HIPAA Compliance News

NY AG Fines Medical Management Company $550,000 for Patch Management Failures

Posted by HIPAA Journal

A medical management company has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that exposed the personal and protected health information of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp, had its systems hacked in November 2020. The threat actor exfiltrated sensitive data from its systems and then deployed ransomware to encrypt files. As proof of data theft and to pressure Practicefirst into paying the ransom, files were uploaded to the threat actor’s dark web data leak site. The leaked data included screenshots of 13 patients’ protected health information. Practicefirst’s investigation confirmed the threat actor exfiltrated approximately 79,000 files from its systems, which contained names, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

The investigation conducted by the Office of the New York Attorney General determined that the hacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall provider released an updated version of the firewall software in January 2019, but Practicefirst failed to apply the update. Practicefirst did not conduct penetration tests or vulnerability scans, or perform other security tests that would have highlighted the vulnerability before it was exploited.  The protected health information stored on its systems was also not encrypted. The New York Attorney General determined that these failures violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

Practicefirst agreed to settle the alleged violations of HIPAA and state law. In addition to the financial penalty, Practicefirst has agreed to strengthen its data security practices and will offer affected individuals complimentary credit monitoring services. The data security measures agreed upon as part of the settlement include the development, implementation, and maintenance of a comprehensive information security program, encryption for health information stored on its systems, implementation of a patch management system with timely patching of vulnerabilities, regular vulnerability scans and penetration tests, and updates to its data collection, retention, and disposal practices.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.

The post NY AG Fines Medical Management Company $550,000 for Patch Management Failures appeared first on HIPAA Journal.

April 2023 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – The third largest breach to be reported by a single HIPAA-covered entity so far this year, and the 19th largest breach to be reported by a single HIPAA-regulated entity to date.  The breach occurred at the HIPAA business associate, NationsBenefits Holdings, and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution.  8 of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

Name of Covered Entity State Covered Entity Type Individuals Affected Location of Breached Information Breach Cause
NationsBenefits Holdings, LLC FL Business Associate 3,037,303 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 462,241 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 199,000 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 180,694 Network Server, Other Hacking and extortion (Fortra GoAnywhere MFT)
California Physicians’ Services d/b/a Blue Shield of California CA Business Associate 61,790 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
MiniMed Distribution Corp. CA Healthcare Provider 58,374 Network Server Unauthorized disclosure of PHI to Google and other third parties (Tracking code)
Brightline, Inc. CA Business Associate 49,968 Network Server, Other Hacking and extortion (Fortra GoAnywhere MFT)
United Steelworkers Local 286 PA Health Plan 37,965 Email Hacked email account
Retina & Vitreous of Texas, PLLC TX Healthcare Provider 35,766 Network Server Hacking incident
Brightline, Inc. CA Business Associate 31,440 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 21,830 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) IA Health Plan 20,815 Network Server Hacking incident at business associate (Independent Living Systems)_
Lake County Health Department and Community Health Center IL Healthcare Provider 17,000 Email Hacked email account
Southwest Healthcare Services ND Healthcare Provider 15,996 Network Server Hacking incident (data theft confirmed)
La Clínica de La Raza, Inc. CA Healthcare Provider 15,316 Email Hacked email accounts
St. Luke’s Health System, Ltd. ID Healthcare Provider 15,246 Paper/Films Mailing error
Two Rivers Public Health Department NE Healthcare Provider 15,168 Email Hacked email account
Robeson Health Care Corporation NC Healthcare Provider 15,045 Network Server Malware infection
Northeast Behavioral Health Care Consortium PA Health Plan 13,240 Email Hacked email account (Phishing)
Centers for Medicare & Medicaid Services MD Health Plan 10,011 Paper/Films Mailing error at business associate (Palmetto GBA)
Modern Cardiology Associates PR Healthcare Provider 10,000 Network Server Hacking incident

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted by there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the attacks conducted by the Clop ransomware group which exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously conducted attacks using ransomware, but this year has been primarily conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined.  As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by hipaa-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico, with California the worst affected state with 16 breaches, 9 of which were the same incident that was reported separately for each client by Brightline Inc., which is why the breach count was so high for California this month.

State Breaches
California 16
Florida 4
New York & Pennsylvania 3
Illinois, Kentucky, Ohio, & Texas 2
Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico 1

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.

The post April 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Will a HIPAA Violation Show Up on a Background Check?

Posted by HIPAA Journal

Whether or not a HIPAA violation will show up on a background check depends on the nature of the violation, the consequences of the violation, and the motive for the violation. While it is currently rare for a HIPAA violation to show up on a background check, this may change due to a proposed update to the Privacy Rule.

There are many different types of HIPAA violations. Some have minimal impact and no long-lasting consequences – i.e., an accidental disclosure of PHI that is overheard, but nothing comes of it – whereas others can have a major impact on an organization and serious consequences for individuals affected by the violation – i.e., the deliberate misuse of login credential that exposes a PHI database.

Most employee HIPAA violations are addressed according to a Covered Entity’s sanctions policy. Employees responsible for minor violations will likely be sanctioned with verbal or written warnings and additional HIPAA training. Those responsible for repeated or serious violations could be sanctioned with a suspension or termination of employment, or loss of license to practice.

A suspension, termination, or loss of license would be recorded in an employment record, but would not show up on a background check unless the motive for the HIPAA violation was the knowing and wrongful disclosure of individually identifiable health information without authorization – which is not only a violation of HIPAA, but also a violation of §1177 of the Social Security Act.

When a HIPAA Violation Will Show Up on a Background Check

When a HIPAA violation is also a violation of the Social Security Act, an employer is required to report the violation to a law enforcement agency as well as HHS’ Office for Civil Rights. The case will be referred to the Department of Justice, who will pursue a criminal conviction for the violation. If successful, the penalties for criminally violating HIPAA are:

  • For wrongfully and knowingly violating §1177 of the Social Security Act – a fine of up to $50,000 and/or a prison sentence of up to one year.
  • If the offence is committed under false pretenses (i.e., with someone else’s login credentials) – a fine of up to $100,000 and/or a prison sentence of up to five years.
  • If the offence is committed for personal gain, malicious harm, or a commercial advantage – a fine of up to $250,000 and/or a prison sentence of up to ten years.

Regardless of the sentence imposed, the HIPAA violation, the consequences of the HIPAA violation, and the penalty for the HIPAA violation will become public record and will show up on a background check. This will undoubtedly prevent a person obtaining employment in a healthcare role, and likely prevent employment in any other position in which the person will have access to sensitive data.

The Proposed Update to the Privacy Rule

In April 2023, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking in the Federal Register. The Notice is in response to the Supreme Court’s decision in Dobbs v. Jackson Women`s Health Organization, which led to many states introducing anti-abortion legislation and women having to cross state lines to have terminations in states where abortions are still legal.

State with anti-abortion legislation cannot prevent women crossing state lines to have a termination, but some have introduced further legislation criminalizing the act of assisting with or facilitating a termination procedure. Because this could lead to the disclosure of PHI to pursue a criminal conviction relating to a medical procedure that was legal in the state it was administered, HHS` Office for Civil Rights is proposing an update to the Privacy Rule.

The update would add a new category of uses and disclosures (“attestation”) to those that already exist (“required”, “permitted”, “opportunity to agree”, and “authorized”). Thereafter, certain types of PHI considered more sensitive than other types could only be used or disclosed if the recipient attests the PHI will not be further used or disclosed for a prohibited purpose (in this case to pursue a criminal conviction relating to a legal procedure).

If finalized, the new category would not only apply to PHI relating to terminations, but to all reproductive healthcare – including contraception, fertility treatment, and miscarriages. The category could also be used to align the Privacy Rule more closely with 42 CFR Part 2 (the confidentiality of substance use disorder medical records), and protect other types of sensitive data from misuse or disclosures that contradict Health and Human Services’ messaging.

How the Update Could Increase §1177 Violations

The reason the update could increase §1177 violations is that, if a person to whom sensitive PHI is disclosed under an attestation subsequently uses or discloses the PHI for a prohibited purpose, they will be considered to have knowingly and wrongfully disclosed individually identifiable health information without authorization.

Importantly, not only will the person who gave a false attestation be guilty of a §1177 violation, but the Covered Entity (or employee of a Covered Entity) who disclosed the information may also be guilty of a §1177 violation if they knew – or should have known – that sensitive PHI was going to be used or disclosed for a prohibited purpose.

If an employee of a Covered Entity is found guilty of a §1177 violation, this will also be a HIPAA violation that will show up on a background check. Therefore – if the proposed update to the Privacy Rule is finalized – not only should Covered Entities make sure policies and procedures reflect the new category of uses and disclosures, but also that all members of the workforce are trained on the updated policies and procedures to prevent avoidable violations of HIPAA.

The post Will a HIPAA Violation Show Up on a Background Check? appeared first on HIPAA Journal.

EyeMed Vision Care Settles Multistate Data Breach Investigation for $2.5 Million

Posted by HIPAA Journal

In June 2020, the Luxottica Group PIVA-owned vision insurance company, EyeMed Vision Care, experienced a data breach involving the protected health information (PHI) of 2.1 million patients. An unauthorized individual gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. The unauthorized third party then used the email account to distribute around 2,000 phishing emails.

State attorneys general have the authority to investigate data breaches and can fine organizations for HIPAA violations. A multi-state investigation was launched by state attorneys general in Oregon, New Jersey, and Florida into the EyeMed data breach, and Pennsylvania later joined the multistate action. The state attorneys general sought to establish whether the data breach was preventable and if it was the result of a failure to comply with the HIPAA Security Rule and state data protection laws.

The investigation identified data security failures that violated HIPAA and state laws. Under HIPAA and state data protection laws, entities that collect, maintain, or handle sensitive personal and medical information are required to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of that information, yet those safeguards were found to be lacking at EyeMed. The investigation revealed a failure to ensure all individuals with access to protected health information had a unique login and password. Several EyeMed employees were found to be sharing a single password for an email account that was used to communicate sensitive information, including PHI related to vision benefits enrollment and coverage.

Under the terms of the settlement, EyeMed agreed to pay a financial penalty of $2.5 million which will be shared between Oregon, New Jersey, Florida, and Pennsylvania. The settlement also requires EyeMed to ensure compliance with state consumer protection acts, state personal information protection acts, and HIPAA law, and ensure EyeMed does not misrepresent the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information.

The data security requirements of the settlement include the development, implementation, and maintenance of a written information security program; maintenance of reasonable policies and procedures governing the collection, use, and retention of patient information; and maintenance of appropriate controls to manage access to all accounts that receive and transmit sensitive information. ”New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said Attorney General Platkin, who co-led the investigation. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”

The Office of the New York Attorney General also investigated EyeMed over the data breach and entered into a separate settlement agreement last year, which required EyeMed to pay a $600,000 penalty. In October 2022, a $4.5 million settlement was agreed between EyeMed and the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS (Part 500) cybersecurity regulations. The security failures included not limiting employee access privileges to email accounts for 9 employees, a partial rollout of multifactor authentication, risk assessment failures, the lack of a sufficient data minimization strategy, and inaccurate submissions of compliance with Part 500 for four years. The settlements with NYDFS and the New York Attorney General also had data security requirements, including the implementation and maintenance of a comprehensive information security program, encryption of data, multi-factor authentication for all administrative and remote access accounts, and penetration testing.

HIPAA compliance investigations by state attorneys general are independent of the HHS’ Office for Civil Rights (OCR), which may also choose to impose civil monetary penalties for HIPAA violations. No penalty has been announced by OCR as of May 2023 and the incident is marked as closed on the OCR breach portal.

The post EyeMed Vision Care Settles Multistate Data Breach Investigation for $2.5 Million appeared first on HIPAA Journal.

OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has agreed to settle a HIPAA investigation of an Arkansas business associate that impermissibly disclosed the electronic protected health information (ePHI) of more than 230,000 individuals after failing to secure a File Transfer Protocol (FTP) server. MedEvolve, Inc. is a Little Rock, AR-based HIPAA business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. The nature of MedEvolve’s business means it has access to ePHI from its HIPAA-regulated entity clients. Under HIPAA, MedEvolve is required to ensure that information is safeguarded at all times.

In July 2018, MedEvolve informed OCR that an error had been made configuring an FTP server. MedEvolve’s investigation revealed the server contained the ePHI of 230,572 individuals, which could be freely accessed over the Internet without authentication. The breach affected two HIPAA-regulated entities: Premier Immediate Medical Care, LLC (204,607 individuals) and Dr. Beverly Held (25,965 individuals). The exposed information included names, billing addresses, telephone numbers, health insurer information, doctor’s office account numbers, and, for some individuals, Social Security numbers.

OCR launched an investigation and identified three potential violations of the HIPAA Rules: An impermissible disclosure of the ePHI of 230,572 individuals – 45 C.F.R. § 164.502(a); a failure to enter into a business associate agreement with a subcontractor – 45 C.F.R. § 164.502(e)(1)(ii); and an insufficiently thorough and accurate assessment of potential risks to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).

MedEvolve chose to settle the case with no admission of liability or wrongdoing and paid a financial penalty of $350,000. The settlement also includes a corrective action plan that requires MEdEvolve to conduct accurate and thorough risk assessments, implement risk management plans to address identified risks, develop, implement, and maintain policies and procedures to comply with the HIPAA Privacy and Security Rules, and improve its workforce HIPAA and security training program.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the Internet.”

This is the fourth HIPAA penalty to be imposed by OCR this year and follows a $15,000 settlement with  David Mente, MA, LPC, and a $16,500 settlement with Life Hope Labs, LLC, to resolve HIPAA Right of Access violations, and a $1,250,000 settlement with Banner Health to resolve multiple HIPAA Security Rule violations.

The post OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI appeared first on HIPAA Journal.

OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has agreed to settle a HIPAA investigation of an Arkansas business associate that impermissibly disclosed the electronic protected health information (ePHI) of more than 230,000 individuals after failing to secure a File Transfer Protocol (FTP) server. MedEvolve, Inc. is a Little Rock, AR-based HIPAA business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. The nature of MedEvolve’s business means it has access to ePHI from its HIPAA-regulated entity clients. Under HIPAA, MedEvolve is required to ensure that information is safeguarded at all times.

In July 2018, MedEvolve informed OCR that an error had been made configuring an FTP server. MedEvolve’s investigation revealed the server contained the ePHI of 230,572 individuals, which could be freely accessed over the Internet without authentication. The breach affected two HIPAA-regulated entities: Premier Immediate Medical Care, LLC (204,607 individuals) and Dr. Beverly Held (25,965 individuals). The exposed information included names, billing addresses, telephone numbers, health insurer information, doctor’s office account numbers, and, for some individuals, Social Security numbers.

OCR launched an investigation and identified three potential violations of the HIPAA Rules: An impermissible disclosure of the ePHI of 230,572 individuals – 45 C.F.R. § 164.502(a); a failure to enter into a business associate agreement with a subcontractor – 45 C.F.R. § 164.502(e)(1)(ii); and an insufficiently thorough and accurate assessment of potential risks to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).

MedEvolve chose to settle the case with no admission of liability or wrongdoing and paid a financial penalty of $350,000. The settlement also includes a corrective action plan that requires MEdEvolve to conduct accurate and thorough risk assessments, implement risk management plans to address identified risks, develop, implement, and maintain policies and procedures to comply with the HIPAA Privacy and Security Rules, and improve its workforce HIPAA and security training program.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the Internet.”

This is the fourth HIPAA penalty to be imposed by OCR this year and follows a $15,000 settlement with  David Mente, MA, LPC, and a $16,500 settlement with Life Hope Labs, LLC, to resolve HIPAA Right of Access violations, and a $1,250,000 settlement with Banner Health to resolve multiple HIPAA Security Rule violations.

The post OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI appeared first on HIPAA Journal.

What is Considered PHI Under HIPAA?

Posted by HIPAA Journal

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA? PHI is defined as different things by different sources. Some define PHI as patient health data (it isn´t), as the 18 HIPAA identifiers (it´s not those either), or as a phrase coined by the HIPAA Act of 1996 to describe identifiable information in medical records (close – except the term Protected Health Information was not used in relation to HIPAA until 1999).

What is Really Considered PHI Under HIPAA Rules?

To best explain what is really considered PHI under HIPAA compliance rules, it is necessary to review the definitions section of the Administrative Simplification Regulations (§160.103) starting with health information. According to this section, health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

“Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

From here, we need to progress to the definition of individually identifiable health information which states “individually identifiable health information […] is a subset of health information, including demographic information collected from an individual [that] is created or received by a health care provider, health plan, employer, or health care clearinghouse […] and that identifies the individual or […] can be used to identify the individual.”

Finally, we move onto the definition of protected health information, which states “protected health information means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”.

More about what is Considered PHI under HIPAA

To simplify a definition of what is considered PHI under HIPAA: health information is any information relating a patient´s condition, the past, present, or future provision of healthcare, or payment thereof. It becomes individually identifiable health information when identifiers are included in the same record set, and it becomes protected when it is transmitted or maintained in any form (by a covered entity).

Generally, HIPAA covered entities are limited to health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards can be found in Subparts I to S of the HIPAA Administrative Data Standards. Therefore:

  • “A broken leg” is health information.
  • “Mr. Jones has a broken leg” is individually identifiable health information.
  • If a covered entity records “Mr. Jones has a broken leg” the health information is protected.

Where do Business Associates Enter the Equation?

As well as covered entities having to understand what is considered PHI under HIPAA, it is also important that business associates are aware of how PHI is defined. This is because any individually identifiable health information created, received, maintained, or transmitted by a business associate in the provision of a service for or on behalf of a covered entity is also protected.

Business associates are required to comply with the Security and Breach Notification Rules when providing a service to or on behalf of a covered entity. However, depending on the nature of service being provided, business associates may also need to comply with parts of the Administrative Requirements and the Privacy Rule depending on the content of the Business Associate Agreement.

When is PHI not PHI?

There is a common misconception that all health information is considered PHI under HIPAA, but this is not the case.

First, it depends on whether an identifier is included in the same record set. Under HIPAA, PHI ceases to be PHI if it is stripped of all identifiers that can tie the information to an individual. If identifiers are removed, the health information is referred to as de-identified PHI. HIPAA does not apply to de-identified PHI, and the information can be used or disclosed without violating any HIPAA Rules.

Health information is also not PHI when it is created, received, maintained, or transmitted by an entity not subject to the HIPAA Rules. For example, even though schools and colleges may have medical facilities, health information relating to students is covered by the Family Educational Rights and Privacy Act (FERPA) which classifies students´ health information as part of their educational records.

Health information maintained by employers as part of an employee´s employment record is not considered PHI under HIPAA. However, employers that administer a self-funded health plan do have to meet certain requirements with regards to keeping employment records separate from health plan records in order to avoid impermissible disclosures of PHI.

It is important to be aware that exceptions to these examples exist. One of the most complicated examples relates to developers, vendors, and service providers for personal health devices that create, collect, maintain, or transmit health information. Entities related to personal health devices are not covered entities or business associates under HIPAA unless they are contracted to provide a service for or on behalf of a covered entity or business associate.

However, entities related to personal health devices are required to comply with the Breach Notification Rule under Section 5 of the Federal Trade Commission Act if a breach of unsecured PHI occurs. This means that, although entities related to personal health devices do not have to comply with the Privacy and Security Rules, it is necessary for these entities to know what is considered PHI under HIPAA in order to comply with the Breach Notification Rule.

The complexity of determining if information is considered PHI under HIPAA implies that both medical and non-medical workforce members should receive HIPAA training on the definition of PHI. It is also important for all members of the workforce to know which standards apply when state laws offer greater protections to PHI or have more individual rights than HIPAA, as these laws will preempt HIPAA.

What is Considered PHI Under HIPAA FAQs

What are the 18 HIPAA Identifiers?

The 18 HIPAA identifiers are the identifiers that must be removed from a record set before any remaining health information is considered to be de-identified under the “safe harbor” method of de-identification (see §164.514). However, due to the age of the list, it is no longer a reliable guide. Since the list was first published in 1999, there are now many more ways to identify an individual,

Importantly, if a Covered Entity removes all the listed identifiers from a designated record set, the subject of the health information might be able to be identified through other identifiers not included on the list – for example, social media aliases, LBGTQ statuses, details about an emotional support animal, etc. Therefore, Covered Entities should ensure no further identifiers remain in a record set before disclosing health information to a third party (i.e., to researchers).

Also, because the list of 18 HIPAA identifiers is more than two decades out of date, the list should not be used to explain what is considered PHI under HIPAA – notwithstanding that any of these identifiers maintained separately from individually identifiable health information are not PHI in most circumstances and do not assume the Privacy Rule protections.

What is PHI under HIPAA?

PHI under HIPAA is individually identifiable health information that is collected or maintained by an organization that qualifies as a HIPAA Covered Entity or Business Associate. Additionally, any information maintained in the same designated record set that identifies – or could be used with other information to identify – the subject of the health information is also PHI under HIPAA.

What does PHI include?

PHI includes information about an individual´s physical or mental health condition, the treatment of that condition, or the payment for the treatment. Additionally, PHI includes any information maintained in the same record set that identifies – or that could be used to identify – the subject of the health, treatment, or payment information.

What are examples of PHI?

Examples of PHI include test results, x-rays, scans, physician’s notes, diagnoses, treatments, eligibility approvals, claims, and remittances. When combined with this information, PHI also includes names, phone numbers, email addresses, Medicare Beneficiary Numbers, biometric identifiers, emotional support animals, and any other identifying information.

Which format of PHI records is covered by HIPAA?

All formats of PHI records are covered by HIPAA. These include (but are not limited to) spoken PHI, PHI written on paper, electronic PHI, and physical or digital images that could identify the subject of health information. It is important to remember that PHI records are only covered by HIPAA when they are in the possession of a covered entity or business associate.

What is the difference between PHI and ePHI?

The different between PHI and ePHI is that ePHI refers to Protected Health Information that is created, used, shared, or stored electronically – for example on an Electronic Health Record, in the content of an email, or in a cloud database. Both PHI and ePHI are subject to the same protections under the HIPAA Privacy Rule, while the HIPAA Security Rule mostly relates to ePHI.

Does the Privacy Rule apply to both paper and electronic health information?

The Privacy Rule applies to both paper and electronic health information despite the language used in the original Health Insurance Portability and Accountability Act leading to a misconception that HIPAA only applies to electronic health records. While the protection of electronic health records was addressed in the HIPAA Security Rule, the Privacy Rule applies to all types of health information regardless of whether it is stored on paper or electronically, or communicated orally.

If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, is that PHI?

If an individual calls a dental surgery to make an appointment and leaves their name and telephone number, the name and telephone number are not PHI at that time because there is no health information associated with them. Only once the individual undergoes treatment, and their name and telephone number are added to the treatment record, does that information become Protected Health Information.

How can future health information about medical conditions be considered “protected”?

Future health information about medical conditions can be considered protected if it includes prognoses, treatment plans, and rehabilitation plans that – if altered, deleted, or accessed without authorization – could have significant implications for a patient. For this reason, future health information must be protected in the same way as past or present health information.

Does the Privacy Rule apply when medical professionals are discussing a patient´s healthcare?

The Privacy Rule does apply when medical professionals are discussing a patient’s healthcare because, although PHI can be shared without authorization for the provision of treatment, when medical professionals discuss a patient´s healthcare, it must be done in private (i.e. not within earshot of the general public) and the Minimum Necessary Standard applies – the rule that limits the sharing of PHI to the minimum necessary to accomplish the intended purpose.

If a medical professional discusses a patient´s treatment with the patient´s employer, is that information protected?

If a medical professional discusses a patient’s treatment with the patient’s employer whether or not the information is protected depends on the circumstances. Usually, a patient will have to give their consent for a medical professional to discuss their treatment with an employer unless the discussion concerns payment for treatment or the employer is acting as an intermediary between the patient and a health plan.

However, disclosures of PHI to employers are permitted under the Privacy Rule if the information being discussed relates to a workplace injury or illness. In such circumstances, a medical professional is permitted to disclose the information required by the employer to fulfil state or OSHA reporting requirements. In these circumstances, medical professionals can discuss a patient’s treatment with the patient’s employer without an authorization.

Is an email PHI?

Whether or not an email is PHI depends on who the email is sent by, what the email contains, and where it is stored. To be PHI, an email has to be sent by a Covered Entity or Business Associate, contain individually identifiable health information, and be stored by a Covered Entity or Business Associate in a designated record set with an identifier (if the email does not already include one).

What is PHI is healthcare?

PHI in healthcare stands for Protected Health Information – information protected by the HIPAA Privacy Rule to ensure it remains private. PHI in healthcare can only be used or disclosed for permitted purposes without a patient´s authorization, and patients have the right to complain to HHS’ Office for Civil Rights if they believe a healthcare provider is failing to protect the privacy of their PHI.

What are HIPAA identifiers?

HIPAA identifiers are pieces of information that can be used – either separately or with other pieces of information – to identify an individual whose health information is protected by the HIPAA Privacy Rule. Several sources confuse HIPAA identifiers with PHI, but it is important to be aware identifiers not maintained with an individual´s health information do not have the same protection as PHI.

What qualifies as PHI?

What qualifies as PHI is individually identifiable health information and any identifying non-health information stored in the same designated record set. Please note that a Covered Entity can maintain multiple designated record sets about the same individual and that a designated record set can consist of a single item (i.e., a picture of a baby on a pediatrician’s baby wall qualifies as PHI).

Is a medical record number PHI?

A medical record number is PHI is it can identify the individual in receipt of medical treatment. However, a seemingly random alpha-numeric code by itself (which medical record numbers often are) does not necessarily identify an individual if the code is not proceeded with “medical record number”, or accompanied by a name or any other information that could be used to identify the individual.

What does PHI include?

PHI includes individually identifiable health information maintained by a Covered Entity or Business Associate that relates to an individual’s past, present, or future physical or mental health condition, treatment for the condition, or payment for the treatment. It can also include any non-health information that could be used to identify the subject of the PHI.

Is a person’s gender PHI?

A person’s gender is PHI if it is maintained in the same designated record set as individually identifiable health information by a HIPAA Covered Entity or Business Associate as it could be used with other information to identify the subject of the individually identifiable health information. However, if a person’s gender is maintained in a data set that does not include individually identifiable health information (i.e., a transportation directory), it is not PHI.

Is a patient’s name alone considered PHI?

A patient’s name alone is not considered PHI. Only when a patient’s name is included in a designated record set with individually identifiable health information by a Covered Entity or Business Associate is it considered PHI under HIPAA.

Under the Privacy Rule which information should be considered PHI?

Under the Privacy Rule, the information that should be considered PHI relates to any identifiers that can be used to identify the subject of individually identifiable health information. However, where several sources mistake what is considered PHI under HIPAA is by ignoring the definitions of PHI in the General Provisions at the start of the Administrative Simplification Regulations (45 CFR Part 160).

Is there a list of PHI identifiers?

There is no list of PHI identifiers in HIPAA – only an out-of-date list of identifiers that have to be removed from a designated record set under the safe harbor method before any PHI remaining in the designated record set is deidentified. Because the list is so out-of-date and excludes many ways in which individuals can now be identified, Covered Entities and Business Associates are advised to have a full understanding of what is considered PHI under HIPAA before developing staff policies.

Is a phone number PHI?

A phone number is PHI if it is maintained in a designated record set by a HIPAA Covered Entity or Business Associate because it could be used to identify the subject of any individually identifiable health information maintained in the same record set. However, if a phone number is maintained in a database that does not include individually identifiable health information, it is not PHI.

The post What is Considered PHI Under HIPAA? appeared first on HIPAA Journal.

HIPAA Continuity of Care

Posted by HIPAA Journal

Under HIPAA, continuity of care is not always as straightforward as it could be due to seemingly contradictory guidance issued by HHS’ Office of Civil Rights. Whereas the Privacy Rule would appear to allow disclosures of PHI for continuity of care and care coordination, the HHS’ guidance states disclosures of PHI between Covered Entities must be kept to the minimum necessary amount.  

The term “continuity of care” has various definitions. Some definitions imply care is continuous within the same healthcare organization (or Organized Health Care Arrangement), while others extend the definition to multiple healthcare settings. An example of this is a patient’s journey from a physician’s office to a hospital, then to a care home, then to a home health service.

With regards to HIPAA and continuity of care in a single healthcare setting – or within an Organized Health Care Arrangement – the Privacy Rule allows disclosures of Protected Health Information (PHI) for healthcare operations without patient consent or authorization. One of the permissible disclosures of PHI in this category is for “case management and care coordination”.

However, when continuity of care involves multiple providers in a linear process, some transfers of information can be incomplete due to the complicated language of the Privacy Rule and seemingly conflicting guidance issued by HHS’ Office for Civil Rights in 2019 with regard to HIPAA care coordination and HIPAA continuity of care.

Continuation of Care, HIPAA, and What the Privacy Rule Says

In the context of continuation of care, HIPAA §164.506(c)(4) states a Covered Entity may disclose PHI to another Covered Entity for health care operations if either Covered Entity has or had a relationship with the individual who is the subject of the PHI being disclosed, if the PHI being disclosed pertains to such relationship, and if it is for a purpose allowed by the definition of health care operations.

The Privacy Rule (HIPAA §164.502(b)(2)) also states the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment. Therefore, in the example given above of a patient’s journey from a physician’s office to a home health service, there should be no problem with the home health service obtaining PHI from the physician to provide treatment.

However, in guidance issued by HHS’ Office for Civil Rights, several examples are given in which it is permissible to transfer PHI between Covered Entities to support care coordination and continuity of care under HIPAA. However, the HHS guidance concludes with a reminder that “although such disclosures are permitted, they are subject to the minimum necessary standard”.

Office for Civil Rights Guidance for HIPAA Coordination of Care

The conclusion to the guidance can appear to contradict the Privacy Rule – particularly the clause stating the minimum necessary standard does not apply to disclosures for treatment. However, when the examples in the guidance are more closely examined, they relate to disclosures of PHI between health plans – rather than healthcare providers – which are not for treatment purposes.

Nonetheless, because the term Covered Entity is used in the guidance, some providers have applied the guidance to their healthcare operations and only provide the minimum necessary PHI to the next provider “up the continuity line”.  Provider B then has an incomplete medical history to transfer to Provider C, who also limits disclosures to the minimum necessary when handing off to Provider D.

Provider D (in our example, the home health service) can acquire the PHI they need from Provider A (the physician) to ensure continuity of care under HIPAA; but, because Provider A believes they have to obtain an authorization from the patient before disclosing more than the minimum necessary PHI, there is an avoidable delay in Provider D receiving potentially vital healthcare data – which can impact patient care.

Proposed Changes to Clarify HIPAA Care Coordination Rules

To clarify the position between HIPAA and care coordination, several Rule changes have been proposed. The proposed changes – if finalized – will not only impact HIPAA compliance, but other federal Rules that govern uses and disclosures of PHI (i.e., 42 CFR Part 2). The key Notices of Proposed Rule Making (NPRMs) that will clarify the care coordination HIPAA rules are:

The Office of Civil Rights’ Proposed Modifications to the Privacy Rule

This NPRM published in January 2021 proposes multiple HIPAA updates to “support, and remove barriers to, coordinated care and individual engagement”. Among the proposed changes to the Privacy Rule:

  • Disclosures of PHI will be permitted without the need to obtain consent or authorization to help individuals with a substance use disorder in emergency circumstances.
  • Disclosures of PHI for continuity of care and individual-level care coordination will be specifically permitted to avoid misunderstanding about when consent is required.
  • An exception to the Minimum Necessary Standard will be created for disclosures of PHI relating to individual-level HIPAA care coordination and case management.

Update to CMS Interoperability and Patient Access Final Rule

In 2020, the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. As the title suggests, the Rule has the primary objectives of improving interoperability between Medicare Covered Entities and enabling better patient access to PHI. Among other measures, a proposed update to the Rule published in December 2022 seeks stakeholder comments on how best to enable data exchanges via a Trusted Exchange Framework.

Closer Alignment of 42 CFR Part 2 and  the HIPAA Privacy Rule

Also at the end of 2022, the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly published an NPRM that more closely aligns the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) with the uses and disclosures of PHI permitted by the HIPAA Privacy Rule. If finalized in its current format, the NPRM will better support compliance with HIPAA and care coordination for SUD and mental health patients.

The post HIPAA Continuity of Care appeared first on HIPAA Journal.

HIPAA Continuity of Care

Posted by HIPAA Journal

Under HIPAA, continuity of care is not always as straightforward as it could be due to seemingly contradictory guidance issued by HHS’ Office of Civil Rights. Whereas the Privacy Rule would appear to allow disclosures of PHI for continuity of care and care coordination, the HHS’ guidance states disclosures of PHI between Covered Entities must be kept to the minimum necessary amount.  

The term “continuity of care” has various definitions. Some definitions imply care is continuous within the same healthcare organization (or Organized Health Care Arrangement), while others extend the definition to multiple healthcare settings. An example of this is a patient’s journey from a physician’s office to a hospital, then to a care home, then to a home health service.

With regards to HIPAA and continuity of care in a single healthcare setting – or within an Organized Health Care Arrangement – the Privacy Rule allows disclosures of Protected Health Information (PHI) for healthcare operations without patient consent or authorization. One of the permissible disclosures of PHI in this category is for “case management and care coordination”.

However, when continuity of care involves multiple providers in a linear process, some transfers of information can be incomplete due to the complicated language of the Privacy Rule and seemingly conflicting guidance issued by HHS’ Office for Civil Rights in 2019 with regard to HIPAA care coordination and HIPAA continuity of care.

Continuation of Care, HIPAA, and What the Privacy Rule Says

In the context of continuation of care, HIPAA §164.506(c)(4) states a Covered Entity may disclose PHI to another Covered Entity for health care operations if either Covered Entity has or had a relationship with the individual who is the subject of the PHI being disclosed, if the PHI being disclosed pertains to such relationship, and if it is for a purpose allowed by the definition of health care operations.

The Privacy Rule (HIPAA §164.502(b)(2)) also states the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment. Therefore, in the example given above of a patient’s journey from a physician’s office to a home health service, there should be no problem with the home health service obtaining PHI from the physician to provide treatment.

However, in guidance issued by HHS’ Office for Civil Rights, several examples are given in which it is permissible to transfer PHI between Covered Entities to support care coordination and continuity of care under HIPAA. However, the HHS guidance concludes with a reminder that “although such disclosures are permitted, they are subject to the minimum necessary standard”.

Office for Civil Rights Guidance for HIPAA Coordination of Care

The conclusion to the guidance can appear to contradict the Privacy Rule – particularly the clause stating the minimum necessary standard does not apply to disclosures for treatment. However, when the examples in the guidance are more closely examined, they relate to disclosures of PHI between health plans – rather than healthcare providers – which are not for treatment purposes.

Nonetheless, because the term Covered Entity is used in the guidance, some providers have applied the guidance to their healthcare operations and only provide the minimum necessary PHI to the next provider “up the continuity line”.  Provider B then has an incomplete medical history to transfer to Provider C, who also limits disclosures to the minimum necessary when handing off to Provider D.

Provider D (in our example, the home health service) can acquire the PHI they need from Provider A (the physician) to ensure continuity of care under HIPAA; but, because Provider A believes they have to obtain an authorization from the patient before disclosing more than the minimum necessary PHI, there is an avoidable delay in Provider D receiving potentially vital healthcare data – which can impact patient care.

Proposed Changes to Clarify HIPAA Care Coordination Rules

To clarify the position between HIPAA and care coordination, several Rule changes have been proposed. The proposed changes – if finalized – will not only impact HIPAA compliance, but other federal Rules that govern uses and disclosures of PHI (i.e., 42 CFR Part 2). The key Notices of Proposed Rule Making (NPRMs) that will clarify the care coordination HIPAA rules are:

The Office of Civil Rights’ Proposed Modifications to the Privacy Rule

This NPRM published in January 2021 proposes multiple HIPAA updates to “support, and remove barriers to, coordinated care and individual engagement”. Among the proposed changes to the Privacy Rule:

  • Disclosures of PHI will be permitted without the need to obtain consent or authorization to help individuals with a substance use disorder in emergency circumstances.
  • Disclosures of PHI for continuity of care and individual-level care coordination will be specifically permitted to avoid misunderstanding about when consent is required.
  • An exception to the Minimum Necessary Standard will be created for disclosures of PHI relating to individual-level HIPAA care coordination and case management.

Update to CMS Interoperability and Patient Access Final Rule

In 2020, the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. As the title suggests, the Rule has the primary objectives of improving interoperability between Medicare Covered Entities and enabling better patient access to PHI. Among other measures, a proposed update to the Rule published in December 2022 seeks stakeholder comments on how best to enable data exchanges via a Trusted Exchange Framework.

Closer Alignment of 42 CFR Part 2 and  the HIPAA Privacy Rule

Also at the end of 2022, the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly published an NPRM that more closely aligns the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) with the uses and disclosures of PHI permitted by the HIPAA Privacy Rule. If finalized in its current format, the NPRM will better support compliance with HIPAA and care coordination for SUD and mental health patients.

The post HIPAA Continuity of Care appeared first on HIPAA Journal.