Latest HIPAA News

Meta Sued over the Scraping of Patient Data from Hospital Websites

A lawsuit has been filed against Meta that alleges the social media giant has been knowingly collecting patient data from hospital websites via the Meta Pixel tracking tool, and in doing so has violated the privacy of millions of patients.

The lawsuit was filed in the U.S. Northern District of California and alleges violations of state and federal laws related to the collection of patient data without consent. Last week, a report was released by The Markup/STAT on a study on the 100 top hospitals in the United States which found that one-third used the Meta Pixel tool on their websites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor actions on websites, such as the forms they click and the options they select from dropdown menus. When the tool is included on healthcare providers’ websites, there is potential for the tool to transmit protected health information to Meta/Facebook, such as IP address, when a patient has scheduled an appointment and any information selected from menus, such as the medical condition that the appointment is about.

The study identified 7 hospital systems that had installed Meta Pixel on their patient portals behind password protection and the tool was transmitting sensitive data such as patient conditions, which could be tied to the patients through their IP addresses. The study found no evidence that Meta had entered into a business associate agreement with the hospitals, nor that consent to share patient data with Meta was obtained from patients by the hospitals and healthcare systems that used Meta Pixel.

The lawsuit was filed on behalf of patient John Doe, who is a user of Facebook and a patient of Medstar Health System in Maryland. The plaintiff said he uses the patient portal for making appointments, communicating with providers, and reviewing lab test results, and did not consent to information being shared with Meta/Facebook. Medstar Health said all patient data is secured and it does not use any Facebook/Meta technologies on its website. According to the lawsuit, at least 664 healthcare systems in the United States have added the Meta Pixel tool to their websites, which sends sensitive data to Meta.

Meta states on its website that “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” However, the lawsuit claims, “Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.” The lawsuit alleges the use of the tool on hospital websites without obtaining consent is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as the data is collected without a business associate agreement. It should be noted that Meta/Facebook is not bound by HIPAA Rules; however, the hospitals that use the tool could be in violation of HIPAA for transferring the data without consent.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act and California’s Invasion of Privacy Act and Unfair Competition Law. The lawsuit seeks class action status, compensatory and punitive damages, and attorneys’ fees.

This is not the first lawsuit to be filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018 – Smith et al v. Facebook – over the collection of browsing data from hospital websites. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs could not sue Facebook as they had agreed to Facebook’s contract terms.

A copy of the lawsuit was obtained by Reclaim the Net and is published here.

The post Meta Sued over the Scraping of Patient Data from Hospital Websites appeared first on HIPAA Journal.

May 2022 Healthcare Data Breach Report

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021.

May 2022 Healthcare Data Breaches

Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Breached healthcare records in the past 12 months (May 2022)

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but Shields said hackers accessed its network and exfiltrated files containing patient data. The breach affected 2 million patients who received medical services at 52 facilities in New England.

Partnership HealthPlan of California also reported a major data breach, in this case, a ransomware attack. Hackers gained access to systems containing the records of 854,913 current and former health plan members. The Hive ransomware gang claimed responsibility for the attack and allegedly stole 400GB of data.

The number of eye care providers affected by a hacking incident at the electronic health record vendor Eye Care Leaders continued to grow throughout May (and June). While they are not all reflected in the May data, as of June 21, at least 23 eye care providers are known to have been affected, and the data breach has affected at least 2,187,383 patients.

Data Breaches of over 10,000 Records Reported in May 2022

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Business Associate Breach Cause of Data Breach
Shields Health Care Group, Inc. MA Business Associate 2,000,000 Hacking/IT Incident Yes Hacking and data theft incident
Partnership HealthPlan of California CA Health Plan 854,913 Hacking/IT Incident No Ransomware attack
SAC Health System CA Healthcare Provider 149,940 Theft No Theft of documents in break-in at storage facility
Aon PLC IL Business Associate 119,636 Hacking/IT Incident Yes Hacking and data theft incident
Parker-Hannifin Corporation Group Health Plans OH Health Plan 119,513 Hacking/IT Incident No Hacking and data theft incident
Heidell, Pittoni, Murphy & Bach, LLP NY Business Associate 114,979 Hacking/IT Incident Yes Ransomware attack
Schneck Medical Center IN Healthcare Provider 92,311 Hacking/IT Incident No Hacking and data theft incident
Alameda Health System CA Healthcare Provider 90,000 Hacking/IT Incident No Unauthorized access to email accounts
Val Verde Regional Medical Center TX Healthcare Provider 86,562 Hacking/IT Incident No Ransomware attack
NuLife Med, LLC NH Healthcare Provider 81,244 Hacking/IT Incident No Hacking and data theft incident
Comstar, LLC MA Business Associate 68,957 Hacking/IT Incident Yes Unspecified hacking incident
Shoreline Eye Group CT Healthcare Provider 57,047 Hacking/IT Incident Yes Eye Care Leaders hacking incident
AU Health GA Healthcare Provider 50,631 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Finkelstein Eye Associates IL Healthcare Provider 48,587 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Oklahoma City Indian Clinic OK Healthcare Provider 38,239 Hacking/IT Incident No Ransomware attack
Moyes Eye Center, PC MO Healthcare Provider 38,000 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Family Health Care, Inc KS Healthcare Provider 33,619 Hacking/IT Incident No Unspecified hacking incident
Allwell Behavioral Health Services OH Healthcare Provider 29,972 Hacking/IT Incident No Hacking and data theft incident
Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care GA Healthcare Provider 28,332 Hacking/IT Incident No Unauthorized access to email accounts
FPS Medical Center AZ Healthcare Provider 28,024 Hacking/IT Incident No Ransomware attack
Capsule NY Healthcare Provider 27,486 Hacking/IT Incident No Unauthorized access to user accounts
McKenzie Health System MI Healthcare Provider 25,318 Hacking/IT Incident No Hacking and data theft incident
Sylvester Eye Care OK Healthcare Provider 19,377 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Aesto, LLC d/b/a Aesto Health AL Business Associate 17,400 Hacking/IT Incident Yes Hacking and data theft incident
Vail Health Services CO Healthcare Provider 17,039 Hacking/IT Incident No Ransomware attack
Motion Picture Industry Health Plan CA Health Plan 16,838 Unauthorized Access/Disclosure No Mismailing incident
Bryan County Ambulance Authority OK Healthcare Provider 14,273 Hacking/IT Incident No Ransomware attack
Associated Ophthalmologists of Kansas City, P.C. MO Healthcare Provider 13,461 Hacking/IT Incident No Eye Care Leaders hacking incident
Allaire Healthcare Group NJ Healthcare Provider 13,148 Hacking/IT Incident No Unauthorized access to user accounts
EmblemHealth Plan, Inc. NY Health Plan 11,399 Unauthorized Access/Disclosure No Unconfirmed
Behavioral Health Partners of Metrowest, LLC MA Business Associate 11,288 Hacking/IT Incident Yes Hacking and data theft incident

Causes of May 2022 Healthcare Data Breaches

Hacking incidents continue to be reported in high numbers in May, with 53 (75.7%) of the month’s data breaches classed as hacking or other IT incidents. That represents a 77% increase in incidents compared to April. Those incidents accounted for 95.5% of the records breached in May (4,212,721 records), which is more than twice the number of records exposed in hacking incidents in April. The average breach size was 79,485 records and the median breach size was 13,148 records.

There were 13 unauthorized access/disclosure incidents reported in May – a slight increase from April. Across those incidents, 43,807 records were impermissibly disclosed. The average breach size was 3,370 records and the median breach size was 1,196 records.

There were three theft incidents reported and one incident involving the loss of paper/films. These breaches involved a total of 154,010 records, with an average breach size of 35,503 records and a median breach size of 1,771 records.

Causes of May 2022 Healthcare Data Breaches

With so many hacking incidents, it is unsurprising that 31 of the month’s data breaches involved protected health information stored on network servers. The high number of breaches of electronic health records was due to the cyberattack on Eye Care Leaders. As the chart below shows, email account breaches were reported in high numbers in May, 70% more incidents than in April. While security awareness training for the workforce and multi-factor authentication will not prevent all email data breaches, they can significantly improve protection.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the hardest hit HIPAA-covered entity type in May, with 49 reported breaches. There were 11 data breaches reported by health plans, and business associates of HIPAA-covered entities reported 10 breaches; however, 8 data breaches occurred at business associates but were reported by the covered entity. The data breaches detailed in the chart below reflect where the data breach occurred.

May 2022 Healthcare data breaches by HIPAA regulated entity

Healthcare providers suffered the highest number of data breaches, but business associates topped the list in terms of the number of exposed healthcare records.

HIPAA-Regulated Entity

Number of Reported Data Breaches Total Records Exposed

Business Associate

18

2,554,789

Health Plan

10

1,014,150

Healthcare Provider 42

841,599

May 2022 Healthcare Data Breaches by State

Data breaches of 500 or more healthcare records were reported by HIPAA-regulated entities in 29 states. California was the worst affected state with 8 large healthcare data breaches reported, followed by New York with 6 reported breaches.

State No. Reported Data Breaches
California 8
New York 6
Georgia, Missouri & Ohio 4
Alabama, Illinois, Massachusetts, North Carolina, Oklahoma & Texas 3
Arizona, Connecticut, Florida, Maryland, Michigan, New Hampshire, Virginia & Washington 2
Colorado, Indiana, Kansas, Minnesota, Mississippi, Montana, New Jersey, Nevada, Tennessee & Wisconsin 1

HIPAA Enforcement Activity in May 2022

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights or state Attorneys General in May. So far this year, 4 financial penalties totaling $170,000 have been imposed by OCR to resolve HIPAA violations.

The post May 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture

The HHS’ Health Sector Cybersecurity Coordination Sector (HC3) has published guidance for healthcare organizations to help them improve their cyber posture. Cyber posture is the term given for the overall strength of an organization’s cybersecurity, protocols for predicting and preventing cyber threats, and the ability to continue to operate while responding to cyber threats.

To comply with the HIPAA Security Rule, organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, and reduce risks to a low and acceptable level.

Technical safeguards will help to keep ePHI private and confidential and will ensure ePHI can be recovered in the event of a destructive cyberattack. A robust cybersecurity program can help to limit the damage caused in the event of an attack, can prevent the theft of sensitive information such as ePHI and intellectual property, limit the potential for misuse of patient data, and will help to improve customer confidence.

HC3 details several steps that can be taken to improve cyber posture such as conducting regular security posture assessments, consistently monitoring networks and software for vulnerabilities, defining which departments own risks and assigning managers to specific risks, regularly analyzing gaps in security controls, defining key security metrics, and creating incident response and disaster recovery plans.

HC3 also recommends following the cybersecurity best practices detailed in CISA Insights for protecting against cyber threats. These best practices can help to reduce the likelihood of a damaging cyber intrusion occurring, will help organizations rapidly detect attacks in progress, will make it easier to conduct an efficient breach response, and maximize organizations’ resilience to destructive cyberattacks.

HC3 draws attention to the security risk assessment, which is an aspect of HIPAA Security Rule compliance that has been problematic for many healthcare organizations. The security risk assessment is concerned with identifying threat sources, threat events, and vulnerabilities, determining the likelihood of exploitation and the probable impact, and calculating risk as a combination of likelihood and impact.

Healthcare organizations can then use the information provided by risk assessments to prioritize risk management. The Office for Civil Rights has recently released a new version of its Security Risk Assessment Tool, which can help small- and medium-sized healthcare organizations with their security risk assessments.

The post HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture appeared first on HIPAA Journal.

Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities that come into contact with protected health information (PHI) are required to ensure policies, processes, and people are compliant with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Ensuring you have a good security posture is an important part of HIPAA compliance. The HIPAA Security Rule requires HIPAA-regulated entities to have appropriate safeguards in place to ensure the confidentiality, integrity, and availability of ePHI, and to manage risks to protected health information and reduce them to a low and acceptable level.

Ensuring you have a good security posture has never been more important. Cyber threat actors have stepped up their attacks on the healthcare industry and data breaches are occurring at record levels. Further, following the ‘Safe Harbor’ update to the HITECH Act, if you are able to demonstrate you have implemented recognized security practices, you will be protected against fines, sanctions, and extensive audits and investigations by the HHS’ Office for Civil Rights.

To help you on your compliance journey and with your security efforts, Compliancy Group is hosting a webinar that will explain the ins and outs of compliance and cybersecurity, and why both are necessary for patient privacy and your practice’s security.

During the webinar, Compliancy Group will explain how HIPAA compliance can be simplified, you will be walked through the regulation, and will be provided with actionable tips that you can implement within your practice today.

 3 learning objectives of the webinar:

  1. Why compliance and security are BOTH required for HIPAA compliance.
  2. How HIPAA and security help protect your patients.
  3. What you can implement in your practice now to avoid breaches and fines.

Webinar Details:

Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Wednesday, July 20, 2022

11:00 a.m. PT ¦ 2:00 p.m. ET

Host: Compliancy Group

[contact-form-7]

The post Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant appeared first on HIPAA Journal.

Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook

An analysis of hospitals’ websites has revealed one-third of the top 100 hospitals in the United States are sending patient data to Facebook via a tracker called Meta Pixel, without apparently obtaining consent from patients.

Meta Pixel is a snippet of JavaScript code that is used to track visitor activity on a website. According to Meta, “It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze [the] effectiveness of your website’s conversion funnels.”

Meta Pixel can collect a variety of data, including information about the buttons clicked and the pages visited by clicking those buttons, and the data collected is linked to the individual by their IP address, which identifies the device that the visitor is using. That information is then automatically sent to Facebook. On a hospital website, the tracker could collect a user’s IP address and link it to sensitive information, such as if that individual had clicked to make an appointment.

The analysis was conducted by The Markup and the report was co-published by STAT. The Markup found that Meta Pixel tracking was present on a third of hospitals’ appointment scheduling pages. In one example – University Hospitals Cleveland Medical Center – the researchers found that when a visitor clicks on the ‘Schedule Online’ button on a doctor’s page, Meta Pixel sent the text of the button to Meta, along with the doctor’s name and the search term, which for that patient was pregnancy termination. It was a similar story with several other websites, which sent information taken from the selection made from dropdown menus, which provided information about the patient’s condition – Alzheimer’s disease for example.

Even more concerning is that for 7 hospital systems, Meta Pixel was installed inside password-protected patient portals. The researchers found that five of those hospital systems were sending data to Meta about real patients who volunteered to participate in the Pixel Hunt project, which was jointly run by the Markup and Mozilla Rally. Participation in that project involved allowing data to be sent to The Markup about the sites they visited, which revealed the data being sent to Meta included patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

The Markup said there did not appear to be any business associate agreements between the hospitals and Meta that would allow the data sharing under the HIPAA Rules, and express consent from patients authorizing the sharing of data with Meta did not appear to have been obtained, suggesting potential HIPAA violations.

The 7 health systems were Community Health Network, Edward-Elmhurst Health, FastMed, Novant Health, Piedmont, Renown Health, and WakeMed. All but FastMed and Renown Health had removed the Meta Pixel after being informed about the data transfer by The Markup at the time of publication of the report, along with 6 hospitals out of the 33 that were identified as having the Meta Pixel on their appointment booking pages.

The Markup said in its report that the 33 hospitals that had Meta Pixel on their appointment pages have collectively reported more than 26 million patient admissions and outpatient visits in 2020, and this study was only limited to the top 100 hospitals. Many others may also be passing data to Facebook through Meta Pixel.

The Markup said it was unable to determine how Meta/Facebook used the data transferred through Meta Pixel, such as for providing targeted adverts. Meta spokesperson, Dale Hogan, issued a statement in response to the findings of the study. “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems.”

The post Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook appeared first on HIPAA Journal.

ONC and OCR Release Updated Security Risk Assessment Tool

The Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have released a new version of the HHS Security Risk Assessment (SRA) Tool.

The HIPAA Security Rule requires HIPAA-regulated entities to conduct a comprehensive, organization-wide risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All risks identified must then be subject to risk management processes to reduce the identified risks and vulnerabilities to a low and acceptable level.

Risk analyses/assessments are vital for HIPAA compliance. They help HIPAA-covered entities determine if they are compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule and help to identify the most effective and appropriate administrative, physical, and technical safeguards to protect ePHI. Investigations and audits of HIPAA-regulated entities have shown that the risk assessment/analysis is an aspect of compliance that many healthcare organizations fail to get right, and it is one of the most commonly cited HIPAA violations in OCR enforcement actions.

In 2014, ONC and OCR jointly developed and launched the SRA Tool to help small- and medium-sized healthcare practices and business associates with this important aspect of HIPAA Security Rule compliance. The SRA tool is a downloadable tool that can be used to guide HIPAA-regulated entities through the risk assessment process. The SRA Tool is a desktop application that uses a wizard-based approach involving multiple-choice questions, threat and vulnerability assessments, and asset and vendor management, and walks users through the security risk assessment process.

The SRA tool has been updated over the years, with the latest version incorporating new features in response to user feedback and public input. Those features include the incorporation of Health Industry Cybersecurity Practices (HICP) references, file association in Windows, improved reports, bug fixes, and stability improvements.

ONC and OCR have also developed a new SRA Tool Excel Workbook, which is intended to replace the legacy paper version of the SRA Tool. The workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application and is a good alternative for users who do not have Microsoft Windows.

ONC and ORC explain that the use of the tool does not guarantee compliance with HIPAA but can help them achieve compliance. The tool was developed for SMBs, and may not be appropriate for larger healthcare organizations.

The SRA tool, which can be downloaded here, can be installed as an application on 64-bit versions of Microsoft Windows 7/8/10/11. The new SRA Tool Excel Workbook can be used on other systems.

The post ONC and OCR Release Updated Security Risk Assessment Tool appeared first on HIPAA Journal.

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends

Start preparing now and get your telehealth services HIPAA compliant as when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19.

OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the providers of remote communication tools. The notice of enforcement discretion stated that it lasted for the duration of the PHE. When the Secretary of the HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever comes sooner, the period of enforcement discretion will end. That means that the continued use of remote communication technologies could potentially violate the HIPAA Rules and could lead to financial penalties and other remedies to resolve the HIPAA violations.

In the new guidance on HIPAA and audio-only telehealth, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but HIPAA-regulated entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as is possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.

The HIPAA Security Rule May Apply to Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”

When these technologies are used, the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR suggests that due to the speed at which communication technologies evolve, a robust inventory and asset management process is recommended to identify such technologies and the information systems that use them, as this will help to ensure an accurate and thorough risk analysis.

Business Associate Agreements May be Required

Any vendor that is provided with access to ePHI, or comes into contact with ePHI, is required to enter into a business associate agreement (BAA) with a HIPAA-covered entity. BAAs may be required with vendors providing platforms to support telehealth. A BAA is only required when a telecommunication service provider (TSP) is acting as a business associate. The HIPAA conduit exception applies if the TSP has only transient access to the PHI it transmits. “If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created.  Therefore, a BAA is not needed,” explained OCR in the guidance.

A BAA is required when a TSP is more than a conduit and is not just providing data transmission services, and is either creating, receiving, or maintaining ePHI. In such cases, a BAA is required before the service is used. That applies to remote communication technologies, mobile apps, and Internet and cloud services.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance [Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth] explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

The post OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends appeared first on HIPAA Journal.

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends

Start preparing now and get your telehealth services HIPAA compliant as when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19.

OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the providers of remote communication tools. The notice of enforcement discretion stated that it lasted for the duration of the PHE. When the Secretary of the HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever comes sooner, the period of enforcement discretion will end. That means that the continued use of remote communication technologies could potentially violate the HIPAA Rules and could lead to financial penalties and other remedies to resolve the HIPAA violations.

In the new guidance on HIPAA and audio-only telehealth, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but HIPAA-regulated entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as is possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.

The HIPAA Security Rule May Apply to Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”

When these technologies are used, the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR suggests that due to the speed at which communication technologies evolve, a robust inventory and asset management process is recommended to identify such technologies and the information systems that use them, as this will help to ensure an accurate and thorough risk analysis.

Business Associate Agreements May be Required

Any vendor that is provided with access to ePHI, or comes into contact with ePHI, is required to enter into a business associate agreement (BAA) with a HIPAA-covered entity. BAAs may be required with vendors providing platforms to support telehealth. A BAA is only required when a telecommunication service provider (TSP) is acting as a business associate. The HIPAA conduit exception applies if the TSP has only transient access to the PHI it transmits. “If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created.  Therefore, a BAA is not needed,” explained OCR in the guidance.

A BAA is required when a TSP is more than a conduit and is not just providing data transmission services, and is either creating, receiving, or maintaining ePHI. In such cases, a BAA is required before the service is used. That applies to remote communication technologies, mobile apps, and Internet and cloud services.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance [Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth] explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

The post OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends appeared first on HIPAA Journal.

OCR to Produce Video Presentation on HITECH Act Recognized Security Practices

The HHS’ Office for Civil Rights (OCR) is producing a video presentation to help HIPAA-regulated entities implement “Recognized Security Practices.”

The Health Information Technology for Economic and Clinical Health (HITECH) Act was recently amended (Public Law 116-321) to require OCR to consider recognized security practices that have been in place for at least 12 months prior to certain Security Rule enforcement and audit activities. OCR previously issued a Request for Information regarding the HITECH Act recognized security practices, the comment period for which ended last week.

There has been confusion about what constitutes recognized security practices and how it is possible to demonstrate to OCR that recognized security practices have been adopted and have been continuous for the 12 months prior to a data breach or OCR investigation.

In the video presentation, Nicholas Heesters, Senior Advisor for Cybersecurity at OCR will explain the 2021 HITECH Act amendment regarding recognized security practices, provide guidance on demonstrating security practices have been in place, how evidence of those security practices will be requested by OCR, and how to find out more information on the best security practices to implement.

Ahead of the publication of the video, OCR has requested questions from HIPAA-regulated entities to ensure they are addressed in the presentation. The deadline for submitting questions is June 17, 2022. Questions should be sent to: OCRPresents@hhs.gov

OCR will be releasing the presentation this summer and will make an announcement about how the presentation can be viewed at a later date.

The post OCR to Produce Video Presentation on HITECH Act Recognized Security Practices appeared first on HIPAA Journal.