HIPAA News

OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients.

Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. One case involved the viewing of a celebrity’s medical records by multiple staff members.

Late last week, OCR released its January Cyber Awareness Newsletter, which covered the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events generated by applications, systems, or users, while audit trails are the audit logs of applications, systems, or users considered together.

Most information systems include options for logging user activity, including successful and failed access attempts, the devices that have been used to log on, the duration of login sessions, and whether data have been viewed.

Audit trails are particularly useful when security incidents occur as they can be used to determine whether ePHI access has occurred and which individuals have been affected. Logs can be used to track unauthorized disclosures, potential intrusions, attempted intrusions, and in forensic analyses of data breaches and cyberattacks. Covered entities can also use logs and trails to review the performance of applications and to help identify potential flaws.

OCR confirmed that recording data such as these and reviewing audit logs and audit trails is a requirement of the HIPAA Security Rule (45 C.F.R. § 164.312(b)).

The HIPAA Security Rule requires covered entities to record audit logs and audit trails for review, although the types of data that should be collected are not specified by the legislation. The greater the range of information collected, the more thoroughly security incidents can be investigated. However, covered entities should carefully assess and decide on which data elements are stored in logs. It will be quicker and easier to review audit logs and trails if they only contain relevant information.

The HIPAA Security Rule does not specify how often covered entities should conduct reviews of user activities; this is left to the discretion of the covered entity. Information gathered from audit logs and trails should be reviewed ‘regularly’.

A covered entity should determine the frequency of reviews based on the results of their risk analyses. Organizations should also consider organizational factors such as their technical infrastructure and hardware/software capabilities when determining the review period.

OCR also points out that a review of audit logs and trails should take place after any security incident, such as a suspected breach, although reviews should also be conducted during real-time operations. Due to the potential for audit log tampering, OCR reminds covered entities that “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”
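The review described above is easier to reason about with a concrete log in front of you. The following Python script is an added example, not code from OCR, NIST, or HIPAA Journal. It assumes a simple comma-separated access log format, a care-team roster mapping patients to the staff who have a treatment or operations relationship with them, and a set of roles permitted to read the audit trail; all three are constructed here for illustration, as are the thresholds in `high_interest_records`. It applies three of the checks the newsletter motivates: record views by users with no care relationship (reported as a first-seen/last-seen span, so a pattern running for many months is visible), a single record viewed by an unusual number of distinct users in a short window (the celebrity-record pattern), and reads of the audit trail itself by roles that should not have that access.

```python
"""Review a constructed ePHI access log for inappropriate-access patterns.

Added example; not OCR, NIST, or HIPAA Journal code. The log format, the
care-team roster, the permitted audit-reader roles and the thresholds are
all assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp,user,role,patient,action,outcome
SAMPLE_LOG = """\
2016-01-04T08:12:00,nurse01,nurse,P1001,view_record,success
2016-01-04T08:15:00,nurse01,nurse,P1002,view_record,success
2016-01-05T09:00:00,clerk07,billing,P1002,view_record,success
2016-02-10T13:30:00,clerk07,billing,P1002,view_record,success
2017-02-11T13:31:00,clerk07,billing,P1002,view_record,success
2016-03-01T10:00:00,dr_lee,physician,P1001,view_record,success
2016-03-01T10:05:00,nurse02,nurse,P9000,view_record,success
2016-03-01T10:06:00,nurse03,nurse,P9000,view_record,success
2016-03-01T10:07:00,clerk07,billing,P9000,view_record,success
2016-03-01T10:08:00,dr_lee,physician,P9000,view_record,success
2016-03-01T11:00:00,clerk07,billing,-,read_audit_trail,success
2016-03-01T11:01:00,secops1,security,-,read_audit_trail,success
2016-03-02T02:00:00,nurse02,nurse,P1001,login,failure
"""

# Constructed roster: which users have a treatment/operations relationship
# with which patient. In practice this would come from the EHR or scheduling.
CARE_TEAM = {
    "P1001": {"nurse01", "dr_lee"},
    "P1002": {"nurse01"},
    "P9000": {"dr_lee"},
}
# Assumed roles allowed to read the audit trail (the newsletter's point that
# access to audit trails must be restricted to authorized personnel).
AUDIT_TRAIL_ROLES = {"security", "privacy_officer"}


def parse_log(text):
    """Parse the constructed comma-separated log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient,
                       "action": action, "outcome": outcome})
    return events


def no_relationship_access(events, care_team):
    """Successful record views by users outside the patient's care team.

    Returns {(user, patient): (first_seen, last_seen)} so a reviewer can see
    how long a pattern has been running, not just that it happened once.
    """
    spans = {}
    for e in events:
        if e["action"] != "view_record" or e["outcome"] != "success":
            continue
        if e["user"] in care_team.get(e["patient"], set()):
            continue
        key = (e["user"], e["patient"])
        first, last = spans.get(key, (e["ts"], e["ts"]))
        spans[key] = (min(first, e["ts"]), max(last, e["ts"]))
    return spans


def high_interest_records(events, max_distinct_users=3, window_hours=24):
    """Patient records viewed by more than max_distinct_users distinct users
    inside any window_hours window. Returns {patient: sorted user list}."""
    by_patient = defaultdict(list)
    for e in events:
        if e["action"] == "view_record" and e["outcome"] == "success":
            by_patient[e["patient"]].append((e["ts"], e["user"]))
    flagged = {}
    for patient, views in by_patient.items():
        views.sort()  # chronological, so each start index opens a window
        for i, (start, _) in enumerate(views):
            users = {u for t, u in views[i:]
                     if (t - start).total_seconds() <= window_hours * 3600}
            if len(users) > max_distinct_users:
                flagged[patient] = sorted(users)
                break
    return flagged


def unauthorized_audit_reads(events, allowed_roles):
    """Audit-trail reads by roles that are not permitted to see the trail."""
    return [(e["user"], e["role"]) for e in events
            if e["action"] == "read_audit_trail" and e["role"] not in allowed_roles]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (user, patient), (first, last) in no_relationship_access(evts, CARE_TEAM).items():
        print(f"no care relationship: {user} -> {patient}, "
              f"{first.date()} to {last.date()} ({(last - first).days} days)")
    for patient, users in high_interest_records(evts).items():
        print(f"high-interest record {patient} viewed by {', '.join(users)}")
    for user, role in unauthorized_audit_reads(evts, AUDIT_TRAIL_ROLES):
        print(f"audit trail read by unauthorized role: {user} ({role})")
```

Running the script on the constructed log reports one billing user viewing a record outside their care team for over a year, one record viewed by four distinct users within minutes, and one audit-trail read by a billing role. The thresholds and the roster are the parts a covered entity would tune from its own risk analysis, which is exactly the discretion the Security Rule leaves to it.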

The post OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access appeared first on HIPAA Journal.

$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.

Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily.

Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to the Office for Civil Rights within 60 days, and the Breach Notification Rule also requires covered entities to issue a breach notice to prominent media outlets. Covered entities should also place a substitute breach notice in a prominent place on the company website to alert patients or plan members to the breach.

Smaller breaches impacting fewer than 500 individuals must also be reported to OCR, although covered entities can report these smaller breaches annually within 60 days of the end of the calendar year. Covered entities should note that state data breach laws may not permit such delays and that regardless of the number of individuals impacted by a breach, HIPAA requires patients to always be notified within 60 days of a PHI breach.

Presence Health experienced a breach of physical protected health information (PHI) in late 2013. Operating room schedules had been removed from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be located. The documents contained sensitive data on 836 patients, including names, birth dates, medical record numbers, details of procedures performed, treatment dates, the types of anaesthesia provided, and names of the surgeons that performed operations.

Presence Health became aware that the documents were missing on October 22, 2013, yet OCR was not notified of the breach until January 31, 2014, more than a month after the 60-day HIPAA Breach Notification Rule deadline.

OCR investigates all breaches of more than 500 records – and selected breaches of fewer than 500 records. The OCR investigation revealed notification to OCR was issued 104 days after the breach was discovered – 34 days after the deadline for reporting the incident had passed. A media notice was issued, although not until 106 days after the breach was discovered – 36 days after the HIPAA Breach Notification Rule deadline. Patients were notified of the breach 101 days after discovery – 31 days after the HIPAA Breach Notification Rule deadline had passed.

Investigators determined that this was not the only instance where breach notifications to patients had been delayed. Presence Health had experienced a number of smaller PHI breaches in 2015 and 2016, yet for several of those breaches, Presence Health did not provide affected individuals with timely breach notifications.

Announcing the resolution agreement and settlement, OCR Director Jocelyn Samuels said “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She went on to explain the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The settlement should serve as a warning to HIPAA covered entities that unnecessary breach notification delays can have serious financial repercussions. 60 days is the maximum time frame for reporting (and announcing) PHI breaches, not a recommendation.


New York Rule Change Allows Clinicians to Access Minors’ PHI via State HIE

Healthcare providers that participate in the Western New York health information exchange – HEALTHeLINK – are now able to access the health information of minors aged between 10 and 17 after the passing of a new rule covering patient data access through qualified information exchanges.

The new rule allows the information of minors to be accessed if prior consent has been obtained from parents or legal guardians via signed consent forms. To date, more than 870,000 adults in Western New York have already signed consent forms allowing their children’s information to be shared.

The rule change will ensure that treating pediatricians have access to the most up to date information, thus allowing them to make informed decisions about the best treatments to provide.

The move will help to ensure that access to the full range of health information can always be obtained, which has previously been an issue when minors have received medical services from multiple healthcare providers. The rule change will help to ensure safer and more efficient provision of clinical care. This is of particular importance when children are taken to healthcare facilities by non-parental caregivers such as grandparents, who may not have access to a child’s full medical history.

Dan Porreca, executive director of HEALTHeLINK, announced the rule update this week saying “This change in state policy gives parents and legal guardians the peace of mind that their child’s treating pediatrician or specialist will have the most up to date health information.”

However, while the information can now be accessed, some of the data contained in patients’ records may still be covered by state laws which prohibit re-disclosure to the minor’s parents without written consent being first obtained from the minor concerned.

Such situations may arise in the case of emancipated minors – those who are freed from control by parents or legal guardians, with the parents or legal guardians freed from responsibility toward the child. There may also be cases when the minor does not wish information about their reproductive health, HIV tests, STD treatments, or substance abuse to be disclosed, for instance.


Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter.

In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk.

The ban was originally put in place as SMS messages were not secure. It was also not possible to verify the sender of a message nor for the original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies have developed secure text messaging platforms that incorporate the necessary security features to ensure messages cannot be intercepted.

Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls were incorporated to ensure compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.

The advances made in secure text messaging technology led to the decision to lift the ban, which was announced in the May Perspectives newsletter. Then in July 2016, the Joint Commission reversed its decision and reinstated the ban, calling for further guidance for healthcare organizations due to concerns over patient privacy.

Guidance for healthcare organizations on the use of secure text messaging platforms would be developed in collaboration with the Centers for Medicare & Medicaid Services (CMS). Those guidelines were expected to be released by September this year.

However, the Joint Commission said in its December newsletter that its position has not changed and the ban is to remain in place, although it will continue to monitor the advances in secure texting technology and may update its position in the future.

In the meantime, CMS and the Joint Commission continue to ban the use of unsecure SMS messages and secure messaging platforms for sending patient care orders, although clinicians are permitted to use HIPAA-compliant secure messaging platforms to send messages to each other.

The decision to further delay the lifting of the ban on secure text messaging for orders is due to the Joint Commission still having a number of concerns over privacy and security.

The preferred method for sending orders is a computerized provider order entry (CPOE), as this method allows providers to directly enter orders into their electronic health record system.

The Joint Commission says, “CPOE helps ensure accuracy and allows the provider to view and respond to clinical decision support (CDS) recommendations and alerts. CPOE is increasingly available through secure, encrypted applications for smartphones and tablets, which will make following this recommendation less burdensome.”

If a CPOE is not possible, orders can be communicated verbally, but not by SMS message or even a secure messaging platform. The Joint Commission said, “After extensive discussion weighing the pros and cons of using secure text messaging systems to place orders, the Joint Commission and CMS have concluded that the impact of secure text orders on patient safety remains unclear.”

The Joint Commission also believes the use of an additional method of transmitting orders may increase the burden on nurses to manually enter the orders into the EHR. It was also pointed out that transmission of verbal orders allows synchronous clarification and confirmation of orders in real time, and if alerts or a CDS recommendation is triggered during the order process, an individual manually entering the order into an EHR may need to contact the ordering practitioner to request further information.


ONC Publishes Final 2017 Interoperability Standards Advisory

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA).

The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to obtain standards and implementation specifications to meet their specific interoperability needs.

The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for the full range of health IT that supports interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used.

The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online platform to enable stakeholders to “fully engage with and shape the ISA on an ongoing basis.”

The ISA is a fluid resource and will be updated periodically to cover a much broader range of health IT interoperability needs. This year’s updates include specific references to public health and research, as well as interoperability needs relating to personal health devices, nutritional health, social determinants of health, and nursing.

Since there may be more than one standard for any specific interoperability need, discussion will take place via the ISA public comment process. The new web version will make this process more transparent and threaded discussions will be viewable which should help to promote further dialogue.

Following the publication of the draft ISA in August this year, ONC has made a number of updates after taking on board the feedback received from the public and the Health IT Standards Committee.

ONC has dropped the use of ‘best available’ as a concept in the ISA. This is to ensure that stakeholders do not take that to mean standards and interoperability specifications are ‘the best’, when each may have a number of limitations or may not have been widely adopted. This will also help distinguish between standards that may be better suited for organizations’ needs.

The scope of the 2017 ISA has been expanded to include public health and health research interoperability and covers electronic health information that is created by healthcare providers and subsequently used for purposes for which interoperability is required. However, the ISA falls short of including interoperability standards for administrative and payment oriented HIPAA transactions, which are covered by the standards maintained by the Centers for Medicare & Medicaid Services (CMS).

The Final 2017 ISA is split into the following categories:

  • Section I – Vocabulary/Code Sets/Terminology Standards and Implementation Specifications (i.e., “semantics”).
  • Section II – Content/Structure Standards and Implementation Specifications (i.e., “syntax”).
  • Section III – Standards and Implementation Specifications for Services (i.e., the infrastructure components deployed and used to address specific interoperability needs).
  • Section IV – Models and Profiles.
  • Section V – Questions and Requests for Stakeholder Feedback.


ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator.

At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected.

The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices to enable consumers to make an informed decision about whether to use a particular product.

While the ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable, and include wearable devices and mobile applications. The current MPN is therefore somewhat dated.

ONC notes that the number of consumers using devices that record electronic health information has grown considerably since 2011. It has now become increasingly important for consumers to be able to make decisions about products based on how their information will be used and stored, in particular how their data will be protected and with whom health information will be shared. The current MPN does not make it easy for consumers to find out this information.

While many consumers are aware of the Health Insurance Portability and Accountability Act and know that HIPAA covered entities are required to implement controls to protect stored data and limit disclosures of health information, many product developers that collect and store health information are not in fact HIPAA-covered entities.

Fitness trackers for example may record data types that are classed as protected health information (PHI) when collected and stored by a HIPAA-covered entity, yet are not subject to HIPAA Rules when collected and stored by a product developer.

It is therefore essential to clarify privacy and security policies to ensure consumers are aware of what will happen to their data, so they can make an informed decision about whether to use a particular product.

To make it easier for developers to use the MPN and easier for consumers to understand the information provided via the MPN, the ONC has launched The Privacy Policy Snapshot Challenge.

The Challenge involves creating “an online tool that can generate a user-friendly snapshot of a product’s privacy practices.” ONC explains that submissions must include “code for an open source, web-based tool that allows health technology developers who collect digital health data to generate a customized privacy notice.”

The first prize is $20,000, the second prize $10,000, and the third prize $5,000. Entries must be submitted by April 10, 2017.

Designers, developers, and health data privacy experts can find out more and sign up for the Privacy Policy Snapshot Challenge on this link.


National Governors Association Releases Roadmap for States to Improve Health Data Sharing

To support effective decision making, improve the care provided to patients, and cut the costs of healthcare provision, healthcare data must be readily available to all healthcare providers.

While other industry sectors have taken great strides toward improving the flow of information to increase efficiency, the healthcare industry still lags behind other industries. There are still many barriers in place which are preventing the meaningful exchange of health information.

There is currently considerable confusion about the restrictions imposed by the Health Insurance Portability and Accountability Act (HIPAA) and state laws on health information privacy. State governments in particular require assistance navigating these rules and regulations so they can play their part in improving the flow of healthcare data and can more effectively drive forward policies that support a fully interoperable nationwide healthcare system.

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) previously awarded a cooperative funding agreement to the National Governors Association (NGA) to evaluate interoperability barriers and identify steps that could be taken to improve the flow of healthcare data within and among states.

NGA interviewed more than 90 state health policy officials, provider organizations, payers, and health information organizations to gain insight into the current problems preventing health data flow. Federal, state, and healthcare industry stakeholders were also brought together to discuss the issues that were preventing meaningful exchange of healthcare data and to provide some insight into how those problems could be resolved.

NGA has now published a roadmap for governors, senior healthcare policy officials, state lawmakers, and legislative councils. The roadmap identifies the key barriers that are preventing meaningful exchange of health information and provides useful advice on how those barriers can be removed. The roadmap outlines a 5-step strategy that can be adopted by states to improve information flow between healthcare providers and includes case studies of successful strategies that have been adopted by states.

In addition to publishing the roadmap, the NGA has started helping states to execute its recommendations and will be issuing a progress report in 2017.

The roadmap – “Getting the Right Information to the Right Health Care Providers at the Right Time: A Road Map for States to Improve Health Information Flow Between Providers” – can be viewed on this link.


ONC Issues Fact Sheet Explaining Exchange of Health Information for Public Health Activities

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) have published a new fact sheet explaining some of the circumstances under which the sharing of electronic healthcare information without patients’ written consent is permitted by Health Insurance Portability and Accountability Act (HIPAA) Rules.

The HIPAA Privacy Rule came into effect in April 2003 and set new standards to protect individuals’ personal health information. The HIPAA Privacy Rule sets limits and conditions on when personal health information can be used or disclosed without prior consent being obtained from patients. For example, the HIPAA Privacy Rule allows HIPAA-covered entities (healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities) to share the personal health information of patients for treatment purposes and healthcare operations.

Health information may need to be shared between two healthcare providers involved in the treatment of a patient, or between a healthcare provider and a health plan, for example.

The ONC has previously released fact sheets explaining HIPAA Rules concerning the sharing of health information for the purpose of treatment and for healthcare operations. The latest fact sheet covers the sharing of health information for public health activities.

The sharing of health information has been essential for containing Ebola and monitoring Zika virus infections, as well as supporting other public health activities such as responding to natural disasters and tackling major health crises such as lead poisoning.

HIPAA does not permit healthcare organizations to share entire medical histories; instead, healthcare organizations are required to limit disclosure to the “minimum necessary” for a specific purpose.

The fact sheet lists nine different hypothetical scenarios where health information could be shared without the consent of patients. The scenarios apply to all covered entities, although business associates of covered entities are only permitted to share ePHI if they have been authorized to do so by a covered entity in their business associate agreement (BAA).

The fact sheet covers:

  • Reportable Diseases: Exchanging ePHI with the U.S. Centers for Disease Control (CDC).
  • Public Health Surveillance: Exchanging patient data with health departments to monitor cancer occurrence.
  • Public Health Investigations: Exchange of ePHI with the Department of Health to monitor and investigate disease outbreaks.
  • Public Health Interventions: Exchanging data with health departments on lead poisoning.
  • Product Recalls: Exchanging information on patients regarding medical devices that are under Food and Drug Administration (FDA) jurisdiction.
  • Medical Surveillance in the Workplace: Exchange of ePHI to evaluate work-related illness and injuries.
  • Sharing data using EHR technology.

The Fact Sheet – Permitted Uses and Disclosures: Exchange for Public Health Activities can be downloaded on this link.
