HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk Management Articles, Tips and Updates for Medical Practices and Physicians

Moving in Front of Healthcare’s Connectivity Curve


As a clinician, technology is a significant interest in my life. I have always felt that one way in which to stay young is to embrace technology, and to understand how technology integrates into our professional and personal lives.

This past April, I was intrigued by the announcement of ResearchKit by Apple. The first research apps developed covered five areas of study: asthma, breast cancer, cardiovascular disease, diabetes, and Parkinson’s disease. However, the number of commercial and institutional research organizations using the open-source ResearchKit platform is expanding daily.

More than 75,000 people have enrolled in ongoing health studies using ResearchKit apps to gather health data. Smartphones and wearable technology, with their microphones, cameras, motion sensors, and GPS devices, have unique advantages for gathering health data, and, in some cases, can serve as a valuable addition to regular care from a provider.

The possibilities for benefiting the body of health knowledge are endless. However, it is important for patients to be mindful and use these tools wisely in this modern world of connectivity.

More than a few people are commenting on the possible risks of gathering data in this way. As always in our modern society, available technology is way ahead of regulations. For example, we have strong laws and regulations regarding patient confidentiality enshrined in medical tradition and HIPAA.

Recognizing this vulnerability, Apple added the following to their app store submission guidelines: “All studies conducted via ResearchKit must obtain prior approval from an independent ethics review board.” Meaning, all studies must obtain Institutional Review Board (IRB) approval. This is a good step in the right direction, but much more care is needed to gather data with the expanding number of ResearchKit apps, to ensure that personal health data is protected and that this technology is used in an ethical, and lawful, way.

Regardless of all the caveats, I remain intrigued and hopeful that leveraging technology via tools such as smartphones and software like ResearchKit will be a great boon to the understanding of disease and treatments around the world.

I would recommend the following to put us ahead of the curve with these new tools:

  1. Ethical guidelines and procedures need to be developed by the research community in the U.S. to ensure that use of technology in research data gathering is done with the greatest protection of the patients’ individual health data.
  2. Laws and regulations need to be considered to ensure the integrity of the data as well as the protection of personal health information.
  3. Companies like Apple, who are leading the roll out of this technology, should not wait for state and federal governmental entities to regulate the use of technology in research and should be leaders in the ethical, responsible use of apps to gather and use health research data.

Technology in medicine is constantly evolving. We have to try to evolve with it, however, and recognize that the law of unintended consequences is always present, and will always present challenges as the vast universe of technology expands with ever-increasing speed in medicine and every other area of life.


Two Sentenced in HIPAA Criminal Case


Two individuals - a former hospital worker and a convicted drug trafficker - have been sentenced to serve time in federal prison for HIPAA privacy violations.

But the May 18 sentencing for HIPAA violations of drug "kingpin" Stuart Seugasala is the least of his problems. He'll be serving his 10-year HIPAA-related prison sentence concurrently with three life sentences for his January convictions on drug trafficking conspiracy and two kidnapping charges. In addition to that, he'll serve a consecutive seven-year sentence on firearm violations.

In a statement, the U.S. Department of Justice notes that because there is no parole in the federal penal system, Seugasala will spend the rest of his life in custody.

Meanwhile, as part of the same criminal case, Stacy Laulu, a former financial worker at Providence Alaska Medical Center in Anchorage, was sentenced on May 29 to two years in federal prison for each of her two counts of unauthorized disclosure of health information, for which she was convicted in January. She will serve the two-year sentences concurrently. Federal prosecutors say Seugasala in March 2013 contacted Laulu, a friend, to find out if two victims of his crimes, who were both admitted to Providence Alaska Medical Center due to injuries inflicted by Seugasala and two other accomplices, had reported him to police.

"Laulu accessed the private electronic medical files of the victims and reported back to Seugasala," according to the Justice Department statement. Laulu went to trial with Seugasala in January and was convicted of violating the privacy rights of the victims.

Unlike Laulu, Seugasala received the maximum 10-year sentence on his HIPAA conviction. The HIPAA case is the first in the history of Alaska "and one of few such cases prosecuted in the country," federal prosecutors note. Judge Ralph Beistline, who presided over the Seugasala and Laulu cases, said that in committing these HIPAA violations, Seugasala "disrespected the victims again."

While imposing the life sentences on Seugasala, Beistline told him, "You enjoyed being a drug kingpin, you seemed to enjoy the misery that you created, and you enjoyed your criminal posse," according to the Justice Department statement.

Three other individuals involved with the criminal case were also convicted and sentenced on a variety of charges that included drug conspiracy, drug trafficking and kidnapping - but not HIPAA violations.

Relatively Rare Cases

While HIPAA criminal convictions are themselves unusual, convictions of individuals who are not employed by a covered entity or business associate are rarer still, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. In those rare cases, the individuals have usually been convicted of HIPAA violations related to other crimes, he notes.

"Before the HITECH Act in 2009, the criminal conviction could be based on an aiding and abetting or conspiracy charge, where the non-employee causes the HIPAA covered entity to violate HIPAA. We have seen this in identity theft cases," he says. "The HITECH Act amended the criminal provision to more explicitly permit prosecutors to go after anyone who improperly obtains or discloses health information, even if not part of a covered entity."

Criminal prosecutions tied to HIPAA violations often are tied to cases "involving criminal conduct, such as identity theft, other fraud, or in this case drug trafficking crimes," Greene notes. "So far, prosecutors have seemed to be more interested in using HIPAA as a secondary charge in other criminal matters rather than seeking to prosecute matters that only involve inappropriate access or use of health information."

Other Cases

There have been only a handful of other federal criminal HIPAA cases elsewhere in the U.S. The 10-year sentence for Seugasala's HIPAA crimes is apparently the most substantial so far.

Among other recent cases was the sentencing in February of Texas hospital worker Joshua Hippler to 18 months in federal prison for criminal HIPAA violations.

Hippler, 30, formerly of Longview, Texas, was sentenced after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information, according to federal prosecutors.

Prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital. During this time, he obtained protected health information with the intent to use it for personal gain, they say.

In another HIPAA prosecution, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced in October 2013 to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.

And in April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud as well as criminal HIPAA violations.

Aside from those cases, most other defendants sentenced for criminal HIPAA violations have generally received much lighter sentences.

For example, last November, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.

And in 2010, former UCLA Healthcare System surgeon Huping Zhou was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California.


Current HIPAA Requirements Sufficient, AHA Tells ONC


The current HIPAA requirements are enough to support improving the healthcare infrastructure for secure data sharing in clinical care, according to the American Hospital Association (AHA).

In a letter to the Office of the National Coordinator (ONC) Secretary Karen DeSalvo, AHA Senior Vice President of Public Policy Analysis and Development Linda Fishman wrote that overall, the AHA agrees with the ONC Interoperability Roadmap. However, the AHA worries “that the roadmap is not sufficiently grounded in an assessment of present realities or focused enough on the steps that will enable public and private stakeholders to travel from the present regulatory, clinical and technology environment to the future state envisioned.”

Fishman explained that the roadmap needs to be more specific about the immediate steps and resources necessary to improve nationwide interoperability. Moreover, a clearer outline is needed of the short-term, intermediate-term, and long-term timeframes for interoperability.

“Given the significant investments already made, the AHA urges ONC to adopt the current requirements of the meaningful use program and the capabilities of the 2014 Edition certified EHRs as the starting point for the nationwide interoperability roadmap,” Fishman wrote.

In terms of privacy and security, the AHA does not agree with the roadmap in its suggestions for change. For example, the roadmap states that “current government and private sector programs provide insufficient incentives for interoperability across the care continuum.” The AHA disagrees, and Fishman wrote that the current HIPAA requirements are sufficient for improving the infrastructure for better data sharing.

“The proper focus should be on making these requirements the prevailing standard nationwide if it is essential to address access to health information within the interoperability context,” the AHA explained. “The roadmap proposals could exacerbate the existing conflict among federal, state and local laws, rather than working to limit them.”

It is also necessary for the ONC to work with the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) to see where additional guidance might be required in terms of HIPAA requirements. Specifically, stakeholders might need assistance in understanding how privacy and security rules apply in ACOs and other multi-stakeholder alternative delivery system organizations.

“Under the current HIPAA privacy rule, the use and/or disclosure of protected health information between covered entities for health care operations that expressly qualify as quality assessment and improvement activities is permissible only when both the disclosing and receiving covered entity have or had a relationship with the patient about whom the information pertains. Achieving the meaningful quality and efficiency improvements that a clinically integrated setting promises requires that all participating providers be able to share and conduct population-based data analyses.”

The AHA also recommended that ONC continue to work within the broader framework of the existing cybersecurity policy. Cybersecurity activities need to “align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations.” The NIST Cybersecurity Framework must also be kept in mind because it is the “overarching federal approach to cybersecurity.”

It is important to find the right balance when it comes to information sharing, as the data must also be kept secure. However, the current policy frameworks already address this issue, according to the AHA, and it is necessary for the ONC to work within those policies to improve interoperability.

Think Your Practice is HIPAA Compliant? Think Again.


You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.


For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.

"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."

That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.

If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted, such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.

Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is that if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, it is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."
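The content-aware filter Caswell and Tennant describe, as an added example that is not from the article or any vendor's product: each outgoing message is forced through encryption when it carries one of the triggers named above (a social security number or payment card number in the body, an attachment, or "encrypt"/"sensitive" in the subject). The `OutboundMail` shape and the sample messages are constructed for this example; the card check uses a Luhn test so that phone numbers and record numbers do not trip it.

```python
"""Content-aware outbound e-mail filter of the kind the article describes.

Added example, not code from the article or from any vendor's product.
The OutboundMail shape and the sample messages below are constructed.
"""
import re
from dataclasses import dataclass, field

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SUBJECT_KEYWORDS = ("encrypt", "sensitive")


@dataclass
class OutboundMail:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the substrings of text that look like valid payment card numbers."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def classify(mail: OutboundMail) -> dict:
    """Decide whether one outgoing message must be encrypted, and why."""
    reasons = []
    if any(k in mail.subject.lower() for k in SUBJECT_KEYWORDS):
        reasons.append("subject keyword")
    if mail.attachments:
        reasons.append("attachment")
    if SSN_RE.search(mail.body):
        reasons.append("ssn in body")
    if find_card_numbers(mail.body):
        reasons.append("card number in body")
    return {"encrypt": bool(reasons), "reasons": reasons}


# Constructed sample traffic: a benign reminder, a billing reply carrying
# identifiers, and a message the sender explicitly tagged for encryption.
SAMPLE_MAILS = [
    OutboundMail("Appointment reminder",
                 "See you Tuesday at 9:30. Call 555-123-4567 to reschedule."),
    OutboundMail("Billing question",
                 "The card on file ends 4111 1111 1111 1111, SSN 123-45-6789."),
    OutboundMail("ENCRYPT: lab results", "Results attached.", ["labs.pdf"]),
]

if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print(mail.subject, "->", classify(mail))
```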

If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.

Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).

Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:

• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.

In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.

If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.

The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.

While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.

To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."

Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.

She recommends practices take the following precautions:

• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.
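One shape such an EHR access audit can take, as an added example that is not from the article or from any EHR product: each logged chart access is checked for a treatment relationship (care-team assignment) or a payment role, and anything else is flagged, with the snooping patterns Caswell names (own record, a relative's surname) called out separately. The log format, care-team table, user directory and events are all constructed for illustration; healthcare-operations access (quality review, compliance audit) is not modelled and would need its own rule.

```python
"""Minimal EHR access audit for 'record snooping', as the article recommends.

Added example; the CSV log format, care-team table, user directory and events
below are constructed for illustration and are not from any EHR product.
"""
import csv
from io import StringIO

# Constructed care-team assignments: patient_id -> users with a treatment
# relationship to that patient.
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.ortiz"},
    "P1002": {"dr.lee"},
    "P1003": {"dr.patel", "rn.ortiz"},
}
PAYMENT_ROLES = {"billing"}
# Constructed user directory: user id -> (surname, that user's own patient id
# if they are also a patient here, else None).
USERS = {
    "dr.lee": ("Lee", None),
    "rn.ortiz": ("Ortiz", "P1002"),
    "dr.patel": ("Patel", None),
    "billing01": ("Nguyen", None),
    "clerk.kim": ("Kim", None),
}
PATIENT_SURNAME = {"P1001": "Kim", "P1002": "Ortiz", "P1003": "Nguyen"}

# Constructed EHR access log: timestamp,user,role,patient_id,action
ACCESS_LOG = """\
2015-06-01T09:02:00,dr.lee,physician,P1001,view_chart
2015-06-01T09:15:00,rn.ortiz,nurse,P1002,view_chart
2015-06-01T10:40:00,clerk.kim,front_desk,P1001,view_chart
2015-06-01T11:05:00,billing01,billing,P1003,view_claims
2015-06-01T13:20:00,dr.patel,physician,P1002,view_chart
"""
LOG_FIELDS = ["ts", "user", "role", "patient_id", "action"]


def audit_event(user: str, role: str, patient_id: str):
    """Return a reason string if the access looks inappropriate, else None."""
    surname, own_pid = USERS.get(user, (None, None))
    if patient_id == own_pid:
        return "accessed own record"
    if user in CARE_TEAM.get(patient_id, set()):
        return None  # treatment relationship on file
    if role in PAYMENT_ROLES:
        return None  # payment purpose
    if surname and surname == PATIENT_SURNAME.get(patient_id):
        return "possible family member, no care relationship"
    return "no treatment or payment relationship"


def audit_log(log_text: str) -> list:
    """Run audit_event over every row; return (ts, user, patient_id, reason)."""
    findings = []
    for row in csv.DictReader(StringIO(log_text), fieldnames=LOG_FIELDS):
        reason = audit_event(row["user"], row["role"], row["patient_id"])
        if reason:
            findings.append((row["ts"], row["user"], row["patient_id"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_log(ACCESS_LOG):
        print(*finding)
```

Unknown users fall through to the last rule and are flagged, which is the safe default for an account that is not in the directory.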


Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.

"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."


Shocks and surprises in new breach trend studies


Since 2010, HHS has documented more than 1,000 major data breaches (where each incident involved the compromise of more than 500 patient records). Now we’re starting to see some in-depth analyses of those breaches.

In the new issue of the Journal of the American Medical Association (JAMA), there’s a study that concludes that 29 million medical records were compromised between 2010 and 2013.

The JAMA study also found that six of the breaches involved at least one million records each – and more than one third of all breaches occurred in just five states: California, Texas, Florida, New York and Illinois.

The study was accompanied by an earnest editorial subtitled “The Importance of Good Data Hygiene.” The authors called for a total overhaul of HIPAA, which they described as “antiquated and inadequate.” They noted that HIPAA doesn’t adequately regulate the use of Protected Health Information (PHI) by “digital behemoths” like Apple, Google, Facebook and Twitter.

In addition to the JAMA report, our company did an extensive analysis of 2014 data breach trends summarized here. We thoroughly documented 89 of those breaches, and we excluded the huge Community Health Systems breach so it wouldn’t skew the other data. Here are the most important trends we spotted:

Non-digital breaches still a problem

In the 89 incidents, paper breaches accounted for 9 percent of compromised records in the first half of 2014 – and 31 percent in the second half. Nearly 200,000 paper records were compromised, plus about 60,000 pieces of individually identifiable health information ranging from lab specimens to x-rays. Obviously, it’s still vitally important to safeguard the confidentiality of non-digital health records. Organizations must clarify and enforce policies and procedures to achieve that goal.

Theft of portables still a concern

We confirmed the loss or theft of 12 portable computing devices last year – and the lack of appropriate physical safeguards was a major contributing factor. In addition to taking greater common-sense precautions, organizations should use whole-disk encryption and other technical safeguards to render PHI unusable, unreadable or indecipherable to unauthorized people. Policies and procedures for portable device security need to be clearly communicated to all employees – and workforce training needs to involve much more than a dry online tutorial.

Watch out for rogue employees and business associates

We uncovered 45 incidents involving company insiders that resulted in the compromise of nearly half a million records. In other words, about half of all the data breaches were the result of mistakes or malice by an organization’s own people. It’s impossible to prevent every workforce-related breach, but everyone in the organization needs to be on the lookout for unusual activities that could spell trouble. All employees and BAs need to know that the hammer will come down – swiftly and consistently – on insiders who intentionally compromise patient data.

No organization should shout “hooray” simply for avoiding an Anthem-scale breach. There are many other incidents – improper disposal of paper records, misplaced x-rays, employee snooping, and more – that can still do a lot of financial and reputational damage. Those are the types of breaches that even a HIPAA tech-fix can’t solve.

These breach trend summaries agree on one main point: healthcare organizations need to constantly assess the maturity of their information risk management programs – and not view them as a narrowly defined “HIPAA compliance” duty.
