
Proposed Privacy Rule Changes

Finalization of Privacy Rule modifications is still pending

The Department of Health and Human Services (HHS) published proposed changes to the HIPAA Privacy Rule in the Federal Register on January 21, 2021. The public comment period closed in May 2021, and HHS expects to publish the final rule in March or April 2023.

Effective Date – Once published, the final rule will become effective 60 days from its date of publication in the Federal Register.

Compliance Date – The important date for covered entities and other parties affected by the rule will be the Compliance Date, which will be 180 days from the Effective Date. This gives covered entities time to revise policies, forms, and procedures before the new requirements are enforced.

Proposed Changes – There are multiple possible changes affecting an individual’s (patient’s) right of access, permitted disclosures for the purpose of care coordination and case management activities, and more.  Here is a brief listing of proposed changes that, if finalized, will have the greatest impact for providers and their practices:

  • New Terms will be introduced for Electronic Health Records and Personal Health Applications.
  • Timeliness for access to records will be amended from the current 30-day period to 15 calendar days for responding to access requests for inspection and/or copies of PHI. An additional 15 calendar days will be permitted to fulfill the request if certain conditions are met.
  • Strengthened right of inspection – Individuals will be permitted to take notes, take photographs, and use other personal resources to capture information when inspecting their designated record set.
  • Right of access fees – Reasonable, cost-based fees that may be imposed for copies of PHI (or for a summary of PHI if agreed to by the individual) will be clarified.
  • Notice of access and authorization fees – A covered entity will be required to post a fee schedule on its website (if it has one), make the fee schedule available at the point of service and upon request, and specify in it the types of access to PHI that are available free of charge as well as standard copy fees, including for any readily producible electronic and non-electronic forms and formats. Upon request, the covered entity must provide an individualized estimate of the approximate fee for any type of request covered by the fee schedule, and an itemized list of the specific charges for labor, supplies, and postage that make up the total fee charged.
  • Requests to direct PHI to a third party will enable an individual to make a request to disclose their PHI to a third party in oral as well as written form (current requirement is written form) and to direct transmission of their PHI in an electronic format to a third party (if records are maintained electronically by the covered entity).
  • Care coordination and case management activities are added to the exceptions to the Minimum Necessary Standard regarding disclosures to or requests by healthcare providers or health plans with respect to an individual.
  • Business Associate Agreements must specify whether the business associate is expected to disclose PHI directly to an individual (or the individual’s designee) upon request, rather than to the covered entity, as necessary to satisfy the covered entity’s obligations under the right of access.
  • Modified Language for Notice of Privacy Practices – Several new, specific statements will need to be prominently displayed in the notice. In addition, the email address of the person who is designated to provide further information and answer questions about the notice will need to be included.
  • Obtaining acknowledgement of receipt of the Notice of Privacy Practices will no longer be required.
  • Providers of Telecommunications Relay Services (TRS), as defined in 47 U.S.C. 225(a)(3), will be specifically excluded from the definition of business associate, and covered entities will be permitted to disclose PHI to a TRS communications assistant as necessary to conduct covered functions.
  • Presumption of compliance – There are several permissions for disclosure within the Privacy Rule that will be based on a covered entity’s good faith belief that providing access is in the best interests of the individual (e.g., to prevent a serious and reasonably foreseeable harm, or lessen a serious or reasonably foreseeable threat, to the health or safety of a person or the public). The covered entity will be presumed to have complied with the good faith requirement absent evidence that the covered entity acted in bad faith.
  • Uses to carry out treatment, payment or healthcare operations – Covered entities will be permitted to disclose an individual’s PHI to a social services agency, community-based organization, home and community-based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities.
  • Reducing identity verification burden – Verification of the identity of a person making an access request will be permitted to be done orally or in writing.
  • Unreasonable measures of verification – Unreasonable verification measures will be defined, and examples provided to help covered entities avoid impeding an individual’s access rights.

Note – Eagle Associates will provide a detailed explanation of all changes and operational recommendations once the final rule is published. 

Notice for Subscribers to Eagle Associates’ HIPAA Compliance System

Eagle Associates will publish revised policies, forms (such as Notice of Privacy Practices and Business Associate Agreements), and workforce member training prior to the compliance date. We will also provide guidance documents to help ensure your practice is fully prepared to meet the new requirements.

Beware of Teleconferencing Hijacking

If you have begun or increased your use of teleconferencing/telehealth to provide health care, be aware of cyber-attacks against these platforms. The FBI issued a notice on March 30, 2020 warning that bad actors have been hijacking Zoom and other teleconference platforms, disrupting them with pornographic or hate images and language. For a telehealth session the concern is not only disruption: an uninvited participant who can see or hear the session has obtained PHI, which is an impermissible disclosure.

The following steps can help to secure your teleconferences:

  • Do not make meetings public. In Zoom, there are two ways to make a meeting private: require a meeting password, or use the waiting room feature and control the admittance of each guest. Other platforms offer similar security settings such as meeting passwords and waiting rooms.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screen-sharing options. In Zoom, set screen sharing to “Host Only” so that participants cannot share content to the meeting.
  • Ensure users are running the current version of remote access/meeting applications. In January 2020, Zoom updated its software; that security update enabled passwords by default for meetings and disabled the ability to randomly scan for meetings to join. Older clients may not have these protections.
  • Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

If you are a victim of teleconference hijacking, or any cyber-crime for that matter, report it to the FBI’s Internet Crime Complaint Center at ic3.gov. Additionally, if you receive a specific threat during a teleconference, report it to the FBI at tips.fbi.gov or call your local FBI field office (the original notice lists the FBI Boston Division at (857) 386-2000).

HIPAA Security Emphasis

With the end of support for Windows 7 in January 2020 approaching (after which Microsoft will no longer issue security updates for it), many covered entities are still working to upgrade their operating system to Windows 10. Continuing to run an unsupported operating system on devices that handle ePHI is a risk that must be addressed in the practice’s risk analysis. We have published an article in the October issue of the Advisor® that warns of documented security vulnerabilities within Windows 10 that must be considered when configuring the newer operating system. The following whitepaper on proper configuration of Windows 10, issued jointly by Microsoft and HIPAA One, may be shared with your IT vendor or personnel: https://www.hipaaone.com/wp-content/uploads/2019/06/HIPAA-Compliance-Microsoft-Windows-10.pdf

In addition, the article describes two aspects of a Security Risk Analysis that HHS has recently emphasized. The first is the asset listing, which is generally addressed in contingency planning. While this list is helpful in rebuilding the network or information system following a disaster, HHS emphasizes that it should first serve as a thorough inventory of all devices that receive, store, or transmit ePHI so that appropriate security measures can be considered for each; a device that is not on the inventory will not be patched, monitored, or wiped when it is retired. An asset listing also helps practices with multiple locations track the location of devices.

The second item of emphasis is a recommendation from HHS that covered entities establish a business associate listing. Any time the services of a new vendor are engaged, the practice should determine whether the vendor will qualify as a business associate. If so, the business associate should be recorded in the listing, along with contact information and a description of the services the BA provides. A Business Associate Agreement must be in place with such an entity before it is given access to, or sent, any protected health information. When a covered entity is audited by the Office for Civil Rights (OCR), the business associate listing will be requested. Establishing the list prior to an audit ensures that your practice can respond quickly and confidently to the request.

Please see the article in the October 2019 Advisor® for more details.

Protective Measures Following A Breach

When your practice determines that a privacy breach is reportable, notification to patients must be provided without unreasonable delay and in no case later than 60 calendar days from the date of discovery of the incident. The notice to patients must include:

  • a brief description of the breach;
  • the types of information that were involved;
  • a brief description of what your practice is doing to investigate the breach, mitigate any harm, and prevent further breaches (corrective actions); and 
  • contact information for the practice’s Privacy Officer (in the event the patient has questions regarding the breach).

It is also required that your practice provide notice of any steps that affected individuals should take to protect themselves from potential harm that might result from the breach. This article addresses the types of protective measures available to patients following a breach, when they should be recommended, and who should provide for them.

Providing Credit Monitoring & Identity Theft Protection Services

The Breach Notification Rule does not stipulate whether credit monitoring and identity theft protection services should be provided for patients who have had their PHI breached.  The decision whether or not to provide those services is left to the discretion of your practice.  However, your practice is required to provide patients with details of the steps that should be taken (by them) to mitigate further risk and protect themselves from harm.

Credit monitoring may not be necessary for all confirmed breaches. A breach of credit card numbers or Social Security numbers (SSNs) presents the greatest risk of identity theft or fraud. According to fraud experts, a full name and address alone does not, by itself, enable theft or fraud. However, a full name, address, date of birth (DOB), and SSN together place someone at significant risk of identity theft.

Note that some states have enacted legislation requiring credit monitoring to be offered for all data breaches. Your state medical or dental society can provide information on your state’s position. 

Consider the Public Relations (PR) Factor

Providing credit monitoring can help reverse the ill will that a privacy breach has caused by demonstrating genuine concern for the patient’s privacy. This relatively simple action may lessen the likelihood that the patient will file a privacy complaint with the Office for Civil Rights (OCR) or complain to others about your practice. An OCR complaint can result in significant administrative time to respond to an investigation and could potentially result in civil monetary penalties.

Place yourself in the patient’s shoes.  If you have to send them notification of a confirmed breach, you’ve just told them that your practice has improperly disclosed their PHI and perhaps, as a protective measure, they should monitor their credit. Offering credit monitoring at no expense to the patient alleviates a burden that resulted from actions of the practice.  

Credit Monitoring

While the credit reporting bureaus – Equifax, Experian, and TransUnion – must provide consumers with a free credit report once every 12 months upon request, ongoing credit monitoring services go further: they alert the patient whenever the bureau receives an application for credit or a loan in the patient’s name, or when personal information such as an address or phone number is changed.

Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as SSNs, as well as driver’s license, medical ID, and passport numbers.

The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the types of data that have been exposed, the likelihood of data being used for identity theft and fraud, and the risk of data being sold.

If you attempt to sign up for a credit monitoring service on the patient’s behalf, the company may see it as an attempt at credit or identity theft. It is recommended that you inform the patient of your willingness to reimburse them for such services, or you could offer an up-front payment to the patient once they have selected a service.

The cost of a one-year plan can range from $100 to $250 for an individual. Considering the cost of dealing with an unhappy patient and a possible OCR inquiry, one year of credit monitoring can be a wise investment for the practice.  

Credit Freeze

The Federal Trade Commission (FTC) recommends that if someone is concerned about identity theft, data breaches, or someone gaining access to their credit report without permission, they might consider placing a credit freeze on their report.  Depending on the nature of the breach, you might recommend that your patients consider a credit freeze.

A credit freeze will not prevent thieves from making charges to existing accounts, but this free tool lets people restrict access to their credit reports, which in turn makes it more difficult for identity thieves to open new accounts in the person’s name.  A credit freeze does not affect a person’s credit score nor prevent the person from getting a free annual credit report.  A credit freeze does not keep a person from opening a new account, renting an apartment, or buying insurance, however a person might need to temporarily lift a freeze to accomplish these things. It is free to lift a credit freeze and free to place it again.  

A freeze remains in place until the person asks the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, the bureau must lift the freeze within three business days from receipt of the request. 

You may direct patients to the FTC recommendations at:

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

Summary

All potential breaches should be investigated and documented. Whether an incident requires notification of patients is determined by the risk assessment required under the Breach Notification Rule (an impermissible use or disclosure of PHI is presumed to be a breach unless the practice can demonstrate a low probability that the PHI has been compromised). Which protective measures to offer affected patients is at the discretion of your practice.

Business Associates vs. Vendors

Most covered entities have business relationships with vendors or service providers that fall into the category of business associates, as defined by HIPAA rules. The factor that will decide whether or not there is a business associate relationship with a particular service provider is whether the individual or entity handles protected health information (PHI) as part of the services that they provide to the practice. 

Business Associates

Following is a definition of a business associate, according to the Privacy Rule:

Business Associates – In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. 

Examples of business associates include:

  • Companies that help doctors get paid for providing health care, including billing or collection companies and companies that process health care claims
  • People like outside lawyers, accountants and IT specialists (if their work requires access to or disclosure of PHI)
  • Companies that store or destroy medical records, such as shredding companies, storage facilities (for paper records) and cloud-based data storage vendors (for electronic records)
  • Companies that provide data transmission services with respect to PHI, such as secure email or Internet-based fax services
  • Voice over Internet Protocol (VoIP) phone service providers (where the provider stores voicemail or call recordings containing PHI, rather than merely transmitting calls)
  • Companies that provide phone answering, mailing or transcription services

It is not necessary that the entity use the protected health information, but only that your practice intentionally provides access to or discloses it to the business associate as part of the service relationship. For example, although a cloud-based data storage company may simply store data (that contains PHI) for the practice and does not use it, the covered entity has made an intentional disclosure of PHI to the company and in turn it is providing the service of storage to the covered entity. Therefore, the data storage company is considered a business associate subject to HIPAA rules. It is very important to establish a written Business Associate Agreement with such entities prior to disclosing PHI to them.

Vendors

There are some entities that may have inadvertent access to PHI due to their presence in your practice, such as janitorial staff or a pharmaceutical rep, that are not considered business associates. In most cases these vendors will only have incidental access, such as overhearing a part of a conversation concerning a patient or seeing a patient’s name on a chart. Protected health information is not intentionally disclosed to these entities, nor are they provided with persistent access to it. And, as long as the covered entity has reasonable safeguards in place and these disclosures are limited in nature, they are not a violation of HIPAA Rules. 

For complete information regarding business associate agreements and vendor confidentiality agreements, please refer to the article on page 5 of the May issue of the American Practice Advisor® titled “Business Associate vs. Vendor Confidentiality Agreements.”

HIPAA Workforce Sanctions

Sanctions, also known as penalties or disciplinary actions, are a common requirement when implementing regulatory requirements.  HIPAA Rules specifically state that a Covered Entity (i.e., a medical or dental practice) must implement policies to prevent, detect, contain, and correct privacy and security violations and apply appropriate sanctions against members of their workforce who fail to comply with policies and procedures.

The HIPAA definition of workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

A recent Eagle Associates News page article, Preventing HIPAA Violations, referenced a practice that was fined $125,000 for unauthorized disclosures of PHI. One of the reasons for the civil monetary penalty was that the practice did not sanction the provider who made the disclosures. This draws attention to the fact that no member of the practice’s workforce is exempt from sanctions when they are involved in a HIPAA-related violation.

Sanction Policy and Types

Covered entities must maintain a written policy establishing a set of disciplinary actions that may be imposed when a workforce member violates its Privacy or Security policies. The policy should state that sanctions will be applied equally to any workforce member at fault, regardless of title or length of employment (including management, officers, and providers). The policy should further state that the actual sanction imposed for a given violation will be based on the risk to the patient’s PHI, repeat offenses, intent, and actual impact on PHI. The authority for imposing sanctions lies with the practice’s Privacy Manager, Security Officer, and management personnel. Having multiple persons involved ensures an appropriate review of the circumstances and determination of the sanction to be imposed.

Workforce members must be provided notice of possible sanctions for violations.  This can be easily communicated in a confidentiality agreement that outlines the workforce member’s responsibilities, and consequences for failing to comply with practice policies. 

HIPAA Sanction Examples

The Security Officer, Privacy Manager and/or Compliance Committee should impose the sanction(s) that they determine to be appropriate, considering the severity of the incident, the intent of the workforce member, and the number of prior incidents in which the individual has been involved. Following are examples of possible sanctions that may be imposed:

  • A verbal reprimand should be imposed for incidents deemed minor and for an individual’s first occurrence of an incident.
  • A written reprimand should be imposed for a repeat of an incident, or for a different incident involving the same individual.
  • A staff member may be temporarily suspended from work to prevent him/her from accessing protected health information, for a length of time to be determined by the Security Officer or Privacy Manager. The length of the suspension will be dependent upon the type and the severity of the incident and/or the repetition of offenses by the individual.
  • A staff member may be terminated from the practice for malicious or other serious failure to follow HIPAA policies and procedures implemented by the practice.

The written policy and sample sanctions should enable a practice to determine an appropriate sanction for the incident being addressed.  Again, sanctions need to be applied to all workforce members that violate HIPAA policies and procedures.  Perhaps the most difficult sanctions are those that need to be applied to providers and management personnel.  Due to the sensitivity and possible resistance to sanctions for providers and management personnel, it is recommended to have a discussion with compliance officers and management before violations occur.

Recommended Actions for Sanctions Compliance

  1. Ensure that your practice has written sanction policies. Practices with Eagle’s HIPAA policy manuals should review Sections 1.14 and 1.14a and either:
    a. implement those policies; or
    b. implement existing HR or other practice policies intended to address HIPAA violations.
  2. Ensure that workforce members are aware of possible sanctions for HIPAA violations.  We recommend using a confidentiality agreement (Form 7.10 from the Eagle Associates HIPAA policy manual) for all workforce members to inform them of sanctions and possible actions.
  3. Ensure that sanctions are imposed and documented in the workforce member’s personnel file.
  4. Provide workforce member training for Privacy, Security, and Breach Notification Rule requirements.  Using Eagle Associates’ Compliance Training modules for HIPAA (occurring in April, May, and June issues of the Advisor) will document that the practice has met requirements for training and awareness.