April 2, 2020 We know times are a little turbulent right now. Way of life in America looks a lot different at the end of March than it did at the beginning of the month. Most of us are now working from home, cleaning and washing our hands more than ever before and worrying about when stores will finally restock on toilet paper. And like many of us, healthcare professionals across the United States have been following the growing number of COVID-19 cases with great concern. It’s a looming reality that some have even been in contact with patients who have tested positive for the Coronavirus. However, when it comes to sharing sensitive medical information, there are many misconceptions that paint HIPAA laws in such a way that make it appear as if it is an obstacle rather than what HIPAA is intended to promote – which is the allowance of protected health information to be shared securely, efficiently and with the right people. What so many don’t understand is that HIPAA rules and regulations identify the right ways and the wrong ways of making sensitive information accessible – especially in times of crisis. Even during a public health emergency, HIPAA still applies – in fact, HIPAA law has included specific ways where PHI can be shared in a health emergency pretty much since its inception. These regulations include an expanded ability to share PHI with those directly working on the public health threat, but still prohibit disclosures that are not secure such as those to the public at large. A great example of this is the recent news headlines featuring the names of well-known public figures testing positive. These individuals chose to share their diagnosis and spread awareness, but if diagnoses are made public without the required patient consent – like what happened to a Detroit Pistons player whose positive test made headlines before he had a chance to tell his own mother – HIPAA laws have been violated. Media leaks are common, but sensitive health information should be handled with extreme care. HIPAA was built to mitigate public risk during a health emergency while still maintaining the privacy that all individuals deserve. Despite what you may have heard, HIPAA doesn’t make it impossible for you to know whether you’ve been in contact with an infected person – it just regulates the type of information that is shared. With misinformation and public anxiety swirling, read up on our simplified guidance on handling HIPAA during a public health emergency to learn more. The OCR has also released several bulletins serving as both updates and reminders on HIPAA regulations to best meet the current needs of patient privacy. To make things a little easier, here’s a quick summary on recent bulletins regarding COVID-19: With the constant news stories and anxiety around COVID-19, we know it can be tough to keep up with HIPAA on top of everything else. Yet as with any health-related event, HIPAA is key to protecting patients’ privacy and preventing other threats to patient data & security. In short, HIPAA is more important now than ever.
COVID-19 Brings Increased Risk of Cyber Attacks
March 19, 2020 The situation around COVID-19 (Novel Coronavirus) has continued to evolve across the globe, including recent changes to HIPAA & Telehealth as well as how to share PHI during this public health emergency. Late last night, the OCR & Cybersecurity and Infrastructure Security Agency (CISA) released another bulletin regarding new concerns around maintaining the security of your data and PHI. Scammers frequently increase their attacks during a public emergency, when they know that there is an increased dependence on digital communications and heightened fear and uncertainty, and the bulletin included several recommendations to protect your practice. The CISA warned individuals of the increased cyber threats related to the Coronavirus. They recommend caution when receiving any emails with a subject line related to COVID-19 as well as anything containing an attachment or hyperlink, as these are often directed to fraudulent websites asking individuals to provide private information. To exercise proper security measures, the CISA offered specific precautions to take: Leveraging public fear during a health emergency isn’t the only tactic that is used by scammers during this Coronavirus outbreak. As most companies have decided to move to remote operations, there has been an even larger window for cyber threat actors to hack into private information as sensitive data is now accessed through unsecured networks. Good “cyber hygiene” to instill in your practice includes: Protecting PHI from cyberattacks also means ensuring you are aware of the HIPAA regulations surrounding public health emergencies. Reminding employees of appropriate access to PHI and implementing controls such as applying additional protections for COVID-19 health records are especially important. As the news continues to focus on the Coronavirus, individuals who have access to public health records may become curious about the health of those around them. It is important to ensure that PHI is only accessed when necessary, especially on less secure wireless networks such as those used when working from home.
Updates to HIPAA & Telehealth During COVID-19
March 18, 2020 Amidst the current national public health emergency for COVID-19 or the Novel Coronavirus, the OCR has released a bulletin regarding the increased use of telehealth services among the medical community. In addition to the bulletin, during a press conference held yesterday, the OCR acknowledged the need for healthcare providers to seek remote communications with their patients and understand that these technologies may not be fully compliant with standard HIPAA regulations. “We are empowering medical providers to serve patients wherever they are during this national public health emergency.” OCR Director Roger Severino emphasized in a statement, “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.” Under this update, any healthcare provider has the ability to use any non-public remote communication technology to provide telehealth services. This enforcement discretion applies to telehealth services needed for any reason, not strictly for the diagnosis or treatment of the COVID-19 related health conditions. During this time, the OCR will not impose violations for any noncompliance against healthcare providers under the good faith provision of telehealth during this national emergency. This provision also allows healthcare providers to defer to their own judgment in requesting to examine a patient showing potential COVID-19 symptoms using technology such as video chat applications. This allows providers to assess a larger number of patients as well as limit the risk associated with being exposed to the virus during an in-person consultation. The telehealth services can be provided on any non-public facing communication applications without facing noncompliance penalties. Some acceptable applications include: Other similar video communication methods such as Facebook Live are considered public-facing and should not be used in the provision of telehealth. Health providers can seek additional privacy protections by providing telehealth services through technology vendors that are HIPAA compliant. They can enter into business associate agreements with these vendors in the provision of their video communication products. Some of the vendors that offer HIPAA-compliant video communication services include: While there will not be any enforcement of HIPAA noncompliance for providers choosing to utilize these methods of communication, it is important to still understand the security risks associated. The OCR recommends that providers notify patients when using these third party applications for these services as they potentially introduce privacy risks and any available encryption and privacy settings should be implemented during use. If as a provider you already have a HIPAA-compliant and secure telehealth application, it is still recommended to use the most secure application available to you. Even during a public health crisis, HIPAA law still applies and includes specific caveats for sharing PHI in such an emergency. Read our blog article on Handling HIPAA During Public Health Emergencies for more information.
Your Practice May Have Experienced a HIPAA Breach – Now What?
March 10, 2020 Whether you have recently experienced a breach or are just preparing for the worst, it’s important to know what you need to assess in the event that your practice is faced with a HIPAA incident. Any time your Protected Health Information (PHI) is exposed, whether maliciously or accidentally, your practice may be facing serious fines for a HIPAA violation. The first step is knowing what exactly is considered a breach of PHI. As defined by the U.S. Department of Health and Human Services, a HIPAA breach is the “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This definition is broad and leaves practices to determine if a breach has occurred. If you believe you may have been breached, the next step is to assess your specific level of risk using the following factors: In any instance where unsecured PHI is involved, properly assessing the level of risk associated with your practice’s potential data breach is an essential first step. Your next steps are reporting the breach and notifying the right individuals as specified by HIPAA. In addition, the number of affected persons, your state’s individual reporting requirements, the types of PHI, and the likelihood the PHI exposed will be used for malicious intent will influence the best way to address the breach. All practices, before a breach ever occurs, should have a Breach Notification Policy in place that will outline the proper reporting steps that must be followed. Like all HIPAA policies, the policy should also include any state-specific breach notification laws that might supersede Federal requirements. It’s important to note that analyzing your HIPAA program shouldn’t only be done after a breach has already occurred. Practices should assess their level of HIPAA compliance regularly and complete the mandatory annual Security Risk Analysis in order to determine areas that could be breached in the future. This not only sheds light on often overlooked risks, such as outdated computer programs or missing policies for regulating access but in the circumstance that your practice does experience a breach you are better equipped to identify and mitigate the issue. In fact, if you experience a breach and have not completed the required Security Risk Analysis beforehand, the likelihood that your practice will be hit with a HIPAA fine goes up dramatically – almost all HIPAA fines levied by the OCR are in part the result of a missing risk analysis. Updating and maintaining your practice-specific Security Risk Analysis and policies on a regular basis may seem daunting, but software solutions (like Abyde!) help streamline and automate this process to simplify your compliance program.
Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine
March 3, 2020 Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for their failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program. The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practices’ patient’s electronic protected health information in exchange for $50,000 to be paid by the practice. While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found themselves in the government’s crosshairs. Within the compliance review, the OCR had found that the practice had failed to do the following: Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patient’s PHI at risk. This breach, and corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent impermissible safeguarding or access to PHI. OCR Director, Roger Severino, included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place.
So You Have PHI to Dispose of – Now What?
February 26, 2020 The days of simply shredding paper records and files to dispose of Protected Health Information (PHI) are behind us as the use of technology continues to become more prevalent within the medical industry. Under the HIPAA Privacy Rule, practices are required to implement the proper administrative, technical, and physical safeguards when it comes to protecting patient privacy. This rule dictates that covered entities are responsible for implementing and maintaining these policies. For many practices, disposing of electronic or regular PHI in the proper way may be daunting. Instead of always shredding a paper file, practices now have to follow recommended methods to dispose of data provided by the U.S. Department of Health and Human Services. These methods include: Without a simple checklist to follow, it is difficult to guarantee that the best measures are being taken to protect this secure data. In fact, covered entities and business associates have been hit with hefty fines for not disposing of PHI properly. RELATED: IS YOUR PRACTICE MEETING HIPAA DATA SECURITY REQUIREMENTS? DOWNLOAD OUR HIPAA CHECKLIST AND FIND OUT! In one well-publicized example, a shredding company left thousands of patient files unlocked and unguarded for anyone to take. The shredding company, as well as the covered entity whose files were left unsecured, were both hit with monetary settlements. Another incident of improper PHI handling left almost 10,000 individuals impacted. In this case, a pharmacy disposed of an electronic device used for customer signatures without properly wiping the device first. This exposed a vast amount of PHI including patient names and signatures along with prescription numbers and medication names. Many of these incidents occur due to the lack of policies set in place by the practices for business associates and other outside parties handling patient data. Another case that led to monetary penalties totaling a whopping $140,000 resulted from a medical billing company disposing of 67,000 patient records in a public dumpster. Unfortunately, improper disposal of PHI is the source of many data breaches and HIPAA violations. Implementing the correct policies for disposal of PHI is paramount, and each employee must be trained on proper PHI disposal to ensure that your practice is taking every step possible to keep protected health information secure.
Tax Audits vs HIPAA Audits | What You Need to Know
February 21, 2020 When you think of the most wonderful time of the year – tax season probably isn’t the first thing that comes to mind. But even though the filing process can be a bit daunting, it’s the lesser of two evils when compared to the IRS audit that could result from not submitting anything at all. So while you file your taxes this time every year in hopes of not having to face the IRS this tax season – what are you doing to prepare for a HIPAA audit? As long as you do everything right, the changes of the government showing up on your doorstep are pretty slim. In fact, considering only about 0.5% of all tax returns filed are actually audited – you have a 6% better chance of becoming a millionaire than you do facing the IRS. But despite the unlikely odds, we’re all still focused on staying off the government’s radar by filing each and every year. This better safe than sorry mentality should also apply to the precautions taken to avoid a HIPAA audit, but for many practices, it doesn’t hold the same weight. Over the past few years, the Office for Civil Rights has investigated more HIPAA complaints and ran more random practice audits than ever before, bringing the total amount of HIPAA fines to over $19 million – just between 2020-2021 alone. So why have we seen such a major increase lately? With technology use in healthcare on the rise and changes in government standards and patient needs, it is easier for Protected Health Information (PHI) to be accessed by those with malicious intent and seemingly harder for practices to provide patients with their own PHI when requested. So just as we all go through the tax filing process – ensuring that you have a complete HIPAA program is pretty similar: So why don’t practices pay more attention to HIPAA, like they do their taxes? It all comes down to the lack of education on what HIPAA compliance really entails. The reality for many practices is that, because of misinformation or lack of education, the proper safeguards are never put in place and data breaches are growing more and more common. The worst part? A HIPAA fine could cost your practice, and has cost many others, millions of dollars in addition to time-consuming administrative burdens. And on top of that, unlike late payment fees or penalties on taxes, once a breach occurs under HIPAA there is no going back – and no way to reduce the government’s levied fines. Our takeaway? You shouldn’t just be preparing for tax season – HIPAA audit season has proven to be a year-round occurrence that deserves just as much of a priority as filing taxes does.
How to Handle HIPAA in Public Health Emergencies
February 6, 2020 Wondering how your practice needs to handle HIPAA privacy when it comes to public health emergencies, like the recent Novel Coronavirus outbreak? Read the OCR’s tips below! As the Novel Coronavirus (2019-nCoV) outbreak continued to make news, the Office for Civil Rights (OCR) sent a recent bulletin out including additional information for how to handle PHI and how the HIPAA Privacy Rule should be applied with regard to public health emergencies such as this one. Even in public health emergencies, covered entities (as well as business associates) are still expected to adhere to HIPAA regulations and safeguard the security and privacy of their PHI consistent with HIPAA law. Here’s a few key takeaways from the OCR bulletin that your organization should remember: As a reminder, all PHI disclosures even in these circumstances should be limited to the minimum information necessary, including continuing to adhere to role-based access for internal employees. If a public health agency such as the CDC requests information, all requested information should be treated as the minimum necessary for the public health purpose.
OCR Settles First Case in HIPAA Right of Access Initiative
September 9, 2019 Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is announcing its first enforcement action and settlement in its Right of Access Initiative. Earlier this year, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules after Bayfront failed to provide a mother timely access to records about her unborn child. Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. OCR initiated its investigation based on a complaint from the mother. As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request and providers can only charge a reasonable cost-based fee. This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bayfront/index.html
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
October 16, 2018 Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016. Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans. On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014. In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.