to configure these services correctly, and additional controls are required before Office 365 Outlook can be HIPAA compliant. Microsoft offers enterprise-level encryption, Microsoft Exchange Online Protection, data loss prevention (DLP), and the ability to wipe data on mobile devices. Provided these services are used and configured correctly, access controls are set up, audit logs are maintained, single sign-on and two-factor authentication are enabled, data backups are performed, and staff receive training on the use of email for communicating ePHI, Outlook can be HIPAA compliant. Simply obtaining a business associate agreement with Microsoft will not, by itself, ensure compliance with HIPAA Rules.

Microsoft will sign a BAA but clearly states that simply having a BAA does not guarantee compliance with HIPAA Rules. “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Microsoft offers advice on making Office 365 (Exchange Online) HIPAA compliant here.

The post Is Microsoft Outlook HIPAA Compliant? appeared first on HIPAA Journal.

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’

The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician.

Alleged Improper Disclosure of Sensitive Health Information

Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked and made sure appropriate diagnostic tools were available. Hereford also told the technician and the physician that they should wear gloves because the patient had hepatitis C.

After the procedure the patient filed a complaint, alleging Hereford had spoken loudly enough that other patients and medical staff in the vicinity would have heard that she had hepatitis C. While the complaint was investigated Hereford was placed on administrative leave, and she was later terminated for the HIPAA violation, an unnecessary disclosure of confidential health information.

In her action for unfair dismissal, Hereford claimed this was an ‘incidental disclosure’, which is not a violation of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not occurred. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.

Norton filed a motion to dismiss or, in the alternative, a motion for summary judgment. The Circuit Court granted the motion to dismiss the wrongful termination claim, finding there had been an unnecessary disclosure of PHI, since a physician should not need to be reminded to wear gloves during a procedure to avoid contracting an infectious disease. However, the motion to dismiss the defamation claim was denied.

Norton sought summary judgment on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that truthfully stating that the nurse HIPAA violation was the reason for termination could not have defamed Hereford.

Appeals Court Confirms Nurse HIPAA Violation

Hereford subsequently took her case to the Kentucky Court of Appeals. The Court of Appeals found that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

With respect to the wrongful dismissal claim, the court based its decision on the minimum necessary standard, which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the intended purpose (45 CFR 164.502), explaining, “Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct, as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was told the truth about the reason for dismissal.

What Are the Potential HIPAA Violation Penalties for Nurses?

HIPAA violation penalties for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.

The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are determined by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.

What is the Maximum HIPAA Violation Penalty for Nurses

The maximum penalty for a single HIPAA violation is $50,000 per violation or per record, with an annual maximum of $1.5 million per violation category.

Serious violations of HIPAA Rules can warrant criminal charges for HIPAA violations, and in addition to financial penalties jail time is possible. Criminal violations of HIPAA Rules are handled by the U.S. Department of Justice.

Nurses who knowingly obtain or disclose individually identifiable health information can face a fine of up to $50,000 and up to one year in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum penalty is a fine of up to $250,000 and up to 10 years in jail.

When there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years.

Nurse HIPAA Violation Cases

Listed below are some of the recent nurse HIPAA violation cases covered on HIPAA Journal.

Glendale Adventist Medical Center Nurse Fired for HIPAA Violation

Minnesota BCBS Nurse Accused of Unauthorized Accessing of Minnesota Board of Pharmacy Database

Virginia Nurse Charged with Bank Fraud and Identity Theft

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access

Minnesota Hospital Fires 32 Over HIPAA Violation

Employees Fired over Sharing of Degrading Photos of Patients on Snapchat

The post Termination for Nurse HIPAA Violation Upheld by Court appeared first on HIPAA Journal.

Healthcare Data Breaches in September Saw Almost 500K Records Exposed

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’

In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed.

The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations.

The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made inaccessible. It is not known if those records were accessed or stolen.

The main causes of healthcare data breaches in September were hacking (50%) and insiders (32.6%). The hacking total includes extortion attempts by TheDarkOverlord hacking group, ransomware incidents, and malware attacks. Hacking incidents accounted for 80% of breached records for the month – 401,741 records – although figures for 4 of the incidents have not yet been disclosed. The hacking incidents in September included one confirmed ransomware incident, eight extortion attempts, and seven phishing attacks.

The 15 insider incidents resulted in the exposure of 73,926 records. Those incidents included six insider errors and eight instances of insider wrongdoing. Four theft incidents were reported, which impacted 17,295 patients.

The breaches occurred at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered entities, and 3 schools, with California the worst affected with 5 incidents.

While most healthcare organizations discovered their data breaches within 6 weeks (the median time to discovery was 38 days), it took one healthcare provider 2,108 days to discover that one of its employees had been improperly accessing medical records.

Most healthcare organizations reported their breaches inside the HIPAA Breach Notification Rule deadline of 60 days, although there were two exceptions. One healthcare organization took 249 days to report its breach, risking a significant HIPAA violation penalty.

The post Healthcare Data Breaches in September Saw Almost 500K Records Exposed appeared first on HIPAA Journal.

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information (PHI) in a HIPAA-compliant way must do so in accordance with the HIPAA Privacy Rule, which limits the permitted uses and disclosures of PHI. Once PHI has been de-identified, however, the Privacy Rule restrictions no longer apply.

You can use our free Protected Health Information Guide to learn how to de-identify and anonymize PHI. If PHI is de-identified so that the identity of individuals cannot be determined and there is no reasonable basis to believe individuals can be re-identified, it can be freely shared.

HIPAA Privacy Rule restrictions only cover individually identifiable health information. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient before data are disclosed.

HIPAA-Compliant De-identification of Protected Health Information

HIPAA-compliant de-identification of protected health information is possible using two methods: Safe Harbor and Expert Determination.

Neither method of de-identification of protected health information will remove all risk of re-identification of patients, but both methods will reduce risk to a very low and acceptable level.

Use either of the two methods below and PHI will no longer be considered ‘protected health information’ and not be subject to HIPAA Privacy Rule restrictions.

1.     Safe Harbor – The Removal of Specific Identifiers

The first HIPAA compliant way to de-identify protected health information is to remove specific identifiers from the data set. The identifiers that must be removed according to 45 CFR §164.514(b)(2) are:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age)
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Device identifiers and serial numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers including license plates
  • Website URLs
  • Full face photos and comparable images
  • Biometric identifiers (including finger and voice prints)
  • Any unique identifying numbers, characteristics or codes

In the case of zip codes, covered entities are permitted to use the first three digits provided the geographic unit formed by combining all zip codes with those first three digits contains more than 20,000 individuals. When that geographic unit contains 20,000 or fewer individuals, the first three digits must be changed to 000. According to the Bureau of the Census, that means 17 three-digit zip code prefixes must be changed to zero:

036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831

Covered entities should note that the above list of zip codes may change after future censuses. The list is based on 5-digit zip codes from the 2000 census.

IMPORTANT NOTE: The list of HIPAA identifiers was compiled in 1999 and is now out-of-date. Additional identifiers that must be removed from a designated record set before it can be considered de-identified include social media aliases, Medicare Beneficiary Numbers, and details relating to an emotional support animal if the animal could be used to identify the subject of the PHI.
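The Safe Harbor procedure above, as an added worked example that is not code from HIPAA Journal: it drops the listed direct identifiers, reduces dates to the year, applies the 3-digit zip rule with the 17 restricted prefixes, and collapses ages over 89 (including a birth year that would reveal such an age) into a single 90+ category. The field names (`name`, `mrn`, `zip`, `dob`, `admit_date`, `age`, `diagnosis`, and so on) and the sample records are assumptions constructed for the example; the identifier categories and the zip rule are the ones the page quotes from 45 CFR §164.514(b)(2).

```python
"""Safe Harbor de-identification applied to a small set of records.

Added example, not code from HIPAA Journal. Field names are assumed for
illustration; the identifier categories, the 3-digit ZIP rule and the 17
restricted prefixes are those the page lists from 45 CFR 164.514(b)(2).
"""
import re
from datetime import date

# ZIP3 prefixes covering 20,000 or fewer people (2000 census, per the page);
# they must be replaced by "000".
RESTRICTED_ZIP3 = {
    "036", "692", "878", "059", "790", "879", "063", "821", "884",
    "102", "823", "890", "203", "830", "893", "556", "831",
}

# Fields removed outright. "social_handle" and "mbn" (Medicare Beneficiary
# Number) are the additions the page says post-date the 1999 list.
DIRECT_IDENTIFIERS = {
    "name", "relative_name", "employer", "address", "phone", "fax", "email",
    "ip", "ssn", "mrn", "health_plan_id", "mbn", "device_serial", "license",
    "account", "vehicle", "url", "photo", "biometric", "social_handle",
}

# Date fields: every element finer than the year is removed.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Keep the 3-digit prefix, or "000" if the prefix is restricted."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:                # malformed input: suppress entirely
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_of(value):
    """Reduce a date (date object or ISO-style string) to its year."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"^(\d{4})", str(value))
    return int(m.group(1)) if m else None


def age_on(dob, as_of):
    """Whole years between a date of birth and a reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record, as_of=date(2017, 10, 1)):
    """Return a copy of `record` with Safe Harbor identifiers removed.

    `as_of` (assumed) is the reference date for deriving age from `dob`
    when no explicit age is present. Free-text fields pass through, so
    notes and comments still need their own review for embedded names.
    """
    age = record.get("age")
    dob = record.get("dob")
    if age is None and isinstance(dob, date):
        age = age_on(dob, as_of)
    over_89 = age is not None and age > 89

    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                          # dropped outright
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # A birth year is itself indicative of age once age > 89, so it
            # goes too; other dates keep only their year.
            out[field] = None if (field == "dob" and over_89) else year_of(value)
        elif field == "age":
            out[field] = "90+" if over_89 else value   # single 90+ category
        else:
            out[field] = value
    return out


# Constructed sample records, not real patients.
SAMPLE = [
    {"name": "Jane Doe", "mrn": "MRN-00017", "email": "jane@example.com",
     "zip": "03601", "dob": date(1985, 4, 12), "admit_date": "2017-09-03",
     "age": 32, "diagnosis": "J18.9", "social_handle": "@janedoe"},
    {"name": "John Roe", "ssn": "123-45-6789", "zip": "40202-1234",
     "dob": date(1925, 1, 1), "discharge_date": date(2017, 8, 15),
     "diagnosis": "I10"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(safe_harbor(rec))
```

Note that the first record's zip 03601 becomes 000 because prefix 036 is on the restricted list, and the second record loses its birth year entirely because a 1925 birth date implies an age over 89. The function deliberately does not touch free text; a clinical note containing a name or a unique tattoo description is still an identifier under the last bullet of the list.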

2. Expert Determination

The expert determination method carries a small risk that an individual could be identified, although the risk is so low that it meets HIPAA Privacy Rule requirements.

This method of de-identification of protected health information requires a HIPAA covered entity or business associate to obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from the data set is very small. In such cases, the methods used to make that determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate and made available to regulators in the event of an audit or investigation.

The expert must be a person with appropriate knowledge and experience of using generally accepted statistical and scientific principles and methods for removing or altering information to ensure that it is no longer individually identifiable.

When those methods and principles have been applied, the expert must determine that the risk of reidentification of an individual is very small. In such cases, the risk of reidentification must be very small when the information is used alone, and must remain very small should the data be combined with other reasonably available information by an anticipated recipient to identify an individual who is a subject of the information.

HIPAA does not define the level of risk of re-identification other than to say it should be ‘very small’. The expert should define ‘very small’ in relation to the context of the data set, the specific environment, and the ability of an anticipated recipient to be able to reidentify individuals.

Experts may come from a number of different fields and do not require any specific qualifications. What is important is experts have experience of deidentifying data. It is that experience that regulators will look at in the event of an audit, not specific qualifications or certifications.
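The kind of measurement an expert determination would document, as an added example that is not code from HIPAA Journal or the HHS guidance: it counts how many records share each combination of quasi-identifiers in a Safe-Harbor-style data set, tests whether a constructed external table (standing in for the "reasonably available information" an anticipated recipient could obtain) links to any record uniquely, and shows how coarsening one field changes the result. Using the smallest class size k as the risk measure, the threshold K_MIN, the quasi-identifier set, and every record below are assumptions chosen for illustration; the page only says the expert must judge the risk "very small" in context.

```python
"""Re-identification risk measurement of the kind an expert determination
would document: equivalence-class sizes over quasi-identifiers, a linkage
test against an external table, and the effect of coarsening a field.

Added example, not from HIPAA Journal or HHS guidance. The risk measure,
threshold, quasi-identifiers and all records are assumptions.
"""
from collections import Counter

QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")
K_MIN = 2   # assumed threshold: no record may be alone in its class


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r.get(k) for k in keys) for r in records)


def risk_report(records, keys=QUASI_IDENTIFIERS):
    """Summarise prosecutor-style risk: an adversary who knows a target's
    quasi-identifiers picks the right record with probability 1/k."""
    classes = equivalence_classes(records, keys)
    if not classes:
        return {"records": 0, "classes": 0, "k_min": 0, "unique_records": 0,
                "max_risk": 0.0, "avg_risk": 0.0, "acceptable": True}
    k_min = min(classes.values())
    return {
        "records": len(records),
        "classes": len(classes),
        "k_min": k_min,
        "unique_records": sum(1 for c in classes.values() if c == 1),
        "max_risk": 1 / k_min,                    # worst single record
        "avg_risk": len(classes) / len(records),  # mean of 1/k over records
        "acceptable": k_min >= K_MIN,
    }


def linkable(records, external, keys=QUASI_IDENTIFIERS):
    """Names in `external` whose quasi-identifiers match exactly one
    record: the linkage attack the "reasonably available information"
    clause is about."""
    classes = equivalence_classes(records, keys)
    return sorted(e["name"] for e in external
                  if classes.get(tuple(e.get(k) for k in keys)) == 1)


def coarsen_years(rows, field="birth_year", width=10):
    """Generalise a year to the start of its `width`-year band."""
    return [dict(r, **{field: (r[field] // width) * width}) for r in rows]


# Constructed Safe-Harbor-style records (3-digit ZIP, birth year, sex).
DATA = [
    {"zip3": "402", "birth_year": 1985, "sex": "F", "dx": "J18.9"},
    {"zip3": "402", "birth_year": 1985, "sex": "F", "dx": "E11.9"},
    {"zip3": "402", "birth_year": 1987, "sex": "F", "dx": "I10"},
    {"zip3": "402", "birth_year": 1960, "sex": "M", "dx": "I10"},
    {"zip3": "402", "birth_year": 1962, "sex": "M", "dx": "K21.9"},
    {"zip3": "303", "birth_year": 1985, "sex": "F", "dx": "F41.1"},
    {"zip3": "303", "birth_year": 1988, "sex": "F", "dx": "J45.9"},
    {"zip3": "303", "birth_year": 1961, "sex": "M", "dx": "I25.10"},
    {"zip3": "303", "birth_year": 1965, "sex": "M", "dx": "M54.5"},
]

# Constructed stand-in for a public register the recipient could obtain.
EXTERNAL = [
    {"name": "A. Smith", "zip3": "402", "birth_year": 1987, "sex": "F"},
    {"name": "B. Jones", "zip3": "402", "birth_year": 1985, "sex": "F"},
]

if __name__ == "__main__":
    print(risk_report(DATA))
    print("linkable:", linkable(DATA, EXTERNAL))
    coarse = coarsen_years(DATA)
    print(risk_report(coarse))
    print("linkable after coarsening:", linkable(coarse, coarsen_years(EXTERNAL)))
```

On the constructed data, seven of nine records are unique on (zip3, birth year, sex) and the external table links A. Smith to a single record; banding birth year to decades raises the smallest class to 2 and defeats that linkage. The report dictionary, the chosen keys and the justification for the threshold are exactly the items the page says must be documented and retained for a regulator.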

For further information on de-identification of protected health information by expert determination see 45 CFR § 164.514(b)(1).

The U.S. Department of Health and Human Services’ Office for Civil Rights has issued guidance on de-identification of protected health information which can be viewed on this link.

De-identification of Protected Health Information FAQs

Why is the list of Safe Harbor identifiers the same as many definitions of PHI?

The list of Safe Harbor identifiers is the same as many definitions of PHI because some sources have mistakenly used the list to answer the question “what is PHI?” It is important to be aware this is not the case.

PHI – or Protected Health Information – is individually identifiable health information that relates to an individual’s past, present, or future health condition, treatment for the condition, or payment for the treatment. Only when identifiers are maintained in the same designated record set as PHI do the identifiers assume protected status.

The list of Safe Harbor identifiers is a (now incomplete) list of possible identifiers that could be maintained in the same designated record set as PHI. If so, they (and any other identifiers not included on the list) must be removed from the designated record set before any remaining PHI is considered de-identified.

Do doctors´ names have to be removed from a data set for PHI to be de-identified?

Doctors’ names have to be removed from a data set for PHI to be de-identified if the name of a doctor – individually or with other information – could be used to identify the subject of the data set. If there is very little chance of a patient being identified by a doctor´s name, then the name can remain in the de-identified data set subject to any state laws or confidentiality concerns.

Generally, with regard to the removal of names from designated record sets, the name of the patient (including nicknames, pet names, and any other names they may be known by) has to be removed, along with the names of relatives, employers, and household members. There is no requirement in HIPAA to remove the names of healthcare providers or any workforce members.

Must a Business Associate Agreement or Data Use Agreement be in place before disclosing de-identified health data to a business partner?

A Business Associate Agreement or Data Use Agreement does not have to be in place before disclosing de-identified health data to a business partner. However, covered entities can, if they wish, enter into a Data Use Agreement with the recipient of the data to specify how the recipient can use the data and prohibit its re-identification.

What is considered “appropriate knowledge and experience” for expert determination?

There is no definition of appropriate knowledge and experience for expert determination in HIPAA. However, in the event of a HIPAA compliance audit, the Department of Health & Human Services´ Office for Civil Rights would review the expert´s professional experience and academic training, and the processes used in the de-identification of the data set, to assess the expert´s capabilities.

Is there an expiration date for de-identified health data?

There is no expiration date for de-identified health data stipulated in the Privacy Rule. However, the Department of Health & Human Services recognizes that “technology, social conditions, and the availability of information changes over time” and has suggested that covered entities periodically review the chosen de-identification method to ensure it still meets the very low risk requirement.

Why is the list of Safe Harbor identifiers incomplete?

The list of Safe Harbor identifiers is incomplete because it was published a quarter of a century ago, before (for example) social media and emotional support animals. If a patient has a social media handle maintained with PHI in a designated record set, or information relating to an emotional support animal, that information also needs to be removed from the designated record set before it can be considered de-identified.

What is the benefit of de-identifying Protected Health Information?

The benefit of de-identifying Protected Health Information is that the de-identified data can be used for medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating patient privacy or requiring individual authorizations. Effectively, once PHI is de-identified, the restrictions of the Privacy Rule no longer apply.

What are the two HIPAA-compliant methods for de-identifying PHI?

The two HIPAA-compliant methods of de-identifying PHI are the Safe Harbor method and the Expert Determination method. It is important to be aware that the list of identifiers listed in the Safe Harbor method is out of date, and organizations considering this method of de-identification are advised to seek professional compliance advice before relying on the content of §164.514 to de-identify PHI.

How does the Expert Determination method of de-identifying PHI work?

The Expert Determination method of de-identifying PHI works by obtaining an opinion from a qualified statistical expert indicating that the risk of re-identifying an individual from the de-identified data set is very small. The methods used for this determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate.

Does the Privacy Rule define the level of risk of re-identification in the Expert Determination method?

The Privacy Rule does not define the level of risk of re-identification in the Expert Determination method other than stating it should be “very small”. This means the expert is required to define “very small” in relation to the context of the data set, the specific environment, what the data set will be used for, and the recipient’s reasonably anticipated ability to reidentify individuals.

The post De-identification of Protected Health Information: How to Anonymize PHI appeared first on HIPAA Journal.

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 resulted in the theft/exposure of 1,767,717 individuals’ PHI. Up until the end of September, the records of 4,601,097 Americans had been exposed or stolen as a result of healthcare data breaches.

Q3 Data Breaches by Covered Entity

Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities.

There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228.

The Ten Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in Q3 were attributed to hacking/IT incidents.

Covered Entity                                                 Entity Type          Records Breached   Type of Breach
Women’s Health Care Group of PA, LLC                           Healthcare Provider  300,000            Hacking/IT Incident
Pacific Alliance Medical Center                                Healthcare Provider  266,123            Hacking/IT Incident
Peachtree Neurological Clinic, P.C.                            Healthcare Provider  176,295            Hacking/IT Incident
Arkansas Oral & Facial Surgery Center                          Healthcare Provider  128,000            Hacking/IT Incident
McLaren Medical Group, Mid-Michigan Physicians Imaging Center  Healthcare Provider  106,008            Hacking/IT Incident
Salina Family Healthcare Center                                Healthcare Provider  77,337             Hacking/IT Incident
Morehead Memorial Hospital                                     Healthcare Provider  66,000             Hacking/IT Incident
Network Health                                                 Health Plan          51,232             Hacking/IT Incident
St. Mark’s Surgical Center, LLC                                Healthcare Provider  33,877             Hacking/IT Incident
Sport and Spine Rehab                                          Healthcare Provider  31,120             Hacking/IT Incident

Main Cause of Healthcare Data Breaches in Q3, 2017

For much of 2017, the main cause of healthcare data breaches was unauthorized disclosures by insiders, although in Q3, 2017, hacking was the biggest cause of healthcare data breaches. These incidents involve phishing attacks, malware and ransomware incidents, and the hacking of network servers and endpoints. These hacking incidents involved the exposure/theft of considerably more data than all of the other breach types combined. In Q3, 1,767,717 healthcare records were exposed/stolen, of which 1,578,666 – 89.3% – were exposed/stolen in hacking/IT incidents.

Location of Breached PHI

If vulnerabilities exist, it is only a matter of time before they are discovered by hackers. It is therefore essential for HIPAA covered entities and their business associates to conduct regular risk assessments to determine whether any vulnerabilities exist. Weekly checks should also be conducted to make sure the latest versions of operating systems and software are installed and no patches have been missed. Misconfigured servers, unsecured databases, and the failure to apply patches promptly resulted in 31 data breaches in Q3, 2017.

In Q3, 34 incidents were reported that involved email. While some of those incidents involved misdirected emails and the deliberate emailing of ePHI to personal email accounts, the majority of those breaches saw login details disclosed or ransomware/malware installed as a result of employees responding to phishing emails.  The high number of phishing attacks reported in Q3 shows just how important it is to train employees how to recognize phishing emails and how to report suspicious messages. Training should be an ongoing process, involving classroom-based training, CBT sessions, and phishing simulations, with email updates sent to alert employees to specific threats.

The post Q3, 2017 Healthcare Data Breach Report appeared first on HIPAA Journal.

Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules?

There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules?

This article will attempt to answer the question, Is Skype HIPAA compliant?

Is Skype a Business Associate?

Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary.

However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates. Skype does not create PHI, but it does ‘receive’ and transmit PHI. That said, messages are encrypted and are not accessed by Microsoft.  But can Microsoft access the contents of messages? Does Microsoft hold a key to unlock the encryption?

Microsoft does comply with law enforcement requests and will supply information to law enforcement. Information is only disclosed when required to do so by law, for example if a subpoena or court order is issued.

For that to happen, data must first be decrypted. It is unclear whether providing information to law enforcement, and being able to decrypt messages, would mean Skype fails to satisfy the requirements of the conduit exception. Skype is also not a common carrier; it is software-as-a-service. While this has been debated, it is our opinion that Skype is classed as a business associate and a business associate agreement is required.

Microsoft will sign a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business MAY be included in that agreement. If a business associate agreement has been obtained from Microsoft, covered entities must check it carefully to make sure if it does include Skype for Business. Microsoft has previously explained that not all BAAs are the same.

Skype and HIPAA Compliance: Encryption, Access, and Audit Controls

HIPAA does not demand the use of encryption for ePHI, although encryption must be considered. If encryption is not used, an alternative, equivalent safeguard must be implemented in its place. In the case of Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is satisfied.

However, Skype does not necessarily include appropriate controls for backing up of messages (and ePHI) communicated via the platform, and neither does it maintain a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant, if the Enterprise E3 or E5 package is purchased. These include the ability to create an archive that stores all communications. Other versions would not satisfy HIPAA Rules.

Is Skype HIPAA Compliant?

So, is Skype HIPAA compliant? No. Is Skype for Business HIPAA compliant? It can be, if the Enterprise E3 or E5 package is purchased. In the case of the latter, it is down to the covered entity to ensure Skype is HIPAA compliant. That means a business associate agreement must be obtained from Microsoft prior to using Skype for Business to send any ePHI. Skype must also be configured carefully. In order to be HIPAA compliant, Skype must maintain an audit trail, all messages must be backed up securely, and all communications must be saved.

Access controls must also be applied on all devices that use Skype to prevent unauthorized disclosures of ePHI. Controls must also be set to prevent any ePHI from being sent outside the organization. Covered entities must also receive satisfactory assurances that in the event of a breach, they will be notified by Microsoft.

Even with a BAA and the correct package, there is still considerable potential for HIPAA Rules to be violated using Skype for Business. Since there are many secure text messaging options available to covered entities, including platforms that have been built specifically for use by the healthcare industry, they may prove to be a better choice. With those platforms, HIPAA compliance is made much more straightforward and it is far harder to accidentally violate HIPAA Rules.

The post Is Skype HIPAA Compliant? appeared first on HIPAA Journal.

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA-covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is an accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond?

How Should Employees Report an Accidental HIPAA Violation?

Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, if an email containing PHI is sent to the wrong person, or if any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer.

The first thing a Privacy Officer should determine is whether the accidental HIPAA violation is indeed a HIPAA violation or a violation of the organization's policies. For example, forgetting to document a patient's agreement to be included in a hospital directory is not a violation of HIPAA but could be a violation of the hospital's policies.

If the accidental violation is indeed a violation of HIPAA, the Privacy Officer will need to determine whether or not the violation constitutes an impermissible use or disclosure which qualifies as a data breach.

If so, the Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a HIPAA risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR).

When reporting the incident, you should explain that a mistake was made and what has happened. You will need to explain which patient's records were viewed or disclosed. The failure to report such a breach promptly can turn a simple error into a major incident, one that could result in disciplinary action and, potentially, penalties for your employer.

How Should Covered Entities Respond to an Accidental HIPAA Violation?

Any accidental HIPAA violation that may qualify as a data breach must be treated seriously and warrants a risk assessment to determine the probability of PHI having been compromised, the level of risk to individuals whose PHI has potentially been compromised, and the risk of further disclosures of PHI.

The risk assessment should determine:

  • The nature of the breach
  • The person who viewed or acquired PHI
  • The types of information involved
  • The patients potentially impacted
  • To whom information has been disclosed
  • The potential for re-disclosure of information
  • Whether PHI was actually acquired or viewed
  • The extent to which risk has been mitigated

Following the risk assessment, risk must be managed and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be issued. Not all breaches of PHI are reportable. There are three exceptions when there has been an accidental HIPAA violation.

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.

Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of a different patient is disclosed.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Example: A physician gives X-ray films or a medical chart to a person not authorized to view the information but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been read and information retained.

In each case, while breach notifications are not required, any member of staff that finds themselves in one of the above situations should still report the incident to their Privacy Officer.

In all other cases when there has been a breach of unsecured PHI, the incident must be reported to OCR, and individuals impacted by the breach should be notified within 60 days of the discovery of the breach. HIPAA breach reporting requirements have been summarized here.

Examples of Unintentional HIPAA Violations

Lost or stolen USB flash drives could be considered by some to be examples of unintentional HIPAA violations as nobody intended for the USB flash drives to be lost or stolen. However, the loss or theft could have been reasonably foreseen and potential breaches of ePHI avoided by encryption. The following examples of unintentional HIPAA violations were less foreseeable.

In 2022, an investigation was conducted by The Markup into the use of third-party tracking technologies on hospital websites, namely a code snippet provided by Meta Platforms called Meta Pixel. The code snippet is used for tracking visitor activity on websites and provides insights into how the website users are accessing the sites. The data provided can be used to improve the website, services, and user experience. The analysis was conducted on the top 100 hospitals in the United States, and one-third were found to have used the code on their websites. The problem? The code was transmitting individually identifiable information to Meta, which could potentially be used to serve Facebook users with targeted advertisements related to their health conditions. No business associate agreements were in place, no patient authorizations were obtained, and those disclosures were therefore impermissible under HIPAA. The code acted as it should. The problem was where it was added and how it was configured. Several hospitals and health systems accidentally violated HIPAA as a result, including Novant Health, WakeMed Health and Hospitals, and Advocate Aurora Health. Millions of patients of these and other healthcare providers have been affected.
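The practical lesson of the tracking-pixel incidents is that a covered entity needs to know which third-party hosts its patient-facing pages cause the browser to contact. The script below is an added example, not code from the HIPAA Journal post or from any of the organizations named in it: it parses a page's HTML with the standard library and lists every external host loaded by script, image, iframe or link tags, then flags the ones on a review list. The sample page and the tracker host list are constructed assumptions for the demonstration; a real privacy review would maintain its own list and run the check against the live site's pages (a crawl, or the site's own templates).

```python
"""Added example, not from the HIPAA Journal post: audit an HTML page for
third-party resources such as tracking pixels.  The tracker host list and
the sample HTML are constructed assumptions for this demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a privacy review would treat as advertising/analytics trackers.
# Assumed list for the example; a real review maintains its own.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net",
    "www.facebook.com",
    "www.googletagmanager.com",
}

# Constructed sample of a patient-facing page that embeds a tracking pixel
# alongside legitimate first-party resources.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=000000&amp;ev=PageView" width="1" height="1">
<iframe src="https://scheduling.example-hospital.org/book"></iframe>
<a href="https://example.com">link</a>
</body></html>"""


class ExternalResourceParser(HTMLParser):
    """Collects the targets of tags that make the browser fetch a resource
    (scripts, images, frames, stylesheets); plain anchors are ignored."""

    FETCHING_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCHING_TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def third_party_hosts(html, first_party_domain):
    """Return the sorted set of hosts outside first_party_domain that the
    page loads resources from.  Relative URLs have no host and are skipped."""
    parser = ExternalResourceParser()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname
        if host is None:
            continue
        if host == first_party_domain or host.endswith("." + first_party_domain):
            continue
        hosts.add(host)
    return sorted(hosts)


def flagged_trackers(html, first_party_domain):
    """Subset of third-party hosts that appear on the tracker review list."""
    return [h for h in third_party_hosts(html, first_party_domain)
            if h in KNOWN_TRACKER_HOSTS]


if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML, "example-hospital.org"):
        marker = "TRACKER" if host in KNOWN_TRACKER_HOSTS else "external"
        print(f"{marker:8s} {host}")
```

The check reports hosts, not intent: an external host is not a violation by itself, but each one on a page where patients log in, book appointments or look up conditions needs either a business associate agreement or a decision to remove it.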

In May 2017, Olivia O'Leary – a twenty-four-year-old medical technician – claims to have been dismissed from her job at the Onslow Memorial Hospital in Jacksonville, NC, after commenting on a Facebook post. Her warning that the victim of an auto accident should have worn a seat belt was not seen by her employer as a reminder to always wear a seatbelt – O'Leary alleges – but rather as a HIPAA violation.

In April 2016, the Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for contracting an outside vendor to convert X-ray films to digital form and then allowing the vendor to harvest the silver from the films. The clinic's error was not having a Business Associate Agreement in place, and in addition to the fine, the clinic had to implement a Corrective Action Plan overseen by OCR.

The Dallas, TX-based dental practice Elite Dental Associates responded to a post by a patient on the Yelp review website. The patient who posted on the site had identified herself as a patient of the practice, but when the practice responded, information was included in the post that revealed her health condition, treatment plan, insurance, and payment information. In October 2019 the practice was fined $10,000 for the HIPAA violation.

If an intern requires access to systems containing protected health information and a colleague allows their own credentials to be used, the intern can get the information they need to complete their work tasks. However, the sharing of login credentials is not permitted by HIPAA as it makes it impossible to track information system activity accurately. The sharing of login credentials contributed to a $202,400 financial penalty for the City of New Haven in Connecticut.
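The accountability problem with shared logins can be caught in the authentication logs: one account active on two workstations at the same moment is a strong indicator. The detector below is an added example, not from the post or from any organization it names; its log format (timestamp, user, workstation, event) and the log lines are constructed for the demonstration, and a real deployment would map them onto the log fields of the EHR or identity provider actually in use.

```python
"""Added example, not from the HIPAA Journal post: flag accounts whose
sessions overlap on different workstations, a sign of shared credentials.
The log format and sample lines are constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <workstation> <LOGIN|LOGOUT>"
# jsmith is logged in on two workstations at once; adoe moves between
# workstations sequentially, which is normal.
SAMPLE_LOG = """\
2024-03-04T08:00:00 jsmith WS-101 LOGIN
2024-03-04T08:05:00 jsmith WS-207 LOGIN
2024-03-04T08:30:00 jsmith WS-101 LOGOUT
2024-03-04T09:00:00 jsmith WS-207 LOGOUT
2024-03-04T09:10:00 adoe WS-310 LOGIN
2024-03-04T09:40:00 adoe WS-310 LOGOUT
2024-03-04T09:45:00 adoe WS-311 LOGIN
2024-03-04T10:15:00 adoe WS-311 LOGOUT
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, workstation, action) tuples,
    sorted by time so sessions can be replayed in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action))
    return sorted(events)


def concurrent_sessions(text):
    """Replay the log and return {user: [(existing_host, new_host, time)]}
    for every login that happened while the same user was still logged in
    on a different workstation."""
    active = defaultdict(set)      # user -> workstations currently logged in
    findings = defaultdict(list)
    for ts, user, host, action in parse_events(text):
        if action == "LOGIN":
            for other in sorted(active[user]):
                if other != host:
                    findings[user].append((other, host, ts.isoformat()))
            active[user].add(host)
        elif action == "LOGOUT":
            active[user].discard(host)
    return dict(findings)


if __name__ == "__main__":
    for user, overlaps in concurrent_sessions(SAMPLE_LOG).items():
        for existing, new, when in overlaps:
            print(f"{user}: login on {new} at {when} while still active on {existing}")
```

Overlapping sessions are an indicator, not proof; a user who walks away from an unlocked workstation produces the same pattern, which is itself a finding worth following up under the access-control requirements the post describes.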

The HIPAA Right of Access provision of the HIPAA Privacy Rule gives patients the right to obtain a copy of their health information. There is an exception to this right concerning psychotherapy notes, which should not be provided. Riverside Psychiatric Medical Group received such a request from a patient and did not provide a copy of the requested records. Not providing psychotherapy notes doesn’t violate HIPAA but failing to respond to the request and notify the patient why the records are not being provided does. In such cases, records can be provided minus the psychotherapy notes. In November 2020, OCR fined the practice $25,000.

In a further example of an unintentional HIPAA violation listed on the OCR's website, the staff was required to undergo HIPAA training when one member of staff discussed HIV testing procedures with a patient in a waiting room – disclosing the patient's PHI to other patients in the waiting room. After the OCR investigation, computer monitors were also repositioned to prevent the accidental disclosure of PHI.

How Should Business Associates Respond to an Accidental HIPAA Violation?

The correct response to an accidental HIPAA violation should be detailed in your business associate agreement. The HIPAA Rules require all accidental HIPAA violations and security incidents that result in data breaches to be reported to the covered entity within 60 days of discovery, although the covered entity should be notified as soon as possible and notification should not be unnecessarily delayed. Business associates should provide their covered entity with as many details of the accidental HIPAA violation or breach as possible to allow the covered entity to make a determination on the best course of action to take.

Accidental HIPAA Violations: FAQs

Can I get fired for an accidental HIPAA violation?

Although it sounds unlikely that a member of the workforce would be fired for an accidental HIPAA violation, this will depend on the nature of the violation, its consequences, and the content of your employer's sanctions policy. It may also be the case that you have a history of accidental HIPAA violations and have received prior warnings about what might happen when you next violate HIPAA.

What happens if you accidentally violate HIPAA and nobody notices?

If you accidentally violate HIPAA, and nobody notices, it is still in your best interest to report it. Not only will your report indicate your willingness to be a compliant employee, but the circumstances that led to the accidental violation may have been overlooked in a risk assessment. Your report could help your employer fill a gap in their compliance efforts which – if left unfilled – may lead to further accidental violations with more serious consequences.

What happens if someone accidentally, or unknowingly, violates the Privacy Rule?

These are really two different questions. If somebody accidentally violates the Privacy Rule, it is better for them to admit the error so potential consequences can be preempted (i.e., a complaint to HHS' Office for Civil Rights). If somebody unknowingly violates the Privacy Rule, how do they know they have violated it unless a colleague or supervisor tells them? If the person finds out later they have accidentally violated the Privacy Rule, the previous answer applies.

Why would a report of an accidental HIPAA violation need to be sent to OCR?

A report of an accidental HIPAA violation only needs to be sent to the Department of Health and Human Services' Office for Civil Rights (OCR) if it results in the unauthorized disclosure of unsecured PHI – for example, an email containing PHI being sent to the wrong patient. An accidental violation of HIPAA that does not result in a data breach does not have to be reported to OCR.

What is an example of an accidental violation of HIPAA that does not need reporting?

Patients must be given the opportunity to object to their religious affiliation being disclosed to members of the clergy. If a patient is not given the opportunity to object, it is a violation of HIPAA. However, if the patient's religious affiliation is not disclosed to a member of the clergy, no data breach of unsecured PHI has occurred, and it is not necessary to report the violation to OCR.

What is the difference between an accidental disclosure and an incidental disclosure?

An accidental disclosure of PHI is an unintended disclosure – such as sending an email containing PHI to the wrong patient. An incidental disclosure is a by-product of a permissible disclosure – such as a hospital visitor overhearing a discussion about a patient's healthcare. An incidental disclosure is not considered to be a violation of HIPAA by OCR if the disclosure could not reasonably be prevented, if it was limited in nature, and if it occurs as a result of a disclosure permitted by the Privacy Rule.

What is the “burden of proof” in the Breach Notification Rule?

Prior to the Final Omnibus Rule in 2013, OCR had to prove a data breach resulted in a “significant risk of financial, reputational or other harm for the individual” before taking enforcement action. Since 2013, the burden of proof has shifted to Covered Entities and Business Associates – who can only refrain from reporting a breach if it can be proven there is a low probability PHI has been compromised in the breach (like the three exceptions to accidental HIPAA violations above).

Can OCR issue financial penalties to Business Associates for accidental HIPAA violations?

In May 2019, OCR issued a notice clarifying the circumstances in which a Business Associate is considered to be directly liable for a HIPAA violation; and, although it is hard to conceive how a HIPAA violation by a Business Associate might be accidental in these circumstances, the potential exists for Business Associates to be issued a financial penalty or required to comply with a corrective action plan.

The post How Should You Respond to an Accidental HIPAA Violation? appeared first on HIPAA Journal.

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Should covered entities monitor business associates for HIPAA compliance, or is it sufficient just to obtain a signed, HIPAA-compliant business associate agreement?

If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate.

It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity.

A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an organization-wide risk analysis, has developed a risk management plan, and is reducing risks to an acceptable and appropriate level.

If information is provided to a covered entity which suggests noncompliance, a covered entity must act on that information. The failure of a covered entity to take appropriate action to resolve a known breach of HIPAA Rules by a business associate would be a violation of HIPAA Rules. If the business associate cannot resolve that breach, it is the responsibility of the covered entity to terminate the business associate agreement (45 CFR § 164.504(e)).

A covered entity will be in violation of HIPAA Rules if it “knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation.” If termination of the BAA is not feasible, the problem must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Even though a covered entity is not liable for business associate HIPAA violations, any business associate breach is likely to reflect badly on the covered entity and is likely to cause harm to its patients or members. It is therefore in the interests of both parties to ensure HIPAA Rules are being followed. It may help to provide business associates with a HIPAA compliance checklist to assist them with their compliance efforts, and access to other resources to help them prevent breaches and mitigate risk.

The post Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance? appeared first on HIPAA Journal.

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule – Administrative Simplification: Certification of Compliance for Health Plans – was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has been withdrawn.

Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administration simplification standards for three electronic transactions: Eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The failure to comply with the new rule would have resulted in financial penalties for CHPs.

Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them directly, although a significant burden would have been placed on self-funded employers by the rule change. Following publication of the proposed rule in the federal register in January 2014, HHS received more than 72 public comments. After examining those comments, the HHS made the decision to withdraw the proposed rule.

HHS will be re-examining the issues raised in the comments and will be exploring options and alternatives to comply with statutory requirements.

The Secretary of the HHS explained that regulations have already been established for compliance with HIPAA administration simplification standards, and enforcement of compliance with those standards. While the proposed rule has been withdrawn, the HHS has confirmed that covered entities are still required to comply with 45 CFR parts 160 and 162.

The post Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS appeared first on HIPAA Journal.