March 19, 2020 The situation around COVID-19 (Novel Coronavirus) has continued to evolve across the globe, including recent changes to HIPAA & Telehealth as well as how to share PHI during this public health emergency. Late last night, the OCR & Cybersecurity and Infrastructure Security Agency (CISA) released another bulletin regarding new concerns around maintaining the security of your data and PHI. Scammers frequently increase their attacks during a public emergency, when they know that there is an increased dependence on digital communications and heightened fear and uncertainty, and the bulletin included several recommendations to protect your practice. The CISA warned individuals of the increased cyber threats related to the Coronavirus. They recommend caution when receiving any emails with a subject line related to COVID-19 as well as anything containing an attachment or hyperlink, as these are often directed to fraudulent websites asking individuals to provide private information. To exercise proper security measures, the CISA offered specific precautions to take: Leveraging public fear during a health emergency isn’t the only tactic that is used by scammers during this Coronavirus outbreak. As most companies have decided to move to remote operations, there has been an even larger window for cyber threat actors to hack into private information as sensitive data is now accessed through unsecured networks. Good “cyber hygiene” to instill in your practice includes: Protecting PHI from cyberattacks also means ensuring you are aware of the HIPAA regulations surrounding public health emergencies. Reminding employees of appropriate access to PHI and implementing controls such as applying additional protections for COVID-19 health records are especially important. As the news continues to focus on the Coronavirus, individuals who have access to public health records may become curious about the health of those around them. It is important to ensure that PHI is only accessed when necessary, especially on less secure wireless networks such as those used when working from home.
Updates to HIPAA & Telehealth During COVID-19
March 18, 2020 Amidst the current national public health emergency for COVID-19 or the Novel Coronavirus, the OCR has released a bulletin regarding the increased use of telehealth services among the medical community. In addition to the bulletin, during a press conference held yesterday, the OCR acknowledged the need for healthcare providers to seek remote communications with their patients and understand that these technologies may not be fully compliant with standard HIPAA regulations. “We are empowering medical providers to serve patients wherever they are during this national public health emergency.” OCR Director Roger Severino emphasized in a statement, “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.” Under this update, any healthcare provider has the ability to use any non-public remote communication technology to provide telehealth services. This enforcement discretion applies to telehealth services needed for any reason, not strictly for the diagnosis or treatment of the COVID-19 related health conditions. During this time, the OCR will not impose violations for any noncompliance against healthcare providers under the good faith provision of telehealth during this national emergency. This provision also allows healthcare providers to defer to their own judgment in requesting to examine a patient showing potential COVID-19 symptoms using technology such as video chat applications. This allows providers to assess a larger number of patients as well as limit the risk associated with being exposed to the virus during an in-person consultation. The telehealth services can be provided on any non-public facing communication applications without facing noncompliance penalties. Some acceptable applications include: Other similar video communication methods such as Facebook Live are considered public-facing and should not be used in the provision of telehealth. Health providers can seek additional privacy protections by providing telehealth services through technology vendors that are HIPAA compliant. They can enter into business associate agreements with these vendors in the provision of their video communication products. Some of the vendors that offer HIPAA-compliant video communication services include: While there will not be any enforcement of HIPAA noncompliance for providers choosing to utilize these methods of communication, it is important to still understand the security risks associated. The OCR recommends that providers notify patients when using these third party applications for these services as they potentially introduce privacy risks and any available encryption and privacy settings should be implemented during use. If as a provider you already have a HIPAA-compliant and secure telehealth application, it is still recommended to use the most secure application available to you. Even during a public health crisis, HIPAA law still applies and includes specific caveats for sharing PHI in such an emergency. Read our blog article on Handling HIPAA During Public Health Emergencies for more information.
Your Practice May Have Experienced a HIPAA Breach – Now What?
March 10, 2020 Whether you have recently experienced a breach or are just preparing for the worst, it’s important to know what you need to assess in the event that your practice is faced with a HIPAA incident. Any time your Protected Health Information (PHI) is exposed, whether maliciously or accidentally, your practice may be facing serious fines for a HIPAA violation. The first step is knowing what exactly is considered a breach of PHI. As defined by the U.S. Department of Health and Human Services, a HIPAA breach is the “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This definition is broad and leaves practices to determine if a breach has occurred. If you believe you may have been breached, the next step is to assess your specific level of risk using the following factors: In any instance where unsecured PHI is involved, properly assessing the level of risk associated with your practice’s potential data breach is an essential first step. Your next steps are reporting the breach and notifying the right individuals as specified by HIPAA. In addition, the number of affected persons, your state’s individual reporting requirements, the types of PHI, and the likelihood the PHI exposed will be used for malicious intent will influence the best way to address the breach. All practices, before a breach ever occurs, should have a Breach Notification Policy in place that will outline the proper reporting steps that must be followed. Like all HIPAA policies, the policy should also include any state-specific breach notification laws that might supersede Federal requirements. It’s important to note that analyzing your HIPAA program shouldn’t only be done after a breach has already occurred. Practices should assess their level of HIPAA compliance regularly and complete the mandatory annual Security Risk Analysis in order to determine areas that could be breached in the future. This not only sheds light on often overlooked risks, such as outdated computer programs or missing policies for regulating access but in the circumstance that your practice does experience a breach you are better equipped to identify and mitigate the issue. In fact, if you experience a breach and have not completed the required Security Risk Analysis beforehand, the likelihood that your practice will be hit with a HIPAA fine goes up dramatically – almost all HIPAA fines levied by the OCR are in part the result of a missing risk analysis. Updating and maintaining your practice-specific Security Risk Analysis and policies on a regular basis may seem daunting, but software solutions (like Abyde!) help streamline and automate this process to simplify your compliance program.
Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine
March 3, 2020 Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for their failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program. The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practices’ patient’s electronic protected health information in exchange for $50,000 to be paid by the practice. While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found themselves in the government’s crosshairs. Within the compliance review, the OCR had found that the practice had failed to do the following: Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patient’s PHI at risk. This breach, and corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent impermissible safeguarding or access to PHI. OCR Director, Roger Severino, included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place.