HIPAA Compliance News

HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot

Posted by HIPAA Journal

The Department of Health and Human Services is running a HIPAA Administrative Simplification Optimization Project Pilot and is currently seeking volunteers to have compliance reviews. The aim of the pilot is to streamline HIPAA compliance reviews for health plans and healthcare clearinghouses.

Currently, a variety of different data formats are used for conducting electronic transitions. That variety can cause problems when transferring and sharing data. If communications about billing and insurance related matters are streamlined and healthcare organizations comply with the HIPAA Administrative Simplification transaction standards, providers and health plans can devote fewer resources to these tasks. Compliance with the Administrative Simplification transaction standards will also reduce the burden on compliant entities having to exchange healthcare data with trading partners that are not compliant.

According to the 2016 CAQH Index, industry-wide compliance with the HIPAA Administrative Simplification transaction standards could result in savings of almost $9 billion each year for the healthcare industry. However, for those savings to be made, there must be industry-wide compliance.

One of the ways that the HHS can help to make these savings is by conducting proactive compliance reviews. The purpose of the reviews is to help health plans and other healthcare organizations take action to ensure compliance.

The reviews are not intended to identify noncompliance in order to punish healthcare organizations, instead the aim is to help covered entities comply with the Administrative Simplification transaction standards. According to a recent email communication from the Centers for Medicare and Medicaid Services (CMS), there will be “a progressive penalty process with the goal of remediation, not punishment.”

The reviews will commence with a pilot, for which the HHS is now seeking volunteers. In total, the HSS requires six volunteer organizations for the HIPAA Administrative Simplification Optimization Project pilot – three health plans and three healthcare clearinghouses. Organizations that participate in the pilot will be subjected to a review of their transactions to assess compliance with the HIPAA Administrative Simplification standards, and will cover code sets, adopted standards, unique identifiers, and operating rules.

Health plans and clearinghouse that join the HIPAA Administrative Simplification Optimization Project pilot will be able to verify compliance or identify noncompliance issues.  The compliance reviews will start in January 2018 and will inform the rollout of the Administrative Simplification Optimization Program.

The reviews will require volunteer organizations to submit electronic transaction files, which will be reviewed and tested by the HHS. The HHS suggests the process of submitting electronic files for review should take no longer than 10 hours. Further details of the pilot reviews will be supplied to participants that are selected to take part in the pilot.

Once the reviews have been conducted, all participants that have successfully passed a review will be provided with a certificate by the HHS, which volunteers will be able to share with their partners and business associates.

If non-compliance is discovered, the HHS will provide guidance on areas for optimization and a corrective action plan will need to be developed by the volunteers to address compliance issues.

Any organization that takes part in the pilot will not be selected for a further review for one year following the launch of the HHS Administrative Simplification Optimization Program.

The HHS is accepting applications for the HIPAA Administrative Simplification Optimization Project pilot by email – HIPAAcompliant@cms.hhs.gov – with volunteers chosen from the pool of applicants that have applied by December 13, 2017. All organizations that apply will be notified whether they have been selected or not by December 27, 2017.

The post HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot appeared first on HIPAA Journal.

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

Posted by HIPAA Journal

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI.

When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to login to systems remotely after their employment has come to an end.

If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of both.

In its November cybersecurity newsletter, OCR has drawn attention to the risk of these types of insider threats and explains the importance of implementing effective identity and access management policies.

When an employee is terminated or quits, access to PHI must be terminated immediately, preferably before the individual has left the building. There are several ways that access to PHI can be terminated, although most commonly this is achieved by deleting user accounts.

While the employee’s account must be terminated, covered entities must also ensure that other accounts that the employee had access to are secured. Passwords for administrative or privileged accounts should also be changed.

In addition to terminating user accounts to prevent unauthorized accessing of electronic protected health information, OCR reminds covered entities and business associates of the need to also terminate physical access to facilities and health records. Keys and keycards must be returned, users should be removed from access lists, security codes should be changed, and ID cards returned.

If an employee has been issued with a laptop, mobile phone, or other electronic device, they must be recovered. If there is a BYOD policy and employees have been allowed to use their own devices to access or store ePHI, personal devices must be purged.

Since employees may have access to multiple accounts, logs should be created whenever access to PHI or systems is granted, privileges are increased, or equipment is issued. The logs can be used to make sure all accounts are secured and all equipment can be retrieved.

OCR suggests developing a set of standard procedures that can be applied and followed whenever an employee or other workforce member quits or is terminated. A checklist is a good way to ensure that nothing is missed.

Identity and access management policies will only be effective if they are followed 100% of the time. To ensure that is the case, covered entities and business associates should consider conducting audits to confirm procedures are being followed. Audits should also include checking user logs to ensure former employees are not continuing to access systems and data after their employment has been terminated.

Further tips to prevent unauthorized accessing of PHI and ePHI by former employees can be found on this link.

The post Effective Identity and Access Management Policies Help Prevent Insider Data Breaches appeared first on HIPAA Journal.

Cottage Health Fined $2 Million By California Attorney General’s Office

Posted by HIPAA Journal

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws.

Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google.

The sensitive information of more than 50,000 patients was available online, without any need for authentication such as a password and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was unsecured.

As is required under state laws, the incident was reported to state attorney general Kamala D. Harris. Two years later, while the attorney general’s office was investigating the incident, Cottage Health experienced a second breach. The second breach involved the records of 4,596 patients, and similarly, were left exposed and accessible online without any need for authentication.

The information was accessible for almost two weeks before the error was identified and protections put in place to prevent unauthorised access. The information exposed in the second breach included personally identifiable information and protected health information such as names, addresses, medical record numbers, account numbers, employment information, Social Security numbers, and admission and discharge dates.

Cottage Health claims that while both incidents resulted in the exposure of patient data, there are no indications to suggest any patient information was used inappropriately. The breaches prompted Cottage Health to review its information security controls and strengthen its policies, procedures, and security protections to prevent similar breaches from occurring in the future. In each case, the health network’s security teams acted quickly to limit harm and secure the exposed information. New system monitoring tools have now been implemented, and advanced security solutions are in place that allow vulnerabilities to be identified and mitigated much more rapidly.

The response to the breach may have been reasonable and appropriate, and protections now far better, but it is the lack of protections leading up to the data breaches that warranted a financial penalty. The California state attorney general’s office alleges that Cottage Health breached California’s Confidentiality of Medical Information Act, its Unfair Competition Law, and HIPAA Rules were also violated. According to the complaint, “Cottage failed to employ basic security safeguards.” Cottage Health was running outdated software, patches were not applied promptly, default configurations had not been changed, strong passwords were not used, access to sensitive PII was not limited, and regular risk assessments were not conducted.

Announcing the settlement, California Attorney General Xavier Becerra said, “When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra explained that “The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”

In addition to the $2 million settlement, Cottage Health is required to update and maintain information security controls and ensure security practices and procedures match industry standards.

Specifically, the judgement requires Cottage Health to:

  • Assess hardware and software for vulnerabilities to the confidentiality, integrity, and availability of patients’ medical information.
  • Update access controls and security settings as appropriate
  • Evaluate the response to and protections from external threats, including firewall security
  • Encrypt patients’ medical information in transit to industry standards
  • Maintain reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plan
  • Conduct periodic vulnerability scans and penetration tests to identify and assess vulnerabilities, and remediate any vulnerabilities discovered
  • Conduct employee training on the correct use and storage of patients’ medical information.

The post Cottage Health Fined $2 Million By California Attorney General’s Office appeared first on HIPAA Journal.

Is Slack HIPAA Compliant?

Posted by HIPAA Journal

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation?

Is Slack HIPAA Compliant?

There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant.

Since its launch, Slack has not been HIPAA compliant, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid.

In 2017, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”

Slack Enterprise Grid was announced at the start of 2017. It should be noted that Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees.

Slack Enterprise Grid incorporates several security features that support HIPAA compliance. Those features include data encryption at rest and in transit, customer message retention to create an audit trail, and support for data loss prevention to ensure that audit trail is maintained.

Slack Enterprise Grid creates detailed access logs, and administrators can remotely terminate connections and sign users out from all connected devices. Team owners can delete all customer data within 24 hours – useful for when users leave the company. Slack also includes team-wide two-factor authentication, creates offsite backups, and is compliant with NIST standards, as well as SOC2 and SOC3.

As Slack explains on its website, “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant.”

On February 4, 2018, Slack confirmed on Twitter that the only version of the platform that supports HIPAA compliance is Enterprise Grid. Slack has also recently updated its website to confirm that it supports HIPAA compliance and can be used to share patients’ protected health information securely.

is Slack HIPAA compliant

At present (February 2019), the platform only supports HIPAA compliance for file uploads. Use of its direct messaging and channel communications features are not compliant and cannot be used in connection with PHI. Those features are expected to be made HIPAA compliant later in 2019.

So is Slack HIPAA compliant? No. Is Slack Enterprise Grid HIPAA compliant? It can be.

However, before Slack Enterprise Grid can be used by healthcare organizations for any activities involving PHI, there is the matter of the HIPAA business associate agreement (BAA).

Will Slack Sign a Business Associate Agreement?

A business associate agreement must be signed with a company prior to its platform being used to send or receive protected health information (PHI). And as Slack points out on its website, “Customer must not use, disclose, transmit or otherwise process any “Protected Health Information” as defined in HIPAA.”

Slack also states that, “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate,” suggesting Slack is prepared to sign a BAA for Slack Enterprise Grid.

However, the BAA is not universally offered and is not available on the Slack website. Healthcare organizations considering using Slack Enterprise Grid must contact Slack and request a copy, and scrutinize the BAA – if one is offered.

With a signed BAA, healthcare organizations must then carefully configure the platform. An audit trail must be maintained, user logins carefully set up, policies and procedures developed covering the use of the platform, and staff must be trained. The eDiscovery function must also be activated.

Even with a BAA in place, it will be possible for Slack Enterprise Grid to be used in a manner that is not HIPAA compliant.

 

 

The post Is Slack HIPAA Compliant? appeared first on HIPAA Journal.

October 2017 Healthcare Data Breaches

Posted by HIPAA Journal

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

October 2017 healthcare data breaches by covered entity type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8 hacking incidents, four cases of theft, and one unencrypted laptop computer was lost.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records – Over twice the number of records exposed by unauthorized access/disclosures and hacking/IT incidents exposed more records than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Chase Brexton Health Care Healthcare Provider Hacking/IT Incident 16,562
East Central Kansas Area Agency on Aging Business Associate Hacking/IT Incident 8,750
Brevard Physician Associates Healthcare Provider Theft 7,976
MHC Coalition for Health and Wellness Healthcare Provider Theft 5,806
Catholic Charities of the Diocese of Albany Healthcare Provider Hacking/IT Incident 4,624
MGA Home Healthcare Colorado, Inc. Healthcare Provider Hacking/IT Incident 2,898
Orthopedics NY, LLP Healthcare Provider Unauthorized Access/Disclosure 2,493
Mann-Grandstaff VA Medical Center Healthcare Provider Theft 1,915
Arch City Dental, LLC Healthcare Provider Unauthorized Access/Disclosure 1,716
John Hancock Life Insurance Company (U.S.A.) Health Plan Unauthorized Access/Disclosure 1,715

The post October 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

5 Year Jail Term Upheld for Clinic Worker Who Stole PHI

Posted by HIPAA Journal

A clinic worker who stole the protected health information of mentally ill patients and sold the data to identity thieves has failed to get his 5-year jail term reduced.

Jean Baptiste Alvarez, 43, of Aldan, PA, stole daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility in Philadelphia. The census sheets contained all the information needed to steal the identities of patients and submit fraudulent tax returns in their names – Names, Social Security numbers, dates of birth and other personally identifiable information.

Alvarez had the opportunity to steal the data undetected, as the floor where the sheets were kept did not have security cameras.

Alvarez was paid $1,000 per census sheet by his to-co-conspirators, who used the information to submit 164 fraudulent tax returns in the names of the patients, resulting in a loss of $232,612 in tax revenue for the IRS.

In early 2016, Alvarez was found guilty of conspiracy to defraud, misuse of Social Security numbers, and aggravated identity theft. The latter carried a minimum sentence of 2 years. The maximum sentence for all counts was 24 years in jail, a maximum of three years of supervised release, and potentially a fine.

Judge Michael M. Baylson invoked the vulnerable victim enhancement, and Alvarez was sentenced to 5 years in jail for his crimes, 3 years of supervised release, was ordered to pay $266,985 in restitution, and a $500 special assessment fine.

Alvarez appealed the sentence claiming it was excessively harsh as his victims were not “vulnerable.” He also explained that he did not target the patients because they were mentally ill and had drug addiction issues. He only stole the information because he had access to it.

However, the U.S. Court of Appeals for the Third Circuit rejected his appeal to have the sentence reduced, ruling that Alvarez’s argument was without merit. The victims were suffering from mental health and addition issues and were vulnerable.  Judge D. Michael Fisher also noted that since the patients were not working, the IRS was unlikely to detect the fraud as there would not be any duplicate claim. The patients would similarly be unlikely to discover they had been defrauded due to their mental health issues. The 5-year jail term stands.

The case serves as a warning to healthcare workers that the theft of patients’ personal information can result in lengthy jail terms. The Department of Justice is aggressively pursuing cases of PHI theft, identity theft, and tax fraud, and is punishing criminals to the full extent of the law.

The post 5 Year Jail Term Upheld for Clinic Worker Who Stole PHI appeared first on HIPAA Journal.

How to Handle A HIPAA Privacy Complaint

Posted by HIPAA Journal

Healthcare providers need to be prepared to deal with a HIPAA privacy complaint from a patient. In order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly.

Patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices.

A HIPAA Privacy Complaint Should be Taken Seriously

When a HIPAA privacy complaint is filed, it is important that it is dealt with quickly and efficiently. Fast action will help to reassure patients that that you treat all potential privacy and security violations seriously.

While patients may be annoyed or upset that an error has been made, in many cases, patients are not looking to cause trouble. They want the issue to be investigated, any risks to be mitigated, the problem to be addressed to ensure it does not happen again, and in many cases, they seek an apology. If the complaint is dealt with quickly and efficiently, it may not be taken any further.

If a verbal complaint is made, the patient should be asked to submit the complaint in writing. You should provide a form for the patient to do this. The HIPAA privacy complaint form can then be passed on to your Privacy Officer to investigate.

Investigate All Complaints and Take Prompt Action

All HIPAA privacy complaints should be investigated to determine who was involved, and how the privacy of the patient was violated. The privacy breach may not be a one-off mistake. It could be an indication of a widespread problem within your organization. The Privacy Officer must identify the root cause of the privacy violation and take action to ensure that any issues are corrected to prevent similar privacy breaches from occurring in the future.

All individuals involved in the breach must be identified and appropriate action taken – disciplinary action and/or additional training. A report of the incident should be given to law enforcement if a crime is suspected, and policies and procedures may need to be updated to introduce new safeguards to prevent a recurrence.

The Privacy Officer will need to determine whether there has been a HIPAA breach, and if the incident must be reported. The investigation must determine whether any other patients are likely to have had their privacy violated. If so, they will need to be notified within 60 days.

If a HIPAA breach has occurred, the Breach Notification Rule requires covered entities to report the breach to OCR without unnecessary delay. State laws may also require healthcare organizations to notify appropriate state attorneys general of the breach.

A breach impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach, and within 60 days of year end for smaller breaches. The failure to investigate promptly may see that deadline missed. In 2017, OCR issued its first HIPAA penalty solely for a Breach Notification Rule violation.

It is important that all stages of the complaint and investigation are documented. Those documents are likely to be requested in the event of an audit or investigation by OCR or state attorneys general. If any documents are missing, that aspect of the complaint investigation cannot be easily proven to have taken place.

Once the investigation into the HIPAA privacy complaint has been completed, it is important to report back to the complainant and explain that their complaint has been investigated, and the actions taken to mitigate harm and prevent similar incidents from occurring in the future should be explained.

Summary of How to Correctly Handle a HIPAA Complaint

  • Request the HIPAA privacy complaint is made in writing
  • Pass the compliant to the Privacy Officer
  • Privacy Officer should find out who was involved and what PHI was breached
  • The root cause of the breach must be established
  • Action should be taken to mitigate harm
  • Pass information to HR to take disciplinary action against employees (if appropriate)
  • Report the breach to law enforcement (if appropriate)
  • Policies and procedures should be updated to prevent a recurrence
  • Retrain staff
  • Determine whether the breach is a reportable incident
  • Collate all documentation in relation to the breach and investigation
  • Contact the complainant and explain the findings of the investigation

If the breach is determined to be a reportable incident

  • Submit a breach report to OCR
  • Submit breach reports to appropriate state attorneys general
  • Provide a toll-free number for patients to find out more information
  • Notify all affected individuals by mail
  • Post a breach notice in a prominent place on the home page of your organization’s website for 90 days if current contact information for 10 or more individuals is not held

If the breach is discovered to affect more than 500 individuals

  • Issue a press release to a prominent media outlet

Privacy Violations Can Result in Financial Penalties

When patients believe their privacy has been violated, or HIPAA Rules have been breached, they may report the incident to the Department of Health and Human Services’ Office for Civil Rights. Some patients may choose to take this course of action rather than contact the covered entity concerned.

OCR is likely to take an interest in an organization’s HIPAA policies covering privacy complaints. Financial penalties await organizations that do not have documented policies and procedures in place, and the penalties for HIPAA violations can be severe.

OCR wants to see that complaints are treated seriously, they are adequately investigated and resolved, and that prompt action is taken to ensure they do not happen again. A fast and efficient response to a HIPAA privacy complaint – and correction of any HIPAA violations uncovered – will reduce the risk of a HIPAA violation penalty, and the amount of the penalty if it cannot be avoided.

The post How to Handle A HIPAA Privacy Complaint appeared first on HIPAA Journal.

Is Google Hangouts HIPAA Compliant?

Posted by HIPAA Journal

Is Google Hangouts HIPAA compliant? Can Google Hangouts be used by healthcare professionals to transmit and receive protected health information (PHI)?

Is Google Hangouts HIPAA Compliant?

Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that incorporates four different elements: Video chat, SMS, VOIP, and an instant messaging service.

Google will sign a business associate agreement for G Suite, which currently covers the following Google core services

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (If applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

The Business Associate Agreement does not cover Google Groups, Google Contacts, and Google+, none of which can be used in conjunction with protected health information. Google also advises users to disable the use of non-core services in relation to G suite – for example YouTube, ​Blogger ​and Google ​Photos.

So, certain elements of Google Hangouts are HIPAA compliant and can be used by HIPAA covered entities without violating HIPAA Rules, provided that prior to the use of the services with PHI, the covered entity has entered into a business associate agreement with Google.

However, even with a BAA in place, not all elements of Google Hangouts are HIPAA compliant, so covered entities must exercise caution. Video chat for instance, is not covered by the BAA so cannot be used, and neither the SMS and VOIP options.

To help make Google Hangouts HIPAA compliant, Google has released a guide for healthcare organizations.

Google Hangouts HIPAA Compliance Depends on Users

If you decide to allow the use of Google Hangouts in your organization, it important to address the allowable uses of Google Hangouts with respect to PHI through policies and procedures. Staff must be trained on the correct use of the platform, and instructed which elements of Google Hangouts can be used and which are prohibited. If video chat is important for your organization, you should seek a HIPAA-compliant alternative platform.

As we have mentioned in a previous post, simply obtaining a BAA from Google is no guarantee of HIPAA compliance – that will depend on how Google services are configured and how they are used – See this page for further information of G Suite HIPAA Compliance.

Don’t Forget to Implement Additional Safeguards for Mobile Devices

One area where HIPAA-covered entities could easily violate HIPAA Rules is the use of Google Hangouts on mobile devices. Google does have excellent security controls that can alert users to potential unauthorized access of their Google account. These should be configured to ensure inappropriate access attempts are identified rapidly. Controls should also be implemented on mobile devices to ensure that the devices are protected in case of loss or theft.

Access controls on the device should be implemented to prevent the device, and any ePHI stored on it, from being easily accessed. Policies and procedures should also be developed to ensure lost and stolen devices are reported promptly, and actions taken to secure accounts. It is also recommended to implement controls that allow lost and stolen devices to be located, locked, and remotely wiped.

The post Is Google Hangouts HIPAA Compliant? appeared first on HIPAA Journal.

President Trump Nominates Alex Azar for HHS Secretary

Posted by HIPAA Journal

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration.

President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!”

The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country.

While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice.

Alex Azar is a trained lawyer, but has spent the past ten years working in the pharmaceutical industry – an industry regulated by the HHS. In 2007, Azar joined pharmaceutical giant Eli Lilly taking on the role of senior vice president of corporate affairs and communications before becoming the head of the U.S. division of the firm until January 2017, when he left to start up his own consulting firm.

The nomination of Azar has raised many eyebrows. While President Trump has tweeted that he sees Azar as the man to help lower drug prices, Eli Lilly has attracted considerable criticism in the past for hikes in drug prices, notably for price rises to Insulin, one of the firm’s major pharmaceutical products. President Trump has previously claimed the pharmaceutical industry is ‘getting away with murder’ setting prices for their products.

Democrats have already expressed skepticism about how Azar would be able to help lower healthcare costs, not sharing Trump’s optimistic view that Azar can help drive prices down.

Azar has also been a harsh critic of the Affordable Car Act, sharing President’s Trump’s view that the ACA should be repealed. Despite repeated attempts, the failure to repeal ACA will mean that if appointed, Azar will be responsible for overseeing enforcement of the ACA.

Before Azar can take the helm of the Department of Health and Human Services, he must first be approved by Congress. Azar’s record while serving in the pharmaceutical industry is certain to be scrutinized, as will his commitment to enforcing the Affordable Care Act that he has previously strongly opposed.

The post President Trump Nominates Alex Azar for HHS Secretary appeared first on HIPAA Journal.