New HIPAA Rules
The New HIPAA Rules and the Changes for Reporting Breaches of PHI
Although the new HIPAA rules introduced in the Final Omnibus Rule of 2013 did not make many changes to the existing Security and Privacy Rules, they did have significant implications for covered entities that have failed to take measures to prevent the unauthorized disclosure of Protected Health Information (PHI).
Whereas previously, covered entities could avoid reporting breaches of PHI when there was a low risk of harm to a patient's reputation or finances, the new HIPAA rules stipulate that all breaches of PHI must now be reported to the Office for Civil Rights (OCR) unless a documented procedure is completed that justifies the failure to report the breach.
The documented procedure has to demonstrate that there was a low risk of harm to the patient due to the nature of the PHI that was disclosed or due to the person(s) to whom it was disclosed. If multiple identifying elements have been disclosed, or the person to whom it was disclosed is unknown, HIPAA covered entities must report the breach to the OCR – unless it can be proven that the breach of PHI did not result in an unauthorized disclosure, or the risk of harm to a patient was mitigated by the destruction of the disclosed PHI.
In addition to these revised criteria for reporting breaches of PHI to the OCR, the new HIPAA rules increased the fines for non-compliance with the Security and Privacy Rules – the additional revenue being allocated to tougher enforcement of HIPAA. Shortly following the release of the new HIPAA rules, it was announced that the OCR would be conducting a round of audits – a worrying prospect for any covered entity that has still failed to take measures to prevent the unauthorized disclosure of PHI.
How to Avoid Data Breaches with Secure Messaging
Rather than finding ways to avoid reporting data breaches to the OCR, it is in a covered entity's best interests to avoid data breaches altogether. Studies conducted into the primary reasons for the unauthorized disclosure of PHI report that the theft of laptops, mobile devices and USB flash drives accounts for nearly half of all PHI breaches. Therefore, these risks of harm to a patient's reputation or finances should be the first to be eliminated.
One of the best solutions for achieving this objective is secure messaging – a communications platform that protects the integrity of PHI and prevents the unauthorized disclosure of Protected Health Information by encapsulating PHI within a private network. Secure messaging is an ideal and HIPAA compliant alternative to email and SMS, as safeguards exist to prevent PHI being saved to a user's device or a USB flash drive.
Secure messaging also restricts access to PHI to authorized users, who can then communicate encrypted PHI with other authorized users via secure messaging apps. The secure messaging apps work across all operating systems and devices so that authorized users retain the same speed and convenience of modern technology as they currently enjoy using personal mobile devices to support their workloads.
All activity on the secure messaging network is monitored to ensure compliance with the new HIPAA rules and the secure messaging policies that have been implemented to support them. In the event that a laptop or smartphone – to which a message containing PHI has been sent – is stolen, administrators have the ability to remotely delete all Protected Health Information and PIN-lock the app to prevent the unauthorized disclosure of PHI.
The Comprehensive Benefits of Secure Messaging
The mechanisms included in secure messaging solutions to ensure 100% message accountability have resulted in a significant acceleration of the communications cycle in healthcare organizations. Phone tag has been practically eliminated in many healthcare organizations that have implemented a secure messaging solution to comply with the new HIPAA rules – resulting in increased productivity among healthcare providers.
The group messaging facility on the secure messaging apps has been proven to foster collaboration between healthcare providers, and also to accelerate patient admissions and hospital discharges – saving many medical facilities more than $500,000 per year. Studies into the cost of operating a secure messaging solution have also found secure messaging up to 40% less expensive than alternative, unsecure channels of communication.
As well as reducing costs, increasing staff efficiency and helping healthcare organizations to comply with the new HIPAA rules, secure messaging solutions have also been beneficial to patients. According to a 2015 study by the Tepper School of Business at Carnegie Mellon University, patient safety issues are reduced by 27% and medication errors reduced by 30% when a secure messaging solution is integrated with a healthcare organization's EMRs.
The post New HIPAA Rules appeared first on HIPAA Journal.
Is Apple Pay HIPAA Compliant?
Apple Pay is not HIPAA compliant – but, due to the way the payment service works, Apple Pay does not need to be HIPAA compliant before the service can be used by healthcare providers to collect payments from patients, or by health plans to collect payments from plan members. In addition, the payment service is exempted from HIPAA under §1179 of the HIPAA Act.
What is Apple Pay?
Apple Pay is a mobile payment service available on iPhones, iPads, Apple Watches, and other Mac devices that facilitates online, app, and contactless payments. The service works by allowing users to enter the details of their payment cards into an Apple Wallet app. The app then sends the user’s Apple account and device information to the card issuer and creates a unique Device Account Number for each card.
When a user wants to use Apple Pay to pay for goods or services, they either click on an Apple Pay button for online and in-app purchases, or hold their device over a Near Field Communication (NFC) reader for in-store purchases. Apple Pay sends the payment request and the Device Account Number to the card issuer, where the payment is processed. Apple does none of the processing; it only facilitates the payment.
Because of the way the payment service works, the organization in receipt of the payment never has access to the user's debit or credit card number – or, in the context of whether Apple Pay is HIPAA compliant, any information that could be used to identify the user. Even Apple does not know what a user buys, where they bought it from, or how much they paid for it. Due to this high level of privacy, any information sent through the service would not qualify as Protected Health Information (PHI).
HIPAA Exempts Payment Services Anyway
Even without this high level of privacy, it would not be necessary to make Apple Pay HIPAA compliant and sign a Business Associate Agreement with Apple, as §1179 of the HIPAA Act exempts “entities engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.” The exemption was confirmed by HHS’ Office for Civil Rights in the preamble to the HIPAA Final Omnibus Rule in 2013.
However, this exemption only applies to the payment facilitation element of Apple Pay. If a covered entity or business associate uses Apple Pay for B2B transactions, there is no exemption for PHI stored in an Apple Wallet app to support transactions or reconcile payments. As Apple will not sign a Business Associate Agreement for the Apple Wallet app, it is a violation of HIPAA to store any individually identifying health information in the Apple Wallet app.
It may also be important for covered entities and business associates to identify – and conduct risk assessments on – any third party integration with Apple Pay. If Apple Pay is used (for example) to reconcile payments, the reconciliation software must be HIPAA compliant and Business Associate Agreements must be entered into with the software vendors. Members of the workforce may also need security awareness training on using Apple Pay in compliance with HIPAA.
Is Apple Pay HIPAA Compliant? Conclusion
For the reasons discussed above, Apple Pay does not have to be HIPAA compliant in order for covered entities and business associates to use the service to collect payments from patients and plan members. When used for B2B transactions, covered entities and business associates may have to implement HIPAA compliant Apple Pay integrations and conduct risk assessments if the integrations will create, collect, maintain, or transmit PHI. Covered entities and business associates with questions about whether Apple Pay is HIPAA compliant should seek professional compliance advice.
The post Is Apple Pay HIPAA Compliant? appeared first on HIPAA Journal.
Merck Reaches Settlement with Insurers over $1.4 Billion NotPetya Malware Attack
The pharmaceutical giant Merck has finally obtained a settlement with its insurance policy providers over a June 2017 cyberattack that Merck claimed resulted in $1.4 billion in damages. Merck was infected with the infamous NotPetya wiper malware – a malware variant that appeared to be ransomware but was in fact a wiper. The malware has been linked to Russian state-sponsored hackers and was used to attack targets in Ukraine, but attacks occurred globally, resulting in an estimated $10 billion in losses worldwide.
Merck was badly hit by the attack and claimed that 40,000 of its computers were wiped by the NotPetya malware. When it tried to recover those losses under its ‘all-risk’ insurance policies, its insurers refused to pay out, claiming the cyberattack was excluded as the policy did not cover acts of war.
Merck challenged the decision and maintained that the exclusions in its insurers’ policies did not apply to NotPetya and a trial court judge ruled in Merck’s favor. After examining the language of the war exclusion of the policies, the history of how war exclusions have been interpreted in the past, and the nature of the all-risk policy, the trial court concluded that the cyberattack could not be excluded. The trial court’s decision was affirmed in May 2023 by a state appellate court.
The language of the war exclusion did not include any reference to cyberwarfare or cyberattacks, and the insurers failed to demonstrate that the NotPetya cyberattack on Merck was a hostile or warlike action; therefore the war exclusion did not apply and Merck was entitled to recover approximately $700 million of its losses. Ultimately, if the insurers had wanted to exclude certain types of cyberattacks from their coverage, they should have included language to that effect in their policies.
The insurers challenged the decision of the appellate court and sought to have the decision reversed by the New Jersey Supreme Court; however, this month, they decided to drop the appeal and reached a settlement with Merck over the claims. Had the case been resolved through the courts in the insurers’ favor, a legal precedent would have been set that would have had implications for all cyber insurance claims; however, since the legal challenge has been resolved with a confidential settlement, that is not the case. That said, insurers are likely to tighten up the language of their policies to make it clear exactly what types of cyberattacks will and will not be covered.
The post Merck Reaches Settlement with Insurers over $1.4 Billion NotPetya Malware Attack appeared first on HIPAA Journal.