HIPAA Requirements for Online Tracking from OCR

The Office for Civil Rights (OCR) has issued a bulletin to remind covered entities and business associates of their obligations under HIPAA when using online tracking technology. These technologies include, but are not limited to, Google Analytics, Meta Pixel, cookies, and QR codes.

Covered entities regularly share electronic protected health information (ePHI) with some of these tracking vendors, and some may be doing so in violation of HIPAA. Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of ePHI to tracking technology vendors or in any other violation of the HIPAA Rules.

Tracking technologies are used to collect and analyze information about how patients interact with websites and/or mobile applications (“apps”). If a covered entity or business associate uses a technology partner to analyze interactions or to disclose tracking information as part of its health care operations, the HIPAA Rules apply when the information collected contains protected health information (PHI). If your organization shares sensitive information with an online tracking vendor, that sharing may constitute an impermissible disclosure. Another example of a HIPAA violation would be disclosing PHI to a tracking company for marketing purposes without the patient’s authorization.

Tracking technology is a script or code on a website or mobile app that gathers information about users as they interact with the website or app. That information is then analyzed by the owners of the website or app, and third parties may also be used to analyze the data and create insights about users’ online activities. These insights could be used in beneficial ways, such as to help improve care or the patient experience. However, this tracking information could also be misused and lead to identity theft, stalking, and harassment.

Disclosures include a variety of information shared through tracking technologies on a website or mobile app, including individually identifiable health information (IIHI) that the individual provides when using the website or app. This information could include a patient’s medical record number, home or email address, or dates of service, as well as an individual’s IP address, geographic location, or medical device IDs. All such IIHI collected on a website or mobile app generally is PHI, even if the individual does not have an existing relationship with the entity and even if the IIHI, such as an IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when an entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the entity and thus relates to the individual’s past, present, or future health or health care or payment for care.

Covered entities and business associates may have user-authenticated webpages, which require a patient to log in before they are able to access the webpage, such as a patient portal or a telehealth platform. Tracking technologies on an entity’s user-authenticated webpages generally have access to PHI. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. A regulated entity must configure any user-authenticated webpages that include tracking technologies so that those technologies only use and disclose PHI in compliance with the HIPAA Privacy Rule, and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule. This is why it is so important to work only with website companies that are familiar with the HIPAA Rules.

Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and must enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules. If a patient makes an appointment through the website of a covered entity and that website uses third-party tracking technologies, the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI, to the covered entity. The tracking technology vendor must implement administrative, physical, and technical safeguards in accordance with the Security Rule (encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.

Covered entities may also have webpages that do not require users to log in before accessing the information on the page; these are considered unauthenticated webpages. They may include general information about the practice or business, such as its location, the services it provides, or its policies and procedures. Tracking technologies on unauthenticated webpages generally do not have access to PHI, and in that case a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. If tracking technologies on unauthenticated webpages do have access to PHI, then the HIPAA Rules apply.

Examples of unauthenticated webpages where the HIPAA Rules apply include:

  • The login page of a patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages.
  • However, if the individual enters credential information on that login webpage or enters registration information (name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.
  • Tracking technologies on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the covered entity is disclosing PHI to the tracking technology vendor, and therefore, the HIPAA Rules apply.
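The practical first step behind the requirements above, for both authenticated portal pages and login or scheduling pages, is knowing which third parties a page actually sends requests to. The following script is an added example written for this article; it is not code from OCR’s bulletin or from the HIPAA Keeper product. It parses a page’s HTML with the Python standard library, lists every external script, image pixel, and iframe, and flags any host that is neither first-party nor on the list of vendors with a signed BAA. All host names and the sample HTML are constructed for illustration; a practice would substitute its own domains and its own BAA vendor list.

```python
"""Inventory third-party resources that could act as tracking technologies.

Added example for this article; it is not code from OCR's bulletin or from the
HIPAA Keeper product. It parses a page's HTML with the Python standard library,
lists every external script, image pixel and iframe, and flags hosts that are
neither first-party nor on the list of vendors with a signed BAA. All host
names and the sample HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the practice itself serves content from (constructed sample values).
FIRST_PARTY_HOSTS = {"portal.example-clinic.test", "www.example-clinic.test"}

# Tracking vendors with a signed BAA on file (constructed placeholder host).
BAA_COVERED_HOSTS = {"analytics.baa-vendor.test"}

# Elements that fetch a remote resource and are commonly used as trackers.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

NO_BAA = "third-party (no BAA on file: review or remove)"


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every element in RESOURCE_ATTRS that has a URL."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if url:
            self.resources.append((tag, url))


def classify_host(host):
    """Map a host to its relationship with the regulated entity."""
    if host in FIRST_PARTY_HOSTS:
        return "first-party"
    if host in BAA_COVERED_HOSTS:
        return "third-party (BAA on file)"
    return NO_BAA


def audit_page(html, page_host):
    """Return one finding per remote resource: tag, url, host, status.

    Relative URLs (no host part) resolve to page_host; protocol-relative
    "//host/path" URLs are handled by urlparse and yield the remote host.
    """
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = urlparse(url).netloc.lower() or page_host
        findings.append(
            {"tag": tag, "url": url, "host": host, "status": classify_host(host)}
        )
    return findings


def unapproved_hosts(html, page_host):
    """Sorted list of hosts that receive requests from the page but have no BAA."""
    return sorted(
        {f["host"] for f in audit_page(html, page_host) if f["status"] == NO_BAA}
    )


# Constructed sample: an authenticated portal page with one BAA-covered
# analytics script and one unvetted advertising script/pixel pair.
SAMPLE_HTML = """
<html><head>
<script src="/static/portal.js"></script>
<script src="https://analytics.baa-vendor.test/collect.js"></script>
<script src="//ads.unvetted-tracker.test/pixel.js"></script>
</head><body>
<img src="https://ads.unvetted-tracker.test/px.gif?uid=123" width="1" height="1">
<iframe src="https://www.example-clinic.test/scheduler"></iframe>
</body></html>
"""

if __name__ == "__main__":
    page = "portal.example-clinic.test"
    for f in audit_page(SAMPLE_HTML, page):
        print(f"{f['tag']:7} {f['host']:30} {f['status']}")
    print("Hosts needing a BAA or removal:", unapproved_hosts(SAMPLE_HTML, page))
```

Run against the constructed sample, the unvetted advertising host is the only one flagged. The same inventory, run over the HTML of each authenticated page, the login page, and any scheduling or symptom page, gives the list of vendors for which a BAA or a patient authorization must exist, or which must be removed. A static check like this does not see resources injected later by scripts at runtime, so it should be paired with a review of actual browser network traffic on those pages.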

Mobile apps that help patients manage their health information or pay bills collect a variety of information provided by the app user. This includes information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. This information is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses. Any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information may also be considered PHI. The HIPAA Rules apply to any PHI collected by a covered entity through a mobile app used by patients to track health-related variables, such as heart rate, menstrual cycle, or body temperature.

Mobile apps that are not developed or offered by regulated entities do not have to follow the HIPAA Rules when patients voluntarily download them or enter their information into them, regardless of where the information came from. For example, the HIPAA Rules do not apply to health information that a patient enters in a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from their medical record created by a regulated entity). In instances where the HIPAA Rules do not apply to such information, other laws may apply. For instance, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.

Again, covered entities and business associates are required to comply with the HIPAA Rules when using tracking technologies. The HIPAA Rules include the Privacy, Security, and Breach Notification requirements. Entities must ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that the minimum necessary standard is followed.

Websites may disclose the use of tracking technology in the website privacy policy or terms of use, but the Privacy Rule does not permit disclosure of PHI to tracking technology vendors based on this notice. Website banners asking patients to accept cookies or other tracking technology do not constitute a HIPAA authorization. If the technology vendor is not a business associate of the covered entity, then a patient authorization is required BEFORE the PHI is disclosed to the vendor. Any disclosure of PHI to the vendor without a patient’s authorization requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for the disclosure. If a covered entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide satisfactory written assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendor without a patient authorization.

A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty. Therefore, moving forward it will be necessary to ensure your business partners are HIPAA compliant.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://hipaakeeper.com/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Can a Medical Practitioner be sued for a HIPAA Violation or a Data Breach?

With so many data breaches in the news, many medical practitioners are asking whether they can be sued over a HIPAA violation or a data breach.

The HIPAA Rules provide no private right of action; therefore, a patient cannot sue for a HIPAA violation. That said, if there were privacy violations under state law, legal action may be possible. All states have their own privacy laws, which encompass more than just the healthcare sector. State privacy laws vary from state to state and define what is considered private information. HIPAA and state laws require covered entities to secure protected health information (PHI) with administrative, physical, and technical safeguards. Business associates and subcontractors are required to do the same.

If a patient wants to file a lawsuit, the patient must be able to prove negligence and that the violation or data breach caused harm. The Omnibus Rule removed the harm threshold for covered entities reporting data breaches, but a patient still has the right to claim harm. On another note, joining a class action lawsuit may make a stronger case. However, many class action lawsuits are filed based on exposure to future harm, and without evidence of actual harm the case may be weakened. This can be a costly endeavor, and patients should weigh what they hope to gain before taking legal action. Keep in mind, this is not a quick lawsuit. In the end, there is no guarantee of any monetary gain for the patient.

Many times, the practice can discuss the issues with the patient and avoid legal action altogether. It is recommended that if a practice has a disgruntled patient, the HIPAA privacy officer should talk to the patient if given the opportunity. Sometimes, an upset patient merely wants to be heard. Depending on the circumstances, the practice may be required to report the incident to the Department of Health and Human Services Office for Civil Rights (OCR).

If a patient feels that their protected health information has been compromised, they do have the right to file a complaint with the OCR. The complaint must be filed within 180 days of the incident; in some cases, an extension may be permitted. The complaint is reviewed to determine whether it is justifiable. If it is, the OCR will contact the practice and try to resolve the issue in the most suitable manner. This may include technical assistance, a resolution agreement, and/or ongoing compliance documentation. The average investigation timeline for a data breach is 1½ – 2 years, and more complex breaches may take even longer. The outcome of the investigation will depend on the severity and nature of the violation, whether it was a repeated offense, and the number of patients affected. Depending on the documentation of the incident and how it was handled, a practice may be able to avoid a desk audit. Remember, if it’s not documented, it does not exist. The patient may also file a complaint with the State Attorney General. Some complaints are referred to the Department of Justice (DOJ) if the investigation uncovers criminal violations. I hope this helps you to understand how important it is to keep patient data secure, and the documentation that demonstrates your efforts. If you have any questions on data security, how to handle a patient complaint, or how to handle a security incident, we are here to help.


Can a medical provider accept cash payments when a patient has insurance?

The Omnibus Rule, also known as the “Final” Rule, changed HIPAA in many ways. It gave HIPAA teeth and made business associates liable under the HIPAA Rules. I thought most medical providers had been made aware of the many changes, but it has come to my attention that many are not.

In this article we will discuss one of the confusing segments of the Omnibus Rule: the restriction on disclosures for items and services that a patient pays for out of pocket.

Under the Omnibus Rule, individuals have the right to obtain restrictions on the disclosure of their protected health information (PHI), in electronic or any other form, to a health plan for payment or health care operations for specific items and services that the individual has paid for out of pocket and in full. Such requests for restrictions must be granted by the practice unless the disclosure is “required by law.” More on this later in this article.

Medical practices should consider various methods for segmenting restricted PHI such as “flags,” subfolders within the chart, special notations in the record, or other ways to ensure the restricted PHI is not inadvertently disclosed to the health plan in the event of an audit.

Under the HIPAA Omnibus Rule, providers must ensure that patients are notified of this right in their Notice of Privacy Practices. There are other rights under the Omnibus Rule that must also be included, but we are not covering those in this article. The Notice of Privacy Practices must be placed in a prominent and accessible location (check-in/out window or waiting room) and posted to the practice’s website if it has one.

More about the restriction requirements…

HHS states that the provider should notify downstream providers that an individual has requested a restriction to a health plan. However, some practices use forms stating that the restriction applies only to this date of service and this specific appointment, that the practice cannot guarantee other providers will abide by it, and that the patient should contact those other providers directly.

Here is one example: a patient who is meeting with their primary physician requests a restriction on tests that will determine whether they have a heart condition. If the primary physician refers the patient to a cardiologist, it is the patient’s responsibility to request a restriction from the cardiologist if they wish to pay out of pocket. Although the primary physician would not be required to alert the cardiologist of the patient’s potential request for a restriction, it is recommended to do so where possible. Another option is to advise the patient directly that it is their obligation to request restrictions from subsequent providers.

As technology has progressed, patient requests for other restrictions should be reviewed to see whether the EHR can support them.

Restrictions and follow-up care…

If a patient has a restriction in place for a health care service but does not pay out of pocket for, or request a restriction on, the follow-up treatment, and the provider needs to include previously restricted information in the bill to the health plan in order to have the service deemed medically necessary or appropriate, then the provider is permitted to disclose that information so long as doing so is consistent with the provider’s minimum necessary policies and procedures. Such a disclosure would continue to be permitted for payment purposes and would not require the individual’s written authorization. However, it is encouraged to discuss this with the patient to ensure they are aware that previously restricted protected health information may be disclosed to the health plan unless they request an additional restriction and pay out of pocket for the follow-up care.

A patient may use their FSA or HSA to pay for health care items or services that they request to have restricted from another plan. However, the patient may not restrict the disclosure to the FSA or HSA that is necessary to carry out that payment.

Under Medicare rules, medical practices are required to produce medical records if audited. This is a condition of participation in Medicare, and practices are subject to the mandatory claim submission provisions of the Social Security Act (which require that if a physician charges a patient any remuneration for a service covered by Medicare, the physician or supplier must submit a claim to Medicare). The Omnibus Final Rule states that there is an exception to this requirement when the patient (or the patient’s legal representative) refuses, of their own free will, to authorize the submission of a bill to Medicare. In such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out-of-pocket payment for the service from the patient. The limits on what the provider may collect from the patient continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare. The provider must then restrict the disclosure of protected health information regarding the service to Medicare.

Bundled services…

Medical providers will need to discuss with the patient the provider’s ability to unbundle items or services and the impact of doing so, since the health plan may still be able to determine the restricted item or service. If the provider is able to unbundle the items or services, they should do so. If the provider is not able to unbundle the group of items or services, they should inform the patient and give them the opportunity to pay out of pocket for the entire group so that the disclosure can be restricted.

Restriction Forms…

Although HIPAA does not require a patient to complete a restriction form, it is recommended to use a Do-Not-File-Insurance or Self-Pay form. This informs patients of their rights and responsibilities and reminds staff of the restriction. The form would also notify the patient that the practice will ensure the information is not inadvertently disclosed to a health plan for payment or other health care operations purposes, such as audits by the health plan, unless the disclosure is required by law.

Medical practices may also consider including in the form that the restriction is void if payment for the services is not received in full or if the payment is dishonored due to an invalid credit card or check. It is recommended in these cases to reach out to the patient directly to seek payment before disclosing the information. If payment in full is not received, the practice is not required to abide by this disclosure restriction request and may file a claim with the patient’s health plan.

Impermissible disclosure consequences…

A practice that discloses restricted protected health information to the health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act, which, as with other impermissible disclosures, is subject to possible criminal penalties, civil monetary penalties, or corrective action.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Healthcare Cyber-Attacks on the Rise

Healthcare cyber-attacks are on the rise, and data breaches can cost a practice a fortune. It is no secret that patient data is valuable on the black market, and cyber criminals will try many different methods to gain access to it.

The Office for Civil Rights (OCR) stated in its Cybersecurity Newsletter that there was a 42% increase in cyber-attacks in the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. The number of data breaches in the health care sector also continues to rise. Breaches of unsecured protected health information (PHI), including ePHI, reported to the OCR and affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyber-attacks.

If you haven’t done so already, we recommend completing the Security Incident Procedures and Breach Notification Plan, and designating the individuals who make up your Security Response Team. Educate your team on identifying security incidents and how to respond to them. The quicker you can identify a threat, the sooner you can mitigate the issue.

Another item to have in place is your device inventory, so you can identify which devices may be affected. Your Contingency Plan contains a list of devices and software applications that you can use to determine which devices and applications need to be brought back online, and in what order. Your IT department or vendor will assist with this process.

If it has been determined that a breach of patient data has occurred, this must be reported to the OCR. Remember to follow your state law if it is more stringent.

As with all requirements under HIPAA, you must document your process. If it is not documented, it does not exist. If there are other areas that you have questions, please do not hesitate to contact us!


HIPAA and Emergencies – How to Respond

First, I hope that all of you and your loved ones are safe. Fiona and Ian have affected many places, and many have suffered so much. Prayers for all…

HIPAA Applies Only to Covered Entities and Business Associates

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. The HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information. Keep in mind, there may be other state or federal rules that apply.

HIPAA requires every healthcare facility and business associate to have a Contingency Plan in place. Disasters come in a variety of forms and place additional challenges on health care providers. Questions often arise about whether HIPAA permits sharing PHI with friends and family, public health officials, and emergency personnel. The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to help patients receive the care they need. Keep in mind that the HIPAA Privacy Rule is not suspended during a public health or other emergency; however, the Secretary of Health and Human Services may waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.

Under these circumstances, the Secretary also has the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • the requirement to honor a request to opt out of the facility directory.
  • the requirement to distribute a notice of privacy practices.
  • the patient’s right to request privacy restrictions.
  • the patient’s right to request confidential communications.

When the Secretary issues such a waiver, it only applies:

(1) in the emergency area and for the emergency period identified in the public health emergency declaration;

(2) to hospitals that have instituted a disaster protocol; and

(3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

HIPAA Privacy and Disclosures in Emergency Situations

Under the HIPAA Privacy Rule, a waiver is not required to share protected health information (PHI) for the following purposes and under the following conditions.

Treatment

Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Public Health Activities

The HIPAA Privacy Rule recognizes the need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed PHI without an authorization, for example:

  • To a public health authority. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. Examples include the Centers for Disease Control and Prevention (CDC) or a state or local health department.
  • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
  • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Minimum Necessary

A covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification

A covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.

  • The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.
  • If the person is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
  • For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

A covered entity may share PHI with disaster relief organizations, such as the American Red Cross, that are authorized by law to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care. A patient’s permission is not required in this situation if seeking it would interfere with the organization’s ability to respond to the emergency.

Imminent Danger

HIPAA expressly defers to the professional judgment of health care professionals in making determinations about the nature and severity of the threat to health or safety. Covered entities may share PHI with anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification

Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge that an individual is a patient at the facility and to provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released), if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient. Reports to the media about a specific patient, or the disclosure of specific information about the treatment of a specific patient, such as tests, test results, or details of a patient’s illness, may not be made without the patient’s written authorization (or the written authorization of a personal representative, who is a person legally authorized to make health care decisions for the patient).

Business Associates

A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.

Safeguarding Patient Information

In an emergency, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information. Safeguard all patient information as if it were your own.

If there are other areas about which you have questions, please do not hesitate to contact us!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Privacy Facts for Medical Offices

There has been some confusion about when and how to share patient information. I thought it might be a good time to review some of the facts from the HIPAA Privacy and Security Rules.

Here are some highlights:

  1. The Privacy Rule does not require a signed consent form before sharing information for treatment.
  2. Medical providers can share information for treatment purposes without a signed patient authorization.
  3. The Privacy Rule permits communication with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of safeguards to protect patient privacy. During your risk analysis you will have discovered how data flows in and out of your network so you can apply reasonable and appropriate safeguards.
  4. Medical providers may use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.
  5. HIPAA requires reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.
  6. Medical providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.
  7. The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line. Keep in mind traditional landlines are being replaced with Voice over Internet Protocol (VoIP) and mobile technologies that use the Internet, cellular, and Wi-Fi. Medical providers using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies.
  8. Medical providers must enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor is acting as a business associate.
  9. If using a telephone to communicate with patients, a BAA is not required with a TSP that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI.
  10. The Privacy Rule does not cut off all communications between medical providers and the families and friends of patients. If the patient does not object, you may:
    • share needed information with family, friends, or anyone else a patient identifies as involved in his/her care.
    • disclose information when needed to notify a family member or anyone responsible for the patient’s care about the patient’s location or general condition.
    • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.
  11. Medical providers may report child abuse or neglect to appropriate government authorities. 
  12. Patient right of access is another area that has been confusing for medical practices. When possible, you should obtain the request for medical records in writing. However, you may not require a patient to come to the office to complete the authorization if it would cause a hardship, or if they do not have access to email or a fax machine. You must still verify that the person requesting the information has the right to do so. You may do this by asking verification questions and/or calling them back at the number you have on file.


HIPAA changes and updates for 2022-2023

Since HIPAA’s inception there have been several updates over the years. As technology changes, so must some of the HIPAA rules. We have not seen any major changes since 2013, when the Omnibus Rule gave HIPAA teeth and enforcement became real.

During 2019 the United States Department of Health and Human Services (HHS) requested comments on 54 questions from providers. In December 2020 HHS issued a Notice of Proposed Rulemaking that outlined several changes to the HIPAA Privacy Rule based on the responses it received in 2019. In 2021 HHS again requested comments on the proposed HIPAA changes; however, the Final Rule has not been published yet.

The Office for Civil Rights (OCR) has been imposing many fines for violations of the HIPAA Right of Access when access to medical records in the designated record set is not provided in a timely manner. With these new proposed changes, the time frame may be reduced.

The proposed changes strengthen the requirements for providers to offer patients access to their PHI. This also includes data sharing between facilities, technology partners, and mobile apps. 

Some of these changes to HIPAA in 2022 are likely to be implemented, but it may take until 2023 for those changes to become enforceable. We will be updating our policies to reflect these changes. At that time, you will receive an email from Aris requesting to review and approve changes and/or new policies. It is suggested to review these changes and update your staff. Many of these changes will directly affect how they interact with your patients.

We are updating our HIPAA training to include the new rules to ensure all staff members understand these changes. We will be dividing the training into two sessions since there is so much to cover. One session will cover the Privacy Rule and the other session will discuss the Security Rule. This will help educate everyone on the new rules and protect your practice. 

The proposed updates to the HIPAA Privacy Rule are as follows:

  • strengthening individuals’ rights to inspect their PHI in person, which includes taking notes or capturing images of their PHI;
  • shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  • clarifying the form and format required for responding to individuals’ requests for their PHI, including when business associates are involved;
  • requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
  • reducing the identity verification burden on individuals exercising their access rights;
  • creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
  • requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
  • limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR; 
  • specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
  • amending the permissible fee structure for responding to requests to direct records to a third party; and
  • requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

  • Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
  • Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
  • Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
  • Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
  • Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
  • Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
  • Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
  • Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
  • Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

Effective and Compliance Dates

The effective date of a final rule would be 60 days after publication. Covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. The Department of Health and Human Services (HHS) previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions. 

HHS requested comment on whether the 180-day compliance period is sufficient for covered entities and business associates to revise existing policies and practices and complete training and implementation. For proposed modifications that would be difficult to accomplish within the 180-day timeframe, HHS requests information about the types of entities and proposed modifications that would necessitate a longer compliance period, how much longer such a compliance period would need to be to address such issues, as well as the complexity and scope of the changes and the impact on entities and individuals of a longer compliance period.

To give you some idea of how serious this can be, see below the tiered penalty structure:

Tier 1: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA and had reasonably tried to adhere to the HIPAA rules: $100 per violation, with an annual maximum of $25,000. 

Tier 2: HIPAA violation due to reasonable cause and should have been aware (but was not due to willful neglect), even with the HIPAA rules they had in place: $1,000 per violation, with an annual maximum of $100,000.

Tier 3: HIPAA violation due to willful neglect of the HIPAA rules, but violation is corrected within the required time period: $10,000 per violation, with an annual maximum of $250,000.

Tier 4: HIPAA violation is due to willful or wanton neglect and no attempt to correct: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA has teeth and the Office for Civil Rights (OCR) is heavily enforcing fines against violations. Let’s work together to avoid this! 


Data Breaches in Healthcare are Increasing

Since 2015 the number of data breaches in healthcare has been steadily rising. This includes medical offices, health plans, and business associates. These breaches range from unauthorized access, loss, and theft, but most result from hacking. The hacking incidents involved email, network servers, desktop computers, and electronic medical records. No office is immune. A system-wide HIPAA risk analysis is the first step in protecting your data. Modern technology helps us in many ways, but it is ever so important to keep up with data security. Many medical offices think that once their office is set up, they are set for life or at least “a while”. Technology is growing faster and faster, and you must be diligent to keep up. This is not a do-it-yourself job anymore!

Let’s look at some of the numbers from the reported data breaches affecting over 500 patient records:

  • January – July 2022: 380 breaches reported.
  • 2021: 457 still being investigated and 258 archived, a total of 715 reported.
  • 2020: 63 still being investigated and 601 archived, totaling 663.
  • 2019: 512 reported breaches.
  • 2018: 368.
  • 2017: 357.
  • 2016: 329.
  • 2015: 270.

I think it is important to note that the number of breaches is increasing each year. Now more than ever, anyone involved in healthcare must treat HIPAA compliance and data security as being as necessary as having insurance to protect your organization. Instead of being reactive to “when” this happens, being proactive can help keep it from happening.


Why it is so important to secure emails that contain PHI

We have advised our clients for years to transmit protected health information (PHI) only if it is encrypted. We have also recommended encryption for data at rest. With the rise of hacking, this has never been more important. There are many problems that can arise from compromised email accounts.

It only takes one employee’s email account being hacked, and the hacker can then view what the user has stored, who they communicate with, and who they communicate with only by email rather than in person. Let’s review each one:

  1. Contents of email. Of course, you do not want an unknown person reading your emails, but it is even worse if your email account contains PHI. The hacker can take that information, sell it, or even target your patients to gain more information.
  2. The hacker can also see who you are communicating with and now they can target your co-workers into giving them information by impersonating you.
  3. They also know who you only communicate with via email. This sets the stage for phone conversations, since that person does not know what you sound like. The hacker can request wire transfers, employee lists, or patient lists; what they are willing to request is limited only by their imagination.

These attacks may be aimed at financial gain, identity theft, or medical insurance theft. Regardless of the hackers’ motives, they all can be devastating to a practice. Just last year an Orlando practice had 4 email accounts compromised and over 447K patients were affected. When considering the methods to secure email accounts, you must also consider which devices are used to access email. This adds to the security requirements. A thorough risk analysis will uncover potential vulnerabilities and give you the opportunity to avoid a data breach.

That brings me to the next topic… if you don’t need to store it, DO NOT. If you can move the needed documentation to a secure server or your EHR, then do. If there isn’t a “need” to store patient information (or any sensitive information) in email, then remove it. This also applies to “old” patient records in databases or software. There is a reason behind medical record retention requirements, and when it is safe to dispose of medical records, then do! This too reduces your liability!


What does “Recognized Security Practices” mean?

We have talked in the past about the Office for Civil Rights conducting a minimum 12-month look-back at data security/HIPAA compliance efforts. If an organization suffers a breach, with proper documentation fines may be waived. This is known as “Recognized Security Practices”. Every organization will have different documentation based on its network configuration and how data flows in and out of its information systems. This isn’t really anything new, since data security requirements have been in place since the Security Rule was enacted. There have been updates over the last few years, and new revisions require covered entities and business associates to document their efforts now more than ever (see NIST SP 800-66 Rev. 2).

This includes ensuring your policies and procedures are documented and followed by your staff. Our online system makes this task much easier by enabling the HIPAA compliance officer to download and share certain policies for employees to review. Plus, the confidentiality and acceptable use agreement that is signed via DocuSign demonstrates you have advised your employees that they must follow your policies and procedures.

Another part of this documentation should be reports from your IT department/vendor. Again, depending on how you access ePHI (electronic protected health information), reports will vary from practice to practice. Some suggested reports are:

  1. Managed devices. You can use this as your inventory list instead of completing the list in your package. However, we still recommend documenting which devices have been used to access and/or store ePHI.
  2. The managed device report may contain operating systems, patches/updates that have been applied, IP addresses, user IDs, and device names. All of this is useful information, and if the report does not contain it, you need to look for another report.
  3. Software lists are very important since you can see if any employee has downloaded unauthorized software or if a computer has been compromised.
  4. Device health reports typically include anti-virus status and last login; some also record failed logins, or that may be in a different report. These are must-have reports.
  5. Access logs may be located within the software the IT vendor utilizes to manage your network, within your domain controller, and within your EHR/PM software. These reports must be reviewed to ensure employees are only accessing ePHI based on their job function and to look for outside intrusions.
  6. Backup reports should demonstrate when backups are performed and to ensure they are successful.
  7. Summary reports are useful, but you must make sure you review them, and they can be lengthy.
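As an added example (not code from Aris or this post) of the review described in items 4 and 5 above, the script below checks a constructed EHR/PM access log against each employee’s job function and flags bursts of failed logins. The log format, the role-to-record-type mapping, and the user names are all assumptions for illustration.

```python
"""Added example: review an ePHI access log for out-of-role access and
failed-login bursts. Log format, roles and users are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: which ePHI record types each job function is permitted to open.
ROLE_PERMISSIONS = {
    "billing": {"claims", "demographics"},
    "nurse": {"demographics", "clinical_notes", "labs"},
    "front_desk": {"demographics", "scheduling"},
}

# Assumed: which job function each user holds. Unknown users get no permissions.
USER_ROLES = {"jdoe": "billing", "asmith": "nurse", "rlee": "front_desk"}

# Constructed sample log: timestamp, user, action, record type, patient id.
SAMPLE_LOG = """\
2024-03-04T08:01:10 jdoe LOGIN_OK - -
2024-03-04T08:02:33 jdoe VIEW claims P1001
2024-03-04T08:05:12 jdoe VIEW clinical_notes P1001
2024-03-04T08:06:00 asmith LOGIN_OK - -
2024-03-04T08:07:45 asmith VIEW labs P1002
2024-03-04T22:10:01 unknown LOGIN_FAIL - -
2024-03-04T22:10:04 unknown LOGIN_FAIL - -
2024-03-04T22:10:07 unknown LOGIN_FAIL - -
2024-03-04T22:10:09 unknown LOGIN_FAIL - -
2024-03-04T22:10:12 unknown LOGIN_FAIL - -
2024-03-05T09:00:00 rlee LOGIN_OK - -
2024-03-05T09:01:30 rlee VIEW scheduling P1003
"""


def parse_log(text):
    """Split each whitespace-separated log line into an event dict."""
    events = []
    for line in text.splitlines():
        ts, user, action, record_type, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record_type": record_type,
                       "patient": patient})
    return events


def find_out_of_role_access(events):
    """Return (user, record_type, patient) for VIEWs outside the user's job function."""
    findings = []
    for e in events:
        if e["action"] != "VIEW":
            continue
        allowed = ROLE_PERMISSIONS.get(USER_ROLES.get(e["user"]), set())
        if e["record_type"] not in allowed:
            findings.append((e["user"], e["record_type"], e["patient"]))
    return findings


def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return users with at least `threshold` LOGIN_FAIL events inside one `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = []
    for user, stamps in fails.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive failures and compare its span.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Out-of-role ePHI access:", find_out_of_role_access(evs))
    print("Failed-login bursts:", find_failed_login_bursts(evs))
```

Running it reports the billing user opening clinical notes and the burst of failed logins from an account that holds no job function; both are items a reviewer would follow up on.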

There are times when certain devices cannot be updated or upgraded due to the nature of the equipment and the cost of doing so. This would not necessarily be a violation if you can demonstrate other means of protecting your system, for example removing the outdated equipment from internet access or placing it on a separate network so it cannot be reached from other devices that contain ePHI. Your IT vendor should be able to guide you through the proper process based on your particular network.

Annual audits by a third party are highly recommended unless your IT vendor specializes in network security. Often, these two types of companies work well together: the IT vendor handles the day-to-day operations, and the network security company hardens the systems.

Some organizations complain that this costs too much money. Trust me, this is much less expensive than a data breach. Plus, if you plan on obtaining cyber liability insurance, carriers are now asking detailed questions about data security and compliance efforts. If you do have a data breach and you do not have “qualified documentation”, your claim could be denied. Of course, the term “qualified documentation” is open to interpretation. They do have an outlandish wish list from what I have seen. Although I have always been a proponent of this insurance, I am starting to believe unless you already have a policy, you may not be able to obtain one. If you do apply now, you will need to have HEAVY data security in place. Which you should have anyway!


©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy