HIPAA Updates

HHS Proposes New Rule to Implement HIPAA Standards for Healthcare Attachments and Electronic Signatures

The Secretary of the Department of Health and Human Services (HHS) has proposed a new rule that will require the adoption of standards for healthcare attachments transactions and for electronic signatures used in conjunction with those transactions to support healthcare claims and prior authorization transactions. The new rule will implement the Administrative Simplification requirements of HIPAA and the Affordable Care Act and will apply to all health plans, healthcare clearinghouses, and healthcare providers, which currently lack an efficient, uniform method of sending attachments.

Currently, when making coverage decisions about healthcare services, health plans often require additional information that cannot be added to the specified fields or data elements of the adopted prior authorization request or healthcare claims transaction. This information is sent through the mail or by fax and is subject to manual processes that consume considerable time and resources. At present, there are no adopted HIPAA standards, implementation guides, or operating rules covering healthcare attachments or electronic signatures. The proposed rule will support electronic transmission of this type of information.

“We believe that the health care industry has long anticipated the adoption of a set of HIPAA standards for the electronic exchange of clinical and administrative data to support electronic health care transactions, such as prior authorization of services and claims adjudication, and the standards we are proposing to adopt are an important step in reducing provider burden,” explained the HHS.

The Administrative Simplification Rules of HIPAA called for standard-setting organizations (SSOs) to develop standard code sets for electronic healthcare transactions, and some of these have previously been implemented as part of the Transactions and Code Sets final rule. A rule was also proposed in 2005 – The HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule – that required the adoption of health care claims attachment standards for specific service areas, including ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services; however, based on the comments received, the HHS chose not to finalize that rule.

The American Hospital Association (AHA) has announced its support for the proposed rule and the adoption of a new HIPAA standard for attachments and electronic signatures, as this will ease the burden on providers. Currently, the lack of a HIPAA standard for attachment transactions slows down claims processing, leading to delays to payments and patient care, and contributes to provider burnout. “The AHA supports establishing a standard for attachments to reduce the administrative burdens facing clinicians, and we look forward to providing robust commentary after analyzing the rule’s specifics,” said Terrence Cunningham, AHA director of administrative simplification policy.

The proposed rule is scheduled to be published in the Federal Register on December 21, 2022. Comments on the proposed rule must be submitted by March 21, 2022.

The post HHS Proposes New Rule to Implement HIPAA Standards for Healthcare Attachments and Electronic Signatures appeared first on HIPAA Journal.

OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation

The HHS’ Office for Civil Rights has issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a business associate agreement (BAA) is a HIPAA violation if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of the tracking technology may still violate the HIPAA Rules.

The bulletin has been issued in response to the discovery earlier this year that Meta Pixel tracking code was being extensively used on the websites of hospitals and that the code snippet transferred data to Meta, including sensitive patient data. These privacy breaches came to light during an investigation by The Markup and STAT, which found Meta Pixel had been added to the websites of one-third of the top 100 hospitals in the United States and, in 7 cases, the code had been added to password-protected patient portals. The study was limited to the top 100 hospitals, so it is likely that hundreds of hospitals have used the code and have – in all likelihood unwittingly – transferred sensitive data to Meta/Facebook without a business associate agreement in place and without obtaining patient consent.

Following the publication of the report, several lawsuits were filed against healthcare providers over these impermissible disclosures, with some plaintiffs claiming the information disclosed on the websites of their healthcare providers had been transferred to Meta and was used to serve them targeted advertisements related to their medical conditions. The news came as a shock to healthcare providers, triggering investigations and recent data breach notifications; however, despite the widespread use of the tracking code, only a handful of hospitals and health systems have reported the breach and have sent notifications so far. The bulletin from the HHS is likely to trigger a flurry of breach notifications as providers realize that the use of Meta Pixel and other tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are commonly snippets of code that are added to websites, web applications, and mobile apps for tracking user activity, typically for determining the journeys of users while using websites and monitoring their on-site interactions. The data collected by these technologies can be analyzed and used to improve the services provided through the websites and applications and enhance the user experience, which benefits patients. While there are benefits to individuals from the use of this code, there is also considerable potential for harm to be caused, as in addition to providing a HIPAA-regulated entity with useful information, the data collected through these technologies is usually transmitted to the vendor.

For instance, if a female patient arranged an appointment on the website of a healthcare provider to discuss the termination of a pregnancy, the information collected by the tracking technology on the site could be transmitted to the vendor and subsequently disclosed to other third parties, including law enforcement. Information disclosed in confidence by a patient on a website or web application could be transferred to a third party and be used for fraud, identity theft, extortion, stalking, harassment, or to promote misinformation.

In many cases, these tracking technologies are added to websites and applications without the knowledge of users, and it is often unclear how any disclosed information will be used by a vendor and to whom that transmitted information will be disclosed. These tracking technologies often use cookies and web beacons that allow individuals to be tracked across the Internet, allowing even more information to be collected about them to form detailed profiles. When tracking technologies are included in web applications, they can collect device-related information, including location data which is tied to a unique identifier for that device, through which a user could be identified.

All Tracking Technologies Must be HIPAA Compliant

There is nothing in HIPAA that prohibits the use of these tracking technologies, but the HIPAA Rules apply when third-party tracking technologies are used if the tracking technology collects individually identifiable information that is protected under HIPAA and transmits that information to a third party, be that the vendor of the tracking technology or any other third party. If the tracking technology collects any identifiers, they are classed as protected health information because the information connects the individual to the regulated entity, indicating the individual has received or will receive health care services or benefits from the regulated entity, and that relates to the individual’s past, present, or future health or health care or payment for care.

There is an elevated risk of an impermissible disclosure of PHI when tracking technology is used on patient portals or any other pages that require authentication, as these pages usually have access to PHI. If tracking code is added to these pages, it must be configured to ensure that the code only uses and discloses PHI in compliance with the HIPAA Privacy Rule, and that any information collected is secured in a manner compliant with the HIPAA Security Rule. Tracking code on unauthenticated pages also has the potential to have access to PHI. The same applies to tracking technologies within a HIPAA-regulated entity’s mobile apps if they collect and transmit PHI. OCR confirmed that only mobile apps offered by healthcare organizations are covered by HIPAA. HIPAA does not apply to third-party apps that are voluntarily downloaded by individuals, even if the apps collect and transmit health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the bulletin.

The OCR bulletin confirms that if tracking technologies are used, the provider of that code – which includes Meta Platforms (Meta Pixel) and Google (Google Analytics) – would be classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity before the code can be added to a website or application. The BAA must state the responsibilities of the vendor with respect to the PHI and specify the permitted uses and disclosures of that information. If the vendor will not sign a BAA, PHI cannot legally be provided to that vendor; therefore the code cannot be used, or it must be configured so that it does not collect or transmit PHI. OCR also confirmed that even if a vendor states that it will strip out any identifiable information prior to saving or using the transferred data, such a disclosure to the vendor would still only be permitted if a BAA was signed and if the HIPAA Privacy Rule permits such a disclosure.

Other potential violations of HIPAA could occur. If any PHI is disclosed to a vendor, it must be in line with the organization’s privacy policy and be detailed in their Notice of Privacy Practices. It is important to note that simply stating that tracking technology is used in a notice of privacy practices is not sufficient by itself to ensure compliance. In addition to a BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from a patient, giving their consent to disclose that information. Website banners that ask a website visitor to consent to cookies and the use of web tracking technologies do not constitute valid HIPAA authorizations.

Actions HIPAA-Regulated Entities Should Take Immediately

In light of the bulletin, HIPAA-regulated entities should read it carefully to make sure they understand how HIPAA applies to tracking technologies. They should also conduct a review of any tracking technologies that they are using on their websites, web applications, or mobile apps to ensure those technologies are being used in a manner compliant with the HIPAA Rules. If they are not already included, website tracking technologies must be added to a HIPAA-regulated entity’s risk analysis and risk management processes.

It is important to state that a tracking technology vendor is classed as a business associate under HIPAA, even if a BAA is not signed. As such, any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.

If during the review a HIPAA-regulated entity discovers tracking technologies are being used in a manner not compliant with the HIPAA Rules, or have been in the past, then the HIPAA Breach Notification Rule applies. Notifications will need to be sent to OCR and the individuals whose PHI has been impermissibly disclosed.
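As an added illustration of the review step described above (example code written for this page, not code from OCR or HIPAA Journal), the following Python inventories script tags, inline scripts and image beacons in page HTML, matches them against signatures for the two vendors named in the bulletin coverage, and ranks hits on authenticated pages (such as patient portals) first. The signature list and the sample pages are constructed assumptions for illustration; a real review would also cover tag managers, mobile app SDKs and pages rendered after login.

```python
import re
from html.parser import HTMLParser

# Assumed, illustrative signatures for the two vendors named in the bulletin
# coverage. Patterns are matched against script src URLs, inline script text
# and image/iframe (web beacon) URLs. Not an official or complete list.
TRACKER_SIGNATURES = {
    "Meta Pixel": [
        r"connect\.facebook\.net/[^/]+/fbevents\.js",
        r"\bfbq\s*\(",
        r"facebook\.com/tr\b",
    ],
    "Google Analytics": [
        r"googletagmanager\.com/gtag/js",
        r"google-analytics\.com/(analytics|ga)\.js",
        r"\bgtag\s*\(",
        r"google-analytics\.com/collect",
    ],
}


class _TrackerScanner(HTMLParser):
    """Collects external script sources, inline script bodies and beacon URLs."""

    def __init__(self):
        super().__init__()
        self.candidates = []  # list of (kind, value) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.candidates.append(("script-src", a["src"]))
        elif tag in ("img", "iframe") and a.get("src"):
            # 1x1 images in <noscript> blocks are the classic web beacon.
            self.candidates.append((tag + "-src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.candidates.append(("inline-script", data))


def find_trackers(html):
    """Return the sorted vendor names whose signatures appear in the page."""
    scanner = _TrackerScanner()
    scanner.feed(html)
    found = set()
    for _kind, value in scanner.candidates:
        for vendor, patterns in TRACKER_SIGNATURES.items():
            if any(re.search(pat, value) for pat in patterns):
                found.add(vendor)
    return sorted(found)


def audit_pages(pages):
    """pages maps a path to (is_authenticated, html).

    Returns one finding per page that carries a tracker, with authenticated
    pages first, since those are where PHI exposure is most likely.
    """
    findings = []
    for path, (authenticated, html) in pages.items():
        vendors = find_trackers(html)
        if vendors:
            findings.append({
                "path": path,
                "authenticated": authenticated,
                "vendors": vendors,
                "risk": "high" if authenticated else "review",
            })
    findings.sort(key=lambda f: (not f["authenticated"], f["path"]))
    return findings


# Constructed sample pages (placeholder IDs, not real tracking IDs).
SAMPLE_PAGES = {
    "/": (False, '<html><head>'
                 '<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'
                 '<script>window.dataLayer=window.dataLayer||[];'
                 'function gtag(){dataLayer.push(arguments);}gtag("js",new Date());</script>'
                 '</head><body><h1>Welcome</h1></body></html>'),
    "/portal/appointments": (True, '<html><head>'
                 '<script>var s=document.createElement("script");'
                 's.src="https://connect.facebook.net/en_US/fbevents.js";document.head.appendChild(s);'
                 'fbq("init","000000000000000");fbq("track","PageView");</script>'
                 '</head><body><noscript><img height="1" width="1" '
                 'src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>'
                 '<p>Upcoming appointments</p></body></html>'),
    "/about": (False, "<html><body><p>Contact us</p></body></html>"),
}

if __name__ == "__main__":
    for finding in audit_pages(SAMPLE_PAGES):
        print(finding)
```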

Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report

Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, has recently published a white paper – Cybersecurity is Patient Safety – that highlights the current cybersecurity challenges facing the healthcare industry and suggests several potential policy changes that could help to improve healthcare cybersecurity and better protect all health information, including health data not currently protected under the HIPAA Rules.

Sen. Warner suggests the only way to improve healthcare cybersecurity rapidly is through a collaborative effort involving the public and private sectors, with the federal government providing overall leadership. While further regulation may be necessary, the overall consensus of healthcare industry stakeholders is that the best approach is to introduce incentives for improving cybersecurity, rather than mandating cybersecurity improvements with a threat of financial penalties for noncompliance.

The healthcare industry is under attack from cybercriminals and nation-state threat actors, and cyberattacks and data breaches are increasing at unacceptable levels. In 2021, 45 million Americans had their sensitive personal and healthcare information exposed or stolen in healthcare industry cyberattacks. More must be done to improve resilience and deal with the increasing threats. “Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” said Senator Warner. “Cybersecurity can no longer be viewed as a secondary concern; it must become incorporated into every organization’s – from equipment manufacturers to health care providers – core business models.”

The white paper suggests several areas where policies could be changed to improve cybersecurity in the healthcare industry.

Improve Federal Leadership

The Department of Health and Human Services (HHS) is the Sector Risk Management Agency (SRMA) for the healthcare industry, but within the HHS agencies such as the Office for Civil Rights (OCR), Centers for Medicare and Medicaid Services (CMS), and the Food and Drug Administration (FDA) have their own jurisdictions and cybersecurity policies. The white paper explains that there is a lack of overall leadership and suggests a senior leader should be appointed, who should be “empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role.”

Modernize HIPAA

HIPAA was enacted in 1996, and the HIPAA Privacy and Security Rules have been in place for two decades. While updates have been made to the HIPAA Rules, they fail to fully address emerging threats to the confidentiality, integrity, and availability of healthcare data. The current focus is on protecting the healthcare data collected, stored, and transmitted by HIPAA-regulated entities, but the same information is collected, stored, and transmitted by entities that are not bound by the HIPAA Rules. It has been suggested that more sensitive healthcare data is now being collected by health apps than is collected and stored by HIPAA-regulated entities, yet this data is largely unregulated. The white paper suggests Congress should direct the HHS to update HIPAA, expand the definition of covered entities, and stipulate the allowable uses and disclosures of health data by entities that are not currently classed as HIPAA-regulated entities, to address the gap between HIPAA and the FTC Health Breach Notification Rule.

Develop a Healthcare-Specific Cybersecurity Framework

The National Institute of Standards and Technology (NIST) has released its Framework for Improving Critical Infrastructure Cybersecurity, and while that work has been commended, many healthcare industry stakeholders want more detailed guidance from NIST that is specific to the healthcare industry and have called for NIST to develop a consensus-based healthcare-specific cybersecurity framework.

Improve Security Incident Preparedness and Response

The HHS recently stressed in its October Cybersecurity newsletter the importance of security incident preparedness and planning, as cyberattacks are inevitable in the lifespan of a healthcare organization. More needs to be done to encourage healthcare organizations to prepare for attacks. The HHS could direct healthcare facilities to consider cyberattacks to be equivalent to natural disasters such as hurricanes and earthquakes, including mandating training of hospital staff to use analog equipment and legacy systems, and to establish a disaster relief program for victims of cyberattacks.

Incentivize Healthcare Providers to Replace Legacy Systems

Legacy systems are still extensively used in the healthcare industry, despite software and operating systems reaching end-of-life and having support withdrawn. Legacy systems are a security risk, yet healthcare organizations continue to use them as they continue to function and the cost of replacing them is too high. Incentives should be offered to phase out these legacy systems, such as a program similar to the 2009 Car Allowance Rebate System (CARS) that encouraged people to trade in their old vehicles.

Improve Medical Device Cybersecurity

There is considerable concern about the cybersecurity of medical devices and a need for minimum standards of security to be maintained and good cyber hygiene practices followed. There is a need for all software and devices to be supplied with a software bill of materials (SBOM), and for security requirements to be imposed during pre-market approval, as proposed by the PATCH Act. The white paper also suggests restrictions could be imposed on the sale of medical devices whose software has reached end-of-life and is no longer supported, and that healthcare organizations could be incentivized to invest in systems for tracking medical equipment.

Address the Current Cybersecurity Talent Shortage

There is currently a global shortage of cybersecurity professionals that is unlikely to be resolved in the short to medium term. Healthcare organizations struggle to recruit the necessary talent and many cybersecurity positions in healthcare remain unfilled. The white paper suggests one way to address the shortage would be for Congress to create a workforce development program and to incentivize individuals to take on cybersecurity positions in healthcare, such as offering student loan forgiveness for cybersecurity professionals who commit to serving in rural communities, similar to the National Health Service Corps Loan Repayment Program.

Reduce the Cost of Cyber Insurance

Cyber insurance is becoming increasingly expensive and there is an extensive and burdensome application process. The white paper suggests a federal reinsurance program could be introduced to cover plans that require minimum cyber hygiene standards to be maintained, which could help the industry achieve minimum cyber hygiene standards without government mandates. The program would standardize coverage elements and provide incentives for insurance companies to adopt them. This could lower overall risks, which could help to reduce the cost of insurance.

Senator Warner is seeking feedback on the white paper from businesses, advocacy groups, researchers, and individuals. Comments should be submitted no later than December 1, 2022.

30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy

A group of 30 senators is urging the Department of Health and Human Services to update the Health Insurance Portability and Accountability Act (HIPAA) to better protect the privacy of patients’ reproductive health information in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v. Wade, which removed the federal right to an abortion that had existed for almost 50 years. Following the decision, several states have either banned abortion for state residents or implemented restrictions, with some already seeking to investigate and punish women for seeking abortion care.

The senators, led by Senate Committee on Health, Education, Labor and Pensions (HELP) Chair Patty Murray (D-WA), wrote to HHS Secretary Xavier Becerra calling for further rulemaking to update the HIPAA Privacy Rule to broadly restrict HIPAA-regulated entities from sharing individuals’ reproductive health information without explicit consent, specifically the sharing of that information with law enforcement, or in relation to civil or criminal proceedings premised on the provision of abortion care. The senators are calling for the update “to protect patients, and their providers, from having their health information weaponized against them.”

This is the second such request to be sent to Becerra to update the HIPAA Privacy Rule with respect to reproductive healthcare information following the Supreme Court decision. In July 2022, Sens. Michael Bennet (D-CO) and Catherine Cortez Masto (D-NV) wrote to Secretary Becerra requesting a HIPAA Privacy Rule update to improve patients’ reproductive healthcare rights.

Confusion About Permitted and Required Disclosures of PHI to Law Enforcement

HIPAA was passed by Congress in 1996, with the legislation calling for the HHS to issue regulations that ensured the privacy of personal health information, which led to the HIPAA Privacy Rule being penned in 2000 to limit uses and disclosures of protected health information unless consent is obtained. The HIPAA Privacy Rule has been updated several times since, with the senators now calling for a further update. “In order for patients to feel comfortable seeking care, and for health care personnel to provide this care, patients and providers must know that their personal health information, including information about their medical decisions, will be protected,” wrote the senators.

They explained that since the Dobbs decision, there has been widespread confusion among healthcare providers about when they are required to provide patients’ health information to state and local law enforcement. Some healthcare providers felt they were legally required to hand over that information, when the HIPAA Privacy Rule only permits, and does not require, such disclosures to law enforcement. There have also been cases of healthcare providers being unaware that certain disclosures of reproductive health information are not permitted under HIPAA. “Stakeholders have even described clashes between providers and health care system administrators on whether certain information must be shared. Many of these issues seem to arise from misunderstandings of what the HIPAA Privacy Rule requires of regulated entities and their employees,” wrote the senators.

As more states introduce bans on abortions or implement laws that severely restrict access to abortion care, the confusion is likely to grow. Some states have implemented laws that criminalize abortion providers and also make it illegal for anyone to aid or abet an abortion, which means that any healthcare professional could be exposed to legal liability, from a referring provider to a receptionist. Some state legislators are proposing laws that will ban state residents from visiting another state to have an abortion. “In many cases, these laws have been used to disproportionately criminalize or surveil women of color for their pregnancy loss,” warn the senators.

The senators warn that prohibiting access to abortions and undermining health information privacy will likely have devastating consequences for women’s health. If there is a threat of legal action, many women may delay or avoid disclosing a pregnancy or avoid seeking prenatal care. They may also avoid seeking care for medical conditions such as arthritis or cancer, where the treatment could impact their pregnancy, and healthcare providers may hesitate to provide certain treatments. There are fears that women who are experiencing complications from pregnancy or abortion may avoid seeking essential emergency care, which could have profound health consequences.

Prompt Rulemaking Requested to Update the HIPAA Privacy Rule

The senators explained that HIPAA has protected patient privacy for more than 20 years and has already recognized the need for stronger protections for highly sensitive information such as psychotherapy notes; they suggest similar restrictions are required for reproductive health information. The senators praised the efforts of the HHS after the Dobbs decision, which included issuing guidance on the requirements of the HIPAA Privacy Rule with respect to information related to reproductive care, but have called for further proactive steps to be taken to strengthen patient privacy protections.

In addition to broadly restricting HIPAA-regulated entities from sharing reproductive health information without explicit consent for law enforcement, civil, or criminal proceedings premised on the provision of abortion care, the senators have called for the HHS to increase its efforts to engage and educate the healthcare community about the obligations of HIPAA-regulated entities under the HIPAA Privacy Rule, including explaining the difference between permitted and required disclosures of PHI, best practices for educating patients and health plan enrollees on their privacy rights, and how HIPAA interacts with state laws.

They have called for the HHS to expand its efforts to educate patients about their rights under the HIPAA Privacy Rule and to ensure cases involving reproductive health information receive timely, appropriate attention for compliance and enforcement activities.

OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade

President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra recently called on HHS agencies to take action to protect access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care, following the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization. The Supreme Court overruled Roe v. Wade and Planned Parenthood v. Casey and took away the right of women to have a safe and legal abortion.

Yesterday, the HHS Office for Civil Rights (OCR) issued new guidance for healthcare providers and patients seeking access to reproductive health care services to ensure patient privacy is protected. The guidance explains that the federal Health Insurance Portability and Accountability Act (HIPAA) requires individuals’ private medical information, which includes information about abortion and other sexual and reproductive health care, to be kept private and confidential. That information is classed as protected health information (PHI) under HIPAA, and healthcare providers are not required to disclose PHI to third parties.

The guidance also explains the extent to which private medical information is protected on personal cell phones and tablets and includes advice for protecting individuals’ privacy when using period trackers and other health information apps. Concern has been raised by women that health apps on smartphones, such as period trackers, threaten privacy as they disclose geolocation data. That information could potentially be abused by individuals seeking to deny them access to medical care.

“How you access health care should not make you a target for discrimination,” explained HHS Secretary Xavier Becerra. “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” Becerra is encouraging anyone who believes their privacy rights have been violated to file a complaint with OCR and explained that protecting access to health care, which includes abortion care and other forms of sexual and reproductive health care, is now an enforcement priority for OCR.

The guidance for healthcare providers explains that the HIPAA Privacy Rule allows HIPAA-covered entities, which includes healthcare providers, to disclose an individual’s PHI without obtaining authorization from that individual for the purposes of healthcare, payment, and healthcare operations, but other disclosures – to law enforcement officials for example – are only permitted in narrow circumstances, tailored to protect the individual’s privacy and support their access to health care, which includes abortion care. HIPAA-covered entities and their business associates are reminded that they can use and disclose PHI without an individual’s signed authorization, but only for reasons expressly permitted or required by the Privacy Rule. The guidance also explains the restrictions on disclosures of PHI under the HIPAA Privacy Rule when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

Separate guidance has been issued for individuals about protecting the privacy and security of their health information when using their personal cell phones or tablets. It is important for individuals to understand that most health apps, including period trackers, are not covered by the HIPAA Privacy or Security Rules. That means any personal healthcare data entered, collected, or transmitted by those apps, or stored on smartphones or tablets, is not protected by HIPAA and HIPAA places no restrictions on disclosures of that information.

The guidance explains best practices to adopt when using these health apps that will decrease the personal information collected by the apps and limit the potential for disclosures of personal information – including geolocation data – without the individual’s knowledge. The guidance explains how to turn off the location services on Apple and Android devices, and offers advice on selecting apps, browsers, and search engines that prioritize privacy and security.

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends

Start preparing now and get your telehealth services HIPAA compliant as when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19.

OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the providers of remote communication tools. The notice of enforcement discretion stated that it lasted for the duration of the PHE. When the Secretary of the HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever comes sooner, the period of enforcement discretion will end. That means that the continued use of remote communication technologies could potentially violate the HIPAA Rules and could lead to financial penalties and other remedies to resolve the HIPAA violations.

In the new guidance on HIPAA and audio-only telehealth, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but HIPAA-regulated entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as is possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.

The HIPAA Security Rule May Apply to Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”

When these technologies are used, the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR suggests that due to the speed at which communication technologies evolve, a robust inventory and asset management process is recommended to identify such technologies and the information systems that use them, as this will help to ensure an accurate and thorough risk analysis.

Business Associate Agreements May be Required

Any vendor that is provided with access to ePHI, or comes into contact with ePHI, is required to enter into a business associate agreement (BAA) with a HIPAA-covered entity. BAAs may be required with vendors providing platforms to support telehealth. A BAA is only required when a telecommunication service provider (TSP) is acting as a business associate. The HIPAA conduit exception applies if the TSP has only transient access to the PHI it transmits. “If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created. Therefore, a BAA is not needed,” explained OCR in the guidance.

A BAA is required when a TSP is more than a conduit and is not just providing data transmission services, and is either creating, receiving, or maintaining ePHI. In such cases, a BAA is required before the service is used. That applies to remote communication technologies, mobile apps, and Internet and cloud services.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance [Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth] explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

The post OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends appeared first on HIPAA Journal.

Healthcare Groups Provide Feedback on HITECH Recognized Security Practices

Earlier this year, the HHS’ Office for Civil Rights issued a request for information (RFI) on how the financial penalties for HIPAA violations should be distributed to individuals who have been harmed by those HIPAA violations, and the “recognized security practices” under the amended Health Information Technology for Economic and Clinical Health (HITECH) Act. The comment period has now closed, and OCR is considering the feedback received.

Background

It has long been OCR’s intention to distribute a proportion of the funds raised through its HIPAA enforcement actions to victims of those HIPAA violations; however, to date, OCR has not developed a methodology for doing so and requested feedback on a method for distributing the funds to ensure they are directed to victims effectively.

In January 2021, the HITECH Act was amended by Congress to encourage healthcare organizations to adopt recognized security practices. The amendment called for the Secretary of the Department of Health and Human Services to consider whether recognized security practices had been adopted by a HIPAA-regulated entity for no less than 12 months previously, when making certain determinations. Recognized security practices are those outlined by the National Institute of Standards and Technology (NIST), HIPAA Security Rule, and privacy and security frameworks.

Essentially, if recognized security practices have been adopted and have been continuously in place for at least 12 months, financial penalties could be reduced or avoided altogether, and the length and extent of audits and compliance investigations would be reduced.

Feedback from Healthcare Industry Groups

Several healthcare industry groups responded to the RFI and provided feedback, including the Healthcare Information and Management Systems Society (HIMSS), the Medical Group Management Association (MGMA), and the Connected Health Initiative (CHI).

HIMSS

HIMSS has welcomed the amendments to the HITECH Act and in its letter to the HHS stressed the importance of a unified approach to healthy cybersecurity and information privacy practices, as emphasized in the HITECH Security Practices.

HIMSS recommended “OCR implement policies that only afford enforcement discretion to situations involving use of security best practices as that discretion applies to safeguarding electronic protected health information (PHI) and not to other areas that are within the scope of HIPAA.”

HIMSS recommends that OCR foster innovation in standards by recognizing the value of adherence to widely accepted cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework and the HITRUST Common Security Framework, rather than trying to define a fixed set of cybersecurity practices, which has the potential to become outdated in a rapidly changing threat landscape. OCR should also align its work with other federal agencies to improve best practices for healthcare.

HIMSS expressed concern that “a strict interpretation of security practices in place continuously over a 12-month period could have the unintended consequence of discouraging the adoption of new methods during that time frame.” HIMSS stressed the importance of encouraging organizations to update security practices regularly as new technologies or methodologies emerge and giving them the flexibility to update processes throughout the year to meet ever-changing cybersecurity best practices without fear that they may run afoul of the requirement for consistent and continuous use. “HIMSS recommends OCR distinguish between confirming that a control is in place and narrowly defining how the control is implemented.”

With respect to the financial penalties, HIMSS suggested OCR should earmark some of the fine amounts for helping to fund and distribute educational materials and other resources to HIPAA-regulated entities to ensure that all organizations have the knowledge and resources to prevent or mitigate cyberattacks.

MGMA

MGMA explained in a letter to HHS Secretary Xavier Becerra that it represents a wide range of medical groups and hundreds of thousands of physicians, and has been working diligently to improve education on cybersecurity best practices. MGMA said its members are becoming more vigilant and are voluntarily taking steps to protect themselves and their patients and welcomes the efforts of the HHS to understand and consider those measures when making certain determinations.

MGMA has made three key recommendations. The HHS should provide HIPAA-regulated entities with the flexibility to choose which recognized security practices to adopt, as there are vast differences in the technical and financial capabilities of medical groups, which range from small private practices in rural areas to large regional and national health systems and span the full spectrum of physician specialties and organizational forms. If specific recognized security systems are required, there could be unintended consequences stemming from the increased cost and administrative burden. Medical groups need to balance security with their ability to stay financially viable and avoid interruptions to patient care. MGMA has recommended that the HHS not mandate what constitutes recognized security practices any further, and that the HHS accept and not limit the broad statutory definition of the term recognized security practices.

MGMA has requested OCR provide best practices and education, including sample frameworks and checklists, that include real-world approaches for medical groups to implement acknowledged cybersecurity policies into their practices, and has also requested the HHS ensure potential requirements are consistent with other programs, such as the Office of National Coordinator for Health Information Technology (ONC) rulemaking to prohibit “information blocking.”

CHI

CHI said it supports OCR’s efforts to encourage the adoption of recognized security practices and for those practices to be considered as a mitigating factor when investigating data breaches, complaints, and reviews for potential HIPAA violations, but suggests that the 2021 HITECH Act revision should only apply to HIPAA compliance enforcement actions and audits.

Since current security standards will evolve over time, CHI recommends that OCR consider new and emerging risk management security standards in its recognized security practices, rather than specifying a set of security practices. CHI has also requested OCR provide up-to-date and clear information on the obligations of healthcare organizations under HIPAA, in light of the many changes that have occurred across the industry since the HITECH Act was passed, including changes to technology.

For instance, the HIPAA Privacy and Security Rules were introduced prior to the release of the first iPhone, and there is a lack of clarity about how HIPAA applies to mobile environments, which can deter healthcare providers from adopting patient-centered technologies and can prevent patients from fully benefiting from mobile technologies. Further guidance is needed to help healthcare providers adopt new technologies that enable care coordination and ensure compliance.

“OCR has created key guidance for mobile developers and those interested in the intersection between information technology and healthcare. OCR’s outreach focus is an educational campaign for that community, and we see vast improvement in the understanding, from connected health companies, of their roles and responsibilities under the HIPAA Privacy Rules,” explained CHI. However, similar educational campaigns are required for providers and patients.

CHI has requested the HHS make no revisions to the HIPAA Privacy Rule that require disclosures for any additional purposes besides to the individual when the individual exercises his/her right of access under the Rule, or to HHS for purposes of enforcement of the HIPAA Rules, as this could place an unnecessary burden on HIPAA-regulated entities and could lessen the protections for the privacy of individuals’ PHI.

CHI has also requested that OCR provide sample business associate agreement language for developers and providers, and that the HHS ensure that HIPAA does not prevent innovations in AI technology.

The post Healthcare Groups Provide Feedback on HITECH Recognized Security Practices appeared first on HIPAA Journal.

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed.

NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. During the past 13 years, cybersecurity has evolved and the threat landscape has changed considerably. NIST’s cybersecurity resources have also evolved during that time and an update to the guidance is now long overdue.

NIST will be updating the guidance to reference its new cybersecurity resources, will amplify awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will update its implementation guidance for HIPAA-covered entities and business associates.

Specifically, NIST has requested comment from stakeholders on their experiences applying and using the resource guide, including the parts of the guidance that have been helpful and those that have not, with the reasons why.

NIST wants to hear from covered entities and business associates that have used the guidance and have found key concepts to be missing, and for stakeholders who found the guidance not to be applicable to their organization to provide information on how it can be made more useful, relatable, and actionable to a wider range of audiences.

Covered entities and business associates have complied with the HIPAA Security Rule in a range of different ways. NIST is seeking information on any tools, resources, and techniques that have been adopted and have proven useful, and wants covered entities that have enjoyed success with their compliance programs to share information on how they manage compliance and security simultaneously, assess risks to ePHI, determine whether the security measures implemented are effective at safeguarding ePHI, and document adequate implementation. NIST also wants to hear from any covered entity or business associate that has implemented recognized security practices that have diverged from compliance with the HIPAA Security Rule.

Stakeholders are invited to submit comments through June 15, 2021 for consideration ahead of the proposed update. Submitted comments will be considered and implemented as far as is practicable.

The post NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.