Latest HIPAA News

Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years

Cases of employees snooping on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out due to the length of time that an employee was accessing medical records without authorization before being caught.

The hospital was tipped off about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In response to the complaint, the hospital conducted a full review which revealed the former patient’s medical records had been accessed by an employee without any legitimate reason for doing so.

Further investigation revealed it was far from a one-off. The employee had been accessing the records of patients without authorization for a period of 14 years. The first instance dated back to 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients.

Tewksbury Hospital, which is run by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed, although many of those individuals are now former patients and the hospital no longer holds valid contact information. In an attempt to contact those individuals, a substitute data breach notice has been placed on the Mass.gov website.

The employee was a clerk at the hospital and was required to have access to medical records in order to complete work duties. Those access rights were abused and as a result, the employee was terminated and no longer has access to the EMR system.

The types of information that were potentially accessed include names, phone numbers, addresses, gender, dates of birth, medical diagnoses, details of medical treatment provided at the hospital and, in some cases, Social Security numbers.

Tewksbury Hospital says steps have now been taken to reduce the probability of similar incidents occurring in the future and to make sure that if records are accessed inappropriately, incidents are detected promptly. Those steps included conducting a review of policies and procedures regarding access to its EMR system and a reassessment of how access logs to medical records are reviewed. Staff will also be provided with additional training on the privacy and security of protected health information.

Tewksbury Hospital says the investigation did not uncover any evidence to suggest protected health information was misused in any way.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, which investigates all data breaches that have impacted more than 500 individuals. If the investigation reveals HIPAA Rules have been violated by the hospital, the penalty is likely to be severe for a breach of this duration.

The post Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years appeared first on HIPAA Journal.

Model HIPAA-Compliant PHI Access Request Form Released by AHIMA

The American Healthcare Informatics Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data.

The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization.

AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing.

AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data. The new model form should help clear up confusion.

It is hoped that the new form will be used as a standard across the industry which will make it easier for patients to exercise their rights under HIPAA, regardless of which healthcare providers they use.

AHIMA interim CEO Pamela Lane said, “Our hope is that it will help connect patients with their health information and make them more empowered healthcare consumers.”

Streamlining the Process of Providing Copies of Health Data to Patients

The ONC recently issued a report in which HIPAA-covered entities were given tips to help streamline the process of providing patients with access to their healthcare data.

The ONC report explained its research has shown that oftentimes patients are confused about the process of accessing their health data. Forms are confusing and patients are often unaware of their rights under HIPAA. For example, many are unaware that under HIPAA Rules they are permitted to have PHI provided in the format of their choosing. Paper copies can be requested or they are entitled to have their health data in electronic form – electronic copies can be sent via email or provided on a portable storage device such as a CD or zip drive.

The new model PHI access request form ties in with the advice given by the ONC and patients can stipulate how they would like their PHI copies to be delivered. The form should also make processing requests straightforward for healthcare providers and help them to streamline the processing of PHI access requests.

The form is suitable for use by all types of healthcare providers, from large multi-hospital health systems to individual physicians, clarifying what patients have the right to access and what healthcare organizations must provide.

Lane said the model PHI access request form is “Written in easy-to-understand language for all patients”, explaining, “this model form and explanation of use provides healthcare providers with a customizable tool that both ensures their compliance and captures patient request information in a clear, simple format.”

The final version of the PHI access request form can be downloaded from AHIMA on this link.

Recommendations for HIPAA Covered Entities Wishing to Use the Model PHI Access Request Form

The model PHI access request is self-explanatory for patients, but AHIMA has given additional recommendations for healthcare providers who wish to start using the new form.

AHIMA suggests the form should be customized to match the capabilities of healthcare providers’ systems and can be updated as required when systems are upgraded. Healthcare providers can also add their address, logos and barcodes to the forms should they so wish.

While the form is HIPAA-compliant in its original form, healthcare providers that customize the form must ensure that any changes comply with HIPAA Rules. Healthcare providers are told they should read 45 CFR 164.524(c)(3) to ensure the form stays compliant.

Internal policies can be developed by HIPAA-covered entities, but AHIMA stresses those policies must be in line with HIPAA guidance and should not serve as a barrier to health data access. HIPAA Rules allow covered entities to charge patients fees for providing copies of their health data. AHIMA recommends providers consult OCR guidance on fees as well as state laws to ensure compliance.


Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant?

The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules.

G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users.

G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.

The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) prior to the service being used with any PHI. Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid users only.

Prior to use of any Google service with PHI, it is essential for a covered entity to review, sign and accept the business associate agreement (BAA) with Google. It should be noted that PHI can only be shared or used via a Google service that is specifically covered by the BAA. The BAA does not cover any third-party apps that are used in conjunction with G Suite. These must be avoided unless a separate BAA is obtained from the provider/developer of that app.

The BAA does not mean a HIPAA covered entity is then clear to use the service with PHI. Google will accept no responsibility for any misconfiguration of G Suite. It is down to the covered entity to make sure the services are configured correctly.

Covered entities should note that Google encrypts all data uploaded to Google Drive, but encryption is only server side. If files are downloaded or synced, additional controls will be required to protect data on devices. HIPAA-compliant syncing is beyond the scope of this article and it is recommended syncing is turned off.

To avoid a HIPAA violation, covered entities should:

  • Obtain a BAA from Google prior to using G Suite with PHI
  • Configure access controls carefully
  • Use 2-factor authentication for access
  • Use strong passwords
  • Turn off file syncing
  • Set link sharing to off
  • Restrict sharing of files outside the domain (Google offers advice if external access is required)
  • Set the visibility of documents to private
  • Disable third-party apps and add-ons
  • Disable offline storage for Google Drive
  • Disable access to apps and add-ons
  • Audit access and account logs and shared file reports regularly
  • Configure ‘manage alerts’ to ensure the administrator is notified of any changes to settings
  • Back up all data uploaded to Google Drive
  • Ensure staff are trained on the use of Google Drive and other G Suite apps
  • Never put PHI in the titles of files

To help HIPAA-covered entities use G Suite and Google Drive correctly, Google has released a Guide for HIPAA Compliance with G Suite to assist with implementation.


U.S. Data Breaches Hit Record High

Hacking is still the biggest cause of data breaches, and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout.

In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches.

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches.

ITRC says it is becoming much more common to withhold this information. In the first 6 months of 2017, 67% of data breach notifications and public notices did not include the number of records exposed, which is a 13% increase year on year and a substantial increase from the 10-year average of 43%. The lack of full information about data breaches makes it harder to produce meaningful statistics and assess the impact of breaches.

81.5% of healthcare industry data breach reports included the number of people impacted – a similar level to 2016. ITRC points out that does not mean healthcare organizations are failing to provide full reports, only that HITECH/HIPAA regulations do not require details of breaches of employee information to be reported.

The OCR breach portal shows healthcare industry data breaches in the year to June 30, 2017 increased by 14% year on year. 169 breaches were reported in the first six months of 2017 compared to 148 in the same period in 2016.

Hacking is Still the Biggest Cause of U.S. Data Breaches

The biggest cause of U.S. data breaches is still hacking according to the report, accounting for 63% of data breaches reported in the first half of the year across all industries – an increase of 5% year on year. Phishing, ransomware, malware and skimming were also included in the totals for hacking. 47.7% of those breaches involved phishing and 18.5% involved ransomware or malware.

The second biggest causes of U.S. data breaches were employee error, negligence and improper disposal, accounting for 9% of the total, followed by accidental exposure on the Internet – 7% of breaches.

The OCR breach portal shows 63 healthcare data breaches were attributed to hacking/IT incidents – 37% of the half yearly total. That represents a rise of 19% from last year.

In close second place is unauthorized access/disclosure – 58 incidents or 35% of the total, a 14% decrease year on year. In third place is loss/theft of devices – 40 incidents or 24% of all healthcare data breaches, a 4% fall year on year. The remaining 4% of healthcare data breaches – 7 incidents – were caused by improper disposal of PHI/ePHI.

Matt Cullina, CEO of CyberScout, said “All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”


Are You Blocking Ex-Employees’ PHI Access Promptly?

A recent study commissioned by OneLogin has revealed many organizations are not doing enough to prevent data breaches by ex-employees.

Access to computer systems and applications is a requirement while employed, but many organizations are failing to block access to systems promptly when employees leave the company, even though ex-employees pose a significant data security risk.

Blocking access to networks and email accounts when an employee is terminated or otherwise leaves the company is one of the most basic security measures, yet all too often the process is delayed.

500 IT employees who had some responsibility for security in their organization were interviewed for the study and approximately half of respondents said they do not immediately terminate ex-employees’ network access rights. 48% said it takes longer than a day to delete ex-employees’ login credentials.

A quarter of respondents said it can take up to a week to block access, while one in five respondents said it can take up to a month to deprovision ex-employees. That gives them plenty of time to gain access to systems and steal information. Almost half of respondents were aware of ex-employees who still had access to company systems, while 44% of respondents lacked confidence that ex-employees had been removed from their networks.

Deprovisioning ex-employees can be a labor-intensive task and IT departments are under considerable time pressure. It is all too easy to postpone the task and concentrate on other more pressing issues. Automatic provisioning technology can reduce the time burden and improve security, but many organizations continue to perform the task manually. Whether automatic or manual, deprovisioning should take place promptly – as soon as the individual is terminated or employment ceases.

How serious is the threat from ex-employees? 20% of respondents said they had experienced at least one data breach by an ex-employee, while approximately half of those individuals said more than 1 in 10 data breaches experienced by their organization was due to an ex-employee.

For healthcare organizations, ex-employees are a significant threat. There have been numerous cases of employees changing companies and taking patient lists with them when they leave. If access is not blocked, there is nothing to stop data being stolen.

Further, if policies are not introduced to cover the deprovisioning of employees or if those policies are not strictly adhered to, organizations are at risk of receiving a HIPAA violation penalty – See Administrative Safeguards § 164.308 (3)(ii)(B).
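One way to measure how promptly access is actually being removed, given that the article says deprovisioning should happen as soon as employment ceases: the Python script below is an added example, not part of the original article or the OneLogin study. It compares a constructed HR termination list with a constructed account export and reports accounts that are still enabled, were disabled late, or were used after the leaving date. The field names, the one-hour target and all sample records are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M"
SLA = timedelta(hours=1)            # assumed target for "promptly"
NOW = datetime(2017, 6, 30, 9, 0)   # constructed audit time

# Constructed HR export: who left and when employment ended.
TERMINATIONS = [
    {"user": "jdoe",    "ended": "2017-06-01T17:00"},
    {"user": "asmith",  "ended": "2017-06-05T12:00"},
    {"user": "bnguyen", "ended": "2017-05-02T09:00"},
    {"user": "clee",    "ended": "2017-06-20T17:00"},
]

# Constructed account export from an identity or EMR system.
ACCOUNTS = [
    {"user": "jdoe", "enabled": False,
     "disabled_at": "2017-06-01T17:20", "last_login": "2017-06-01T15:02"},
    {"user": "asmith", "enabled": False,
     "disabled_at": "2017-06-09T10:00", "last_login": "2017-06-07T22:41"},
    {"user": "bnguyen", "enabled": True,
     "disabled_at": None, "last_login": "2017-06-18T03:15"},
    {"user": "clee", "enabled": True,
     "disabled_at": None, "last_login": "2017-06-19T11:00"},
    {"user": "dpatel", "enabled": True,      # current staff, not in HR list
     "disabled_at": None, "last_login": "2017-06-30T08:00"},
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def lag_band(lag):
    """Bucket the delay using the bands quoted in the survey."""
    if lag <= timedelta(days=1):
        return "within a day"
    if lag <= timedelta(days=7):
        return "up to a week"
    if lag <= timedelta(days=31):
        return "up to a month"
    return "over a month"


def audit(terminations, accounts, now):
    """Return one finding per leaver who has an account in this system."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in terminations:
        acct = by_user.get(t["user"])
        if acct is None:
            continue  # leaver never had an account here
        ended = parse(t["ended"])
        if acct["enabled"]:
            # Exposure is still growing: measure it up to the audit time.
            closed, status = now, "STILL_ACTIVE"
        else:
            closed = parse(acct["disabled_at"])
            status = "OK" if closed - ended <= SLA else "LATE"
        lag = max(closed - ended, timedelta(0))
        last = parse(acct["last_login"]) if acct["last_login"] else None
        findings.append({
            "user": t["user"],
            "status": status,
            "lag": lag,
            "band": lag_band(lag),
            # A login after the leaving date needs an access-log review.
            "login_after_exit": last is not None and last > ended,
        })
    # Worst exposure first so reviewers start with the highest risk.
    return sorted(findings, key=lambda f: f["lag"], reverse=True)


if __name__ == "__main__":
    for f in audit(TERMINATIONS, ACCOUNTS, NOW):
        flag = "  LOGIN AFTER EXIT" if f["login_after_exit"] else ""
        print(f'{f["user"]:8} {f["status"]:12} {f["band"]:14}{flag}')
```

Run against each system that holds PHI rather than only the central directory, since a leaver can be disabled in one and still active in another.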


Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018.

Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought.

One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could assist and take on additional tasks.

The HITECH Act required ONC to appoint a Chief Privacy Officer; however, an alternative is for ONC to request personnel from other HHS agencies. Faced with a $22 million cut in its operating budget, ONC will turn to the HHS’ Office for Civil Rights to assist with privacy functions with the ONC only maintaining ‘limited support’ for the position of Chief Privacy Officer.

The Chief Privacy Officer has been instrumental in improving understanding of HIPAA Rules with respect to privacy since the HITECH Act was passed. Many healthcare organizations have impeded the flow of health information due to a misunderstanding of the HIPAA Privacy Rule. The Chief Privacy Officer has helped to explain that HIPAA Rules do not prevent the exchange of health information – They only ensure information is shared securely and the privacy of patients is preserved. These outreach efforts are likely to be impacted by the loss of the Office of the Chief Privacy Officer.

Rucker explained that discussions are now taking place between ONC and OCR to determine how these and other tasks will be performed, but explained that privacy and security are implicit in all aspects of the work performed by ONC and that will not change.

Cutbacks are inevitable with the trimming of the ONC’s budget but Rucker has explained that the HHS will continue to ensure privacy and security issues are dealt with and efforts to improve understanding of the HIPAA Privacy and Security Rules will also continue.


ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request.

Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case.

Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other healthcare providers, they can find it difficult to find the information they need.

The Office of the National Coordinator for Health Information Technology (ONC) has recently published a report detailing some of the problems faced by healthcare providers when providing medical record access for patients. The report offers useful tips for healthcare organizations to help them provide medical record access for patients quickly and easily.

For the report, Improving the Health Records Request Process for Patients, ONC spoke to 17 consumers to find out about the challenges they faced when attempting to gain access to their medical records. The report includes three examples of patients and caregivers that have experienced difficulties when attempting to exercise their right to access medical data. The personas are fictional, although the challenges faced by those personas were taken from real world examples.

ONC also looked at the medical record release forms used by 50 large healthcare systems across 32 states and spoke to stakeholders and health system professionals about the challenges faced when trying to provide patients with copies of their health records. ONC discovered the process of providing electronic copies of health records is often hampered by inefficient systems and limited resources.

The research has allowed ONC to develop tips to help healthcare providers create a streamlined, transparent, and electronic records request process. Making the suggested changes will allow health systems to improve the process of providing access to health data. Patients will then suffer less frustration and be able to obtain their records faster, allowing them to coordinate their care more effectively and have greater control over their health and wellbeing.


Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information.

HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely.

For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or incineration.

For physical PHI, OCR recommends shredding, burning, pulping, or pulverization to render PHI unreadable and indecipherable and to ensure the data cannot be reconstructed.

If PHI is not disposed of in accordance with HIPAA Rules, covered entities can face heavy financial penalties. Those penalties are decided by OCR, although state attorneys general can also fine covered entities since the introduction of the Health Information Technology for Clinical and Economic Health (HITECH) Act.

While state attorneys general can take action against covered entities for HIPAA violations that impact state residents, few have exercised that right – only Connecticut, Vermont, Massachusetts, New York and Indiana have done so since the passing of the HITECH Act.

Even though few states are taking action against covered entities for HIPAA violations as allowed by the HITECH Act, many states have introduced laws to protect state residents in the event of a data breach.

In Indiana, a new state law has been recently passed that allows action to be taken against organizations that fail to dispose of medical records securely.

Indiana Updates Legislation Covering Abandoned Medical Records

In Indiana, legislation has previously been introduced covering ‘abandoned records’. If medical records are abandoned, such as being dumped or disposed of without first rendering them unreadable, action can be taken against the organization concerned.

Abandoned records are those which have been “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.” The state law previously only covered physical records, although a new Senate Bill (SB 549) has recently been unanimously passed that has expanded the definition to also include ePHI stored in databases. The definition of ‘abandoned records’ has also been expanded to include those that have been “recklessly or negligently treated such that an unauthorized person could obtain access or possession” to those records.

While there are exceptions under SB 549 for organizations that maintain their own data security procedures under HIPAA and other federal legislation, the new law closes a loophole for organizations that are no longer HIPAA covered entities. In recent years, there have been numerous cases of healthcare organizations going out of business and subsequently abandoning patients’ files. SB 549 allows the state attorney general to take action against HIPAA covered entities that have gone out of business if they are discovered to have abandoned PHI or disposed of ePHI incorrectly.

The new legislation came into effect on July 1, 2017. The new law allows the Indiana attorney general to file actions against the organization concerned and recover the cost of securing and disposing of the abandoned records. That should serve as a deterrent and will help to keep state residents’ PHI private.


OCR Draws Attention to Risks from File Sharing Tools and Cloud Computing

File sharing and collaboration tools offer many benefits to HIPAA-covered entities, although the tools can also introduce risks to the privacy and security of electronic health information. Many companies use these tools, including healthcare organizations, yet they can easily lead to the exposure or disclosure of sensitive data.

The Department of Health and Human Services’ Office for Civil Rights has recently issued a reminder to covered entities and business associates of the potential risks associated with file sharing and collaboration tools, explaining the risks these services can introduce and how covered entities can use these services and remain in compliance with HIPAA Rules.

While file sharing tools and cloud computing services may incorporate all the necessary protections to ensure data is secured and cannot be accessed by unauthorized individuals, over the past few years there have been numerous cases where human error has resulted in misconfigurations. Those errors have led to data breaches.

A Metalogix survey conducted by the Ponemon Institute revealed that one in two companies that uses the file sharing tool SharePoint had a confirmed data breach within SharePoint in the last 24 months. That doesn’t mean that SharePoint should not be used, nor that healthcare organizations should avoid other cloud and file sharing tools. If these cloud services and tools are to be used, covered entities and business associates must conduct a thorough risk analysis to identify potential risks to the confidentiality, integrity and availability of ePHI. Risk management policies must then be adopted to ensure those risks are reduced to an acceptable level.

Misconfigurations should be detected during a risk analysis, although OCR also recommends that organizations conduct vulnerability scans. Scans should help covered entities identify potential vulnerabilities such as misconfigurations of software, obsolete software or missed patches. The recent ransomware attacks (WannaCry and NotPetya) have shown that missed patches and/or obsolete software can enable cybercriminals to gain access to networks and install malware.

OCR also points out that covered entities and business associates must enter into a business associate agreement with cloud service providers prior to services/tools being implemented.

OCR draws attention to guidance released last year on cloud computing services. The guidance helps covered entities wishing to utilize cloud computing services to implement the solutions while complying with HIPAA Rules.

The guidance can be downloaded from OCR via this link.
