HIPAA News for Small and Mid-Sized Practices

What is the Civil Penalty for Knowingly Violating HIPAA?

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules

What is HIPAA?

The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data.

HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties.

As with other federal laws, there are penalties for noncompliance. The financial penalties for HIPAA violations can be severe, especially when HIPAA has been “knowingly” violated – When HIPAA Rules have been consciously violated with intent.

Financial Penalties for Healthcare Organizations Who Knowingly Violating HIPAA

The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA covered entity was aware that HIPAA Rules were violated. The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation up to a maximum of $1.5 million per violation category.

Penalty Structure for HIPAA Violations


Civil penalties will be dictated by the nature and extent of the violation, the number of individual affected, and the harm that has been caused to those individuals.

Healthcare Employees May Have to Pay a Civil Penalty for Knowingly Violating HIPAA

As with healthcare organizations, healthcare employees can also be fined for violating HIPAA Rules. Civil penalties can be issued to any person who is discovered to have violated HIPAA Rules. The Office for Civil Rights can impose a penalty of $100 per violation of HIPAA when an employee was unaware that he/she was violating HIPAA Rules up to a maximum of $25,000 for repeat violations.

In cases of reasonable cause, the fine rises to $1,000 per violation with a maximum of $100,000 for repeat violations, for willful neglect of HIPAA Rules where the violation was corrected the fine is $10,000 and up to $250,000 for repeat violations and willful neglect with no correction carries a penalty of $50,000 per violation and up to $1.5 million for repeat violations.

Criminal Charges for HIPAA Violations

The Office for Civil Rights enforces HIPAA Rules in conjunction with the Department of Justice and will refer cases of possible criminal violations of HIPAA Rules to the DoJ. Directors, officers, and employees may be deemed to be criminally liable for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.

The penalty tiers are based on the extent to which an employee was aware that HIPAA Rules were being violated. At the lowest level, a violation of HIPAA Rules could attract a maximum penalty of $50,000 and/or up to one year imprisonment.

If HIPAA Rules are violated under false pretenses the maximum fine rises to $100,000 and/or up to 5 years imprisonment. The maximum civil penalty for knowingly violating HIPAA Rules is $250,000, such as when healthcare information is stolen with the intent to sell, transfer, or use for personal gain, commercial advantage, or malicious harm. In addition to a fine, the maximum jail term is 10 years.

In addition to the punishment provided, aggravated identity theft carries a prison term of 2 years. When PHI has been stolen and patients have been defrauded, restitution may also need to be paid.

The post What is the Civil Penalty for Knowingly Violating HIPAA? appeared first on HIPAA Journal.

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website.

The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published.

There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also commonplace.

Healthcare Data Breaches by Year

Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records.  That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

Healthcare data breaches 2019-2017

Healthcare Records Exposed by Year

While there has been a general upward trend in the number of records exposed each year, there was a massive improvement in 2017 – the best year since 2012 in terms of the number of records exposed. However, while breaches were smaller in 2017, it was a record breaking year in terms of the number of healthcare data breaches reported – 359 incidents.

Records Exposed in Healthcare data breaches

Average/Median Healthcare Data Breach Size by Year

Average Size of Healthcare Data Breaches


Median Size of Healthcare Data Breaches


Largest Healthcare Data Breaches (2009-2017)

Rank Year Entity Entity Type Records Exposed/Stolen Cause of Breach
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2011 Science Applications International Corporation Business Associate 4900000 Loss
5 2014 Community Health Systems Professional Services Corporation Business Associate 4500000 Theft
6 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
7 2013 Advocate Medical Group Healthcare Provider 4029530 Theft
8 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
9 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
10 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
11 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
12 2014 Xerox State Healthcare, LLC Business Associate 2000000 Unauthorized Access/Disclosure
13 2011 IBM Business Associate 1900000 Unknown
14 2011 GRM Information Management Services Business Associate 1700000 Theft
15 2010 AvMed, Inc. Health Plan 1220000 Theft
16 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
17 2014 Montana Department of Public Health & Human Services Health Plan 1062509 Hacking/IT Incident
18 2011 The Nemours Foundation Healthcare Provider 1055489 Loss
19 2010 BlueCross BlueShield of Tennessee, Inc. Health Plan 1023209 Theft
20 2011 Sutter Medical Foundation Healthcare Provider 943434 Theft

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although healthcare organizations are now much better at detecting breaches when they do occur. The low hacking/IT incidents in the earlier years is likely to be due, in part, to the failure to detected hacking incidents and malware infections quickly. Many of the hacking incidents in 2014-2017 occurred many months, and in come cases years, before they were detected.

Healthcare Data Breaches - Hacking


Records Exposed in Healthcare Data Breaches - Hacking

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are in close second.

Healthcare Data Breaches - unauthorized access/disclosures


records exposed in authorized access/disclosures

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public.

healthcare theft/loss data breaches


records exposed by healthcare theft/loss data breaches

Improper Disposal of PHI/ePHI by Year

healthcare data breaches - improper disposal incidents


records exposed in healthcare improper disposal incidents


Breaches by Entity Type

Year Provider Health Plan Business Associate Other Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 137 20 42 1 200
2012 155 22 36 4 217
2013 199 18 56 5 278
2014 202 71 41 0 314
2015 196 62 11 0 269
2016 257 51 19 0 327
2017 288 52 19 0 359
Total 1582 318 271 10 2181

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe with multi-million-dollar fines possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.

The penalty structure for HIPAA violations is detailed in the infographic below:

Penalty Structure for HIPAA Violations

OCR Settlements and Fines Over the Years

The data for the healthcare data breach statistics on fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2018. As the graph below shows, there has been a steady increase in HIPAA enforcement over the past 9 years.

HIPAA Fines and Settlements 2008-2017


How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, the level of fines has increased substantially. Multi-million-dollar fines for HIPAA violations are now the norm.

HIPAA Fine and Settlement Amounts 2008-2017


average HIPAA Fines and Settlements 2008-2017


Median HIPAA Fines and Settlements 2008-2017

As the graphs above show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases. 2018 is likely to see fewer fines for HIPAA covered entities than the past two years, although settlement amounts are likely to remain high and even increase in 2018.OCR Director Roger Severino has indicated financial penalties are most likely to be pursued for particularly egregious HIPAA violations.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations

Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.


Year State Covered Entity Amount Individuals affected Settlement/CMP Reason
2018 NY EmblemHealth $575,000 81,122 Settlement Mailing error
2018 NY Aetna $1,150,000 12,000 Settlement Mailing error
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

The post Healthcare Data Breach Statistics appeared first on HIPAA Journal.

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018.

Summary of February 2018 Healthcare Data Breaches

February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches.

Healthcare Data Breaches by Month

While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed.

Records exposed in Healthcare Data Breaches

Largest Healthcare Data Breaches of February 2018

The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below.

Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident Network Server
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70,320 Unauthorized Access/Disclosure Paper/Films
Triple-S Advantage, Inc. Health Plan 36,305 Unauthorized Access/Disclosure Paper/Films
CarePlus Health Plan Health Plan 11,248 Unauthorized Access/Disclosure Paper/Films
Union Lake Supermarket, LLC Healthcare Provider 9,956 Improper Disposal Other Portable Electronic Device

The top five data breaches were responsible for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – accounted for 43.6% of the exposed healthcare records in February.

Main Causes of February 2018 Healthcare Data Breaches

Unauthorized access/disclosures topped the list of the main causes of healthcare data breaches in February 2018 with 12 incidents and included three of the most serious breaches. Hacking incidents were in close second with 9 breaches, followed by three loss/theft incidents and one case of improper disposal of ePHI.

Causes of February 2018 Healthcare Data Breaches

Records Exposed by Breach Type

Hacking/IT incidents were the second biggest cause of healthcare data breaches in February, but the incidents resulted in the exposure/theft of the largest amount of healthcare data.

Records Exposed by Breach Type

Location of Breached Records

Overall, there were more breaches involving electronic health data than physical records, although breaches involving paper/films were the most numerous with 6 incidents. The breach reports show that while technological controls are essential to prevent hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records and administrative safeguards are necessary to prevent unauthorized access. All six of the breaches involving paper/films were unauthorized access/disclosures.

Location of breached healthcare records (February 2018)

Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches reported by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.

Data Breaches by Covered Entity (February 2018)

Healthcare provider breaches exposed the most health records in February. 168,732 records were exposed by healthcare providers. The mean breach size was 11,248 records and the median breach size was 1,670 records.

Health plans experienced fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The mean breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.

Records exposed by covered entity (February 2018)

February 2018 Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in February 2018. There were six states that experienced 2 data breaches– Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.

Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each had one data breach reported.

Financial Penalties for HIPAA Covered Entities in February 2018

The Office for Civil Rights settled one HIPAA violation case in February. Filefax Inc, agreed to settle potential HIPAA violations with OCR for $100,000. The financial penalty sent a message to HIPAA-covered entities and their business associates that HIPAA responsibilities do not end when a business ceases trading. The fine relates to HIPAA violations that occurred after the business closed – the improper disposal of paperwork containing protected health information.

The post Analysis of February 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year

A recent Ponemon Institute survey has revealed 62% of healthcare organizations have experienced a data breach in the past 12 months. More than half of those organizations experienced data loss as a result.

The Merlin International sponsored survey was conducted on 627 healthcare industry leaders from hospitals and payer organizations. 67% of respondents worked in hospitals with 100-500 beds and had an estimated 10,000 to 100,000 networked devices.

Last year more than 5 million healthcare records were exposed or stolen, and the healthcare was the second most targeted industry behind the business sector. 2017 was the fourth consecutive year that the healthcare industry has been second for data breaches and there are no signs that cyberattacks are likely to reduce over the coming year.

Even though there is a high probability of experiencing a cyberattack, 51% of surveyed organizations have yet to implement an incident response program. This lack of preparedness can hamper recovery if a cyberattack is experienced. As the Cost of a Data Breach Study by the Ponemon Institute showed, a fast response to a data breach can limit the harm caused to breach victims and reduce the cost of mitigating such an attack. Respondents reported that the cost of mitigating an attack and dealing with the fallout from a network compromise was approximately $4 million.

When asked about the biggest threats to their organization and the types of attack that caused the most concern there was little to choose between internal and external threats, which were rated as a top concern by 64% and 63% of respondents respectively. The main perceived targets for hackers were electronic medical records (77%), patient billing information (56%), login credentials (54%), other authentication credentials (49%), and research information (45%).

The methods used to gain access to networks and data were highly varied. The main method of attack was the exploitation of software and operating system vulnerabilities and the use of malware. 71% of respondents said vulnerabilities were exploited while 69% said attacks involved the use of malware. 37% of organizations had experienced ransomware attacks.

The security of medical devices is a major concern, especially since they are a blind spot in many organizations. 65% of respondents said medical devices were not included in their overall cybersecurity strategy or they didn’t know if they were. 31% of respondents said they did not have any plans to include medical devices in their cybersecurity strategies in the near future.

The HHS’ Office for Civil Rights has raised awareness of the need to provide ongoing security awareness training to staff and companies such as Cofense have published data to show how security awareness training and phishing simulations can greatly reduce susceptibility to phishing attacks. However, many healthcare organizations are not heeding that advice and are not providing training regularly. Many healthcare organizations are still only providing security awareness training to employees annually. It is therefore unsurprising that 52% of respondents said a lack of employee security awareness was hampering their ability to improve their security posture.

74% believed the biggest obstacle preventing them from improving security was staffing issues and 60% said they do not have staff with the right cybersecurity qualifications in-house. 51% of respondents said that have not yet appointed a Chief Information Security Officer (CISO).

The post Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year appeared first on HIPAA Journal.

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs?

What is a HIPAA Violation?

The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs.

There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.

A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164.

The combined text of all HIPAA regulations published by the Department of Health and Human Services Office for Civil Rights runs to 115 pages and contains many provisions. There are hundreds of ways that HIPAA Rules can be violated, although the most common HIPAA violations are:

  • Impermissible disclosures of protected health information (PHI)
  • Unauthorized accessing of PHI
  • Improper disposal of PHI
  • Failure to conduct a risk analysis
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to maintain and monitor PHI access logs
  • Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
  • Failure to provide patients with copies of their PHI on request
  • Failure to implement access controls to limit who can view PHI
  • Failure to terminate access rights to PHI when no longer required
  • The disclosure more PHI than is necessary for a particular task to be performed
  • Failure to train employees on HIPAA Rules or the failure to provide security awareness training
  • Theft of patient records
  • Unauthorized release of PHI to individuals not authorized to receive the information
  • Sharing of PHI online or via social media without permission
  • Mishandling and mismailing PHI
  • Texting PHI
  • Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
  • Failure to notify an individual (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
  • Failure to document compliance efforts

How are HIPAA Violations Uncovered?

Many HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated HIPAA Rules and employees often self-report HIPAA violations and potential violations by co-workers.

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan members. OCR also investigates all covered entities who report breaches of more than 500 records and conducts investigations into certain smaller breaches. OCR also conducts periodic audits of HIPAA covered entities and business associates.

State attorneys general also have the power to investigate breaches and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received.

What are the Penalties for Violations of HIPAA Rules?

The penalties for violations of HIPAA Rules can be severe. State attorneys general can issue fines up to a maximum of $25,000 per violation category, per calendar year. OCR can issue fines of up to $1.5 million per violation category, per year. Multi-million-dollar fines can be – and have been – issued.

While healthcare providers, health plans, and business associates of covered entities can be fined, there are also potential fines for individuals who violate HIPAA Rules and criminal penalties may be appropriate. A jail term for violating HIPAA is a possibility, with some violations carrying a penalty of up to 10 years in jail.

You can find out more about the penalties for HIPAA violations on this page.

Recent HIPAA violation penalties and the HIPAA penalty structure are detailed in the infographic below.

HIPAA Violation Penalties

HIPAA Violation penalties

The post What is a HIPAA Violation? appeared first on HIPAA Journal.

Is it a HIPAA Violation to Email Patient Names?

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information.

Is it a HIPAA Violation to Email Patient Names?

Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule.

HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.

It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and viewed.

Patients names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA.

Must all Emails Containing PHI be Encrypted?

HIPAA does not require the use of encryption. Encryption is only an addressable standard. However, if, following a risk assessment, the decision is taken not to use encryption, an alternative and equivalent security measure must be used in its place.

In the case of internal emails, it would not be necessary for messages containing ePHI to be encrypted provided the messages are only sent via an internal email system and do not leave the protection of a firewall. Access controls would also need to be in place to prevent messages from being opened by individuals not authorized to receive the information.

If emails containing PHI are sent outside the protection of an internal network there is considerable potential for PHI to be viewed by unauthorized individuals. This is not a problem when emailing patients, provided consent to use email to send PHI has been obtained from the patient in advance. The patient must have been made aware of the risks of sending PHI via unencrypted email and must have given authorization to use such a potentially insecure method of communication.

Emailing ePHI to all other individuals using unencrypted email is a risky strategy. While HIPAA encryption requirements are somewhat vague, in the event of a HIPAA audit or data breach investigation, it would be hard to argue that ePHI sent via unencrypted mail was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box etc.

The post Is it a HIPAA Violation to Email Patient Names? appeared first on HIPAA Journal.

2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown.

Are Major 2018 HIPAA Changes Likely?

The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.”

While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced.

Therefore, there are unlikely to be major 2018 HIPAA changes, at lease not in terms of increased regulation. What is more likely is an easing of the administrative burden on healthcare organizations in 2018.

OCR is currently reviewing existing HIPAA regulations to determine whether all aspects of HIPAA Rules are still relevant and if there are any areas where the administrative burden on healthcare organizations can be eased. OCR is looking at the benefit of various provisions of HIPAA and whether those benefits outweigh the costs.

The HHS has said its goals are “reducing the burden of compliance” and “streamlining its regulations,” while promoting “meaningful information sharing”.

2018 HIPAA changes could make life simpler for many healthcare organizations as the HHS attempts to minimize duplication and burdensome requirements and eliminate outdated restrictions and obsolete regulations.

HIPAA Enforcement in 2018

In 2016 there was a significant increase in HIPAA enforcement activities by OCR with more settlements reached with covered entities and business associates than any other year since the HIPAA Enforcement Rule was signed into law. In 2016 there were 12 settlements and one civil monetary penalty issued and 2017 HIPAA settlements were well above average levels, with 9 settlements and one civil monetary penalty. So, what can we expect for HIPAA enforcement in 2018?

At HIMSS 2018, Roger Severino gave a presentation on HIPAA compliance, enforcement, and policy updates from the Office for Civil Rights and made it clear OCR will continue to pursue settlements with HIPAA covered entities for egregious violations of HIPAA Rules. Severino said OCR still has the same enforcement mindset and that there will be “no slowdown in our enforcement efforts,” and “we’re still looking for big, juicy, egregious cases.” That does not necessarily mean large healthcare organizations. OCR treats potential HIPAA violations on a case by case basis, and smaller healthcare organizations may similarly be punished if they are discovered to have violated HIPAA Rules.

Severino said OCR does not want to fine healthcare organizations for violating HIPAA Rules and wants the settlements to reduce, but for that to happen, healthcare organizations must improve their compliance programs. 2018 HIPAA enforcement is likely to continue to see financial penalties issued for common HIPAA violations such as the failure to conduct regular risk assessments.  Already, 2018 has seen two settlements announced. A $100,000 penalty for Filefax, Inc., and a $3,500,000 settlement with Fresenius Medical Care North America. Time will tell if this was a blip or if that pace will be maintained throughout the year.

OCR is not the only enforcer of HIPAA Rules. State attorneys general can also issue fines for HIPAA violations, and the New York AG has been active in this area in recent weeks, fining EmblemHealth $575,000 in March and Aetna $1,150,000 in January. Further financial settlements are likely to be pursued in NY and other states to resolve HIPAA violations and privacy and security-related breaches of state laws.

The post 2018 HIPAA Changes and Enforcement Outlook appeared first on HIPAA Journal.

Is Office 365 HIPAA Compliant?

Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules?

What is Office 365?

Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access.

Office 365 for Healthcare

Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform.

Microsoft does not demand that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to use of Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact. In the event of a security breach, the administrative contact will be notified of a breach by Microsoft.

While there are companies that offer HIPAA certification to confirm that a company or product complies with HIPAA Rules, there is no official certification recognized by the HHS’ Office for Civil Rights or other federal agencies. However, Microsoft has undergone independent audits under ISO 27001 which incorporate assessments of security practices recommended by the HHS. Office 365 has been verified as having all necessary privacy and security controls to comply with HIPAA Rules.

Office 365 Security

All data uploaded to or stored on Microsoft servers is protected by encryption and any data transferred outside of Microsoft facilities is similarly encrypted.  However, packet headers and message headers are not encrypted.

Provided ePHI is not entered into the subject line of emails, the names of files attached to emails, or is used in the to and from fields of emails, email can be used securely.

Microsoft Office 365 meets HIPAA auditing requirements and logs of access to stored data are maintained. Reports on access logs can be obtained from Microsoft on request.

Microsoft offers 2-factor authentication to prevent Office 365 and Outlook email accounts from being accessed if a password is compromised and an unfamiliar device attempts to log into an account.

Is Microsoft Office 365 HIPAA Compliant?

So, is Microsoft Office 365 HIPAA compliant? Provided a HIPAA-covered entity has entered into a business associate agreement with Microsoft, Office 365 can be used in a manner compliant with HIPAA Rules.

While all appropriate privacy and security controls have been implemented by Microsoft to ensure that Office 365 can be used by HIPAA-covered entities while remaining compliant with HIPAA and the HITECH Act, use of Office 365 does not guarantee compliance, even if a BAA has been obtained from Microsoft.

It is the responsibility of covered entities to ensure access controls are configured correctly, administrator access tracking is turned on, Microsoft Dynamics CRM Online for supported devices is turned off, access control reports are obtained and checked regularly, and all users are trained how to use Office 365 in a manner compliant with HIPAA Rules.

The post Is Office 365 HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations.

There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?

HIPAA and Social Media

The first rule of using social media in healthcare is to never disclose protected health information on social media channels. The second rule is to never disclose protected health information on social media. (see the definition of protected health information for further information).

The HIPAA Privacy Rule prohibits the use of PHI on social media networks. That includes any text about specific patients as well as images or videos that could result in a patient being identified. PHI can only be included in social media posts if a patient has given their consent, in writing, to allow their PHI to be used and then only for the purpose specifically mentioned in the consent form.

Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.

Employees Must be Trained on HIPAA Social Media Rules

In 2017, 71% of all Internet users visited social media websites. The popularity of social media networks combined with the ease of sharing information means HIPAA training should include the use of social media. If employees are not specifically trained on HIPAA social media rules it is highly likely that violations will occur.

Training on HIPAA should be provided before an employee starts working for the company or as soon as is possible following appointment. Refresher training should also be provided at least once a year to ensure HIPAA social media rules are not forgotten.

HIPAA Violations on Social Media

In 2015, ProPublica published the results of an investigation into HIPAA social media violations by nurses and care home workers. The investigation primarily centered on photographs and videos of patients in compromising positions and patients being abused.

In some cases, images and videos were widely shared, in others photographs and videos were shared in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although there were undoubtedly many more that were not discovered and were never reported.

In most cases, the HIPAA violations on social media resulted in disciplinary action against the employees concerned, there were several terminations for violations of patient privacy, and in some cases, the violations resulted in criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

It is not only employees that can be punished for violating HIPAA Rules. There are also severe penalties for HIPAA violations for healthcare providers.

Common Social Media HIPAA Violations

  • Posting of images and videos of patients without written consent
  • Posting of gossip about patients
  • Posting of any information that could allow an individual to be identified
  • Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
  • Sharing of photos, videos, or text on social media platforms within a private group

HIPAA Social Media Guidelines

Listed below are some basic HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure compliance with HIPAA Rules.

  • Develop clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media platforms
  • Train all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions annually
  • Provide examples to staff on what is acceptable – and what is not – to improve understanding
  • Communicate the possible penalties for social media HIPAA violations – termination, loss of license, and criminal penalties
  • Ensure all new uses of social media sites are approved by your compliance department
  • Review and update your policies on social media annually
  • Develop policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts
  • Develop a policy that requires personal and corporate accounts to be totally separated
  • Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting
  • Monitor your organization’s social media accounts and communications and implement controls that can flag potential HIPAA violations
  • Maintain a record of social media posts using your organization’s official accounts that preserves posts, edits, and the format of social media messages
  • Do not enter into social media discussions with patients who have disclosed PHI on social media.
  • Encourage staff to report any potential HIPAA violations
  • Ensure social media accounts are included in your organization’s risk assessments
  • Ensure appropriate access controls are in place to prevent unauthorized use of corporate social media accounts
  • Moderate all comments on social media platforms

The Department of Health and Human Services’ Office for Civil Rights has issued guidance on HIPAA social media regulations, detailing the specific aspects of HIPAA that apply to social media networks. A HIPAA compliance checklist for social media can be viewed on the HHS website.

The post HIPAA Social Media Rules appeared first on HIPAA Journal.