HIPAA News

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world.

The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology.

HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule gives patients the right to access their health data, but many patients are confused about what data they are able to access and what their rights actually are.

The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access.

Healthcare providers often provide access to a limited range of patients’ health information via patient portals, such as prescribed medications, allergies and lab test results. AMIA suggests the HIPAA Privacy Rule should be clarified so patients are aware they have the right to access all health data held by a covered entity in a designated record set, or to obtain a digital copy of their legal health record. The paper suggests this could be clarified in guidance from the Office for Civil Rights rather than through a legislative update to HIPAA.

However, an update to the legislation has been suggested to cover mHealth apps and related technologies. Currently, health data is collected, stored, and transmitted by a wide range of non-HIPAA-covered entities, yet non-covered entities are not required to provide users with access to their data.

If HIPAA is not extended to include these non-covered entities, AMIA suggests there should at least be HIPAA-like requirements for non-covered entities that would allow users of mHealth apps to gain access to their data. An alternative would be for industry stakeholders to develop codes of conduct that could be followed to ensure patients are able to access their data, if required.

Currently, non-covered entities are able to collect, use, and share ‘PHI’ in ways that may place patients’ data at risk of exposure or could result in data being shared improperly. The researchers suggest “HIPAA should be strengthened and extended, in particular to accommodate the broader set of data and stakeholders that are relevant to patient health, such as data from the use of Fitbit and Apple Watch.”

AMIA also suggests more needs to be done to make it easier not only for patients to access their data, but to pass on the information to other healthcare organizations. “EHR certification and health care system accreditation should be tied to making it easy for patients not only to obtain their data, but to obtain the data in a manner that preserves “computability” and standardization such that the data can be readily transferred to and consumed by other health IT systems with little or no need for further processing.”

AMIA also recommends federal officials and private sector stakeholders develop a process for vetting mHealth applications to ensure they have a minimum level of privacy, security, and safety protections.

Federal agencies should also collaborate to create a policy framework for research and innovation: “a framework that includes “common rule” updates to facilitate secondary use of data for research, common Data Use and Reciprocal Support Agreements, common enforced technical functionalities and specifications based on standard APIs, and data portability from HIPAA-covered entities.”

In total, 17 policy recommendations were made. The paper was recently published in JAMIA.

The post AMIA Suggests it’s Time for a HIPAA Update appeared first on HIPAA Journal.

Can HIPAA Violations Occur Through Our Smart Watches or Fitbits?

CSO Online published an article discussing the “10 Security Risks of Wearables”. The article presents an informative breakdown of the security risks wearables potentially bring into the work environment.

“IT should treat wearables like any other computing device on their network, Manzuik says. ‘When possible, consider segregating IoT devices to their own network and don’t connect them directly to the internet.’ Because some IoT devices have ‘a history of poor security,’ organizations should keep these devices on a dedicated network that doesn’t provide any access to internal resources, such as a guest Wi-Fi network…”

To read the full article on CSO Online’s website click here.

For daily HIPAA News visit our HIPAA News sidebar at https://hipaanews.net

If you would like to receive an email update every time HIPAA news posts a blog, sign up on our website at https://hipaanews.net 

Health Records and Cybercriminals

E-Commerce Times recently posted an article titled “Why are Health Records so Valuable to Cybercriminals?” The article describes why cybercriminals target electronic health records (EHRs) and explains how HIPAA does, and at times does not, protect them. The full article is at: http://www.ecommercetimes.com/story/84417.html


Roger Severino Named New Director of HHS’ Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights.

Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015.

A formal announcement about the appointment of the new OCR Director has yet to be issued; however, the Heritage Foundation has confirmed that Severino is no longer on the staff and his name has been added to the HHS website. A spokesperson for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to include his new position as OCR chief.

Severino has a background in civil rights litigation, having worked as a trial attorney for the Department of Justice for seven years in the Housing and Civil Enforcement division. During his time at the DOJ, Severino enforced the Fair Housing Act, Title II and Title VI of the Civil Rights Act of 1964 and the Religious Land Use and Institutionalized Persons Act. Severino has also worked as Legal Counsel for the Becket Fund for Religious Liberty between July 2003 and May 2008.

While Severino has civil rights experience and has spent time working in the section of the DOJ that enforces criminal HIPAA statutes, he does not appear to have much experience with privacy and security issues.

LGBT Groups Express Concern About New OCR Appointment

Many human rights organizations have expressed concern over the appointment of Severino as head of OCR due to the views he has previously expressed about transgender people and same-sex marriages. Severino has authored a number of reports in which he has spoken out in opposition of LGBT rights and pro-LGBT legislation. Severino has also spoken out against Planned Parenthood.

JoDee Winterhof, senior vice president of policy and political affairs at the Human Rights Campaign, went as far as saying, “There isn’t a more dangerous person to lead HHSGov’s Office for Civil Rights than LGBTQ opponent Roger Severino.”

Wade Henderson, president and CEO of The Leadership Conference on Civil and Human Rights, said, “The Office for Civil Rights at HHS is essential to ensuring that all people can lead healthy lives, free of discriminatory barriers. Section 1557 of the Affordable Care Act, which bans discrimination based on race, sex, disability and age in health programs and activities, is key to achieving this goal.” Henderson went on to say, “Strong and experienced leadership at OCR committed to fully enforcing Section 1557 is therefore critical. Mr. Severino is not that leader.”

OCR is likely to be taken in a different direction under Severino’s leadership than it was under the directorship of Jocelyn Samuels. What impact Severino will have on OCR’s HIPAA enforcement activity and HIPAA guidance remains to be seen.

The post Roger Severino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.

American Health Information Management Association (AHIMA) Reviews Patient Data Access

According to Patient Engagement HIT, the American Health Information Management Association (AHIMA) recently published guidance walking patients through the process of obtaining their medical records from their providers and navigating HIPAA privacy regulations.

“Per HIPAA, patients may ask to view and obtain a copy of their health records, receive records in paper or electronic copies, and have records sent to another entity for treatment, billing, or operations purposes, explained Mary Butler, the author of the slideshow and associate editor of the Journal of AHIMA.

Patients can request medical record access at their practice’s health information management (HIM) department. They should come prepared with their photo ID and will be asked to sign a waiver verifying their identity.”

Check out the full article here: http://patientengagementhit.com/news/ahima-reviews-the-basics-of-hipaa-compliant-patient-data-access 

AHIMA Published New Resource Confirming Patients PHI Access Rights under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data.

Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI.

AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data.

AHIMA has explained to whom healthcare providers are allowed to disclose the information: Patients or a nominated personal representative. In the case of the latter, guidance has been issued on who that person may be.

There are various models that healthcare providers can adopt for charging patients for copies of PHI. The exact cost may not be known when the request is made, but healthcare providers must advise patients of the approximate cost at that time. AHIMA points out that no charge applies when electronic health data is provided via a patient portal.

Since HIPAA serves to protect patient privacy, healthcare providers are required to verify the identity of the person making the request or a personal representative if one is used. A healthcare provider will therefore require a photographic ID to be produced prior to any records being released. A waiver will also need to be signed verifying identity.

AHIMA explains that obtaining copies of medical records is important. Access to health data improves patient engagement and empowers them to make more informed choices about their healthcare.

While providers should be able to obtain health data from other providers, that process is not always straightforward due to data incompatibility issues. It is therefore important that patients have complete copies of their medical records so they can provide complete sets to new providers. Doing so improves the coordination of care.

Patients should also check their health records for any errors and omissions – known allergies for instance. If an error or omission is discovered, a request to change the records should be submitted to the appropriate healthcare provider.

The AHIMA slideshow can be viewed here. Further information for patients on medical record access can be found in an accompanying blog post.

Penalties for Failing to Provide Patients with Copies of their Medical Records

Healthcare providers should be aware that failure to provide patients with copies of their medical records can result in a financial penalty for non-compliance with HIPAA Rules.

Forty-one patients of Cignet Health of Prince George’s County in Maryland were denied access to their medical records and complained to OCR. The investigation revealed that the HIPAA Privacy Rule had been violated, and OCR imposed a civil monetary penalty of $4.3 million: $1.3 million for the access violations and a further $3 million for Cignet’s failure to cooperate with the investigation.

AHIMA recommends that healthcare providers regularly review their policies and procedures for providing patients with copies of their medical records. Many healthcare providers have unintended barriers in place that make it difficult for patients to exercise their right to access their health data. Only by understanding HIPAA Rules on patient PHI access rights – and ensuring HIPAA Rules are followed – will healthcare providers be able to ensure that their patients enjoy the benefits that come from them taking a more active role in their healthcare.

The post AHIMA Published New Resource Confirming Patients PHI Access Rights under HIPAA appeared first on HIPAA Journal.

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years.

It is relatively rare for a HIPAA civil monetary penalty (CMP) to be paid by a HIPAA-covered entity to resolve violations discovered during an OCR data breach investigation. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR.

Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter by informal means between November 6, 2015 and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, but no request was received. Consequently, Children’s Medical Center of Dallas was required to pay the full civil monetary penalty of $3,217,000, making this the biggest HIPAA violation penalty of 2017, eclipsing the payments made by Presence Health ($475,000) and MAPFRE Life Insurance Company of Puerto Rico ($2.2 million).

Children’s Medical Center of Dallas is run by Children’s Health, a Dallas-based healthcare system comprising three hospitals and numerous clinics in North Texas. On January 18, 2010, OCR was notified by Children’s Medical Center that a breach of patients’ electronic protected health information (ePHI) had occurred. The breach involved the loss of a Blackberry device containing the ePHI of 3,800 patients. The device had not been encrypted and was not protected with a password, allowing any individual who found the device to access the ePHI of patients.

An investigation into the breach was launched on or around June 14, 2010. As part of the investigation, Children’s Medical Center provided OCR with a Security Gap Analysis conducted by Strategic Management Systems, Inc., (SMS) between December 2006 and February 2007. That analysis revealed a lack of risk management at Children’s Medical Center. In the report, SMS recommended that Children’s Medical Center implement encryption on portable devices such as laptop computers to prevent the exposure of ePHI in the event that a device be lost or stolen. Children’s Medical Center failed to act on that recommendation.

PricewaterhouseCoopers (PwC) conducted an analysis of threats and vulnerabilities to ePHI in August 2008. In the PwC report, it was also recommended that Children’s Medical Center implement encryption on laptop computers, workstations, mobile devices, and portable storage devices such as USB thumb drives. PwC determined that the use of encryption was “necessary and appropriate.” Children’s Medical Center failed to act on PwC’s recommendations, even though encryption was rated as a “high priority” item.

To OCR it was clear that Children’s Medical Center was aware of the risks to the confidentiality, integrity, and availability of ePHI and that there was a lack of appropriate safeguards for ePHI at rest. Children’s Medical Center was aware of the risks as early as March 2007, more than a year before the security incident occurred and ePHI was exposed. Had Children’s Medical Center acted on the recommendations of SMS or PwC, the breach could have been avoided.

In addition to the Blackberry lost in 2010, Children’s Medical Center reported the loss in December 2010 of an unencrypted iPod containing the ePHI of 22 patients. On July 5, 2013, Children’s Medical Center notified OCR of another breach involving an unencrypted device: the theft of a laptop exposed the ePHI of 2,462 individuals.

Even after these data breaches, Children’s Medical Center failed to act, only implementing encryption on portable devices on April 9, 2013. From 2007 until that date, nurses were using unprotected Blackberry devices that contained ePHI, and other workers were using unencrypted laptop computers and mobile devices.

Encryption of ePHI is not mandatory for HIPAA-covered entities. Under the HIPAA Security Rule (45 C.F.R. § 164.312(a)(2)(iv)), encryption of ePHI is an ‘addressable’ implementation specification rather than a ‘required’ one.

HIPAA-covered entities are required to conduct a comprehensive, organization-wide risk assessment to identify vulnerabilities that could result in the exposure of ePHI. If, after performing the risk assessment, the covered entity determines that encryption is not ‘reasonable and appropriate’, it must document the reasons for that decision and must still implement an equivalent alternative measure to ensure ePHI is appropriately secured. ‘Addressable’ therefore does not mean optional: the choice is between encrypting and documenting a justified alternative. Children’s Medical Center did neither; it failed to document why encryption had not been used and failed to implement an equivalent security measure.

Furthermore, OCR determined that prior to November 9, 2012, Children’s Medical Center did not have sufficient policies and procedures governing the removal of hardware and electronic equipment from its facilities or the movement of devices within its facilities. Until November 9, 2012, Children’s Medical Center could not even say how many devices those policies and procedures should apply to: a full inventory was only completed on that date. While devices had been inventoried before then, devices managed by the Biomedical department were not included in that inventory, in violation of the HIPAA Security Rule’s device and media controls standard (45 C.F.R. § 164.310(d)(1)).
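The two failures OCR describes above, unencrypted portable devices holding ePHI with no documented alternative, and hardware that the inventory did not know existed, are both things an internal audit can catch before OCR does. The following Python script is an added example, not code from OCR, Children’s Medical Center or HIPAA Journal: it reconciles a constructed asset-inventory export against a constructed MDM/network-discovery export and reports devices that fail the addressable encryption specification and devices that are in use but not inventoried. The CSV layouts, asset tags, departments and the internal rule identifiers (ENC-MISSING, ENC-ALT, INV-MISSING) are assumptions made for the illustration.

```python
"""Inventory-and-encryption audit for portable devices holding ePHI.

Added example, not code from OCR, Children's Medical Center or HIPAA Journal.
Checks two gaps: portable devices holding ePHI that are neither encrypted nor
covered by a documented equivalent alternative measure (45 C.F.R.
164.312(a)(2)(iv)), and devices in use that the hardware inventory does not
list (45 C.F.R. 164.310(d)(1)). The CSV exports, asset tags, column names and
departments below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed asset-inventory export: what the organisation *thinks* it owns.
INVENTORY_CSV = """asset_tag,device_type,department,holds_ephi,encrypted,alt_measure_documented
CMC-0001,laptop,Nursing,yes,no,
CMC-0002,blackberry,Nursing,yes,no,
CMC-0003,laptop,Finance,no,no,
CMC-0004,usb_drive,IT,yes,no,"RA-2012-07: drive never leaves locked server room; physical controls"
CMC-0005,workstation,Radiology,yes,no,
CMC-0006,laptop,Research,yes,yes,
"""

# Constructed MDM / network-discovery export: what is *actually* in use.
DISCOVERED_CSV = """asset_tag,device_type,department,last_seen
CMC-0001,laptop,Nursing,2013-04-01
CMC-0002,blackberry,Nursing,2013-04-02
CMC-0006,laptop,Research,2013-04-02
BIO-0117,infusion_pump_pc,Biomedical,2013-04-02
BIO-0118,laptop,Biomedical,2013-03-30
"""

# Device classes that leave the building and are therefore lost or stolen.
PORTABLE = {"laptop", "blackberry", "usb_drive", "tablet", "phone", "ipod"}


@dataclass(frozen=True)
class Finding:
    asset_tag: str
    rule: str      # hypothetical internal rule id
    detail: str


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def unencrypted_portable_ephi(inventory_csv):
    """Portable devices holding ePHI without encryption.

    Addressable does not mean optional: a device is acceptable only if it is
    encrypted, or the entity has documented why not and what equivalent
    alternative measure protects the data. ENC-MISSING is the reportable gap;
    ENC-ALT is a documented exception that should still be reviewed.
    """
    findings = []
    for row in _rows(inventory_csv):
        if row["device_type"] not in PORTABLE or row["holds_ephi"] != "yes":
            continue
        if row["encrypted"] == "yes":
            continue
        alt = row["alt_measure_documented"].strip()
        if alt:
            findings.append(Finding(row["asset_tag"], "ENC-ALT",
                                    f"unencrypted, alternative documented: {alt}"))
        else:
            findings.append(Finding(row["asset_tag"], "ENC-MISSING",
                                    "unencrypted portable device holding ePHI, "
                                    "no documented alternative measure"))
    return findings


def missing_from_inventory(inventory_csv, discovered_csv):
    """Devices seen by MDM/discovery that the inventory does not list.

    This is the Biomedical-department gap: device and media controls cannot
    be applied to hardware the inventory does not know exists.
    """
    known = {r["asset_tag"] for r in _rows(inventory_csv)}
    return [
        Finding(r["asset_tag"], "INV-MISSING",
                f"{r['device_type']} in {r['department']} last seen "
                f"{r['last_seen']} but not in inventory")
        for r in _rows(discovered_csv)
        if r["asset_tag"] not in known
    ]


def audit(inventory_csv=INVENTORY_CSV, discovered_csv=DISCOVERED_CSV):
    """Run both checks; returns findings sorted by rule, then asset tag."""
    found = (unencrypted_portable_ephi(inventory_csv)
             + missing_from_inventory(inventory_csv, discovered_csv))
    return sorted(found, key=lambda f: (f.rule, f.asset_tag))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.rule:12} {f.asset_tag:10} {f.detail}")
```

Run as a script it prints one line per finding. In practice the two CSVs would be exports from the asset register and from the MDM or network scanner, and every ENC-ALT exception should be tied back to the risk analysis entry that justifies it; an exception with no such entry is exactly the undocumented decision OCR penalised here.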

While efforts were made to resolve the HIPAA violations informally, Children’s Medical Center was unable to ‘provide written evidence of mitigating factors or affirmative defenses and/or its written evidence in support of a waiver of a CMP.’

OCR determined that the violations were due to reasonable cause and not willful neglect of HIPAA Rules. Had that not been the case, the penalty would have been considerably higher. OCR considered the fact that there had been no apparent harm caused to patients as a result of the lost devices, and chose the minimum penalty amount of $1,000 per day that the violations were allowed to persist.

OCR’s Final Notice of Determination can be viewed on this link.

According to OCR Acting Director Robinsue Frohboese, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential.” Frohboese also explained that the lack of risk management can be costly for covered entities, “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

The post $3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas appeared first on HIPAA Journal.

$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico, a subsidiary of MAPFRE S.A. of Spain, to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted.

MAPFRE reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation, OCR discovered numerous HIPAA noncompliance issues:

45 C.F.R. 164.502(a) – Impermissible disclosure of the ePHI of 2,209 individuals.

45 C.F.R. 164.308(a)(1)(i) – A failure to conduct a comprehensive risk assessment to evaluate risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and a failure to implement measures to reduce risks to an appropriate level.

45 C.F.R. 164.308(a)(5)(i) – A failure to implement a security awareness training program for all members of the workforce.

45 C.F.R. 164.312(a)(2)(iv) – A failure to implement data encryption or an equivalent measure to safeguard the ePHI stored on portable storage devices.

45 C.F.R. 164.316(a) – A failure to implement reasonable and appropriate policies and procedures to safeguard ePHI in compliance with the HIPAA standards and implementation specifications.

Additionally, the corrective measures MAPFRE said it would undertake following the submission of a breach report to OCR on August 5, 2011 were delayed. MAPFRE did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

OCR considered the financial position of MAPFRE along with the number and severity of HIPAA violations when determining the resolution amount. In addition to paying OCR $2,204,182, MAPFRE is required to adopt a corrective action plan to address all areas of noncompliance.

HIPAA and Data Encryption

HIPAA does not require covered entities to implement encryption on portable devices used to store ePHI; data encryption is an ‘addressable’ implementation specification of the Security Rule. However, covered entities must conduct a thorough risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. If, after assessing risks, a covered entity determines that encryption is not reasonable and appropriate because other controls safeguard ePHI, it must document that decision and the reasons for it, and implement the equivalent alternative measure on which it relies.

Recent HIPAA Settlements

OCR has stepped up its enforcement of HIPAA Rules in recent years, with more settlements agreed in 2016 than in any other year to date. Last year, 12 healthcare organizations settled potential HIPAA violations with OCR, and one civil monetary penalty (CMP) was imposed.

MAPFRE is the second HIPAA-covered entity to settle potential HIPAA violations with OCR in 2017. Last week, OCR announced that a settlement of $475,000 had been agreed with Presence Health for violations of the HIPAA Breach Notification Rule.

The post $2.2 Million Settlement for Impermissible Disclosure of ePHI appeared first on HIPAA Journal.