Latest HIPAA News

Improve Patient Satisfaction With Enhanced Payment Options

Offering modern HIPAA compliant patient payment solutions provides a better customer experience for patients, encourages timely payment and is proven to bring financial savings and improved operational efficiency to any size of healthcare practice.

Adding multiple up-to-date payment options leads to improvements in satisfaction and retention levels. For example, making it convenient for patients to pay from their phones by automatically communicating balances and payment options by text and email, practice staff will spend on average 30% less time on payment collection and posting. Plus the practice will see a significant reduction in its accounts receivable numbers.

Non-Payment Is Bad For Both Patients And Healthcare Providers

Non-payment is known to be one of the main reasons why patients switch healthcare providers. Patients can become anxious when they owe money and frustrated if they find it difficult to make a payment.

Digital patient payment solutions that can be easily integrated with all existing practise management systems make it more convenient for patients to settle their medical bills. They also bring a wide array of benefits to the practice, such as improved cash flow, reduced AR rates, and staff efficiency.

Recent studies show that younger patients are open to switching healthcare provider to one that offers finance and convenient digital payments.

Features Of Patient Payment Solutions

If you don’t have digital payment options available, consider upgrading to add a variety of choices that make it easier for patients to pay their bills. Some examples include:

1. Contactless Payments

HIPAA Compliant Contactless Payments For PatientsContactless patient payment solutions are secure and can protect staff and patients’ health and safety by allowing patients to pay by touching their mobile device or card to a digital reader.

Offering contactless also means that if someone has forgotten their wallet, they can still make a payment with Apple Pay®, Google Pay™, SamsungPay® or a digital wallet.

Because contactless payments do not require patients to enter a PIN, swipe a card, or sign for a transaction, they decrease the time patients need to spend at the front desk, reducing queues and allowing your team to focus more of their valuable time on other tasks.

2. Patient Financing

Healthcare providers can encourage patients to seek medical care by offering patient financing as part of an upgraded payment solution.  The option of manageable monthly payments empowers patients to access the essential treatment they need.

Offer Patient Finance As A Payment OptionMultiple financing options are offered to patients just 30 seconds after applying, and the vast majority get approved.

Healthcare providers who offer patient financing will enhance their practice and are helping their patients who may otherwise pay surprise medical bills with expensive credit card debt.

Patient financing can strengthen cash flow and dramatically reduce accounts receivable numbers with zero risk to the practice, while at the same time increasing patient loyalty.

3. Online Payments

Online Patient Payment Solutions For HealthcarePart of a modern payment solution suite is a secure online payment gateway, allowing patients to pay online 24 x 7. Optimized for mobile devices, it also works with laptops and desktop computers, allowing patients to make payments from home or on the go.

A payment link can be added to your website, to emails, texts, and any other patient communications. This means patients will have a seamless and smooth payment experience.

Being fully integrated with your practice management software payments will be automatically posted to the patient ledger or electronic health records. This reduces errors and helps staff to monitor transactions.

4. Card On File

Card on file is functionality that allows a practice, with consent from the patient, to store their payment information securely and conveniently in a secure HIPAA compliant vault hosted in the cloud. 43% of patients say they are comfortable with automatic payments to avoid repetitive manual data entry of their debit or credit card.

Secure Online Vault For Payment SolutionsWhen patients leave a payment method on file, it means one less step during future checkouts. This can even be done ahead of visits when a patient fills out a digital registration form. The front desk can make the payment for the patient at checkout with no need to dig around for cards and a payment receipt will be automatically sent by email.

A card update feature checks stored card information and if anything has changed, the payment information is automatically updated in the vault. This saves staff time keeping up with payment information.

The healthcare organization is also protected from chargebacks or legal disputes with card on file agreements that are built in to the system and are kept on file with a patient’s record, and which can be emailed or printed for patients’ own records.

5. Subscription Payments

ubscription Payment Options For Healthcare ProvidersCard on file also enables healthcare providers to set up an automatically recurring payment to allow a patient to pay down a large out-of-pocket expense over several months. For many patients, having this interest-free option can make the difference between choosing to avail of medical care or not. This flexible payment option is a highly practical way for healthcare providers to receive more incoming payments and for patients to afford their treatment.

6. Increased Security & Fraud Prevention

With modern patient payment systems, data is never stored on the premises or servers of a healthcare provider.  Instead, the application stores all customer data in a secure, encrypted, electronic vault which is compliant with all relevant standards such as PCI, DSS, and HIPAA. The practice is also protected from the cost of fraud. Risk management experts monitor transactions and maximize security in order to detect attempts at fraud.

Summary Of Benefits To Healthcare Providers

Better Patient Payment SolutionsStreamlining your payment processes with a patient payment solution that seamlessly integrates with your existing practise management systems brings many business benefits while also providing an improved patient experience.

  • Reduced AR – Dramatically reduces accounts receivable numbers.
  • Stronger Cash Flow – Better payment options, including flexible financing means patients are able to pay medical bills immediately.
  • More Focus On Patients – Patient payment solutions bring greater staff efficiency allowing them to spend more time on patient care and less time on administration duties.
  • More Patients – Practices that offer digital payments bring in more new patients and have higher retention levels.
  • Increased Operating Margins – Practices that get paid more quickly and have less bad debts have lower accounting costs and higher margins.

Benefits Of Upgrading Payment Solutions For Patients

Empowering patients to pay bills from anywhere at any time with any internet connected device fosters patient loyalty and trust.

  • Empowerment – Flexible and varied payment options mean patients can confidently access the treatments they need.
  • Convenience – Multiple payment options provides a better, more convenient customer experience for patients.
  • Affordability – Spreading the cost with regular subscription payments or financing allows patients to receive the care they need and budget appropriately.

Find Out More About Patient Payment Solutions

Find out more about patient payment solutions by filling in a form on this page. You will be contacted by a member of staff from Rectangle Health our page sponsor.

Find out more about the Benefits Of Patient EngagementYou can ask questions, request a demonstration, or arrange a no risk evaluation, all with no obligation.

Since 1983 Rectangle Health has been providing financial technology solutions exclusively for healthcare organizations. Their fully HIPAA compliant solutions are used by over 60,000 healthcare providers in the U.S and they process over $6 billion of patient payments annually.


 

The HIPAA Journal has arranged a 25% reader discount on Rectangle’s list price for their patient payment solutions.

By supporting one of our sponsors, you are helping The HIPAA Journal to continue to provide our news service free of charge.

The post Improve Patient Satisfaction With Enhanced Payment Options appeared first on HIPAA Journal.

FREE WEBINAR on THURSDAY: Lessons & Examples from 2023’s Breaches & Fines

Data BreachMarch 21st Webinar: Highly sophisticated cybercriminal groups and state-sponsored hackers continue to target the healthcare industry. It has been the worst ever year for healthcare data breaches. Here are the stats for the year to date:

  • 725 data breaches have been reported to the HHS Office for Civil Rights.
  • The protected health information of more than 133 million individuals has been exposed or stolen.
  • Several multi-million-record data breaches were reported, including 3 that rank in the top 10 biggest data breaches of all time.
  • More healthcare records have been exposed in 2023 than in 2021 and 2022 combined.
  • The Office for Civil Rights imposed 13 financial penalties on HIPAA-regulated entities, including two financial penalties of more than $1 million.
  • State Attorneys General have also been actively enforcing HIPAA compliance, with 16 investigations leading to financial penalties, including a $49.5 million settlement with Blackbaud.

Free Webinar: Lessons & Actionable Tips From 2023 Data Breaches

Lessons can and should be learned from 2023’s data breaches. The free webinar will include these topics:

  • Discussion of some of the major data breaches of the year with explanations of how compliance with HIPAA could have prevented some of these breaches and regulatory fines.
  • A walk through the full extent of the HIPAA regulations with actionable tips that you can implement within your organization to help simplify the compliance process and protect your business from being breached or fined.
  • Attendees will also be provided with predictions about what can be expected in the coming year and beyond.
  • During the webinar, you will have the opportunity to ask questions, or you can email them in advance: webinar@compliancygroup.com

Free Webinar Details

Thursday, March 21, 2024

11:00 a.m. PT ¦ 12:00 p.m. MT ¦ 1:00 pm CT ¦ 2:00 pm ET

Host: Compliancy Group

Speaker: Liam Degnan, Compliancy Group, Director of Strategic Initiatives

The post FREE WEBINAR on THURSDAY: Lessons & Examples from 2023’s Breaches & Fines appeared first on HIPAA Journal.

HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17

Are you aware that investing in HIPAA compliance can actually result in increased revenue? Conversely, putting HIPAA compliance on the back burner can be detrimental to the organization.

The HIPAA compliance specialists, Compliancy Group, will be hosting a webinar to explain how investing in compliance can result in increased revenue.

Attendees will learn how and why investing time and money into HIPAA compliance can result in a positive year and will be provided with real-life examples of HIPAA-regulated entities that have invested time and money into their HIPAA compliance programs and have reaped the benefits.

Free Webinar Details

Thursday, August 17, 2023

11:00 a.m. PT ¦ 12:00 p.m. MT ¦ 1:00 pm CT ¦ 2:00 pm ET

Host: Compliancy Group

Speaker: Liam Degnan, Compliancy Group, Director of Strategic Initiatives

Please Use The Form On This Page To Sign Up

The post HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17 appeared first on HIPAA Journal.

HIPAA Compliance Guidelines

We have compiled these HIPAA Compliance Guidelines because HIPAA rules and regulations can be very confusing for healthcare professionals tasked with ensuring HIPAA compliance at their organization.

HIPAA Compliance Guidelines

Please use the form on this page to arrange to receive a free copy of the HIPAA Guidelines Checklist.

HIPAA Guidelines: Seven Elements For Effective Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2023. Here is a summary of the elements, which we outline in more detail below:

  1. Develop policies and procedures so that day-to-day activities comply with the Privacy Rule.
  2. Designate a Privacy Officer and a Security Officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations, and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

You can also read more about the background and history of the Seven Elements here, although this is not necessary.

Next we go over each element in more detail

Element 1: Why Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered Entities should ensure Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Element 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Element 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

Security Rule training must be even more focused on the consequences of taking shortcuts, circumnavigating safeguards, and failing to alert managers of a data breach for fear of “getting into trouble”. One way of achieving this is to ask members of the workforce to run personal online credentials through the HIBP database to illustrate the importance of unique, complex passwords.

Element 4: The Importance of Two-Way Communication

While policy making and training has to come from the top down, it is important that any channels of communication relating to HIPAA compliance are also bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and what new challenges are facing frontline members of the workforce.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Element 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Element 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of additional training is often sufficient to create and maintain a compliant workforce – especially if whole teams have to attend refresher training due to the non-compliance of an individual!

Element 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.

The post HIPAA Compliance Guidelines appeared first on HIPAA Journal.

State Of HIPAA – 2024 Predictions

It has been 28 years since President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law – and 22 years since the first of the Administrative Simplification Rules became effective – but HIPAA compliance is still proving a challenge for many HIPAA-regulated entities. This article explores the current state of HIPAA and some of the main aspects of the HIPAA Rules that are proving difficult for HIPAA-regulated entities.

Predictions for 2024

  • OCR will increase enforcement actions for violations of the HIPAA Security Rule that have contributed to data breaches and HIPAA Breach Notification Rule violations for failing to issue timely notifications to individuals whose PHI has been compromised in data breaches. 2024 will see record numbers of settlements and civil monetary penalties.
  • The HIPAA Right of Access will continue to be an enforcement priority for OCR – This is low-hanging fruit. The investigations are straightforward and require few OCR resources and the findings of investigations are unlikely to face legal challenges.
  • OCR is planning a HIPAA Security Rule update in Spring 2023 which we predict will include several new mandatory requirements for cybersecurity, including stricter access control requirements such as mandatory multi-factor authentication.
  • A new rule will be introduced regarding disclosures of reproductive health information, which will be prohibited for reasons other than treatment, payment, and healthcare operations and for PHI to be used for identifying, investigating, and prosecuting patients, providers, and others involved in the provision of legal reproductive health care services, in response to the overturning of Roe v. Wade
  • The lawsuit filed by the AHA in response to OCR’s December 2022 guidance on tracking technologies makes strong arguments that OCR has stretched the definition of protected health information to more than the current statute can bear. Should that challenge not prove to be successful, 2024 will see the first enforcement action over the use of tracking technologies on hospital websites. If the lawsuit is successful, further rulemaking will be proposed regarding tracking technologies to ensure patient privacy.
  • The HHS’ Centers for Medicare and Medicaid Services (CMS) will introduce new cybersecurity requirements as a condition for participation in the Medicare and Medicaid programs
  • State Attorneys General will step up enforcement of HIPAA compliance and will impose more financial penalties against healthcare organizations that have failed to meet minimum standards for cybersecurity.

HIPAA Enforcement in 2023

The HHS’ Office for Civil Rights (OCR) has been enforcing HIPAA compliance more aggressively in recent years and 2022 was a record year, with 22 penalties imposed to resolve violations of the HIPAA Rules. 17 of the 22 financial penalties imposed in 2022 resolved violations of the HIPAA Right of Access – the failure to provide individuals with timely access to their medical records. OCR’s HIPAA Right of Access enforcement initiative appears to have worked. In 2023, OCR only imposed 4 penalties for HIPAA Right of Access violations. The other 9 penalties were imposed for HIPAA Security Rule failures – risk analysis, technical and administrative safeguards, reviews of information system activity, and verification of identity – and other HIPAA Privacy Rule failures – disclosures of PHI in response to online reviews, disclosures of PHI to reporters, and a lack of policies and procedures/training to prevent HIPAA violations by employees.

OCR has faced challenges with HIPAA enforcement due to a significant increase in its workload in recent years while its budget has remained flat. OCR investigates all data breaches of 500 or more records, and data breaches have been increasing at an alarming rate. OCR explained in its annual report to Congress that since fiscal year 2017, OCR has received a 100% increase in large breach reports, largely driven by an increase in hacking incidents, especially ransomware attacks. In 2021, 75% of breaches of 500 or more records were due to hacking compared to 41.6% of data breaches in 2017, and the problem is getting worse. In 2023, 79.7% of the year’s 725 data breaches were due to hacking.

Between 2017 and 2021, OCR also saw a 28% increase in complaints about potential HIPAA violations, which also need to be investigated. OCR’s hands are somewhat tied as funding has remained flat for years and OCR is also having to cope with inflationary increases. OCR explained in its 2022 report to Congress that it has been forced to decrease its enforcement staff by 45%, and with its resources under incredible strain, that naturally has an impact on the speed of investigations and the number of cases where financial penalties can be pursued.

OCR can increase funding through its enforcement actions, but despite OCR more than doubling the number of settlements and civil monetary penalties (CMPs) in 2022 compared to 2017-2019 levels, OCR had a 92.6% reduction in total penalties compared to 2018, falling from $28.7 million in 2018 to just $2.13 million in 2022 and $4.18 million in 2023.  The average HIPAA penalty has fallen from $2.6 million in 2018 (median: $500,000) to just $321,269 in 2023 (median: $100,000). The decrease in penalties is due to a reinterpretation of the language of the HITECH Act, which has seen the maximum penalties for HIPAA violations reduced in three of the four penalty tiers. OCR has asked Congress to increase the maximum penalties for HIPAA violations and is constantly pushing to have its budget increased, but there are no indications at present that additional funding will be provided.

The budgetary pressures have forced OCR to look at other ways of increasing funding such as improving efficiency and productivity through restructuring and getting better use of its existing resources. In 2023, OCR restructured and created a new enforcement division, which it is hoped will allow OCR to investigate data breaches faster, clear the current backlog of investigations, and impose more financial penalties. In 2024 we should start to see results from that restructuring. Time will tell how effective that move has been.

OCR Director, Melanie Fontes Rainer, has confirmed that OCR’s HIPAA Right of Access enforcement initiative is continuing and OCR is making compliance with HIPAA with respect to reproductive healthcare information an enforcement priority, as well as HIPAA Security Rule compliance to protect against the increasing numbers of hacking incidents.

State attorneys general also enforce the HIPAA Rules and in 2023, 16 investigations resulted in settlements to resolve allegations of violations of HIPAA and state privacy laws. State attorneys general in California, Colorado, Florida, Indiana, New York, New Jersey, Ohio, Oregon, and Pennsylvania have taken action against HIPAA-regulated entities for security failures that have led to data breaches, and there were three multi-state actions, including a $49.5 million settlement with Blackbaud to resolve violations of HIPAA and state laws that led to its 5.5 million record data breach.

One of the latest actions, taken against Refuah Health Center Inc. by the New York Attorney General involved a $450,000 financial penalty to resolve multiple violations of the HIPAA Security Rule. The settlement also included the requirement for $1.2 million to be invested in improving cybersecurity. This could become common in enforcement actions as a way of helping to ensure that similar breaches do not occur in the future.

The State of HIPAA Compliance

OCR has conducted two rounds of compliance audits to assess the state of HIPAA compliance since the HIPAA Privacy and Security Rules were enacted. The second phase of HIPAA audits was launched in 2016, and while OCR has announced its intention to conduct an ongoing program of compliance audits, they have failed to materialize due to budget constraints and it is unlikely that those plans will be resurrected until OCR’s funding issues have been resolved. The 2016-2017 HIPAA audit program identified many areas of noncompliance. Most covered entities were found to have failed to have achieved compliance in the following areas:

  • HIPAA Security Rule risk analysis and risk management requirements
  • Timely breach notifications and adequate content of breach notifications
  • Prominent posts of Notices of Privacy Practices on websites and insufficient content of those notices
  • Timely responses to individuals’ right of access requests and charges for copies of medical records

It has been 6 years since the second phase of the compliance audits came to an end and many of the compliance issues identified by OCR continue to pose problems for HIPAA-regulated entities, as can be seen in OCR’s enforcement actions, which give an indication of the current state of HIPAA compliance.

Most Common HIPAA Violations in OCR’s Enforcement Actions (2020-2023)

HIPAA Violation Number of Cases
HIPAA right of access 45
Risk analysis 13
Reviews of system activity 5
Risk management 4
Notice of Privacy Practices 4
Audit controls 3
Business associate agreements 3
Appointment of a HIPAA Privacy Officer 2
Impermissible disclosure on social media/Internet 3
Lack of technical safeguards 3
Technical and nontechnical evaluation 3
HIPAA Privacy Rule policies 2

Top HIPAA Security Rule Compliance Challenges in 2023

Complying with all HIPAA provisions and implementation specifications can be a challenge, especially for smaller healthcare providers and business associates who do not have extensive resources available to devote to HIPAA compliance. While there are many aspects of the HIPAA Security Rule that can prove challenging, there are some common areas of vulnerability that are identified time and again in OCR’s investigations.

Risk Analyses

The HIPAA Security Rule mandates that regulated entities must conduct comprehensive and accurate organization-wide risk analyses to identify risks and vulnerabilities to electronic protected health information (ePHI). The risk analysis process needs to be ongoing, and the best practice is to conduct these at least annually or as needed, such as following any material change to policies and procedures or changes in technology. The risk analysis must be comprehensive, which means an organization must identify all ePHI within the organization, external ePHI created received, or maintained by business associates, and all threats to that information must be identified, including human, natural, and environmental threats to ePHI and the systems on which the information is stored. The HHS has developed a Security Risk Assessment Tool to help regulated entities with this vital process.

Risk Management Processes

Once risks and vulnerabilities have been identified they must be subjected to risk management processes and be reduced to a low and acceptable level in a timely manner. Risks must be assessed and remediations prioritized to ensure the risks that are most likely to be exploited are addressed first. Risk management processes also need to be extended to third parties – business associates – which means performing due diligence on vendors throughout the supply chain and implementing processes to identify, assess, and manage vendor risk at each stage of the vendor life cycle – onboarding, ongoing, and offboarding. Reducing risk exposure from vendor relationships is one of the biggest security challenges in healthcare in 2024 and a pressing issue, as hackers are actively targeting the supply chain.

Technical Security Controls

The HIPAA Security Rule does not specify the technical controls that should be implemented to secure systems containing ePHI, as these need to be based on the specific IT architectures of each regulated entity. It is the responsibility of each regulated entity to ensure that appropriate security controls are implemented and that they are effective at reducing risk. Security controls need to be regularly subjected to security assessments to make sure they have been implemented correctly, are operating as intended, and are achieving the desired outcome. HIPAA-regulated entities should conduct vulnerability scans and consider penetration testing to gain a better understanding of vulnerabilities to allow them to be properly managed.

Audit Controls and Information System Activity Reviews

All IT systems that contact ePHI must have audit controls and create logs of system activity and information system activity reviews should be conducted on audit logs, access reports, and security incident tracking reports. Despite information system activity reviews being a requirement of the HIPAA Security Rule, OCR’s investigations have revealed many organizations only conduct reviews on an ad-hoc basis in response to potential security incidents. Regular reviews allow HIPAA-regulated entities to rapidly identify unauthorized access to ePHI by malicious insiders and hackers. All too often, regulated entities discover unauthorized access by insiders and hackers, which has been ongoing for many months or years.

Access Controls

Technical policies and procedures need to be developed, implemented, and maintained for all electronic information systems that contain or allow access to ePHI to only allow access to persons or software programs that have been granted access rights per the organization’s access management policies and procedures. Access controls need to be based on the principle of least privilege, and access must be promptly revoked when individuals leave employment or no longer require access to ePHI. Ineffective access controls can be exploited by malicious actors to move laterally within networks and gain access to huge volumes of ePHI.

Telehealth Services

In response to the pandemic, OCR introduced telehealth flexibilities to make it easier for HIPAA-regulated entities to provide virtual care to clients and exercised enforcement discretion with regard to the technologies that can be used to provide these services. Now that the COVID-19 Public Health Emergency has been declared over, that period of enforcement discretion is due to terminate. OCR’s notice of enforcement discretion for telehealth expired at 11:59 p.m. on May 11, 2023, but HIPAA-regulated entities were given a 90-day transition period that came to an end on August 9, 2023. Now, all telehealth platforms must be fully compliant with the HIPAA Security Rule.

Challenges with HIPAA Privacy Rule Compliance in 2024

There are several aspects of HIPAA Privacy Rule compliance that are likely to prove challenging for HIPAA-regulated entities in 2024 and OCR has confirmed that these HIPAA Privacy Rule issues are still or will be enforcement priorities in 2023 and beyond.

Timely Access to Medical Records

The 2016 HIPAA compliance audits identified widespread noncompliance with the HIPAA Right of Access and increasing numbers of complaints were being received from individuals struggling to obtain copies of their medical records. OCR launched a new compliance initiative in 2019 targeting noncompliance with the HIPAA Right of Access, and the bulk of OCR’s subsequent enforcement actions to date have been for noncompliance with the HIPAA Right of Access. OCR is continuing with this enforcement initiative, and further, the proposed Privacy Rule changes that are expected to be finalized in 2024 will likely see the time frame for providing records decrease from 30 days to 15 days.

Tracking Technologies

In 2022, investigations into the use of tracking technologies on websites revealed the extent to which these third-party code snippets were being used by healthcare organizations. The code snippets collect valuable data on websites and web app user activity, which can be used to improve those services; however, the code can also collect identifiable health information and transmit that information to third parties. Those third parties typically do not sign business associate agreements, and using the code without a BAA in place or first obtaining consent from individuals to share that information is a HIPAA violation. OCR issued guidance on tracking technologies and HIPAA in December 2022 and the OCR Director has issued a statement confirming OCR will be enforcing this aspect of compliance. Many lawsuits have been filed against healthcare providers over privacy violations related to the use of tracking technologies, some of which have resulted in multi-million-dollar settlements. Whether there will be enforcement will hinge on the ruling in a lawsuit filed against the HHS by the AHA, which challenges the legality of its guidance and is attempting to prevent OCR from enforcing the guidance.

Disclosures of Reproductive Health Information

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization removed the federal right to abortion, leaving it to individual states to decide on the legality of abortions in their respective states. As of January 2024, 14 states have implemented total bans on abortions, a further 2 have placed 6-week limits, and another 6 have implemented bans that are not yet being enforced due to legal challenges.

Fears exist that some anti-abortion states may attempt to take legal action against individuals who facilitate terminations in states where abortion is legal as well as prosecuting individuals who travel out of state to have abortions in more permissive states. OCR is concerned the threat of criminal activity may prevent some patients from sharing important health information with their healthcare providers. Consequently, OCR is proposing a new category of PHI for reproductive health information. If finalized, Covered Entities will only be allowed to disclose reproductive health information (other than for TPO purposes) to third parties who attest the disclosure will not be used to prosecute facilitators of terminations in states where abortions are legal. False attestations will be considered wrongful disclosures under §1177 of the Social Security Act.

Staff Training

The Verizon Data Breach Investigations Report highlighted the extent to which data breaches are caused by human error. Out of all data breaches analyzed by Verizon in 2022, 82% involved the human element. Those data breaches include misconfigurations, responses to phishing and social engineering attacks, failures to set strong passwords, and other mistakes. These mistakes often expose ePHI and make it easy for hackers to gain access to healthcare networks. The only way of tackling human error is through education. The HIPAA Privacy Rule requires regulated entities to provide training on HIPAA policies relevant to each individual’s role, while the HIPAA Security Rule requires a security awareness training program. In the case of the latter, increasing the frequency of training can help to create a security culture and eradicate bad security practices.

Looking Forward – Pending Changes to the HIPAA Rules

While updates to the HIPAA Rules are made fairly infrequently, there are pending changes to the HIPAA Privacy Rule, that are due to be finalized in 2024. OCR has also recently announced its intention to improve privacy protections for reproductive health information through new HIPAA rulemaking, and the HHS’ Centers for Medicare and Medicaid Services (CMS) has proposed updates to transaction code sets to enable the electronic transmission of healthcare attachment transactions. States are also introducing new laws to better protect the privacy of state residents and ensure they are notified in the event of privacy breaches. Staying up to date with changes to state laws and ensuring compliance will be an ongoing challenge.

In December 2023, OCR also published its Healthcare Cybersecurity Strategy which outlined its plans for improving the resiliency of the healthcare industry to cyberattacks. OCR said it will be establishing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) and will be incentivizing healthcare organizations to adopt these goals. The priority is raising baseline cybersecurity across the healthcare sector by providing incentives to achieve essential HPH CPGs and encouraging the adoption of enhanced HPH CPGs. While HPH CPGs will be voluntary initially, OCR intends to make the essential HPH CPGs mandatory and enforceable. OCR is seeking additional funding for enforcement but also to help healthcare organizations make the necessary investments in cybersecurity and cover the initial costs.

OCR believes regulatory updates are required in addition to funding and voluntary goals to drive the behavioral changes needed across the sector and has confirmed that a much-needed update to the HIPAA Security Rule will be proposed in Spring 2024, which will include new cybersecurity requirements. Action is also being taken at the state level to improve healthcare cybersecurity. In response to a large increase in cyberattacks on hospitals in New York State, the New York Attorney General is proposing new cybersecurity requirements for New York hospitals and has also budgeted for assistance for hospitals that have limited resources to help them comply with the new regulations.

While the proposed HIPAA updates are intended to improve the privacy and security of personally identifiable information and reduce the administrative burden on HIPAA-regulated entities, they are a cause of concern for many HIPAA-regulated entities that will have to spend considerable time and effort implementing the changes and ensuring their employees are fully trained. The HHS will provide a grace period to allow the changes to be implemented before compliance becomes mandatory, but it is important to start updating policies and procedures as soon as possible to ensure compliance with these new requirements to ensure the deadlines are not missed.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post State Of HIPAA – 2024 Predictions appeared first on HIPAA Journal.

HHS Secretary Will Not Renew COVID-19 PHE: HIPAA Enforcement Discretion to End on May 11, 2023

The Secretary of the Department of Health and Human Services (HHS) has announced that he does not plan to renew the COVID-19 Public Health Emergency, which is due to expire on May 11, 2023. The HHS’ Office for Civil Rights (OCR) has confirmed that the Notifications of Enforcement Discretion that were issued in response to the COVID-19 Public Health Emergency will expire one month from today, at 11:59 pm on May 11, 2023.

Four Notifications of Enforcement Discretion were announced by OCR in response to the COVID-19 Public Health Emergency in 2020 and 2021 to support the healthcare sector during the COVID-19 pandemic. Under the Notices of Enforcement Discretion, OCR would refrain from imposing financial penalties for violations of certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The flexibilities introduced by OCR concerned Community-based COVID-19 testing sites, uses and disclosures of protected health information by business associates for public health oversight activities, the use of online or web-based scheduling applications for scheduling individual appointments for COVID-19 vaccinations, and the use of telehealth remote communications that would not, under normal circumstances, be HIPAA-compliant.

OCR had previously stated that it would provide healthcare organizations with sufficient time to come into compliance with the HIPAA Rules regarding telehealth, so while the notice of enforcement discretion ends on May 11, 2023, HIPAA-covered entities will be provided with a three-month – 90-day – transition period, during which time financial penalties will not be imposed for non-compliance with the HIPAA Rules in connection with the good faith provision of telehealth services. The transition period starts on May 12, 2023, and expires at 11:59 pm on August 9, 2023.

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Since the telehealth Notice of Enforcement Discretion took effect, healthcare providers have been able to use any non-public-facing remote communication product for audio and video communication to provide telehealth services, even if those platforms are not HIPAA compliant.  For instance, if a communication platform was used and the provider of that communication platform was unwilling to enter into a business associate agreement with the healthcare provider, the platform could be used without risking a financial penalty.

Now that the Notice of Enforcement Discretion is due to expire, healthcare providers must now enter into a HIPAA-compliant business associate agreement with the provider of the communication platform to be able to continue to use it after August 9, 2023. Healthcare providers should make arrangements to obtain a business associate agreement or transition to a HIPAA-compliant communications platform as soon as possible to prevent any disruption to telehealth services and to avoid financial penalties for non-compliance.

You can view the OCR announcement on this link (PDF).

The post HHS Secretary Will Not Renew COVID-19 PHE: HIPAA Enforcement Discretion to End on May 11, 2023 appeared first on HIPAA Journal.

What Gets Overlooked For HIPAA Compliant Email Retention?

In this post, we cover the 5 Requirements for HIPAA Compliant Email Retention.

In a recent survey, we discovered that HIPAA compliant email retention is often overlooked and incorrectly implemented when organizations consider their overall HIPAA data retention requirements.

Email Retention Of PHI

Because Covered Entities email out Protected Health Information (PHI), all emails containing that information, either in the body text or as an attachment, must comply with the following HIPAA regulations:

  • Emails must be securely backed up and retained for a minimum of six years as per the HIPAA Security rule.
  • Specific access and audit controls must be implemented to safeguard the integrity of PHI in emails.
  • A system needs to be in place to prevent improper modification or deletion of emails.

Regular email solutions do not cover these HIPAA requirements. While some solutions such as Office 365 can include email backups, these are not sufficient for full HIPAA email compliance.

As an example of how HIPAA compliant email needs to be implemented we examined a leading HIPAA email retention solution (ArcTitan from TitanHQ) and rated its functionality based on HIPAA compliance requirements. Included below is the review summary and details of exactly how any HIPAA compliant email solution needs to work. You can read the full review here.

Review Summary

  • ArcTitan from TitanHQ is a seamless, easy-to-implement, and cost-effective email retention solution that has been designed for HIPAA compliant email retention requirements.
  • ArcTitan works robustly for any size of Covered Entity or Business Associate, protecting all emails with PHI, and covering all the necessary HIPAA retention requirements.

The 5 Requirements for HIPAA Compliant Email Archiving

Here are the 5 specific ways ArcTitan is HIPAA compliant for email retention, and which must be covered for full HIPAA email compliance.

1. Encrypted Storage

ArcTitan encrypts all emails in its secure data centers, ensuring that PHI is protected from unauthorized access. In addition, ArcTitan provides data loss prevention mechanisms, such as email audit functionality. This guarantees emails have not been altered or deleted and also prevents the destruction of emails by a dishonest or malcontent employee.

2. Retention Policies

ArcTitan enables Covered Entities to implement retention policies for email archiving. In this way, organizations can ensure that emails are retained for the correct period of time as required by HIPAA rules.

What is often overlooked is that most organizations’ email systems are centered around specific email usage on a per-employee basis, and when a person leaves their email address and emails are often deleted. This can invertedly break HIPAA rules unless the departed employee’s emails are backed up and retained for six years as part of the retention policy.

3. Search Capabilities

Emails are automatically placed in a cloud-based secure archive using sophisticated indexing. Unlike a simple data backup, ArcTitan uses the indexing to include a powerful search facility. to enable organizations to quickly and easily search through their email archives. It can be very time consuming to find and recover individual emails with regular backup systems often taking weeks and tying up IT resources.

4. Compliance Reporting & Audit Trails

Organizations can easily demonstrate their compliance with HIPAA rules for email with ArcTitan’s comprehensive reporting and audit trails of all email activity which use ID authentication. This can be very important if an organization is required involved in litigation, needs to confirm proof of delivery, or to comply with an audit request from the Department of Health and Human Services.

5. Access Controls

Access to archived emails on ArcTitan is limited to authorized personnel, known as Data Guardians, thanks to the platform’s strong access controls. Additionally, Data Guardians are responsible for managing legal hold and deletion requests.

You can read the full review here which contains more details of pricing, technical specifications and non HIPAA benefits to organizations.

The post What Gets Overlooked For HIPAA Compliant Email Retention? appeared first on HIPAA Journal.