HIPAA Training and Advice

Is Qualtrics HIPAA Compliant?

The issue with answering the question “is Qualtrics HIPAA compliant?” is that, although the “experience management” platform appears to support HIPAA compliance, configuring and using the platform in a HIPAA compliant manner looks more complicated than some Covered Entities will be comfortable with.

For those who struggle with fancy terminology, Qualtrics is an online platform that enables businesses to create and send surveys, obtain customer/employee feedback, and address satisfaction issues using analytics and AI-powered automation. As an engagement and response tool, Qualtrics is a very advanced option. But is Qualtrics HIPAA compliant?

Certainly, Qualtrics appears to be HIPAA compliant in its role as a Business Associate to a Covered Entity. It has multiple security certifications – including self-certified compliance with the HITRUST CSF Framework – and is willing to enter into a Business Associate Agreement with a Covered Entity if the platform is going to be used for collecting, storing, or transmitting PHI.

Qualtrics doesn’t provide previews of its Business Associate Agreements, but the draft Contractor Agreement for businesses Qualtrics might share PHI with is very comprehensive and covers everything required by the Administrative Simplification provisions. Assuming the Business Associate Agreement between Covered Entities and Qualtrics is equally as comprehensive, there should be no problem with clarifying Covered Entities’ and Qualtrics’ compliance obligations.

Can Qualtrics be Used in Compliance with HIPAA?

This is where the issue with HIPAA compliance exists. As mentioned previously, Qualtrics is a very advanced experience management platform. However, rather than explaining the platform’s capabilities – and how to use them – in a language people might understand, the limited information on the web site is garnished with fancy terminology. This can make it difficult to configure and use Qualtrics in compliance with HIPAA.

There is a rich resource library that contains product demonstrations, and you can also find demos on YouTube that don’t require you to register first. Both sources demonstrate that, if you don’t know what you are doing when using the platform, the range of options is complicated to navigate – potentially resulting in configuration challenges, user problems, project delays, and incomplete data analyses.

To help overcome the issue, Qualtrics has an online resource library with plenty of “how to” pages; but, again, we get the feeling you already have to be familiar with the software – and understand the terminology – to benefit from the advice offered. Phone, email, and chat customer service is also available depending on which level of plan you subscribe to, but the company’s live support services get very poor reviews on user-verified review sites.

Limited Use Cases Suggest Other Solutions May be More Viable

Like most online survey software, Qualtrics can be used to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce. Provided the platform is configured and used in compliance with HIPAA when PHI is being collected, stored, or transmitted, the platform can be an asset for these use cases.

However, in order to appear more valuable to healthcare providers than competing online survey software, Qualtrics also suggests additional use cases that are unrealistic – for example, solving the nationwide nursing shortage and diagnosing patients’ illnesses remotely with no reference to each patient’s medical history. Other examples tend to have an overreliance on the authenticity of customer reviews to prove a point.

In conclusion, Qualtrics is a HIPAA compliant platform that might be a nice toy to have, but it is an expensive toy that could create compliance issues due to the complexity of navigating the platform. Additionally, concerns exist about the steep learning curve, reportedly poor customer support, and limited use cases which suggest other solutions may be more viable. Certainly, simpler survey platforms which are easier to understand are less likely to be responsible for inadvertent HIPAA violations.

The post Is Qualtrics HIPAA Compliant? appeared first on HIPAA Journal.

Is Proton Mail HIPAA Compliant?

Like most questions relating to HIPAA and technology, the answer to the question “is Proton Mail HIPAA compliant?” is “it depends”. This is because no technology is HIPAA compliant in itself. It is how the technology is configured and used that determines compliance with HIPAA.

Proton Mail offers mail, storage, and VPN services, and claims to be “the world’s largest end-to-end encrypted email service”. The “end-to-end” part of the claim does a lot of heavy lifting because emails are only fully encrypted between Proton Mail users. If you send an encrypted email to a non-Proton Mail user (say, an Outlook user), you have to set a password that the recipient needs in order to open the email.

Nonetheless, Proton Mail is an attractive option for businesses operating in regulated industries because of its zero-knowledge model and advanced privacy protections. It is also fairly easy to configure (compared to – for example – Microsoft 365) and it is possible to “bridge” accounts between the Proton Mail client and third-party email service providers.

Do Covered Entities Need Encrypted Email?

Before considering whether Proton Mail is HIPAA compliant, it may be worth considering whether Covered Entities need encrypted email at all. This is because the Privacy and Security Rules do not stipulate that emails have to be encrypted – only that the privacy of PHI is protected and that measures are implemented to ensure the confidentiality, integrity, and availability of electronic PHI.

Therefore, although encrypted email services such as Proton Mail can prevent data breaches if emails are intercepted in transit or if a mail server is hacked, encrypted email services do not prevent emails containing PHI being sent to the wrong recipient, mail shots being sent with all recipients’ names in the “to” or “cc” boxes, or malicious insiders using encrypted email to steal PHI.

Furthermore, HHS has issued guidance that it is okay to communicate PHI with a patient via unencrypted email provided the patient has not specifically requested to be contacted via a more secure channel. Indeed, the guidance states Covered Entities can assume a patient has given their consent to be contacted by unencrypted email if the patient has initiated contact in this manner.

But Is Proton Mail HIPAA Compliant?

For Covered Entities that feel encrypted email is an essential part of a multi-layered defense strategy, Proton Mail meets the physical, technical, and administrative safeguards required of a Business Associate and will enter into a Business Associate Agreement with Covered Entities – even though the vendor does not have access to the content of emails due to its zero knowledge model.

All emails between Proton Mail users are encrypted by default, and the user-friendly Administrator’s Console makes it easy to onboard or remove users, manage user credentials, and control which users have access to Proton Drive storage volumes containing PHI. The console also allows administrators to force sign outs when user credentials are believed to have been compromised.

In these respects, Proton Mail goes beyond the minimum requirements to support HIPAA compliance, and it could be said that Proton Mail is HIPAA compliant. However, users still have to be trained – and remember – to set a password for each recipient that is not a Proton Mail user, which may cause more compliance issues than not using an encrypted mail service to communicate PHI.

The post Is Proton Mail HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA Continuity of Care

Under HIPAA, continuity of care is not always as straightforward as it could be due to seemingly contradictory guidance issued by HHS’ Office for Civil Rights. Whereas the Privacy Rule would appear to allow disclosures of PHI for continuity of care and care coordination, HHS’ guidance states disclosures of PHI between Covered Entities must be kept to the minimum necessary amount.

The term “continuity of care” has various definitions. Some definitions imply care is continuous within the same healthcare organization (or Organized Health Care Arrangement), while others extend the definition to multiple healthcare settings. An example of this is a patient’s journey from a physician’s office to a hospital, then to a care home, then to a home health service.

With regards to HIPAA and continuity of care in a single healthcare setting – or within an Organized Health Care Arrangement – the Privacy Rule allows disclosures of Protected Health Information (PHI) for healthcare operations without patient consent or authorization. One of the permissible disclosures of PHI in this category is for “case management and care coordination”.

However, when continuity of care involves multiple providers in a linear process, some transfers of information can be incomplete due to the complicated language of the Privacy Rule and seemingly conflicting guidance issued by HHS’ Office for Civil Rights in 2019 with regard to HIPAA care coordination and HIPAA continuity of care.

Continuation of Care, HIPAA, and What the Privacy Rule Says

In the context of continuation of care, HIPAA §164.506(c)(4) states a Covered Entity may disclose PHI to another Covered Entity for health care operations if either Covered Entity has or had a relationship with the individual who is the subject of the PHI being disclosed, if the PHI being disclosed pertains to such relationship, and if it is for a purpose allowed by the definition of health care operations.

The Privacy Rule (HIPAA §164.502(b)(2)) also states the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment. Therefore, in the example given above of a patient’s journey from a physician’s office to a home health service, there should be no problem with the home health service obtaining PHI from the physician to provide treatment.

However, in guidance issued by HHS’ Office for Civil Rights, several examples are given in which it is permissible to transfer PHI between Covered Entities to support care coordination and continuity of care under HIPAA. However, the HHS guidance concludes with a reminder that “although such disclosures are permitted, they are subject to the minimum necessary standard”.

Office for Civil Rights Guidance for HIPAA Coordination of Care

The conclusion to the guidance can appear to contradict the Privacy Rule – particularly the clause stating the minimum necessary standard does not apply to disclosures for treatment. However, when the examples in the guidance are more closely examined, they relate to disclosures of PHI between health plans – rather than healthcare providers – which are not for treatment purposes.

Nonetheless, because the term Covered Entity is used in the guidance, some providers have applied the guidance to their healthcare operations and only provide the minimum necessary PHI to the next provider “up the continuity line”. Provider B then has an incomplete medical history to transfer to Provider C, who also limits disclosures to the minimum necessary when handing off to Provider D.

Provider D (in our example, the home health service) can acquire the PHI they need from Provider A (the physician) to ensure continuity of care under HIPAA; but, because Provider A believes they have to obtain an authorization from the patient before disclosing more than the minimum necessary PHI, there is an avoidable delay in Provider D receiving potentially vital healthcare data – which can impact patient care.

Proposed Changes to Clarify HIPAA Care Coordination Rules

To clarify the position between HIPAA and care coordination, several Rule changes have been proposed. The proposed changes – if finalized – will not only impact HIPAA compliance, but other federal Rules that govern uses and disclosures of PHI (i.e., 42 CFR Part 2). The key Notices of Proposed Rule Making (NPRMs) that will clarify the care coordination HIPAA rules are:

The Office for Civil Rights’ Proposed Modifications to the Privacy Rule

This NPRM published in January 2021 proposes multiple HIPAA updates to “support, and remove barriers to, coordinated care and individual engagement”. Among the proposed changes to the Privacy Rule:

  • Disclosures of PHI will be permitted without the need to obtain consent or authorization to help individuals with a substance use disorder in emergency circumstances.
  • Disclosures of PHI for continuity of care and individual-level care coordination will be specifically permitted to avoid misunderstanding about when consent is required.
  • An exception to the Minimum Necessary Standard will be created for disclosures of PHI relating to individual-level HIPAA care coordination and case management.

Update to CMS Interoperability and Patient Access Final Rule

In 2020, the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. As the title suggests, the Rule has the primary objectives of improving interoperability between Medicare Covered Entities and enabling better patient access to PHI. Among other measures, a proposed update to the Rule published in December 2022 seeks stakeholder comments on how best to enable data exchanges via a Trusted Exchange Framework.

Closer Alignment of 42 CFR Part 2 and the HIPAA Privacy Rule

Also at the end of 2022, the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly published an NPRM that more closely aligns the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) with the uses and disclosures of PHI permitted by the HIPAA Privacy Rule. If finalized in its current format, the NPRM will better support compliance with HIPAA and care coordination for SUD and mental health patients.

The post HIPAA Continuity of Care appeared first on HIPAA Journal.

Is SurveyMonkey HIPAA Compliant?

Is SurveyMonkey HIPAA compliant? At the present time, SurveyMonkey is HIPAA compliant. However, SurveyMonkey’s parent company – Momentive – is in the process of being acquired by a private equity consortium. If the acquisition proceeds, we cannot guarantee the information below will remain accurate.

SurveyMonkey is an online application that enables subscribers to create and send surveys via email, social media, and messaging services. The application is most often used in the healthcare industry to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce.

Although SurveyMonkey offers a free plan, it is extremely limited. Free subscribers can only ask up to 10 questions per survey and receive only 40 responses per survey. Additionally, if PHI is going to be disclosed in any answers or questions, it will be necessary to enter into a Business Associate Agreement – something SurveyMonkey is only prepared to do with subscribers to its business plans.

Is SurveyMonkey HIPAA Compliant?

In its role as a Business Associate, SurveyMonkey is HIPAA compliant. The company provides a comprehensive security statement and a HIPAA compliance web page on which it attests to reasonably and appropriately protecting the confidentiality, integrity, and availability of electronic PHI received, maintained, or transmitted on behalf of Covered Entities (subject to accounts being HIPAA-enabled). The web page also lists some of the safeguards SurveyMonkey has put in place:

  • Assigned security team responsible for maintaining compliance with HIPAA.
  • Screening, authorization, and HIPAA training of SurveyMonkey staff.
  • Data backup and disaster recovery plans.
  • Systems regularly monitored, updated, and patched.
  • Incident response plan that includes reporting security incidents to Covered Entities.
  • All communications with SurveyMonkey servers are encrypted with SSL.
  • Regular risk assessments to ensure safeguards remain relevant and effective.

With regards to the Business Associate Agreement, SurveyMonkey offers its own Agreement or will enter into a Covered Entity’s Agreement subject to being able to comply with the terms of that Agreement. Helpfully, the company has published a preview BAA on its website. However, visitors are alerted to the fact that the preview BAA was last updated in 2015 and reminded that SurveyMonkey’s parent company may soon be acquired – so the terms of the preview BAA may not remain the same.

Complying with HIPAA when using SurveyMonkey

If a Business Associate Agreement is in place, SurveyMonkey has the tools to support HIPAA compliance. These tools include activity logs and optional automatic log-off – which administrators should configure to comply with organizational HIPAA policies – and alert messages that warn users when they risk disclosing PHI or risk respondents disclosing PHI.

However, alert messages can be ignored and mistakes made. Therefore, it is important to train users on the compliant use of SurveyMonkey and how to respond if a response to a survey question discloses PHI they are not authorized to see. It may also be necessary to train users on how to identify and report inadvertent data breaches to compliance officers.

In conclusion, although SurveyMonkey is HIPAA compliant in its role as a Business Associate and has the tools to support HIPAA compliance, it is the responsibility of each Covered Entity to subscribe to an appropriate HIPAA-enabled business plan, configure the tools correctly, ensure users are trained how to comply with HIPAA when using SurveyMonkey, and monitor compliance.

The post Is SurveyMonkey HIPAA Compliant? appeared first on HIPAA Journal.