Anna Jaques Hospital Suffers Christmas Day Cyberattack – HIPAA Journal
Anna Jaques Hospital Suffers Christmas Day Cyberattack HIPAA Journal
Anna Jaques Hospital Suffers Christmas Day Cyberattack
Anna Jaques Hospital in Newburyport, MA, experienced a cyberattack on Christmas Day that resulted in an outage of its medical record system. The decision was taken to divert ambulances to other hospitals in the area until systems could be restored. On December 26, 2023, the emergency department started accepting patients. Few details have been released at this stage about the exact nature of the cyberattack and it is too early to tell if the attackers gained access to patient information. Third-party cybersecurity experts have been engaged and are investigating the attack and further information will be released as the investigation progresses.
Volunteer at NYC Health + Hospitals Impermissibly Accessed Patient Data
NYC Health + Hospitals has recently announced there has been an unauthorized disclosure of patients’ protected health information. NYC Health + Hospitals said it discovered on October 23, 2023, that an employee of NYC Health + Hospitals/Kings County allowed a Kings County volunteer to assist with processing laboratory test specimens for Kings County patients; however, the volunteer was not authorized to work in the laboratory and was not permitted to access patients’ protected health information.
While assisting in the laboratory, the volunteer accessed patients’ names, dates of birth, medical record numbers, locations within the hospital, and the laboratory tests ordered. Affected individuals had laboratory tests performed between October 2, 2021, and August 14, 2023. While PHI was impermissibly accessed, there are no indications that any of that information has been misused.
NYC Health + Hospitals said it has taken steps to prevent similar incidents from occurring in the future, including notifying all laboratory personnel that they are not permitted to provide non-employees with access to any NYC Health + Hospitals laboratories. NYC Health + Hospitals has also confirmed that the employee no longer works for NYC Health + Hospitals and has been barred from future employment at NYC Health + Hospitals, and the volunteer is no longer volunteering at NYC Health + Hospitals and has been barred from future volunteer work at NYC Health + Hospitals.
The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.
The post Anna Jaques Hospital Suffers Christmas Day Cyberattack appeared first on HIPAA Journal.
HIPAA Updates and HIPAA Changes in 2026 – The HIPAA Journal
HIPAA Updates and HIPAA Changes in 2026 The HIPAA Journal
HIPAA Administrative Simplification Regulations? 2024 Update – HIPAA Journal
HIPAA Audit Checklist – 2024 Update – HIPAA Journal
HIPAA Audit Checklist - 2024 Update HIPAA Journal
New HIPAA Regulations in 2023-2024 – HIPAA Journal
New HIPAA Regulations in 2023-2024 HIPAA Journal
What is PHI in HIPAA? – HIPAA Journal
What is PHI in HIPAA? HIPAA Journal
What is PHI in HIPAA?
PHI in HIPAA is an acronym for Protected Health Information – health information that is created, collected, maintained, or transmitted by a covered entity that relates to an individual’s past, present, or future physical or mental condition, treatment for the condition, or payment for the treatment, and that is protected by HIPAA from impermissible uses and disclosures.
In addition to individuals’ health information being protected from impermissible uses and disclosures, HIPAA also applies to individually identifiable non-health information stored in the same designated record set as PHI that could identify the subject of the PHI or be used with other information stored in the same designated record set to identify the subject of the PHI.
The application of HIPAA protections to non-health information can create misunderstandings about what information should be protected and when it should be protected (evidenced by multiple sources mistaking the “18 HIPAA identifiers” as PHI). This article aims to resolve potential misunderstandings about what is PHI in HIPAA by answering three simple questions:
- What are Designated Record Sets in HIPAA?
- What are the 18 HIPAA Identifiers?
- When is Identifying Information Not PHI in HIPAA?
What are Designated Record Sets in HIPAA?
Designated record sets are records maintained by or for a covered entity that are used in whole or part to make decisions about an individual. For example, an individual’s medical history maintained by a healthcare provider would be a designated record set, and an individual’s enrollment, payment, and claims history maintained by a health plan would be a designated record set.
A designated record set can consist of a single item of PHI or any collection of records in which one or more items qualify as PHI. For example, a photo of a child displayed on a pediatrician’s baby wall is a designated record set (because it implies a previous treatment relationship), as are details of an individual’s emotional support animal if the details include the condition of the individual.
Because a designated record set can consist of a single item of PHI, an individual can have multiple designated record sets maintained by the same organization. Any information maintained in a designated record set is considered PHI in HIPAA, even if the designated record set consists of only one piece of information relating to an individual’s condition, treatment, or payment.
What are the 18 HIPAA Identifiers?
The reason it is important to understand what designated record sets are is to dispel any misunderstandings about the 18 HIPAA identifiers. One of the reasons for potential misunderstandings about what is PHI in HIPAA is that some sources have interpreted the 18 HIPAA identifiers in §164.514 of the Privacy Rule as being PHI. They are not.
The 18 HIPAA identifiers are eighteen identifying pieces of information that have to be removed from a designated record set before the record set can be considered de-identified under the “safe harbor” method of deidentification. While any of the 18 HIPAA identifiers would assume the same protections as health information when maintained in the same designated record set as health information, they are not protected by HIPAA outside a designated record set.
In addition to not being protected by HIPAA when maintained outside a designated record set, the list of identifiers is almost a quarter of a century out of date. There are now many more pieces of information that could be used to identify an individual – and would need to be removed from a designated record set before any health information left in the set is deidentified – including unique occupations, social media aliases, and details about emotional support animals.
When is Identifying Information not PHI in HIPAA?
As explained above, identifying information is not PHI in HIPAA when it is not maintained in a designated record set that contains health information. To help better explain this, we will use the example of Mrs. Doe – who has undergone medical treatment at a hospital where she also volunteers to support nursing staff during meal delivery times.
Mrs. Doe`s medical history will be in one or more designated record sets – which also include identifying information such as her name and telephone number. While maintained in these designated records sets, Mrs. Doe’s name and telephone number are PHI and have to be protected from impermissible uses and disclosures.
However, Mrs. Doe’s name and telephone number are also included in a separate hospital database maintained by the volunteer administrator. As this database does not contain PHI, it is not a designated record set. The identifying information maintained in the database is not PHI and is not protected by HIPAA – even though the database is maintained by a hospital that maintains one or more other databases/designated records sets in which the same information is protected.
Why it is Important to Understand What is PHI in HIPAA
It is important to understand what is PHI in HIPAA so PHI can be protected against impermissible uses and disclosures in compliance with HIPAA. It can be equally important to understand what is not PHI in HIPAA to prevent obstacles to communication and operational efficiency. To demonstrate this point using the example of Mrs. Doe’s name and telephone number –
If the same level of protection was applied to the identifying information maintained in a volunteer database as the identifying information in a designated record set, it may not be possible for the volunteer administrator to contact Mrs. Doe if the nursing staff required more volunteer assistance on a particular shift. This could be because the volunteer administrator did not have sufficient permissions to access a protected designated record set containing Mrs. Doe’s telephone number.
While this is a very simple example to explain why it is important to understand what is – and what isn’t – PHI in HIPAA, similar scenarios could be applied to many different uses of individually identifiable non-health information that could be secured more than necessary due to a misunderstanding of what is PHI in HIPAA. If you are responsible for compliance in an organization, and you are not sure you understand what PHI is in HIPAA, you should seek compliance advice.
The post What is PHI in HIPAA? appeared first on HIPAA Journal.