HIPAA Training and Advice

Is Qualtrics HIPAA Compliant?

The difficulty in answering the question “is Qualtrics HIPAA compliant?” is that, although the “experience management” platform appears to support HIPAA compliance, configuring and using the platform in a HIPAA compliant manner looks more complicated than some Covered Entities will be comfortable with.

For those who struggle with fancy terminology, Qualtrics is an online platform that enables businesses to create and send surveys, obtain customer/employee feedback, and address satisfaction issues using analytics and AI-powered automation. As an engagement and response tool, Qualtrics is a very advanced option. But is Qualtrics HIPAA compliant?

Certainly, Qualtrics appears to be HIPAA compliant in its role as a Business Associate to a Covered Entity. It has multiple security certifications – including self-certified compliance with the HITRUST CSF framework – and is willing to enter into a Business Associate Agreement with a Covered Entity if the platform is going to be used for collecting, storing, or transmitting PHI.

Qualtrics doesn’t provide previews of its Business Associate Agreements, but the draft Contractor Agreement for businesses Qualtrics might share PHI with is very comprehensive and covers everything required by the Administrative Simplification provisions. Assuming the Business Associate Agreement between Covered Entities and Qualtrics is equally as comprehensive, there should be no problem with clarifying Covered Entities’ and Qualtrics’ compliance obligations.

Can Qualtrics be Used in Compliance with HIPAA?

This is where the issue with HIPAA compliance exists. As mentioned previously, Qualtrics is a very advanced experience management platform. However, rather than explaining the platform’s capabilities – and how to use them – in a language people might understand, the limited information on the web site is garnished with fancy terminology. This can make it difficult to configure and use Qualtrics in compliance with HIPAA.

There is a rich resource library that contains product demonstrations, and you can also find demos on YouTube that don’t require you to register first. Both sources demonstrate that, if you don’t know what you are doing when using the platform, the range of options is complicated to navigate – potentially resulting in configuration challenges, user problems, project delays, and incomplete data analyses.

To help overcome the issue, Qualtrics has an online resource library with plenty of “how to” pages; but, again, we get the feeling you already have to be familiar with the software – and understand the terminology – to benefit from the advice offered. Phone, email, and chat customer service is also available depending on which level of plan you subscribe to, but the company’s live support services get very poor reviews on user-verified review sites.

Limited Use Cases Suggest Other Solutions May be More Viable

Like most online survey software, Qualtrics can be used to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce. Provided the platform is configured and used in compliance with HIPAA when PHI is being collected, stored, or transmitted, the platform can be an asset for these use cases.

However, in order to appear more valuable to healthcare providers than competing online survey software, Qualtrics also suggests additional use cases that are unrealistic – for example, solving the nationwide nursing shortage and diagnosing patients’ illnesses remotely with no reference to each patient’s medical history. Other examples tend to have an overreliance on the authenticity of customer reviews to prove a point.

In conclusion, Qualtrics is a HIPAA compliant platform that might be a nice toy to have, but it is an expensive toy that could create compliance issues due to the complexity of navigating the platform. Additionally, concerns exist about the steep learning curve, reportedly poor customer support, and limited use cases which suggest other solutions may be more viable. Certainly, simpler survey platforms which are easier to understand are less likely to be responsible for inadvertent HIPAA violations.

The post Is Qualtrics HIPAA Compliant? appeared first on HIPAA Journal.

Is Proton Mail HIPAA Compliant?

Like most questions relating to HIPAA and technology, the answer to the question “is Proton Mail HIPAA compliant?” is “it depends”. This is because no technology is HIPAA compliant in itself. It is how the technology is configured and used that determines compliance with HIPAA.

Proton Mail offers mail, storage, and VPN services, and claims to be “the world’s largest end-to-end encrypted email service”. The “end-to-end” part of the claim does a lot of heavy lifting because emails are only fully encrypted between Proton Mail users. If you send an encrypted email to a (say) Outlook user, you have to set a password for the recipient to open the email.

Nonetheless, Proton Mail is an attractive option for businesses operating in regulated industries because of its zero-knowledge model and advanced privacy protections. It is also fairly easy to configure (compared to – for example – Microsoft 365) and it is possible to “bridge” accounts between the Proton Mail client and third-party email service providers.

Do Covered Entities Need Encrypted Email?

Before considering whether Proton Mail is HIPAA compliant, it may be worth considering whether Covered Entities need encrypted email at all. This is because the Privacy and Security Rules do not stipulate that emails have to be encrypted – only that the privacy of PHI is protected and that measures are implemented to ensure the confidentiality, integrity, and availability of electronic PHI.

Therefore, although encrypted email services such as Proton Mail can prevent data breaches if emails are intercepted in transit or if a mail server is hacked, encrypted email services do not prevent emails containing PHI from being sent to the wrong recipient, mail shots from being sent with all recipients’ names in the “to” or “cc” boxes, or malicious insiders from using encrypted email to steal PHI.

Furthermore, HHS has issued guidance that it is okay to communicate PHI with a patient via unencrypted email provided the patient has not specifically requested to be contacted via a more secure channel. Indeed, the guidance states Covered Entities can assume a patient has given their consent to be contacted by unencrypted email if the patient has initiated contact in this manner.

But Is Proton Mail HIPAA Compliant?

For Covered Entities that feel encrypted email is an essential part of a multi-layered defense strategy, Proton Mail meets the physical, technical, and administrative safeguards required of a Business Associate and will enter into a Business Associate Agreement with Covered Entities – even though the vendor does not have access to the content of emails due to its zero-knowledge model.

All emails between Proton Mail users are encrypted by default, and the user-friendly Administrator’s Console makes it easy to onboard or remove users, manage user credentials, and control which users have access to Proton Drive storage volumes containing PHI. The console also allows administrators to force sign outs when user credentials are believed to have been compromised.

In these respects, Proton Mail goes beyond the minimum requirements to support HIPAA compliance, and it could be said that Proton Mail is HIPAA compliant. However, users still have to be trained – and remember – to set a password for each recipient that is not a Proton Mail user, which may cause more compliance issues than not using an encrypted mail service to communicate PHI.


HIPAA Continuity of Care

Under HIPAA, continuity of care is not always as straightforward as it could be due to seemingly contradictory guidance issued by HHS’ Office for Civil Rights. Whereas the Privacy Rule would appear to allow disclosures of PHI for continuity of care and care coordination, the HHS guidance states disclosures of PHI between Covered Entities must be kept to the minimum necessary amount.

The term “continuity of care” has various definitions. Some definitions imply care is continuous within the same healthcare organization (or Organized Health Care Arrangement), while others extend the definition to multiple healthcare settings. An example of this is a patient’s journey from a physician’s office to a hospital, then to a care home, then to a home health service.

With regards to HIPAA and continuity of care in a single healthcare setting – or within an Organized Health Care Arrangement – the Privacy Rule allows disclosures of Protected Health Information (PHI) for healthcare operations without patient consent or authorization. One of the permissible disclosures of PHI in this category is for “case management and care coordination”.

However, when continuity of care involves multiple providers in a linear process, some transfers of information can be incomplete due to the complicated language of the Privacy Rule and seemingly conflicting guidance issued by HHS’ Office for Civil Rights in 2019 with regard to HIPAA care coordination and HIPAA continuity of care.

Continuation of Care, HIPAA, and What the Privacy Rule Says

In the context of continuation of care, HIPAA §164.506(c)(4) states a Covered Entity may disclose PHI to another Covered Entity for health care operations if either Covered Entity has or had a relationship with the individual who is the subject of the PHI being disclosed, if the PHI being disclosed pertains to such relationship, and if it is for a purpose allowed by the definition of health care operations.

The Privacy Rule (HIPAA §164.502(b)(2)) also states the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment. Therefore, in the example given above of a patient’s journey from a physician’s office to a home health service, there should be no problem with the home health service obtaining PHI from the physician to provide treatment.

Nonetheless, in guidance issued by HHS’ Office for Civil Rights, several examples are given in which it is permissible to transfer PHI between Covered Entities to support care coordination and continuity of care under HIPAA. However, the HHS guidance concludes with a reminder that “although such disclosures are permitted, they are subject to the minimum necessary standard”.

Office for Civil Rights Guidance for HIPAA Coordination of Care

The conclusion to the guidance can appear to contradict the Privacy Rule – particularly the clause stating the minimum necessary standard does not apply to disclosures for treatment. However, when the examples in the guidance are more closely examined, they relate to disclosures of PHI between health plans – rather than healthcare providers – which are not for treatment purposes.

Nonetheless, because the term Covered Entity is used in the guidance, some providers have applied the guidance to their healthcare operations and only provide the minimum necessary PHI to the next provider “up the continuity line”. Provider B then has an incomplete medical history to transfer to Provider C, who also limits disclosures to the minimum necessary when handing off to Provider D.

Provider D (in our example, the home health service) can acquire the PHI they need from Provider A (the physician) to ensure continuity of care under HIPAA; but, because Provider A believes they have to obtain an authorization from the patient before disclosing more than the minimum necessary PHI, there is an avoidable delay in Provider D receiving potentially vital healthcare data – which can impact patient care.

Proposed Changes to Clarify HIPAA Care Coordination Rules

To clarify how HIPAA applies to care coordination, several Rule changes have been proposed. The proposed changes – if finalized – will not only impact HIPAA compliance, but also other federal Rules that govern uses and disclosures of PHI (for example, 42 CFR Part 2). The key Notices of Proposed Rule Making (NPRMs) that will clarify the care coordination HIPAA rules are:

The Office for Civil Rights’ Proposed Modifications to the Privacy Rule

This NPRM, published in January 2021, proposes multiple HIPAA updates to “support, and remove barriers to, coordinated care and individual engagement”. Among the proposed changes to the Privacy Rule:

  • Disclosures of PHI will be permitted without the need to obtain consent or authorization to help individuals with a substance use disorder in emergency circumstances.
  • Disclosures of PHI for continuity of care and individual-level care coordination will be specifically permitted to avoid misunderstanding about when consent is required.
  • An exception to the Minimum Necessary Standard will be created for disclosures of PHI relating to individual-level HIPAA care coordination and case management.

Update to CMS Interoperability and Patient Access Final Rule

In 2020, the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. As the title suggests, the Rule has the primary objectives of improving interoperability between Medicare Covered Entities and enabling better patient access to PHI. Among other measures, a proposed update to the Rule published in December 2022 seeks stakeholder comments on how best to enable data exchanges via a Trusted Exchange Framework.

Closer Alignment of 42 CFR Part 2 and the HIPAA Privacy Rule

Also at the end of 2022, the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly published an NPRM that more closely aligns the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) with the uses and disclosures of PHI permitted by the HIPAA Privacy Rule. If finalized in its current format, the NPRM will better support compliance with HIPAA and care coordination for SUD and mental health patients.

Is SurveyMonkey HIPAA Compliant?

Is SurveyMonkey HIPAA compliant? At the present time, SurveyMonkey is HIPAA compliant. However, SurveyMonkey’s parent company – Momentive – is in the process of being acquired by a private equity consortium. If the acquisition proceeds, we cannot guarantee the information below will remain accurate.

SurveyMonkey is an online application that enables subscribers to create and send surveys via email, social media, and messaging services. The application is most often used in the healthcare industry to gain insights into patients’ health habits, track the effectiveness of patient safety programs, and solicit feedback from members of the workforce.

Although SurveyMonkey offers a free plan, it is extremely limited. Free subscribers can only ask up to 10 questions per survey and accept only 40 responses per survey. Additionally, if PHI is going to be disclosed in any answers or questions, it will be necessary to enter into a Business Associate Agreement – something SurveyMonkey is only prepared to do with subscribers to its business plans.

Is SurveyMonkey HIPAA Compliant?

In its role as a Business Associate, SurveyMonkey is HIPAA compliant. The company provides a comprehensive security statement and a HIPAA compliance web page on which it attests to reasonably and appropriately protecting the confidentiality, integrity, and availability of electronic PHI received, maintained, or transmitted on behalf of Covered Entities (subject to accounts being HIPAA-enabled). The web page also lists some of the safeguards SurveyMonkey has put in place:

  • Assigned security team responsible for maintaining compliance with HIPAA.
  • Screening, authorization, and HIPAA training of SurveyMonkey staff.
  • Data backup and disaster recovery plans.
  • Systems regularly monitored, updated, and patched.
  • Incident response plan that includes reporting security incidents to Covered Entities.
  • All communications with SurveyMonkey servers are encrypted with SSL.
  • Regular risk assessments to ensure safeguards remain relevant and effective.

With regards to the Business Associate Agreement, SurveyMonkey offers its own Agreement or will enter into a Covered Entity’s Agreement subject to being able to comply with the terms of the Agreement. Helpfully, the company has published a preview BAA on its website. However, visitors are alerted to the fact that the preview BAA was last updated in 2015 and reminded that SurveyMonkey’s parent company may soon be acquired – so the terms of the preview BAA may not remain the same.

Complying with HIPAA when using SurveyMonkey

If a Business Associate Agreement is in place, SurveyMonkey has the tools to support HIPAA compliance. These tools include activity logs and optional automatic log-off – which administrators should configure to comply with organizational HIPAA policies – and alert messages that warn users when they risk disclosing PHI or risk respondents disclosing PHI.

However, alert messages can be ignored and mistakes made. Therefore, it is important to train users on the compliant use of SurveyMonkey and how to respond if a response to a survey question discloses PHI they are not authorized to see. It may also be necessary to train users on how to identify and report inadvertent data breaches to compliance officers.

In conclusion, although SurveyMonkey is HIPAA compliant in its role as a Business Associate and has the tools to support HIPAA compliance, it is the responsibility of each Covered Entity to subscribe to an appropriate HIPAA-enabled business plan, configure the tools correctly, ensure users are trained how to comply with HIPAA when using SurveyMonkey, and monitor compliance.


Is Microsoft Teams HIPAA Compliant?

If your HIPAA-covered organization is planning to use Microsoft Teams to collect, store, share, or transmit electronic PHI, it is important to know how to make Microsoft Teams HIPAA compliant. This is because, although most Microsoft business plans include the capabilities to support HIPAA compliance when using Teams, how the platform is used is what determines compliance.

Microsoft Teams is a communications platform that includes secure chat, videoconferencing, and file sharing capabilities. The platform is widely used in business to “bridge the gap between in-person and remote teammates” and can ensure team members stay informed, organized, and connected. Microsoft Teams can also be integrated with hundreds of apps to enhance collaboration and streamline workflows.

Because of its advanced capabilities and integrations, Microsoft Teams is one of the top ten communication platforms used in the healthcare industry. The platform can be used for corporate communications, onboarding, training, and scheduling, and for conducting wellness checks with frontline workers – an engagement activity that is practically essential in the healthcare industry at present.

When these uses do not involve the collection, storage, sharing, or transmission of electronic PHI, the question “is Microsoft Teams HIPAA compliant?” does not apply, because the platform does not have to be HIPAA compliant to conduct corporate communications, etc. However, if electronic PHI is collected, stored, shared, or transmitted via the platform – or via any app integrated with the platform – it is important Covered Entities know how to make Microsoft Teams HIPAA compliant.

How to Make Microsoft Teams HIPAA Compliant

No software is HIPAA compliant. How software is configured and used determines compliance, so it is important Covered Entities and Business Associates understand the capabilities of the software before deployment – and also understand what features the software may be lacking. For example, many software solutions claiming to be HIPAA compliant lack automatic logoff features because the devices on which they are deployed should be configured to log users out after a period of inactivity.

With Microsoft Teams, HIPAA compliance can also be reliant on which business plan an organization subscribes to. The Teams platform is included in most business plans (i.e., not Office Home or Apps for Business), but varies in capabilities between plans. For example, two of the three “Frontline” business plans lack full identity and access management controls, and only the Microsoft 365 and Office 365 E5 business plans include the Teams Phone System by default.

While these potential shortcomings can be overcome by subscribing to add-on licenses, this means that both the platform and the add-on must be configured correctly to comply with the technical safeguards of the Security Rule. This can increase the complexity of making Microsoft Teams HIPAA compliant and increase the risk of an inadvertent HIPAA violation or data breach. The same applies to any other app integrated with the Teams platform.

Why How the Platform is Used is Important

With most software solutions that support HIPAA compliance, once they have been configured to comply with the technical safeguards of the Security Rule, the risk of an inadvertent violation or data breach depends on what they are used for and how they are used. What Microsoft Teams is used for and how it is used is particularly relevant in the context of answering the question “is Microsoft Teams HIPAA compliant?” – especially with regards to interactions with patients.

Because of the platform’s capabilities, Microsoft Teams can be deployed to schedule, manage, and conduct virtual telehealth consultations with patients. It is even possible to connect Microsoft Teams to certain types of EHR (subject to prerequisites) so healthcare professionals can launch virtual consultations with patients from the EHR, and so patients can request virtual appointments with healthcare professionals via a Covered Entity’s healthcare portal.

Conducting virtual telehealth consultations can increase the risk of HIPAA violations if the identity of the patient is not verified or if the patient is in a location in which it is impossible to guarantee the confidentiality of PHI (there are many real-life examples). Consequently, it is important that healthcare professionals using Microsoft Teams to conduct virtual telehealth consultations use good judgement to ensure disclosures of PHI are permissible under the Privacy Rule.

Other Considerations to Take into Account

Microsoft Teams has a Data Loss Prevention safeguard which prevents sensitive data from being shared with individuals who attend a meeting as a guest (as most patients would). Depending on how this safeguard is configured, it can prevent healthcare professionals from permissibly disclosing PHI to patients. This may prompt healthcare professionals to use alternative, non-compliant telehealth services to communicate with patients.

It is also important to be aware that, by subscribing to a Microsoft 365 or Office 365 business plan, healthcare providers automatically accept Microsoft’s Business Associate Agreement. Microsoft will not enter into individual customers’ Business Associate Agreements; so, if a Covered Entity does not like the terms of Microsoft’s Business Associate Agreement, the options are to either accept them and put up with them, or look for another communications platform to use.

One further consideration is that Covered Entities must subscribe to a business plan in order to use Teams under a Business Associate Agreement and the business plan must include licenses for all users. This can make it very expensive to provide telehealth services via Microsoft Teams if the platform is only utilized by a few users or the plan includes multiple analytics, insight, and management capabilities the Covered Entity will pay for, but never use.

Is Microsoft Teams HIPAA Compliant? Conclusion

While it is possible to make Microsoft Teams HIPAA compliant by subscribing to the right plan and configuring the platform to comply with the technical safeguards of the Security Rule, there are a number of considerations to take into account before adopting Microsoft Teams as a communication channel through which electronic PHI is collected, stored, shared, or transmitted.

These include the confidentiality of PHI during virtual telehealth consultations (this could apply to any telehealth platform), the risk that a user might use a non-compliant alternative to Microsoft Teams to circumvent Data Loss Prevention controls, the terms of Microsoft’s Business Associate Agreement, and the cost of subscribing to a business plan which may include capabilities that will never be used.

For many Covered Entities, there are cheaper options. However, some have known security issues, while others are alleged to have connectivity issues. Therefore, Covered Entities are advised to conduct thorough due diligence on any potential communications software to ensure it supports HIPAA compliance, and to ensure it is easy to configure and use in compliance with HIPAA.
