HIPAA Compliance News

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA-covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is an accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond?

How Should Employees Report an Accidental HIPAA Violation?

Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, if an email containing PHI is sent to the wrong person, or if any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer.

The first thing a Privacy Officer should determine is whether the accidental HIPAA violation is indeed a HIPAA violation or a violation of the organization's policies. For example, forgetting to document a patient's agreement to be included in a hospital directory is not a violation of HIPAA but could be a violation of the hospital's policies.

If the accidental violation is indeed a violation of HIPAA, the Privacy Officer will need to determine whether or not the violation constitutes an impermissible use or disclosure that qualifies as a data breach.

If so, the Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a HIPAA risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR).

When reporting, you should explain that a mistake was made and what has happened, including which patient's records were viewed or disclosed. Failure to report such a breach promptly can turn a simple error into a major incident, one that could result in disciplinary action and, potentially, penalties for your employer.

How Should Covered Entities Respond to an Accidental HIPAA Violation?

Any accidental HIPAA violation that may qualify as a data breach must be treated seriously and warrants a risk assessment to determine the probability of PHI having been compromised, the level of risk to individuals whose PHI has potentially been compromised, and the risk of further disclosures of PHI.

The risk assessment should determine:

  • The nature of the breach
  • The person who viewed or acquired PHI
  • The types of information involved
  • The patients potentially impacted
  • To whom information has been disclosed
  • The potential for re-disclosure of information
  • Whether PHI was actually acquired or viewed
  • The extent to which risk has been mitigated

Following the risk assessment, risk must be managed and reduced to an appropriate and acceptable level. The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) also requires notifications to be issued. Not all breaches of PHI are reportable. There are three exceptions when there has been an accidental HIPAA violation.

1) An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.

Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.

2) An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.

Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of a different patient is disclosed.

3) If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Example: A physician gives X-ray films or a medical chart to a person not authorized to view the information but realizes that a mistake has been made and retrieves the information before it is likely that any PHI has been read and information retained.

In each case, while breach notifications are not required, any member of staff that finds themselves in one of the above situations should still report the incident to their Privacy Officer.

In all other cases when there has been a breach of unsecured PHI, the incident must be reported to OCR, and individuals impacted by the breach should be notified within 60 days of the discovery of the breach. HIPAA breach reporting requirements have been summarized here.

Examples of Unintentional HIPAA Violations

Lost or stolen USB flash drives could be considered by some to be examples of unintentional HIPAA violations as nobody intended for the USB flash drives to be lost or stolen. However, the loss or theft could have been reasonably foreseen and potential breaches of ePHI avoided by encryption. The following examples of unintentional HIPAA violations were less foreseeable.

In 2022, an investigation was conducted by The Markup into the use of third-party tracking technologies on hospital websites, namely a code snippet provided by Meta Platforms called Meta Pixel. The code snippet is used for tracking visitor activity on websites and provides insights into how the website users are accessing the sites. The data provided can be used to improve the website, services, and user experience. The analysis was conducted on the top 100 hospitals in the United States, and one-third were found to have used the code on their websites. The problem? The code was transmitting individually identifiable information to Meta, which could potentially be used to serve Facebook users with targeted advertisements related to their health conditions. No business associates were in place, no patient authorizations were obtained, and those disclosures were therefore impermissible under HIPAA. The code acted as it should. The problem was where it was added and how it was configured. Several hospitals and health systems accidentally violated HIPAA as a result, including Novant Health, WakeMed Health and Hospitals, and Advocate Aurora Health. Millions of patients of these and other healthcare providers have been affected.

In May 2017, Olivia O'Leary, a twenty-four-year-old medical technician, claims to have been dismissed from her job at the Onslow Memorial Hospital in Jacksonville, NC, after commenting on a Facebook post. Her warning that the victim of an auto accident should have worn a seat belt was not seen by her employer as a reminder to always wear a seatbelt, O'Leary alleges, but rather as a HIPAA violation.

In April 2016, the Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for contracting an outside vendor to convert X-ray films to digital form and then allowing the vendor to harvest the silver from the films. The clinic's error was not having a Business Associate Agreement in place; as well as the fine, the clinic had to implement a Corrective Action Plan overseen by OCR.

The Dallas, TX-based dental practice Elite Dental Associates responded to a post by a patient on the Yelp review website. The patient who posted on the site had identified herself as a patient of the practice, but when the practice responded, information was included in the post that revealed her health condition, treatment plan, insurance, and payment information. In October 2019 the practice was fined $10,000 for the HIPAA violation.

If an intern requires access to systems containing protected health information and a colleague allows their own credentials to be used, the intern can get the information they need to complete their work tasks. However, the sharing of login credentials is not permitted by HIPAA as it makes it impossible to track information system activity accurately. The sharing of login credentials contributed to a $202,400 financial penalty for the City of New Haven in Connecticut.

The HIPAA Right of Access provision of the HIPAA Privacy Rule gives patients the right to obtain a copy of their health information. There is an exception to this right concerning psychotherapy notes, which should not be provided. Riverside Psychiatric Medical Group received such a request from a patient and did not provide a copy of the requested records. Not providing psychotherapy notes doesn’t violate HIPAA but failing to respond to the request and notify the patient why the records are not being provided does. In such cases, records can be provided minus the psychotherapy notes. In November 2020, OCR fined the practice $25,000.

In a further example of an unintentional HIPAA violation listed on the OCR's website, staff were required to undergo HIPAA training when one member of staff discussed HIV testing procedures with a patient in a waiting room, disclosing the patient's PHI to other patients in the waiting room. After the OCR investigation, computer monitors were also repositioned to prevent the accidental disclosure of PHI.

How Should Business Associates Respond to an Accidental HIPAA Violation?

The correct response to an accidental HIPAA violation should be detailed in your business associate agreement. The HIPAA Rules require all accidental HIPAA violations and security incidents that result in data breaches to be reported to the covered entity within 60 days of discovery, although the covered entity should be notified as soon as possible and notification should not be unnecessarily delayed. Business associates should provide their covered entity with as many details of the accidental HIPAA violation or breach as possible to allow the covered entity to make a determination on the best course of action to take.

Accidental HIPAA Violations: FAQs

Can I get fired for an accidental HIPAA violation?

Although it sounds unlikely that a member of the workforce is fired for an accidental HIPAA violation, this will depend on the nature of the violation, its consequences, and the content of your employer's sanctions policy. It may also be the case that you have a history of accidental HIPAA violations and have received prior warnings about what might happen when you next violate HIPAA.

What happens if you accidentally violate HIPAA and nobody notices?

If you accidentally violate HIPAA, and nobody notices, it is still in your best interest to report it. Not only will your report indicate your willingness to be a compliant employee, but the circumstances that led to the accidental violation may have been overlooked in a risk assessment. Your report could help your employer fill a gap in their compliance efforts which – if left unfilled – may lead to further accidental violations with more serious consequences.

What happens if someone accidentally, or unknowingly, violates the Privacy Rule?

These are really two different questions. If somebody accidentally violates the Privacy Rule, it is better for them to admit the error so potential consequences can be preempted (i.e., a complaint to HHS' Office for Civil Rights). If somebody unknowingly violates the Privacy Rule, how do they know they have violated it unless a colleague or supervisor tells them? If the person finds out later that they have accidentally violated the Privacy Rule, the previous answer applies.

Why would a report of an accidental HIPAA violation need to be sent to OCR?

A report of an accidental HIPAA violation only needs to be sent to the Department of Health and Human Services' Office for Civil Rights (OCR) if it results in the unauthorized disclosure of unsecured PHI, for example an email containing PHI being sent to the wrong patient. An accidental violation of HIPAA that does not result in a data breach does not have to be reported to OCR.

What is an example of an accidental violation of HIPAA that does not need reporting?

Patients must be given the opportunity to object to their religious affiliation being disclosed to members of the clergy. If a patient is not given the opportunity to object, it is a violation of HIPAA. However, if the patient's religious affiliation is not disclosed to a member of the clergy, no data breach of unsecured PHI has occurred, and it is not necessary to report the violation to OCR.

What is the difference between an accidental disclosure and an incidental disclosure?

An accidental disclosure of PHI is an unintended disclosure, such as sending an email containing PHI to the wrong patient. An incidental disclosure is a by-product of a permissible disclosure, such as a hospital visitor overhearing a discussion about a patient's healthcare. An incidental disclosure is not considered to be a violation of HIPAA by OCR if the disclosure could not reasonably have been prevented, if it was limited in nature, and if it occurred as a result of a disclosure permitted by the Privacy Rule.

What is the “burden of proof” in the Breach Notification Rule?

Prior to the Final Omnibus Rule in 2013, OCR had to prove a data breach resulted in a “significant risk of financial, reputational or other harm for the individual” before taking enforcement action. Since 2013, the burden of proof has shifted to Covered Entities and Business Associates – who can only refrain from reporting a breach if it can be proven there is a low probability PHI has been compromised in the breach (like the three exceptions to accidental HIPAA violations above).

Can OCR issue financial penalties to Business Associates for accidental HIPAA violations?

In May 2019, OCR issued a notice clarifying the circumstances in which a Business Associate is considered to be directly liable for a HIPAA violation; and, although it is hard to conceive how a HIPAA violation by a Business Associate might be accidental in these circumstances, the potential exists for Business Associates to be issued a financial penalty or required to comply with a corrective action plan.

The post How Should You Respond to an Accidental HIPAA Violation? appeared first on HIPAA Journal.

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Should covered entities monitor business associates for HIPAA compliance, or is it sufficient just to obtain a signed, HIPAA-compliant business associate agreement?

If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate.

It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity.

A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an organization-wide risk analysis, has developed a risk management plan, and is reducing risks to an acceptable and appropriate level.

If information is provided to a covered entity which suggests noncompliance, the covered entity must act on that information. The failure of a covered entity to take appropriate action to resolve a known breach of HIPAA Rules by a business associate would be a violation of HIPAA Rules. If the business associate cannot resolve that breach, it is the responsibility of the covered entity to terminate the business associate agreement (45 CFR § 164.504(e)).

A covered entity will be in violation of HIPAA Rules if it “knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation.” If termination of the BAA is not feasible, the problem must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Even though a covered entity is not liable for business associate HIPAA violations, any business associate breach is likely to reflect badly on the covered entity and is likely to cause harm to its patients or members. It is therefore in the interests of both parties to ensure HIPAA Rules are being followed. It may help to provide business associates with a HIPAA compliance checklist to assist them with their compliance efforts, and access to other resources to help them prevent breaches and mitigate risk.

Proposed Rule for Certification of Compliance for Health Plans Withdrawn by HHS

In January 2014, the HHS proposed a new rule for certification of compliance for health plans. The rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate compliance with electronic transaction standards set by the HHS under HIPAA Rules. The main aim of the proposed rule, Administrative Simplification: Certification of Compliance for Health Plans, was to promote more consistent testing processes for CHPs. The HHS has now announced that the proposed rule has been withdrawn.

Had the proposed rule made it to the final rule stage, CHPs would have been required to demonstrate compliance with HIPAA administration simplification standards for three electronic transactions: Eligibility for a health plan, health care claim status, and health care electronic funds transfers (EFT) and remittance advice. The failure to comply with the new rule would have resulted in financial penalties for CHPs.

Most employers’ health plans were handled by their insurance carriers, so the proposed rule would not have affected them directly, although a significant burden would have been placed on self-funded employers by the rule change. Following publication of the proposed rule in the federal register in January 2014, HHS received more than 72 public comments. After examining those comments, the HHS made the decision to withdraw the proposed rule.

HHS will be re-examining the issues raised in the comments and will be exploring options and alternatives to comply with statutory requirements.

The Secretary of the HHS explained that regulations have already been established for compliance with HIPAA administration simplification standards, and enforcement of compliance with those standards. While the proposed rule has been withdrawn, the HHS has confirmed that covered entities are still required to comply with 45 CFR parts 160 and 162.

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI).

However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed.

A Business Associate Agreement Does Not Guarantee HIPAA Compliance

Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers.

Obtaining a signed, HIPAA-compliant business associate agreement prior to uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly.

As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Configure your account correctly and your data will be secure. Make a mistake and data will be exposed and you could easily violate HIPAA Rules.

Misconfigured Secure Cloud Storage Services

When it comes to secure cloud storage, many organizations believe their cloud environments have been secured, but that is often not the case. How many businesses are leaving data exposed? According to a recent study by cloud threat defense firm RedLock, more than half of businesses have made mistakes that have exposed sensitive data in the cloud.

The report reveals many organizations are not following established security best practices, such as using multi-factor authentication for all privileged account users. To make matters worse, many businesses are failing to monitor their cloud environments which means data is being exposed, but not detected.

The problem appears to be getting worse. RedLock’s last analysis for Q2 revealed 40% of businesses had misconfigured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3) for example. A new analysis, published in its latest Cloud Security Trends Report, shows that percentage jumped to 53% between June and September 2017.

Key Findings

  • 53% of organizations have at least one exposed cloud storage service
  • 38% of users exposed data through compromised administrative user accounts
  • 81% are not managing host vulnerabilities in the cloud
  • 37% of databases accept inbound connection requests from suspicious IP addresses
  • 64% of databases are not encrypted
  • 45% of Center for Internet Security (CIS) compliance checks are failed
  • 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks fail
  • 250 organizations were found to be leaking credentials to their cloud environments on internet-facing web servers

Cloud Misconfigurations Result in Data Breaches

One need look no further than the widespread misconfigured MongoDB installations that were discovered by hackers in January 2017. Misconfigured databases were plundered, data deleted, and ransom demands issued. More than 26,000 MongoDB databases were hijacked and held for ransom.

It is not just small organizations that are making errors that result in data exposure and data breaches. The Equifax data breach, which saw the records of more than 143 million Americans exposed, was the result of the failure to address a known vulnerability in Apache Struts, a framework that supported its dispute portal web application. Equifax CEO Richard Smith recently told the House Energy and Commerce Committee that the missed patch was due to a mistake by a single employee.

British insurance giant Aviva found out one of its cloud environments had been ‘hacked’ and was being used to mine Bitcoin. Kubernetes administration consoles were used to gain access to its cloud environment with ease. Its administration consoles lacked passwords.

RedLock is not the only company to report on the problem. IBM X-Force said it has tracked more than 1.3 billion records that were exposed as a result of misconfigured servers up to September 2017.

Training will only go so far. You can train your employees never to leave the firewall turned off, yet occasionally that happens. Bad errors can also occur in the cloud that will similarly lead to data breaches. Leave the door open to hackers and they will infiltrate cloud environments, steal data, and hold organizations to ransom.

What organizations must do is to make sure all doors have been closed and locked. Unless organizations proactively monitor their cloud environments, they will be unaware there is a problem until it is too late.
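The monitoring the article calls for starts with finding the doors that were left open. As an added example (my own code, not from the article, RedLock or AWS), the Python below reads an Amazon S3 bucket policy document and flags Allow statements granted to everyone, comparing a constructed world-readable policy with a hardened version of the same bucket. The bucket name and IAM role ARN are made-up placeholders.

```python
"""Audit an S3 bucket policy for statements that grant public access.

Added example; the two policy documents are constructed samples with a
placeholder bucket name and account id. The check looks at the one
structural feature that makes a bucket world-readable: an Allow statement
whose Principal is "*" (or {"AWS": "*"}) on a read action.
"""
import json


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True if the Principal element grants to everyone, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return findings for every Allow statement whose Principal is public.

    Each finding records the Sid, the actions and resources granted, and whether
    a Condition narrows the grant (e.g. to a source VPC or IP range). Conditioned
    grants are lower severity but still need a reviewer's eyes.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements to "*" are a control, not an exposure
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def is_publicly_readable(policy_json):
    """True if an unconditioned public Allow includes s3:GetObject, s3:* or *."""
    for finding in find_public_statements(policy_json):
        if finding["conditioned"]:
            continue
        if any(a in ("s3:GetObject", "s3:*", "*") for a in finding["actions"]):
            return True
    return False


# Constructed sample: a static-website style policy applied to a bucket that
# holds ePHI exports. Anyone on the internet can read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phi-exports/*",
    }],
})

# Constructed sample: the same bucket, read access limited to one IAM role,
# plus an explicit Deny of any request that is not sent over TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-export-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-phi-exports/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-exports",
                         "arn:aws:s3:::example-phi-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "publicly readable:", is_publicly_readable(doc))
        for finding in find_public_statements(doc):
            print("  ", finding)
```

The bucket policy is only one of the channels that can expose a bucket; legacy bucket ACLs and the account-level Block Public Access settings have to be reviewed separately.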

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant?

Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI).

However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, WhatsApp is NOT HIPAA compliant for several reasons.

Why Isn’t WhatsApp HIPAA Compliant?

First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users.

HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is implemented in its place, encryption is not required. Since WhatsApp now includes end-to-end encryption, this aspect of HIPAA is satisfied.

Access controls are also required (see 45 CFR § 164.312(a)(1)). This is one area where WhatsApp is not HIPAA compliant. If WhatsApp is installed on a smartphone, anyone with access to that smartphone will be able to view the messages in the user's WhatsApp account without needing to enter any username or password. That means any ePHI included in conversations would also be accessible. Additional security controls may be installed on a smartphone to authenticate users before the device can be accessed, but even when those controls have been applied, notifications about new messages can often be seen without opening the app or unlocking the device.

HIPAA also requires audit controls (see 45 CFR § 164.312(b)). This is another area where WhatsApp is not HIPAA compliant. Messages and attachments are saved, although they can easily be deleted. There is also no HIPAA compliant audit trail maintained in WhatsApp. All data in the account would also need to be backed up. Currently, if you switch phones, your account will be preserved, but your messages will not.

Then there is the issue of what happens to ePHI in a WhatsApp account on a personal device after the user leaves the company. Controls would need to be incorporated to ensure all messages containing ePHI are permanently erased. That would be a logistical nightmare for any covered entity, as it could not be performed remotely, finding messages would be next to impossible, and users would likely object to their WhatsApp being deleted.

Regardless of the features of WhatsApp and how well data is protected in transit, at the time of writing, WhatsApp will not sign a business associate agreement with a HIPAA covered entity. If HIPAA covered entities want to use WhatsApp, before any ePHI is sent, a HIPAA compliant business associate agreement must be signed with WhatsApp. Even though WhatsApp does not read text messages, that does not mean that no business associate agreement would be required.

So, is WhatsApp HIPAA compliant? In its current form, no. When it comes to WhatsApp and HIPAA compliance, even if covered entities were to use additional controls to prevent accidental disclosures, until WhatsApp is willing to sign a BAA, the service cannot be used to send ePHI without violating HIPAA Rules.

Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?

The HIPAA Breach Notification Rule requires covered entities to issue notifications to individuals after their ePHI has been exposed or stolen, but what about credit monitoring and identity theft protection services? Must they be offered?

HIPAA does not stipulate whether credit monitoring and identity theft protection services should be provided to individuals impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered entity.

However, following a breach of unsecured protected health information, HIPAA-covered entities are required to provide breach victims with details of the steps that should be taken to mitigate risk and protect themselves from harm.

Those steps include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every 12 months if requested.

Breach victims should be instructed to monitor their accounts for any sign of fraudulent activity and should be told what to do if suspicious activity is identified. They should also be told to monitor their Explanation of Benefits statements for benefits that they have not received. Information should also be provided on placing a fraud alert and freeze on their credit files.

While HIPAA does not require covered entities to offer credit monitoring and identity theft protection services, state laws may differ. From October 1, 2015, a breach of Connecticut residents’ names and Social Security numbers requires the breached entity to provide a minimum of 12 months of “appropriate identity theft prevention services, and if applicable, identity theft mitigation services.”

In California, while it is not mandatory to provide credit monitoring and identity theft protection services to breach victims, if those services are provided they must be free of charge and for a minimum of 12 months. State laws are frequently updated, so covered entities should keep up to date with new legislation introduced in the states in which their patients and members reside.

Even though it may not be mandatory for healthcare organizations to provide identity theft protection services to breach victims, many choose to do so. Providing those services can help to reduce the fallout from a data breach.

Credit monitoring services should be provided to data breach victims for 12 or 24 months, if credit/debit card numbers, Social Security numbers, and/or bank account information is believed to have been stolen.

Credit monitoring services inform breach victims when credit monitoring companies receive notifications of applications for credit, loans, or when personal information is changed – changes of address or phone number for example.

Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as Social Security numbers, Driver’s license numbers, medical ID numbers, and passport numbers.

The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the likelihood of data being used for identity theft and fraud, the risk of data being sold on, and types of data that have been exposed.

OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals

The recent attack in Las Vegas has prompted the Department of Health and Human Services’ Office for Civil Rights to clarify HIPAA Rules on disclosures to family, friends and other individuals.

Following Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the disaster areas of both hurricanes. OCR sometimes, but not always, issues such a waiver after a natural disaster when a public health emergency has been declared.

However, OCR did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas, and neither was a waiver issued following the Orlando nightclub shootings in 2016. OCR does not usually issue waivers of HIPAA Rules following shootings and other man-made disasters. Healthcare organizations involved in the treatment of victims of the Las Vegas shootings were required to continue to follow the provisions of the HIPAA Privacy Rule.

In its reminder about HIPAA Rules on disclosures to family, friends and other individuals, OCR explained that the HIPAA Privacy Rule allows healthcare organizations to disclose PHI to family, friends, and other individuals that have been identified by a patient as being involved in his or her care. PHI may also be shared to help identify or locate individuals involved in a patient’s care, or to notify them of the patient’s location, health status, or death.

In an emergency situation, covered entities should try to obtain verbal permission from the patient to share information, although when this is not possible, such as when a patient is incapacitated, it is down to the professional judgement of the covered entity to determine whether sharing information is in the patient’s best interest.

In the case of natural disasters, PHI may need to be shared with disaster relief organizations to assist with disaster relief efforts. While permission should be obtained, it is not necessary if obtaining permission would interfere with the organization’s ability to respond to an emergency situation.

The HIPAA Privacy Rule permits covered entities to inform the media about a specific patient’s general health condition (critical, stable, deceased, or treated and released) if a request is made about a patient that is mentioned by name, provided the patient has not previously objected to the sharing of such information, in which case the patient’s request should be honored.

Other information, such as test results, details of an illness, or other health information, may generally only be shared if the patient’s permission has first been obtained in writing.

Whenever PHI is shared, the minimum necessary standard applies and any PHI shared must be limited to the minimum necessary information to achieve the purpose for which the information is shared.

The provisions of the HIPAA Privacy Rule are detailed in:

  • 45 CFR 164.510(b) – Disclosures to family, friends, and other individuals involved in a patient’s care
  • 45 CFR 164.510(a) – Disclosures to the media and individuals not involved in a patient’s care
  • 45 CFR 164.508 – HIPAA authorizations
  • 45 CFR § 164.502(b) and 45 CFR § 164.514(d) – The minimum necessary standard

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information (PHI) is discovered. HIPAA training for staff must also include the procedures for reporting breaches of unsecured PHI.

While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started providing a service to Covered Entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach.

The issuing of notifications following a breach of unencrypted PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in addition to that imposed for the data breach itself. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates.

Summary of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires covered entities and their business associates to report breaches of unsecured electronic protected health information and physical copies of protected health information. A breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by HIPAA Rules.

According to the HHS’ guidance on the HIPAA Breach Notification Rule, an impermissible use or disclosure of unsecured protected health information is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

HIPAA breaches include unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks. Exceptions include:

  • Breaches of secured protected health information, such as encrypted data when the key to unlock the encryption has not been obtained;
  • “Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure;”
  • An inadvertent disclosure by a person who is authorized to access PHI to another member of the workforce at the organization who is also authorized to access PHI;
  • A disclosure by the covered entity or business associate where it has a good faith belief that the information could not have been retained by the person to whom it was disclosed.

In the event of a reportable HIPAA breach being experienced, the HIPAA breach notification requirements are:

Notify Individuals Impacted – or Potentially Impacted – by the Breach

All individuals impacted by a data breach, who have had unsecured protected health information accessed, acquired, used, or disclosed, must be notified of the breach. Breach notifications are also required for any individual who is reasonably believed to have been affected by the breach.

Breach notification letters must be sent within 60 days of the discovery of a breach unless a request to delay notifications has been made by law enforcement. In such cases, notifications should be sent as soon as that request has expired. While it is permissible to delay reporting of a breach to the HHS for breaches impacting fewer than 500 individuals (see below), that delay does not apply to notifications to breach victims.

Breach notification letters should be sent by first class mail to the last known address of breach victims, or by email if individuals have given authorization to be contacted electronically.

The HIPAA breach notification requirements for letters include writing in plain language, explaining what has happened, what information has been exposed/stolen, providing a brief explanation of what the covered entity is doing/has done in response to the breach to mitigate harm, providing a summary of the actions that will be taken to prevent future breaches, and giving instructions on how breach victims can limit harm. Breach victims should also be provided with a toll-free number to contact the breached entity for further information, together with a postal address and an email address.

Notify the Department of Health and Human Services

Notifications must be issued to the Secretary of the Department of Health and Human Services, via the Office for Civil Rights breach reporting tool. The HIPAA breach notification requirements differ depending on how many individuals have been impacted by the breach.

When the breach has impacted more than 500 individuals, the maximum permitted time for issuing the notification to the HHS is 60 days from the discovery of the breach, although breach notices should be issued without unnecessary delay. In the case of breaches impacting fewer than 500 individuals, HIPAA breach notification requirements are for notifications to be issued to the HHS within 60 days of the end of the calendar year in which the breach was discovered.

Notify the Media

HIPAA breach notification requirements include issuing a notice to the media. Many covered entities that have experienced a breach of protected health information notify the HHS, relevant state attorneys general, and the patients and health plan members impacted by the breach, but fail to issue a media notice – a violation of the HIPAA Breach Notification Rule.

A breach of unsecured protected health information impacting more than 500 individuals must be reported to prominent media outlets in the states and jurisdictions where the breach victims reside – see 45 CFR § 164.406. This is an important requirement, as up-to-date contact information may not be held on all breach victims. Notifying the media helps to ensure that all breach victims are made aware of the potential exposure of their sensitive information. As with the notifications to the HHS and breach victims, the media notification must be issued within 60 days of the discovery of the breach.

Post a Substitute Breach Notice on the Home Page of the Breached Entity’s Website

In the event that up-to-date contact information is not held on 10 or more individuals that have been impacted by the breach, the covered entity is required to upload a substitute breach notice to their website and link to the notice from the home page. The link to the breach notice should be displayed prominently and should remain on the website for a period of 90 consecutive days. In cases where fewer than 10 individuals’ contact information is not up-to-date, alternative means can be used for the substitute notice, such as a written notice or notification by telephone.
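The notice obligations described above, worked through as an added example (this is not HIPAA Journal’s code): a small Python calculator that takes a constructed breach record and returns each required notice with its deadline, applying the 60-day window, the 500-individual HHS and media thresholds, the 10-person substitute-notice threshold, and a law-enforcement delay. The `Breach` record, its field names, and the sample figures are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and windows as the article states them (45 CFR 164.400-414).
NOTIFY_WINDOW = timedelta(days=60)   # individual, HHS (large breach) and media notices
SUBSTITUTE_POSTING_DAYS = 90         # web substitute notice stays up 90 consecutive days
SUBSTITUTE_WEB_THRESHOLD = 10        # 10+ stale addresses -> conspicuous web posting
HHS_IMMEDIATE_THRESHOLD = 500        # 164.408: 500 or more individuals -> notify HHS now
MEDIA_THRESHOLD = 500                # 164.406: more than 500 residents of one state


@dataclass
class Breach:
    """Constructed breach record for the example; not a real incident."""
    discovered: date
    affected_by_state: Dict[str, int]                   # state code -> residents affected
    stale_contact_count: int = 0                        # victims with no current address
    law_enforcement_hold_until: Optional[date] = None   # expiry of a requested delay
    discovered_by_business_associate: bool = False


@dataclass
class Obligation:
    recipient: str
    deadline: date
    detail: str


def total_affected(breach: Breach) -> int:
    return sum(breach.affected_by_state.values())


def _apply_hold(breach: Breach, deadline: date) -> date:
    """A law-enforcement delay request moves a deadline out to the request's expiry;
    this follows the article ("sent as soon as that request has expired")."""
    hold = breach.law_enforcement_hold_until
    return max(deadline, hold) if hold else deadline


def notification_obligations(breach: Breach) -> List[Obligation]:
    """Return every notice the Breach Notification Rule requires for this breach."""
    obligations: List[Obligation] = []
    prompt = _apply_hold(breach, breach.discovered + NOTIFY_WINDOW)

    if breach.discovered_by_business_associate:
        obligations.append(Obligation(
            "covered entity", prompt,
            "business associate reports the breach and identifies affected individuals"))

    # 164.404: every affected (or reasonably believed affected) individual, always.
    obligations.append(Obligation(
        "individuals", prompt,
        "first-class mail, or email with prior authorization; plain language"))

    # Substitute notice depends on how many victims cannot be reached by mail.
    if breach.stale_contact_count >= SUBSTITUTE_WEB_THRESHOLD:
        taken_down = prompt + timedelta(days=SUBSTITUTE_POSTING_DAYS)
        obligations.append(Obligation(
            "substitute notice", prompt,
            f"conspicuous home-page link kept up until {taken_down}"))
    elif breach.stale_contact_count > 0:
        obligations.append(Obligation(
            "substitute notice", prompt, "alternative written notice or telephone"))

    # 164.408: large breaches go to HHS at once; small ones within 60 days of year end.
    if total_affected(breach) >= HHS_IMMEDIATE_THRESHOLD:
        obligations.append(Obligation(
            "HHS OCR", prompt, "breach reporting tool, without unreasonable delay"))
    else:
        year_end = date(breach.discovered.year, 12, 31)
        obligations.append(Obligation(
            "HHS OCR", _apply_hold(breach, year_end + NOTIFY_WINDOW),
            "annual submission, within 60 days of the end of the calendar year"))

    # 164.406: prominent media outlet in each state with more than 500 residents affected.
    for state, count in sorted(breach.affected_by_state.items()):
        if count > MEDIA_THRESHOLD:
            obligations.append(Obligation(
                f"media ({state})", prompt, f"{count} residents affected"))
    return obligations


if __name__ == "__main__":
    # Constructed scenario: 820 people in two states, 12 with stale addresses.
    sample = Breach(date(2023, 3, 10), {"CT": 700, "CA": 120}, stale_contact_count=12)
    for ob in notification_obligations(sample):
        print(f"{ob.deadline}  {ob.recipient:<18} {ob.detail}")
```

State breach laws may impose shorter deadlines than the federal ones computed here, so the output is a ceiling, not a target.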

Data Breaches Experienced by HIPAA Business Associates

Business associates of HIPAA-covered entities must also comply with the HIPAA breach notification requirements and can be fined directly by the HHS’ Office for Civil Rights and state attorneys general for a HIPAA Breach Notification Rule violation.

Any breach of unsecured protected health information must be reported to the covered entity within 60 days of the discovery of a breach. While this is the absolute deadline, business associates must not delay notification unnecessarily. Unnecessarily delaying notifications is a violation of the HIPAA Breach Notification Rule.

It is usually the covered entity that will issue breach notifications to affected individuals, so any breach notification will need to be accompanied by details of the individuals impacted. It is good practice to issue a breach notification to a covered entity rapidly, and to provide further information on the individuals impacted once the investigation has been completed. Under the terms of a HIPAA-compliant Business Associate Agreement (BAA), a business associate may be required to issue breach notifications to affected individuals.

Timeline for Issuing Breach Notifications

Breach notifications should be issued as soon as possible and no later than 60 days after the discovery of the breach, except when a delay is requested by law enforcement. Investigating a breach of protected health information can take some time, but once all the necessary information has been obtained to allow breach notifications to be sent they should be mailed.

HIPAA-covered entities must not delay sending breach notification letters. It is possible to receive a HIPAA violation penalty for delaying notifications, even if they are sent within 60 days of the discovery of the breach. There have been several recent cases of HIPAA breach notification requirements not being followed within the appropriate time frame, which can potentially result in financial penalties.

State Breach Notification Laws May Be Stricter than HIPAA

U.S. states have their own breach notification laws. Typically, notifications must be issued to breach victims promptly and a notice also submitted to the state attorney general’s office. Some states require breach notifications to be issued well within the HIPAA deadline.

Delaying breach notifications until the 60-day limit of HIPAA could well see state laws violated, leading to financial penalties from state attorneys general. State laws frequently change, so it is important to keep up to date on breach notification laws in the states in which you operate.

Penalties for Violations of HIPAA Breach Notification Requirements

HIPAA covered entities must ensure the HIPAA breach notification requirements are followed or they risk incurring financial penalties from state attorneys general and the HHS’ Office for Civil Rights.

In 2017, Presence Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation – after it exceeded the 60-day maximum time frame for issuing breach notifications. Presence Health took three months from the discovery of the breach to issue notifications – a delay that cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.

HIPAA Breach Notification Requirements FAQs

What is the difference between a HIPAA breach and a HIPAA violation?

A HIPAA breach is when unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy and Security Rules. A HIPAA violation occurs when a Covered Entity, Business Associate, or a member of the workforce fails to comply with any standard in the Privacy, Security, or Breach Notification Rules. It is not necessary for a breach to occur in order for there to be a HIPAA violation – for example, the failure to respond to a patient access request within 30 days is a HIPAA violation, but not a HIPAA breach.

Why must staff be trained on reporting HIPAA breaches?

Staff must be trained on reporting HIPAA violations to their supervisors, managers, or the Privacy Officer. It is not necessary for staff to know the mechanics of the HIPAA breach notification requirements beyond that point, but they must be aware of the consequences of delaying a report in terms of the impact it will have on patients impacted by the breach, the consequences for their employer if notifications are delayed longer than necessary, and on their own jobs if a breach comes to light weeks after it has happened.

What is the difference between secured PHI and unsecured PHI?

Secured PHI is generally defined as Protected Health Information that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technologies or methodologies specified in § 13402 of the HITECH Act. HIPAA is technology neutral, but the implementation specifications relating to Access Controls and Transmission Security state encryption is required unless an equivalent protection is implemented, or the use of encryption is unreasonable and inappropriate in the circumstances.

What is an example of a “good faith belief” that PHI has not been retained?

If, for example, a healthcare professional shows an X-ray image to a person not authorized to view the image but realizes a mistake has been made before it is likely any information relating to the image has been read, it is highly likely that PHI has not been retained and the Covered Entity can reasonably accept – in good faith – there has been no disclosure of unsecured PHI. In this scenario, it is important the healthcare professional reports the unauthorized disclosure to a higher authority, and that the report – along with the good faith determination – is documented.

Why do individuals have to give authorization before they receive email notifications?

Because email is not a secure communication channel, Covered Entities must obtain the authorization of an individual before sending an email that contains PHI. (If the email does not contain PHI, no authorization is necessary.) Breach notifications have to inform individuals what PHI was accessed, so Covered Entities can only communicate a breach by email if they have a prior authorization.

When must a HIPAA breach be reported?

A HIPAA breach must be reported whenever unsecured PHI or ePHI has been used or disclosed impermissibly, unless there is a low probability that data has been compromised based on the risk assessment mentioned above. Also mentioned above was the timetable for reporting HIPAA breaches – within sixty days if the breach involves 500 or more records, and by the end of the calendar year if the breach involves fewer than 500 records.

How Employees Can Help Prevent HIPAA Violations

Employees can help prevent HIPAA violations by fully understanding what PHI is, knowing when PHI can permissibly be used and disclosed, and by following their employers’ policies on the compliant use of healthcare technologies and communication devices. Employees can also help prevent HIPAA violations by reporting ongoing poor practices to a manager or compliance officer.

One of the key goals of compliance officers is to prevent HIPAA compliance violations whenever possible. To achieve this goal, many compliance officers rely on technological solutions or sanctions policies to deter employees from noncompliant behaviors. However, by taking a more positive approach, employees can help prevent HIPAA violations.

Ten Most Common HIPAA Violations

Most Frequent Complaints

According to the Department of Health and Human Services’ Enforcement Highlights web page, the most frequent complaint received by HHS’ Office for Civil Rights relates to impermissible uses and disclosures of PHI. This is not surprising considering the variety of scenarios in which an authorization to use or disclose PHI is required, when individuals may or may not have the right to object to a use or disclosure, or when permissible uses or disclosures are subject to “other requirements”.

However, it is not only the variety of scenarios that can result in HIPAA violations. Many impermissible uses and disclosures occur due to a lack of understanding of what PHI is. The failure to understand what PHI is – and what it isn’t – can result in the next four most frequent violations occurring:

  • Lack of Privacy Rule safeguards for PHI
  • Lack of patient access to PHI
  • Lack of Security Rule safeguards for ePHI
  • Use or disclosure of more than the minimum necessary PHI

How to Prevent HIPAA Violations of this Nature

The obvious way to prevent HIPAA violations of this nature is to train all members of the workforce – not just employees – on what is considered PHI under HIPAA. Many HIPAA training courses fail to include this fundamental element of HIPAA compliance in their curriculum – focusing on the HIPAA training requirements of §164.530 and §164.308 to tick the box of compliance, rather than putting policy and procedure training and security and awareness training into context.

However, if members of the workforce do not fully understand what PHI is, it is not hard to imagine why it may be used or disclosed impermissibly, why patients allege access requests are not being acted on, and why more than the minimum necessary PHI is being disclosed. It may also explain why those with a responsibility for the privacy and security of PHI fail to implement reasonable and appropriate Privacy Rule policies or Security Rule safeguards.

How to Prevent Other Types of HIPAA Violations

In addition to providing training on what PHI is, it can help prevent HIPAA violations to highlight the most common violations by members of the workforce and explain how to follow HIPAA guidelines, in order to send the message “we know this happens – we don’t want it happening here”. The most common violations of HIPAA by members of the workforce include (but are not limited to):

Sharing passwords to systems containing PHI

Healthcare workers often share passwords to EHRs and other health IT systems – not out of malice, but “to get the job done” when their credentials are not sufficient to access required information. This is a violation of §164.312; and while it is the responsibility of the IT team to ensure each member of the workforce has “unique user identification”, employees should not share passwords, but rather pester the IT team to provide them with the credentials they need.

Leaving devices unsecured and unattended

Devices that can access PHI must have security features such as automatic logoff and PIN-lock (or other device locking process) enabled. All PHI on the device – or accessible by the device – should be encrypted. If a device or workstation used by a member of the workforce does not have these security features enabled, the risk of a data breach exists if a device or workstation is left unattended. This is a risk that is easy to prevent with the right technology.

Using unsecure channels of communication

There are two potential HIPAA violations here. The first relates to transmission security when communicating PHI, while the second relates to an individual’s right to request how they are contacted. HIPAA allows for Covered Entities to use unsecure channels of communication to contact individuals, but individuals should be warned of the risks, and both the warning and the individual’s consent to use the channel of communication should be documented.

Disposing of PHI improperly

While most healthcare organizations have now transitioned to electronic health records, paper documents are still widely used. Any document containing PHI must be kept secure while in use and disposed of properly at end of life. The rules relating to the disposal of PHI also apply to electronic PHI – particularly when systems on which PHI is stored are decommissioned or when removable media and backup tapes are purged for re-use.

Accessing PHI out of curiosity

The accessing of patient health records by employees, without any legitimate reason for doing so, is a serious violation of HIPAA. While most healthcare employees respect the privacy of patients, there have been numerous cases over the years of employees snooping on the records of patients. It is important for all members of the workforce to be made aware that audit logs are implemented to protect patient health information in the workplace and can identify when employees have accessed PHI without good reason.

Sharing PHI on social media without authorization

One of the reasons it is important that all members of the workforce know what is considered PHI under HIPAA is so that they do not inadvertently or deliberately share PHI on social media without authorization. Even something as apparently innocuous as commenting on a personality being seen at a medical center is a HIPAA violation that could lead to a sanction being applied or a complaint by the personality being made to HHS’ Office for Civil Rights.

The Benefits of Training Employees How to Avoid HIPAA Violations

Training employees how to avoid HIPAA violations not only reduces the number of violations but can also help reduce the number of unjustified complaints made to the organization and to HHS’ Office for Civil Rights. A significant statistic on HHS’ Enforcement Highlights web page is that many reported violations are not violations at all. Of more than 300,000 complaints received since 2003, more than 200,000 have been rejected because “they did not present an eligible case for enforcement”. Among the reasons given by HHS for rejecting two-thirds of complaints were:

  • The complaint was made against an organization not subject to HIPAA
  • The activity described in the complaint did not violate any HIPAA Rules
  • The complaint was withdrawn by the individual on review.

Training employees to avoid HIPAA violations so they understand what PHI is can be beneficial in reducing unjustified complaints made by individuals who themselves do not know what PHI is. Employees can pass their knowledge on to patients and plan members to reduce the number of complaints made about impermissible uses and disclosures or disclosing more than the minimum necessary PHI – saving compliance officers valuable time replying to unjustified complaints or responding to HHS enquiries in the complaints review process.

How Employees Can Help Prevent HIPAA Violations: FAQs

Where does the Privacy Rule state the permissible uses and disclosures of PHI?

The Privacy Rule states the permissible uses and disclosures of PHI – including those requiring an authorization or in circumstances when an individual has the right to object – in sections §164.502 to §164.514 of the Administrative Simplification Regulations. Many of the standards apply to infrequent events, but it is important members of the workforce know what to do when these infrequent events occur.

How might somebody with a responsibility for security fail to implement safeguards?

The reason why somebody with a responsibility for security might fail to implement safeguards is that a lot of misinformation exists on the Internet. For example, if a Security Officer safeguards the so-called 18 HIPAA identifiers, but no other identifiers, details such as Medicare Beneficiary Identifiers, social media handles, and emotional support animals (that could be used to identify an individual) could remain unsecured.

What is the problem with sharing passwords to systems containing PHI?

The problem with sharing passwords to systems containing PHI is that if an employee shares their login credentials with a colleague, and the colleague misuses PHI or discloses PHI impermissibly, the HIPAA violation will be attributed to the owner of the login credentials rather than the colleague who was using them.

Does a personal mobile device have to have HIPAA security features enabled?

A personal mobile device must have HIPAA security features enabled if it is used to access systems containing PHI or communicate PHI with a colleague or patient. In such cases, the device has to be configured to meet the standards of the Security Rule. While applying the standards may seem like an imposition on the owner of the device, they are a best practice for personal data security even if the device is not used to access or communicate PHI.

Is it possible to share PHI on social media with authorization?

It is possible to share PHI on social media with authorization; but, in order to do so, the authorization form must state why PHI is being shared. It also has to be documented that the individual has been made aware that it may not be possible to revoke the authorization. This is because once content is posted on a social media platform, any further use or disclosure is out of the control of the person who posted it.

What is the best way to prevent HIPAA violations?

The best way to prevent HIPAA violations is to ensure HIPAA-compliant policies and procedures are developed, Security Rule safeguards are implemented, and all members of the workforce are thoroughly trained on HIPAA compliance. In addition, Covered Entities and Business Associates need to keep on top of monitoring compliance with the policies and procedures and ensure sanctions are applied consistently and fairly whenever necessary.

How can a healthcare organization avoid HIPAA violations?

A healthcare organization can avoid HIPAA violations by empowering members of the workforce to be the eyes and ears of HIPAA compliance. This can be achieved by implementing an anonymous communication channel through which members of the workforce can raise concerns about non-compliant practices and risks to the privacy of individually identifiable health information.

How is it possible to protect patient health information in the workplace?

There are several ways it is possible to protect patient health information in the workplace. One of the best ways is to minimize the number of designated record sets per patient. This makes it easier to identify where PHI is created, used, and maintained, so appropriate safeguards can be implemented to prevent impermissible disclosures and breaches of unsecured PHI.

What are the top five HIPAA tips for staff?

The five top HIPAA tips for staff can vary according to the role of the individual and the operations of their employer. For example, a nurse working in an ED will have very different compliance challenges than a claims processor working as a business associate. However, there are some common HIPAA tips that apply to all staff:

  • Pay attention to HIPAA training; and, if there is something you don’t understand, ask.
  • Ensure you are aware what PHI is and your employer’s policies for disclosing PHI.
  • If you identify a HIPAA violation in the workplace, report it and document your report.
  • Never share login credentials without first checking with a member of the IT team.
  • Don’t rely on colleagues if you are unsure about HIPAA compliance. Check with a manager or your Privacy/Security Officer.

What advice should a new member of the workforce be given on how to not violate HIPAA?

The advice a new member of the workforce should be given on how to not violate HIPAA is to follow the policies developed by your employer. This is because a member of the workforce cannot be held liable for a violation of HIPAA if their employer’s policies are not HIPAA compliant. It is important to be aware that an employer’s sanctions policy only applies to the policies the employer has developed – which are not necessarily the same as the HIPAA standards.

What are the key HIPAA do’s and don’ts for employees?

The key HIPAA do’s and don’ts for employees are to comply with your employer’s HIPAA policies and – if you feel they contradict HIPAA – don’t assume you know better. In addition, if you see a HIPAA violation in the workplace, do report it – don’t be afraid of alienating work colleagues. Finally, do make sure you participate in security and awareness training and don’t share login credentials.

Why is protecting PHI in the workplace important?

Protecting PHI in the workplace is important because impermissible uses and disclosures of PHI and breaches of unsecured PHI can result in loss, fraud, and reputational damage. This not only applies to the subject(s) of the PHI, but also to healthcare organizations and health plans who could end up providing – and paying for – expensive treatments to criminals in possession of stolen PHI.

How does reporting HIPAA violations in the workplace support HIPAA compliance?

Reporting HIPAA violations in the workplace supports HIPAA compliance in a number of ways. For example, reporting HIPAA violations can alert Privacy Officers to the need for more training, the need to fill gaps in HIPAA policies, and/or the need to better monitor workplace compliance. Once these needs are identified and resolved, the workplace will likely become more HIPAA compliant.

What are HIPAA reminders for staff?

HIPAA reminders for staff can take various forms. They can be verbal reminders from a supervisor who has observed a member of staff taking a compliance shortcut, they can be refresher training provided periodically by a conscientious employer, or they can be the HIPAA security reminders required by the Administrative Safeguards of the Security Rule (45 CFR §164.308(5)(ii)(A)).

What strategies are used to prevent HIPAA privacy violations?

The strategies used to prevent HIPAA privacy violations can vary from organization to organization, but generally they consist of education, supervision, and enforcement – education being the HIPAA training all new members of the workforce are required to undergo, supervision being the monitoring of staff compliance and of security technologies, and enforcement being the fair and consistent application of a HIPAA sanctions policy.

What is the HIPAA policy for healthcare employees?

There is no single HIPAA policy for healthcare employees. In many cases, there are hundreds of HIPAA policies for healthcare employees – although most employees will not be aware of them all. This is because the Privacy Rule only requires covered entities to train healthcare employees “on the policies and procedures […] necessary and appropriate for members of the workforce to carry out their functions with the covered entity”. Although healthcare employees are required to comply with HIPAA, they will only be trained on the HIPAA policies relevant to their roles.

What are the breach prevention best practices according to HIPAA?

HIPAA itself is technology neutral and does not provide breach prevention best practices per se. Although the Security Rule stipulates that Administrative, Physical, and Technical Safeguards must be implemented to protect the confidentiality, integrity, and availability of electronic PHI, the Rule itself has a “flexibility of approach” clause in its “General Rules” (45 CFR §164.306(b)(1)).

However, since the publication of the Security Rule, the National Institute of Standards and Technology (NIST) Guide SP 800-53 has been widely acknowledged as the source of breach prevention best practices for HIPAA. In 2016, the Department of Health and Human Services published a “crosswalk” to help covered entities and business associates better comply with the Security Rule.

It is important for covered entities and business associates to be aware that adopting the measures in the crosswalk or in NIST’s latest guidance (SP 800-66r2) does not guarantee compliance with the Security Rule. However, the two publications contain what many experts believe to be the most comprehensive breach prevention best practices for HIPAA.

What HIPAA laws do healthcare providers have to comply with?

The HIPAA laws healthcare providers have to comply with are the Privacy Rule, the Security Rule, and the Breach Notification Rule if they qualify as a HIPAA covered entity. Not all healthcare providers qualify as a covered entity; however, if a non-qualifying healthcare provider provides a service to or on behalf of a covered entity as a “business associate”, they may also have to comply with the Privacy Rule (or parts thereof) as well as the Security Rule, and the Breach Notification Rule.

All covered entities and business associates must comply where appropriate with the General Provisions of 45 CFR Parts 160 and 164, while healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has published standards have to comply with all applicable provisions of 45 CFR Part 162 (mostly relating to transactions between health plans and healthcare providers for eligibility, authorization, billing, and payment).

What are the Rules of HIPAA for healthcare organizations?

The Rules of HIPAA for healthcare organizations that qualify as HIPAA covered entities are:

  • The Privacy Rule – the standards for the privacy of individually identifiable health information.
  • The Security Rule – the standards for the protection of electronic protected health information.
  • The Enforcement Rule – the processes for HHS investigations and imposition of sanctions by HHS.
  • The Breach Notification Rule – the standards for notifying individuals and HHS of a data breach.
  • The Final Omnibus Rule – the amendments to existing HIPAA Rules introduced by the HITECH Act.

Most healthcare organizations are required to comply with the above Rules of HIPAA, plus – where applicable – the General Provisions of 45 CFR Parts 160 and 164 of the Administrative Simplification Regulations. Healthcare organizations and business associates that conduct transactions for which the Department of Health and Human Services has published standards are also required to comply with the General Provisions and the Transactions, Identifier, and Code Set Rules in 45 CFR Part 162.

What is one good way to avoid violating HIPAA?

One good way to avoid violating HIPAA if you are a member of a covered entity’s or business associate’s workforce is to apply the information you learn in HIPAA training to your day-to-day role – especially the information relating to permissible uses and disclosures of PHI, because this is the most frequently alleged HIPAA violation reported to HHS’ Office for Civil Rights via the Complaint Portal.

What can employees do to prevent a security breach in the workplace?

Employees can do a lot to prevent a security breach in the workplace. Possibly the most important things employees can do are to use unique, complex passwords for each online account, never disclose or share passwords, and protect sensitive accounts and databases with 2-factor authentication – even if their employer does not require these basic security measures.

What does the mitigation of a violation of PHI mean?

The mitigation of a violation of PHI is a strange term to use because usually people talk in terms of HIPAA violations and PHI breaches – the two terms meaning different things. A HIPAA violation is any failure to comply with the standards of the Administrative Simplification Regulations (45 CFR Parts 160 – 164) and the Confidentiality of Substance Abuse Disorder Patient Records (42 CFR Part 2).

A violation of any of these standards doesn’t necessarily result in a breach of unsecured PHI; but when it does, lessening (or mitigating) the impact of the breach can reduce the amount of harm an individual suffers, the risk of compromised PHI being used to commit insurance fraud, and the amount an organization could be fined for failing to comply with the HIPAA standards.

Can an employer disclose medical information to other employees?

Whether or not an employer can disclose medical information to other employees depends on state privacy laws rather than HIPAA. Employers are exempt from HIPAA in their role as an employer, so any health information collected, maintained, or transmitted by an employer as part of an employee’s employment record is not subject to the protection of the Privacy Rule.

Can an employer request medical information?

An employer can request medical information about an employee from a healthcare provider if the information requested is required to comply with state and/or federal requirements for reporting workplace injuries and illnesses. However, the healthcare provider is only allowed to disclose the minimum necessary medical information to meet the reporting requirements.

An employer can also request medical information from an employee to justify an absence, to enroll an employee in a group health plan or wellness program, to maintain the health and safety of other members of the workforce, to comply with the Family Medical Leave Act, or to accommodate members of the workforce under the Americans with Disabilities Act.

My HIPAA rights were violated by my employer. What should I do?

It is unlikely that your HIPAA rights were violated by your employer because, except in a few circumstances, employers are exempt from HIPAA in their role as employer. However, there may be state privacy laws that limit what individually identifiable health information an employer can disclose, and you should discuss your options with your HR department or a legal professional.

The post How Employees Can Help Prevent HIPAA Violations appeared first on HIPAA Journal.