HIPAA Compliance News

Want to Prevent Data Breaches? Time to Go Back to Basics

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes.

Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors.

The blog posts are particularly relevant for small to medium-sized healthcare organizations that are finding data security something of a challenge.

The blog posts are an ideal starting point to ensure all the security basics are covered. They cover 10 basic security principles the FTC looks at when investigating complaints and data breaches. The blog posts use examples from FTC cases and 60+ complaints and orders, including settlements reached with organizations that have failed to implement appropriate security controls. The FTC has also listened to the challenges faced by businesses when attempting to secure sensitive information and offers practical tips to address those challenges.

While the FTC has taken action against organizations, in the majority of cases investigations have been closed without any further action being necessary. Companies may have experienced data breaches, yet they got the basics right and had implemented reasonable data security controls. Those controls may not have been enough to prevent cyberattacks and other security incidents, but they were sufficient to avoid a financial penalty.

The same applies to Office for Civil Rights investigations into HIPAA data breaches. OCR investigates all breaches of more than 500 records, yet only a very small percentage of the 2,000+ data breaches reported to OCR have resulted in a financial penalty. If you want to avoid an FTC or HIPAA fine, it is essential to get the basics right. Getting the basics wrong can prove very costly indeed.

The FTC blog series covers the following aspects of data security:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The blog posts have been combined into the FTC’s Start with Security brochure, which is a “nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable fundamentals applicable to companies of any size.” The blog posts and brochure can be viewed on this link.

HIPAA-covered entities should also sign up for OCR's cybersecurity newsletter, which details new threats and further steps that covered entities should take to improve security and keep ePHI secure. To sign up for the newsletter, visit this link and be sure to check out the Security Rule guidance material published by HHS.


Delaying Breach Notifications is a Violation of the Breach Notification Rule

The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities to notify the HHS’ Office for Civil Rights of a breach of unsecured protected health information and send notification letters to affected individuals without unreasonable delay and no later than 60 days after the discovery of the breach.

As last year’s monthly Breach Barometer reports from Protenus have shown, many covered entities have struggled to comply with the HIPAA Breach Notification Rule and have disclosed their breaches to OCR after the deadline has passed.

This year has seen a major improvement in reporting times. The Protenus 2017 Breach Barometer Mid-Year Review shows that between January and June, it took an average of 54.5 days from the discovery of a breach to notify OCR.

A look back at the Breach Barometer report for January shows just how much the situation has improved. In January, there were 31 data breaches disclosed. 40% of those breaches were reported later than the 60-day deadline.

The improvement in breach reporting time is likely due, in part, to the decision by OCR to enter into a settlement agreement with a covered entity for unnecessarily delaying the issuing of a breach report. In January, Presence Health agreed to a $475,000 settlement after delaying the issuing of breach notifications to patients and OCR.

A look at the breach notification letters sent to breach victims by covered entities shows many healthcare organizations are delaying sending notifications until the deadline approaches. It is extremely common for breach notification letters to be sent just a few days before the 60-day deadline is reached.

There are often reasons for delaying the issuing of notifications. Law enforcement may request that the issuing of notifications be delayed so as not to interfere with a criminal investigation of the breach. The covered entity may not have all the facts about the breach, or it may not be apparent which individuals have been affected and need to be notified.

However, when affected individuals have been identified, breach notification letters should be sent as soon as possible. Even if notification letters are sent inside the 60-day deadline, a covered entity can still be in violation of the Breach Notification Rule.

At the Allscripts user conference in Chicago, Deven McGraw, deputy director for health information privacy for the HHS Office for Civil Rights, explained that the Breach Notification Rule sets a deadline of 60 days to report a breach and notify patients, but that deadline is a maximum, not a recommendation. She explained that the HIPAA Breach Notification Rule clearly states notice of a breach must be provided “without unreasonable delay”.

McGraw said, “You can be in violation of HIPAA Rules if you are sitting on your notification, waiting for those 60 days.”

No organization wants to have to notify patients or health plan members that their protected health information has been exposed or stolen, but it is essential that notifications are issued promptly to reduce the harm caused.

Back in January, then OCR Director Jocelyn Samuels explained why breach notifications must be issued promptly when the settlement with Presence Health was announced: “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The more an organization delays the sending of breach notifications, the greater the potential for patients and plan members to suffer financial losses as a result of the breach.


Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends.

The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates.

In a webinar on Wednesday, Protenus Co-Founder and President Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review.

Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the first half of the year resulted in the theft of 697,800 records and was caused by a rogue insider – one of 96 incidents involving insiders.

Out of those 96 incidents, 57 were due to insider error – 423,000 records – and 36 incidents were due to insider wrongdoing – 743,665 records. The remaining three breaches could not be classified.

The true number of insider incidents is likely to be far higher than the figures in the Breach Barometer report. Dissent explained that many incidents are not being disclosed publicly or reported to HHS. One of the best examples is misconfigured MongoDB databases. Dissent explained that many organizations have not reported that protected health information has been exposed online, even though security researchers have discovered data could be accessed, without authentication, via the Internet. When these incidents are reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.

The first six months of the year saw 75 hacking incidents and 29 ransomware incidents reported. As was explained, ransomware incidents are similarly underreported, even though OCR has made it clear that ransomware attacks are reportable breaches. The true figure is likely to be far worse.

The breakdown for the year was 41% of incidents caused by insiders, 32% due to hacking, 18% due to loss/theft of records and devices and the cause of 9% of the breaches is still unknown.

Hacking may be the second biggest cause of breaches, but hacking has resulted in the exposure/theft of the most records. 1,684,904 records were exposed/stolen as a result of hacking, 1,166,674 records were exposed/stolen by insiders, 112,302 records exposed due to theft/loss and 178,420 records exposed in incidents with unknown causes.

To put the figures into perspective, between January and December 2016 there were 450 incidents reported. Data breaches have been occurring at a similar rate to last year. While the number of reported incidents has remained fairly constant, there has been an increase in the severity of those breaches with this year likely to see far more individuals impacted by breaches than last year.

Last year, approximately 2 million patients were affected by insider incidents. This year, 1.17 million individuals have already been impacted by insider incidents. Hacking incidents are also up. Last year there were 120 confirmed hacking incidents for the entire year. This year there have already been 75 reported incidents.

In June, 52 healthcare data breaches were reported, the highest total for any month of the year to date by some distance. The second biggest monthly breach total was 39 incidents. June also saw the third highest number of individuals impacted by the breaches, with 729,930 records confirmed as exposed or stolen.

Robert Lord explained that the time from the initial breach date to discovery is particularly bad in the healthcare industry. The mean time to discover a breach was 325.6 days, with a median of 53 days. Healthcare organizations are not discovering breaches quickly enough. Fast detection can greatly reduce the harm caused to patients, and as the Ponemon Institute has shown, also the cost of mitigation.

There is some good news however. The time taken to report breaches to OCR has improved over the past 6 months. The mean time to report breaches is 54.5 days and the median 57 days. HIPAA allows 60 days to report data breaches and notify affected individuals. In June, both the mean and the median were under the maximum time frame allowed by the HIPAA Breach Notification Rule.

So, what does the rest of 2017 have in store? Dissent explained that 2017 has been a “no good, horrible, very bad year.” Unfortunately, there is no indication that the rest of the year will be any better. The next six months are likely to be just as bad, and 2017 may surpass last year for both the number of breaches and the number of patients impacted by those incidents.

While other industry sectors have hacking/malware as the main breach cause, insider incidents are the biggest problem for the healthcare industry. Healthcare organizations need to take steps to prevent these breaches. As Robert Lord explained, technologies can be deployed to help prevent insider incidents and detect them promptly when they occur.

One of the most important take home messages from the report is that people’s lives are seriously affected by healthcare data breaches. More must be done to prevent breaches and ensure they are detected promptly. Fast detection and notification allows patients and health plan members to take action to reduce the harm caused.


Nuance Communications Decides Not to Report NotPetya Attack to OCR

As the Department of Health and Human Services’ Office for Civil Rights has previously explained in its ransomware guidance, if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are reportable incidents.

OCR states in its ransomware guidance that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” going on to explain that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”

A ransomware attack qualifies as a HIPAA breach because the actions of the attackers have resulted in the acquisition of PHI, in the sense that unauthorized individuals have taken control of the data.

The only time that a breach report – and notifications to patients – would not be required would be if the covered entity can demonstrate “a low probability that the PHI has been compromised.” OCR suggests covered entities can make that determination after a risk assessment has been performed, basing the decision on the nature of the PHI involved, who used the PHI or to whom the PHI was disclosed, whether the PHI was actually viewed or acquired, and the extent to which the risk has been mitigated.

However, what about the recent NotPetya ransomware attacks? Many organizations were attacked, including some healthcare organizations in the United States that are HIPAA covered entities. One of those organizations is Nuance Communications, a business associate of several healthcare providers.

Nuance Communications previously announced that it had been severely affected by the NotPetya attack. More than three weeks after the attack, only 75% of its clients had regained access to its systems. The disruption to business services has been considerable.

Since Nuance Communications holds PHI, the incident would appear to require a breach notice to be submitted to OCR and for affected individuals to be notified. However, the decision was taken not to report the incident or to send notification letters.

Interestingly, rather than simply not sending notices, Nuance Communications has published a notice that states it will not be sending notifications. In that notice, Nuance Communications explains the rationale behind the decision.

A ransomware incident may usually be a HIPAA breach, although Nuance Communications has explained that NotPetya was not ransomware. In the letter, Nuance said the malware “was not designed to give its perpetrators any capability to control data on affected systems. To date, we have seen no indication that the malware functioned differently in practice on affected Nuance systems.”

Nuance also pointed out that the malware had not been developed to provide access to data on affected systems and neither was it developed to copy any information nor target the types of PHI that Nuance holds.

Nuance said, “Accordingly, based on facts presently known, while Nuance has determined that the incident constitutes a security incident for purposes of the HIPAA Security Rule, Nuance also has determined the incident does not constitute a breach of unsecured PHI for purposes of the Breach Notification Rule.”

Nuance explained that the notice and explanation were provided as a courtesy and to explain to its healthcare customers that a security incident had occurred, fulfilling its obligations under the business associate agreements the firm had signed. However, OCR will not be notified and individuals will not receive breach notification letters in the mail.


How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training?

Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training

Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often random, healthcare employees are also being targeted with spear phishing emails.

In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%.

In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised. In July alone, 9 email-related security incidents have been reported to OCR.

The recent WannaCry ransomware attacks may have exploited unaddressed vulnerabilities, but email remains the number one vector for spreading ransomware and malware. Many of these email attacks could have been prevented if employees had been trained to detect threats and knew how to respond appropriately.

Regular Security Awareness Training is a Requirement of HIPAA

Security awareness training is more than just a checkbox item to tick off to demonstrate compliance with HIPAA Rules. In fact, a one-off training session does not meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

45 C.F.R. § 164.308(a)(5)(i) requires covered entities to “Implement a security awareness and training program for all members of its workforce (including management)”. As OCR recently pointed out in its July Cybersecurity Newsletter, all members of staff in an organization “can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.” It may not be possible to reduce risk to zero, but security awareness training can help to reduce risk to an acceptable level.

How Often Should Healthcare Employees Receive Security Awareness Training?

Cybercriminals are constantly changing tactics and new threats are emerging on an almost daily basis. An effective security awareness program must therefore provide ongoing training, raising awareness of new threats as they emerge and when threat intelligence is shared by Information Sharing and Analysis Organizations (ISAOs).

After the provision of initial training, HIPAA requires healthcare employees to receive periodic security updates – 45 C.F.R. § 164.308(a)(5)(ii)(A). While HIPAA does not stipulate how often these “periodic security updates” should be issued, OCR points out that monthly security updates work well for many healthcare organizations, with additional training provided bi-annually.

Some healthcare organizations may require more or less frequent updates and training sessions, which should be determined through the organization’s risk analyses.

The security updates should include details of the latest security threats including phishing and social engineering scams that have been reported by other covered entities or shared by an ISAO. The security alerts can take many forms – email bulletins, posters, newsletters, team discussions, classroom-based training or CBT sessions. It is up to the covered entity to determine which are the most appropriate. Annual or biannual training sessions should be more in-depth and should cover new risks faced by an organization and recap on previous training.

OCR also points out in its recent newsletter that covered entities must document any training provided to employees. Without documentation on the training provided, newsletters sent, updates issued and evidence of workforce participation, it will not be possible to demonstrate to OCR auditors that training has taken place. HIPAA requirements for documenting training are covered in 45 C.F.R. §§ 164.316(b) and 164.530(j).

OCR provides some training materials on privacy and security, with third-party training companies and anti-phishing solution providers offering specific training courses on the full range of cybersecurity threats.

Tailoring training to the needs of the individual will help to ensure that all employees become security assets and organizations develop a robust last line of defense against phishing attacks.


Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet, according to a recent U.S. Government Accountability Office (GAO) report, relatively few patients are exercising that right, at least through patient portals.

The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information.

GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource.

Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information online, yet only 15% of hospital patients and 30% of other providers’ patients accessed their data online.

When patient portals are used to access health data, it is usually just before a medical appointment or soon afterwards to view medical test results. Information is also commonly accessed in order to share health data with a new healthcare provider. Mostly, however, patients were using the portals to schedule appointments, set reminders or order medication refills.

The problem does not appear to be a lack of interest in viewing or obtaining health information, rather it is one of frustration. The process of setting up access to patient portals and viewing health data is time consuming. Patients usually have multiple healthcare providers and must repeat the process for each provider. In order to view all their health information, they must use a different portal for each provider and manage separate login information for each. Further, patient portals are not standardized. Each requires patients to learn how to access their information and familiarize themselves with the portal.

When the patient portals have been set up, patients often discover incomplete or inaccurate information, with information inconsistent among different providers. It would make life easier if all information could be transferred electronically between each provider or aggregated in one place, yet patients were confused by the process and were unaware if this was possible, and if so, how it could be done. Many patients did not even know if their health information could be downloaded or transmitted.

GAO pointed out that while the HHS has been encouraging healthcare providers to give patients access to health data via patient portals, there does not appear to have been any follow-up. GAO says the HHS appears to be unaware of how effective its program has been. GAO has recommended HHS set up some performance measures to determine whether its efforts are actually working.


OCR Data Breach Portal Update Highlights Breaches Under Investigation

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’.

Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal.

The data breach list contains a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules.

OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current form.

For example, burglaries will occur even with reasonable physical security in place, and even with appropriate controls in place, rogue healthcare employees will on occasion access PHI out of curiosity or with malicious intent. Some consider it unfair for those breaches to remain on public display indefinitely.

OCR Director Roger Severino said last month that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”

While the HITECH Act requires OCR to maintain the portal, the Act does not specify for how long that information must be displayed. One possibility for change would be a time limit for displaying the breach summaries. There was concern from some privacy advocates about the loss of information from the portal, which would make it hard for information about past breaches to be found for research purposes or by patients whose PHI may have been exposed.

This week, changes have been made to the breach portal. The breach list now displays all data breaches that are currently under investigation by OCR. OCR investigates all reported data breaches impacting more than 500 individuals. Currently, the list shows there are 354 active investigations dating back to July 2015.

The order of the list has also been changed so the most recent breach reports are displayed first – a much more convenient order for checking the latest organizations to report data breaches.

Data breaches that were reported to OCR more than 24 months ago along with breach investigations that have now been closed have not been lost, instead they have been moved to an archive. The archive can still be accessed through the site and is searchable, as before.

Since recent data breaches could be in either the archive or the main list, this has the potential to make research and searches more complicated. OCR has tackled this issue by offering a research report containing the full list of breaches dating back to 2009.


Model HIPAA-Compliant PHI Access Request Form Released by AHIMA

The American Healthcare Informatics Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data.

The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization.

AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing.

AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data. The new model form should help clear up confusion.

It is hoped that the new form will be used as a standard across the industry which will make it easier for patients to exercise their rights under HIPAA, regardless of which healthcare providers they use.

AHIMA interim CEO Pamela Lane said, “Our hope is that it will help connect patients with their health information and make them more empowered healthcare consumers.”

Streamlining the Process of Providing Copies of Health Data to Patients

The ONC recently issued a report in which HIPAA-covered entities were given tips to help streamline the process of providing patients with access to their healthcare data.

The ONC report explained its research has shown that oftentimes patients are confused about the process of accessing their health data. Forms are confusing and patients are often unaware of their rights under HIPAA. For example, many are unaware that under HIPAA Rules they are permitted to have PHI provided in the format of their choosing. Paper copies can be requested or they are entitled to have their health data in electronic form – electronic copies can be sent via email or provided on a portable storage device such as a CD or zip drive.

The new model PHI access request form ties in with the advice given by the ONC and patients can stipulate how they would like their PHI copies to be delivered. The form should also make processing requests straightforward for healthcare providers and help them to streamline the processing of PHI access requests.

The form is suitable for use by all types of healthcare providers, from large multi-hospital health systems to individual physicians, clarifying what patients have the right to access and what healthcare organizations must provide.

Lane said the model PHI access request form is “Written in easy-to-understand language for all patients,” explaining, “this model form and explanation of use provides healthcare providers with a customizable tool that both ensures their compliance and captures patient request information in a clear, simple format.”

The final version of the PHI access request form can be downloaded from AHIMA on this link.

Recommendations for HIPAA Covered Entities Wishing to Use the Model PHI Access Request Form

The model PHI access request form is self-explanatory for patients, but AHIMA has given additional recommendations for healthcare providers who wish to start using the new form.

AHIMA suggests the form should be customized to match the capabilities of healthcare providers’ systems and can be updated as required when systems are upgraded. Healthcare providers can also add their address, logos and barcodes to the forms should they so wish.

While the form is HIPAA-compliant as published, healthcare providers that customize it must ensure that any changes still comply with HIPAA Rules. Healthcare providers are advised to read 45 CFR 164.524(c)(3) to ensure the form stays compliant.

Internal policies can be developed by HIPAA-covered entities, but AHIMA stresses those policies must be in line with HIPAA guidance and should not serve as a barrier to health data access. HIPAA Rules allow covered entities to charge patients fees for providing copies of their health data. AHIMA recommends providers consult OCR guidance on fees as well as state laws to ensure compliance.

The post Model HIPAA-Compliant PHI Access Request Form Released by AHIMA appeared first on HIPAA Journal.

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant?

The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules.

G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users.

G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.

The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) prior to the service being used with any PHI. Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid users only.

Prior to use of any Google service with PHI, it is essential for a covered entity to review, sign and accept the business associate agreement (BAA) with Google. It should be noted that PHI can only be shared or used via a Google service that is specifically covered by the BAA. The BAA does not cover any third-party apps that are used in conjunction with G Suite. These must be avoided unless a separate BAA is obtained from the provider/developer of that app.

Signing the BAA does not by itself mean a HIPAA-covered entity is clear to use the service with PHI. Google accepts no responsibility for any misconfiguration of G Suite; it is down to the covered entity to make sure the services are configured correctly.

Covered entities should note that Google encrypts all data uploaded to Google Drive, but that encryption applies only to data held on Google's servers. If files are downloaded or synced, copies on local devices fall outside that protection and additional controls will be required to protect them. HIPAA-compliant syncing is beyond the scope of this article, and it is recommended that syncing is turned off.

To avoid a HIPAA violation, covered entities should:

  • Obtain a BAA from Google prior to using G Suite with PHI
  • Configure access controls carefully
  • Use 2-factor authentication for access
  • Use strong passwords
  • Turn off file syncing
  • Set link sharing to off
  • Restrict sharing of files outside the domain (Google offers advice if external access is required)
  • Set the visibility of documents to private
  • Disable third-party apps and add-ons
  • Disable offline storage for Google Drive
  • Disable access to apps and add-ons
  • Audit access and account logs and shared file reports regularly
  • Configure ‘manage alerts’ to ensure the administrator is notified of any changes to settings
  • Back up all data uploaded to Google Drive
  • Ensure staff are trained on the use of Google Drive and other G Suite apps
  • Never put PHI in the titles of files
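The periodic audit of shared file reports in the checklist above can be partly automated. The script below is an added example, not Google's code or part of the original post; it runs over a constructed, simplified representation of a shared-file report (not the real Google Workspace report schema) and flags files whose visibility is not private, files shared outside an assumed organisation domain, and titles that appear to contain PHI according to simple illustrative patterns.

```python
import re

# Constructed sample rows standing in for a Drive shared-file report. This is a
# simplified illustrative layout, not the actual Google Workspace report format.
SAMPLE_REPORT = [
    {"title": "Q3 staffing rota", "owner": "hr@clinic.example",
     "visibility": "private", "shared_with": []},
    {"title": "discharge summary - John Doe MRN 4421987", "owner": "nurse@clinic.example",
     "visibility": "private", "shared_with": ["dr.smith@clinic.example"]},
    {"title": "lab results batch 12", "owner": "lab@clinic.example",
     "visibility": "anyone_with_link", "shared_with": []},
    {"title": "referral letters", "owner": "admin@clinic.example",
     "visibility": "private", "shared_with": ["billing@vendor.example"]},
]

ORG_DOMAIN = "clinic.example"  # assumed organisation domain (hypothetical)

# Illustrative heuristics for PHI in file titles; real deployments would tune these.
PHI_TITLE_PATTERNS = [
    re.compile(r"\bMRN\s*\d+", re.IGNORECASE),   # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),         # SSN-like number
    re.compile(r"\bDOB\b", re.IGNORECASE),        # date of birth marker
]


def audit_shared_files(rows, org_domain=ORG_DOMAIN):
    """Return (title, finding) pairs for rows that breach the checklist items."""
    findings = []
    for row in rows:
        title = row["title"]
        # Checklist: link sharing off, document visibility private.
        if row["visibility"] != "private":
            findings.append((title, f"visibility is {row['visibility']}; link sharing should be off"))
        # Checklist: restrict sharing of files outside the domain.
        external = [u for u in row["shared_with"]
                    if not u.lower().endswith("@" + org_domain.lower())]
        if external:
            findings.append((title, "shared outside the domain with " + ", ".join(external)))
        # Checklist: never put PHI in the titles of files.
        if any(p.search(title) for p in PHI_TITLE_PATTERNS):
            findings.append((title, "title appears to contain PHI"))
    return findings


if __name__ == "__main__":
    for title, finding in audit_shared_files(SAMPLE_REPORT):
        print(f"{title!r}: {finding}")
```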

To help HIPAA-covered entities use G Suite and Google Drive correctly, Google has released a Guide for HIPAA Compliance with G Suite to assist with implementation.

The post Is Google Drive HIPAA Compliant? appeared first on HIPAA Journal.