HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Medical Device Cybersecurity - 4 Steps to Take

As if the headlines today are not scary enough, now we have to be worried – very worried, it seems – about medical device cybersecurity! Reports of hacking and other incidents related to medical device cybersecurity are all over the news lately. Not only is there a financial impact, but confidentiality and HIPAA issues come up immediately. The first 6 months of 2017 have seen an inordinate number of cybersecurity meltdowns. In addition, other HIPAA breaches and data leaks occur much too often.

  • In April 2017, hospitals in Europe were shut down by the WannaCry ransomware.  At least two contrast agent injectors were compromised as part of that attack.
  • In 2015, three hospitals suffered data breaches when devices were infected by malware.  The devices included a blood gas analyzer and a picture archiving and communications system (PACS) system.  In these instances, the malware made its way from the device to other systems in the hospitals, leaving the hospital facing a ransom demand to cleanse its systems.  And this happened even though the hospitals had firewalls, intrusion detection and other security tools in place!
  • In August 2017, the FDA approved a firmware patch to address cybersecurity vulnerabilities in 500,000 pacemakers manufactured by Abbott.  The problems were identified over a year ago!
Why are medical devices vulnerable to cyber attacks?

Most of the time, the medical device cybersecurity flaws are due to external software such as Windows.  Many devices have Windows operating systems as the interface to the persons operating the equipment.  Windows is also used to interface with electronic health record systems.  If the device is connected to the internet, a pathway exists for malware to infect the Windows software on the device.  Malware can then make its way to other connected devices or applications.

But as the pacemaker issue mentioned above shows, there can also be vulnerabilities in the devices themselves.  An investment firm lit a fire when it issued a report a year ago claiming most devices had little to no built-in cybersecurity measures.

What does the government advise about medical device cybersecurity?

Two government agencies are concerned with medical device cybersecurity. The Food and Drug Administration (FDA) has principally been concerned with patient safety. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) administers the HIPAA Privacy and Security Rules.

In its focus on patient safety, the FDA did not focus much on the HIPAA security issues related to medical device cybersecurity.  The FDA expanded its view of medical device cybersecurity considerations with its Postmarket Management of Cybersecurity in Medical Devices guidance issued on December 28, 2016.  This non-binding guidance advises device manufacturers to consider several strategies for reducing medical device cybersecurity risks.

  • Maintaining robust software lifecycle processes that include monitoring third party software components for new vulnerabilities.
  • Understanding, detecting and establishing communication processes with users when vulnerabilities are recognized.
  • Adopting coordinated vulnerability disclosure policies and deploying mitigation measures that address risks.

The 4 things medical device users should do

First, ask vendors how they are implementing the FDA Postmarket Management Guidance.  In this day and age, there is really no excuse for not keeping third party software like Windows up to date.

Second, expand the information you keep in your inventory of medical devices to include several factors, including:

  • The risk of each device, e.g., use of third party software, connection to the internet, etc.
  • The type of data kept on the device, whether it is static or dynamic.
  • The security controls that exist on the device, e.g., encryption, use of passwords, etc.

Third, include medical devices with third party software in the periodic HIPAA Security Rule Risk Assessment you perform.

Fourth, keep a sharp eye out for communications about vulnerabilities of your medical devices – and for patches to firmware that can improve the resistance of devices to hacking.

Medical device cybersecurity is not a particularly glamorous issue, but paying attention to it is vital in this environment.  Hospitals have long had to keep electrical/electronic equipment safe to use around patients.  Cybersecurity is just another part of that culture of safety.


It Was An Active Year for HIPAA Enforcement: Is It the New Norm?

It was an active year for the federal government’s enforcement of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (collectively, HIPAA). So far in 2014, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has entered into settlement arrangements with seven covered entities to resolve alleged violations of HIPAA. While at first glance this may not seem like substantial enforcement activity, it represents the greatest number of HIPAA settlements by OCR in any calendar year to date.

Skagit County, Washington (March 6, 2014)

OCR’s first HIPAA settlement of the year was entered into on March 6, 2014, with a county government. OCR opened an investigation of Skagit County, Washington, upon receiving a December 9, 2011, breach notification that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the county.

OCR’s investigation revealed a broader exposure of the ePHI of 1,581 individuals whose information was accessible on the county’s public web server. Many of the accessible files involved ePHI of a sensitive nature, including information concerning the testing and treatment of infectious diseases. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security and Breach Notification Standards (e.g., failure to notify the affected individuals of the breach, lack of sufficient policies and procedures, failure to train county workforce). The investigation was settled through the execution of a resolution agreement that included a payment of $215,000 and a corrective action plan (CAP). The CAP has a three-year term and requires Skagit County to take the following actions, among others:

  • post a notification of the breach on the home page of the county’s website for 90 days and in major print or broadcast media;
  • update its privacy, security and breach notification policies and procedures subject to OCR’s review;
  • submit hybrid entity documents designating its covered health care components to OCR, and implement hybrid entity and related safeguards;
  • report to OCR any violations of its HIPAA policies and procedures by workforce members, and
  • submit annual compliance reports to OCR.

QCA Health Plan, Inc. (April 14, 2014)

On April 14, 2014, OCR entered into a resolution agreement and CAP with QCA Health Plan, Inc., to settle alleged violations of the HIPAA Privacy and Security Standards. OCR began investigating QCA after receiving a breach notification from the insurer on February 21, 2012, that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car.  In addition to the unauthorized disclosure of ePHI, OCR’s investigation revealed that QCA had not: implemented policies and procedures to prevent, contain and correct security violations; conducted an assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI it held; implemented security measures sufficient to reduce any identified risks and vulnerabilities to a reasonable and appropriate level, or implemented appropriate physical safeguards for workstations that accessed ePHI.

The investigation was settled through the execution of a resolution agreement that included a payment of $250,000 and a CAP. The CAP has a two-year term and requires QCA to take the following actions, among others:

  • provide OCR with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI;
  • retrain its workforce;
  • report to OCR any violations of its HIPAA policies and procedures by workforce members, and
  • submit annual compliance reports to OCR.

Concentra Health Services (April 21, 2014)

On April 21, 2014, OCR entered into a resolution agreement and CAP with Concentra Health Services to settle alleged violations of the HIPAA Privacy and Security Standards. The settlement resulted from an investigation initiated by OCR upon receiving a December 2011 breach report that an unencrypted laptop was stolen from a Concentra physical therapy center.

The total number of affected patients was unclear. OCR alleged that Concentra failed to remediate and manage its lack of encryption, which was identified as a potential source of vulnerability in Concentra’s HIPAA risk assessment. For instance, only 434 out of the covered entity’s 597 laptops were encrypted. OCR also alleged that Concentra had failed to implement policies and procedures to prevent, detect, contain and correct security violations. Prior to this incident, Concentra had been subject to two security breaches involving stolen, unencrypted laptops that each affected more than 500 individuals, as well as 16 additional breaches affecting fewer than 500 individuals. The investigation was settled through the execution of a resolution agreement that included a payment of $1,725,220 and a CAP. The term of the CAP is two years and requires Concentra to take the following actions, among others:

  • conduct and submit for OCR’s approval periodic risk analyses, including assessments of potential risks and vulnerabilities to the confidentiality of Concentra’s ePHI;
  • implement risk management plans and provide OCR with evidence of such implementation and timelines for any expected remediation actions;
  • provide to OCR periodic encryption status updates;
  • provide security awareness training to its workforce members, and
  • submit annual compliance reports to OCR.

Columbia University and New York-Presbyterian Hospital (May 7, 2014)

On May 7, 2014, OCR entered into a resolution agreement and CAP with each of The Trustees of Columbia University in the City of New York (CU) and New York-Presbyterian Hospital (NYP) to settle alleged violations of the HIPAA Privacy and Security Standards. The settlements arose from OCR investigations of CU and NYP following their September 27, 2010, joint notification to OCR of the unauthorized disclosure of ePHI for 6,800 individuals, including patient status, vital signs, medications and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The breach was caused when “a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI.” Deactivation of the server resulted in ePHI being accessible on Internet search engines. The breach was discovered when an individual complained after finding the ePHI of the individual’s deceased partner, a former NYP patient, on the Internet.

OCR stated that its investigation found that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI, and therefore “neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.” OCR also alleged that NYP had failed to implement appropriate policies and procedures for authorizing access to its databases and had failed to comply with its own policies on information access management.

In order to resolve the alleged violations, NYP entered into a resolution agreement with OCR that included a payment of $3.3 million and a three-year CAP. Similarly, CU entered into a resolution agreement with OCR that included a payment of $1.5 million and a three-year CAP. Under the CAPs, NYP and CU each agreed to take the following actions, among others:

  • conduct and submit to OCR a risk analysis;
  • implement a risk management plan;
  • develop processes to evaluate environmental or operational changes to information systems that affect the security of ePHI;
  • revise policies and procedures on information access management and device and media controls;
  • develop/update a mandatory privacy and security awareness training program for workforce members with access to ePHI;
  • investigate and notify OCR of any failures by workforce members to comply with HIPAA policies and procedures, and
  • submit annual compliance reports to OCR.

Parkview Health System, Inc. (June 17, 2014)

On June 17, 2014, Parkview Health System entered into a resolution agreement and CAP with OCR to settle alleged violations of the HIPAA Privacy Standards resulting from a June 4, 2009, incident that involved paper medical records. OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule when returning approximately 5,000–8,000 of the physician’s medical records. Parkview had taken custody of the records while assisting the retiring physician in transitioning her patients to new providers and was considering purchasing some of the records upon the physician’s retirement. OCR alleged that Parkview did not appropriately safeguard the records when returning them to the retiring physician. To settle the allegations, Parkview entered into a resolution agreement with OCR that included a payment of $800,000 and a CAP. The CAP has a one-year term and, in part, requires Parkview to:

  • adopt and implement a policy governing the safeguarding of non-electronic PHI;
  • train its workforce on the policy;
  • notify OCR of any violations of the policy, and
  • submit a report to OCR regarding its compliance with the CAP.

Anchorage Community Mental Health Services (December 17, 2014)

On December 2, 2014, Anchorage Community Mental Health Services, Inc., (ACMHS) and OCR entered into a resolution agreement and CAP to settle alleged violations of the HIPAA Security Standards. OCR initiated an investigation into ACMHS’s compliance with HIPAA after receiving a March 2, 2012, notification from the provider regarding a breach of unsecured ePHI affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. OCR’s investigation found that ACMHS had never performed an accurate and thorough risk assessment, had never implemented HIPAA security policies and procedures and, since 2008, had failed to implement technical security measures to guard against unauthorized access to ePHI transmitted electronically by failing to ensure that appropriate firewalls were in place and regularly updated with available patches. ACMHS agreed to pay $150,000 and to comply with the requirements set forth in the CAP to settle the allegations. The term of the CAP is two years and, in part, obligates ACMHS to:

  • revise, adopt and distribute to its workforce updated HIPAA security policies and procedures that have been approved by OCR;
  • develop and provide updated, OCR-approved, security awareness training to applicable workforce members;
  • conduct annual risk-assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS;
  • document the security measures implemented to reduce identified risks and vulnerabilities to a reasonable and appropriate level;
  • investigate and report to OCR any violations of its HIPAA security policies and procedures by workforce members, and
  • submit annual reports to OCR describing ACMHS’s compliance with the CAP.

All but one of the settlements discussed above arose from unauthorized disclosures of ePHI and serve as reminders to covered entities and business associates to take appropriate steps to implement robust technical, administrative and physical safeguards to protect the ePHI in their possession.

It is also worth noting that the financial payments required under the 2014 resolution agreements do not appear to directly correlate to the number of individuals potentially affected by a breach. This is consistent with settlements in prior years and is likely due to a variety of factors including the egregiousness of the circumstances surrounding a breach, the findings of OCR’s compliance investigation, and the nature of the interactions between the covered entity and OCR.

It is likely that OCR’s increased HIPAA enforcement activity will continue in 2015. The agency has been increasingly vocal about enforcement being a priority, possibly in response to congressional pressure to meet its statutory enforcement mandate and a recent Office of Inspector General investigation criticizing OCR’s enforcement practices. For example, OCR representatives recently backed away from prior statements that the upcoming round of HIPAA compliance audits are primarily intended to be educational, noting that the audit program will be used as an enforcement tool.

In addition, six of the seven settlements discussed above arose from self-reported breach notifications, the latest of which was made in March of 2012. Accordingly, OCR likely has a large pipeline of active investigations which will only increase due to the lower breach reporting threshold that was adopted in the final HIPAA Omnibus Regulations and became effective on September 23, 2013.

Finally, while there has recently been a notable amount of turnover in top-level HIPAA staff at OCR, there is nothing to suggest that the new leadership will divert from making enforcement an ongoing priority in the years to come. One might also expect an uptick in the level of enforcement by state Attorneys General as they increasingly assert their HIPAA enforcement authority granted under the 2009 HITECH Act.

Conducting a thorough risk assessment, addressing any identified vulnerabilities, implementing and updating comprehensive HIPAA policies and procedures, and appropriately training workforce members who have access to PHI are all steps that covered entities and business associates must take to comply with HIPAA and to protect the PHI in their possession.


HHS slaps provider with $150K bill for HIPAA breach | Healthcare IT News

A five-facility mental health organization in Alaska has agreed to pay up and shape up its HIPAA compliance program after a Department of Health and Human Services investigation found the group failed to appropriately safeguard patient data.
Anchorage Community Mental Health Services will pay $150,000 to HHS to settle potential HIPAA violations after the organization failed to patch their systems and continued to run outdated, unsupported software that eventually led to a malware data breach affecting 2,743 individuals. ACMHS reported the breach to HHS back in March 2012.

Following the investigation by the Office for Civil Rights, the HHS division responsible for HIPAA enforcement, officials discovered ACMHS had adopted HIPAA security policies and procedures, but they were not followed by the organization's employees for a seven-year period, from 2005 to 2012.
The data breach of electronic protected health information resulted after ACMHS failed to "identify and address basic risks," OCR officials wrote in a settlement bulletin. Specifically, the organization neglected to update IT resources with system patches and updated software.
"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels, in the December bulletin. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
In addition to the $150,000 settlement, Anchorage Community Mental Health Services will also be required to implement a corrective action plan and subsequently report to OCR on its compliance program. 

To date, nearly 41.5 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to the most recent HHS data. 
In its most recent settlement before ACMHS, HHS in June slapped the six-hospital Parkview Health System in Fort Wayne, Indiana, with an $800,000 settlement after Parkview dumped 71 boxes of patient records in the driveway of a retiring physician's home while she was away. According to the complaint, the medical records were "unattended and accessible to unauthorized persons" on the physician's driveway, located in a "heavily trafficked" area.

Earlier this year, OCR also set records after announcing its largest monetary settlement ever with New York-Presbyterian Hospital and Columbia University Medical Center, who together agreed to hand over a whopping $4.8 million to settle alleged HIPAA violations after the electronic protected health information of 6,800 patients wound up on Google back in 2010. 
To date, OCR has levied some $26 million in monetary settlements against 24 HIPAA-covered entities found to have violated privacy, security and breach notification rules.

Medical Identity Thefts Account for 43% of all Reported Identity Theft Cases in U.S.

You may want to ask your medical or dental provider what measures they are taking to protect your electronic health records. In some cases, the answer may surprise you. Here is a recent article from USA Today that will get your attention.

Nearly half of identity thefts in the U.S. involve medical information.

Story Highlights

  • Medical records of between 27.8 million and 67.7 million have been breached since 2009
  • Thieves have used stolen medical information for all sorts of nefarious reasons
  • Perpetrators use different methods to obtain information, from stealing laptops to hacking into computer networks

If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft.

Last month, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43% of all identity thefts reported in the United States in 2013. That is a far greater chunk than identity thefts involving banking and finance, the government and the military, or education. The U.S. Department of Health and Human Services says that since it started keeping records in 2009, the medical records of between 27.8 million and 67.7 million people have been breached.

The definition of medical identity theft is the fraudulent acquisition of someone's personal information – name, Social Security number, health insurance number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.

"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery," said Pam Dixon, the founder and executive director of World Privacy Forum. "Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities." The Affordable Care Act has raised the stakes. One of the main concerns swirling around the disastrous rollout of federal and state health insurance exchanges last fall was whether the malfunctioning online marketplaces were compromising the confidentiality of Americans' medical information. Meanwhile, the law's emphasis on digitizing medical records, touted as a way to boost efficiency and cut costs, comes amid intensifying concerns over the security of computer networks.

Edward Snowden, the former National Security Agency contractor who has disclosed the agency's activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.
Thieves have used stolen medical information for all sorts of nefarious reasons, according to information collected by World Privacy Forum, a research group that seeks to educate consumers about privacy risks. For example:

  • A Massachusetts psychiatrist created false diagnoses of drug addiction and severe depression for people who were not his patients in order to submit medical insurance claims for psychiatric sessions that never occurred. One man discovered the false diagnoses when he applied for a job. He hadn't even been a patient.
  • An identity thief in Missouri used the information of actual people to create false driver's licenses in their names. Using one of them, she was able to enter a regional health center, obtain the health records of a woman she was impersonating, and leave with a prescription in the woman's name.
  • An Ohio woman working in a dental office gained access to protected information of Medicaid patients in order to illegally obtain prescription drugs.
  • A Pennsylvania man found that an imposter had used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each spot, the imposter left behind a medical history in his victim's name.
  • A Colorado man whose Social Security number, name and address had been stolen received a bill for $44,000 for a surgery he had not undergone.

Perpetrators use different methods to obtain the information, ranging from stealing laptops to hacking into computer networks, according to Sam Imandoust of the Identity Theft Resource Center. "With a click of a few buttons, you might have access to the records of 10,000 patients. Each bit of information can be sold for $10 to $20," he said.

According to HHS, the theft of a computer or other electronic device is involved in more than half of medical-related security breaches. Twenty percent of medical identity thefts result from someone gaining unauthorized access to information or passing it on without permission. Fourteen percent of breaches can be attributed to hacking.

"We say encrypt, encrypt, encrypt," said Rachel Seeger, a spokesman for HHS's Office For Civil Rights, which is charged with investigating breaches of medical records in health plans, medical practices, hospitals and related institutions.
The records in a laptop that a fired employee lifted from the North County Hospital in Newport, Vt., last year had not been encrypted. The laptop contained the records of as many as 550 patients. Around the time that breach was uncovered, HHS cited the hospital for a second breach involving two employees gaining access to records without authorization. Those cases are ongoing.

Wendy Franklin, director of development and community relations at North County, said the hospital generally does encrypt its records. Franklin also noted that North County requires all of its employees to sign agreements not to disclose medical records and to undergo training in confidentiality laws and procedures. She also said the hospital has instituted an audit to track access to private health records. But, in the end, Franklin said, the hospital largely has to rely on the honor system.

Two federal laws govern the confidentiality of medical records: the Health Insurance Portability and Accountability Act (HIPAA), originally passed in 1996, and the Health Information Technology (HITECH) Act of 2009. Together they lay out what health care providers and affiliated businesses are required to do to protect confidentiality of patients.

According to James Pyles, a Washington, D.C., lawyer who has dealt with health issues for more than 40 years, all 50 states have their own privacy laws and 46 of them require consumer notification when there is a security breach of private records.

HHS can impose a civil fine of between $100 and $50,000 for each failure of a business, institution or provider to meet privacy standards, up to a maximum of $1.5 million per year. A person who knowingly violates HIPAA faces a criminal fine of $50,000 and up to a year in prison. If the perpetrator tried to sell the information for "commercial advantage, personal gain or malicious harm," he or she could face a $250,000 fine and up to 10 years in prison.

The HIPAA law includes exceptions that allow a provider to share medical information without a patient's permission. A common example is when hospital business offices share information for the purpose of seeking payment. But there are also exceptions for "public health activities," "health oversight activities," "law enforcement purposes," and other purposes. No wonder, Pyles said, some patients are reluctant to disclose to a medical provider that they have a sexually transmitted disease or a mental illness unless they have to.

Under the HITECH law, a medical provider, health plan or medical institution must notify patients when a breach of their medical records is discovered. HHS must also be contacted. HHS discloses breaches involving 500 or more patients.

Discovery of the breach is useful but doesn't correct the mischief that may have happened. Although patients can have corrected information put in their files, it's difficult to get fraudulent information removed because of the fear of medical liability.

"It's almost impossible to clear up a medical record once medical identity theft has occurred," said Pyles. "If someone is getting false information into your file, theirs gets laced with yours and it's impossible to segregate what information is about you and what is about them."

Pyles describes the status quo as "the worst of two worlds." The U.S. has "a regulated industry that is saddled with laws with so many loopholes that they don't know what they are responsible for, and a public that doesn't believe their health information is being protected."


What Can You Expect in 2015 Regarding HIPAA Enforcement?

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009. An increase in the number of breaches isn’t the only statistic on the rise. Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463). It doesn’t take a crystal ball to predict that these numbers will continue to rise in 2015. We haven’t reached the apex yet.

The newly approved 2015 federal budget does not include an increase in funding for the federal agencies responsible for enforcing HIPAA, including the HHS Office for Civil Rights (OCR), but HHS isn’t viewing it as a setback. Per an OCR spokeswoman, “OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track…” Just a few weeks ago, HHS settled with the Alaska Department of Health and Human Services for $1.7 million for potential HIPAA violations.

If enforcement efforts remain on track in 2015, so should compliance efforts next year.  Keep your HIPAA policies and procedures up to date and conduct regular risk assessments.  If your organization has not addressed security on mobile devices or theft of patient data by former employees, do so now.  Especially if you are contemplating a transaction in 2015, it’s time to take a deep dive regarding HIPAA compliance.

Ebola Outbreak Prompts HHS Bulletin on Application of HIPAA During Emergencies

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress and signed by President Bill Clinton in 1996. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule establishes nationwide standards “to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.” HIPAA also provides to patients the right to examine and obtain a copy of health records and to request corrections.

The HIPAA Privacy Rule places restrictions on the use and disclosure of patients’ protected health information, but it also ensures that appropriate uses and disclosures of that information may occur for critical purposes, including when necessary to treat a patient and to protect the nation’s public health.

Prompted in part by the recent Ebola outbreak, the HHS Office for Civil Rights (OCR) issued a November 10, 2014, bulletin to ensure that HIPAA-covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation. “BULLETIN: HIPAA Privacy in Emergency Situations” was also issued to “serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

The bulletin, which can be accessed on the HHS Health Information Privacy page, addresses the obligations the rule imposes when “Sharing Patient Information” and when “Safeguarding Patient Information.” It also describes the basic restrictions on sharing protected health information for treatment, for public health activities, for notification of family and friends, and for notification of the media and business associates.

While the HHS bulletin specifically states that the HIPAA Privacy Rule is not suspended during a public health or other emergency, it goes on to say that the Secretary of HHS may waive certain provisions of the Privacy Rule under certain circumstances. Those circumstances include a declaration by the President of the United States of an emergency or disaster, or a declaration by the Secretary of a public health emergency. In those instances, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with the Privacy Rule’s requirement to obtain a patient’s agreement before speaking to family members about the patient’s care. However, that waiver applies only to hospitals that have instituted a disaster protocol, and only for 72 hours after that protocol begins.

The bulletin states that a hospital may release limited “facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.”

The Privacy Rule applies to disclosures made by employees, volunteers, and other members of a “covered entity” or its “business associates.”

Covered entities comprise “health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.”

Business associates are defined in the bulletin as “persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.”

The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. Therefore, HIPAA does not prevent managers, supervisors, or HR professionals from asking for a doctor’s note if the note is needed to implement or administer sick leave, workers’ compensation benefits, or health insurance. However, a health care provider may not give such information directly to an employer without an authorization from the employee.