Healthcare cyber-attacks are on the rise and data breaches can cost a practice a fortune. It is no secret that patient data is valuable on the black market. Cyber criminals will try many different methods to gain access to this data.
The Office for Civil Rights (OCR) stated in their Cybersecurity Newsletter that there has been a 42% increase in cyber-attacks for the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. The number of data breaches occurring in the health care sector also continue to rise. Breaches of unsecured protected health information (PHI), including ePHI, reported to the OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.
If you haven’t done so already, we recommend completing the Security Incident Procedures and Breach Notification Plan. You should add those responsible for your Security Response Team. Educate your team on identifying security incidents and how to respond to them. The quicker you can identify a threat, the sooner you can mitigate the issue.
Another area to ensure that you have in place is your inventory list to ensure you can locate which devices may be affected. In your Contingency Plan, there is a list of devices and software applications that you can use to determine which devices/applications that will need to be brought online in which order. Your IT department/vendor will assist with this process.
If it has been determined that a breach of patient data has occurred, this must be reported to the OCR. Remember to follow your state law if it is more stringent.
As with all requirements under HIPAA, you must document your process. If it is not documented, it does not exist. If there are other areas that you have questions, please do not hesitate to contact us!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”
First, I hope that all of you and your loved ones are safe. Fiona and Ian have affected many places, and many have suffered so much. Prayers for all…
HIPAA Applies Only to Covered Entities and Business Associates
The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. The HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information. Keep in mind, there may be other state or federal rules that apply.
HIPAA requires every healthcare facility and business associate to have a Contingency plan in place. Disasters come in a variety of circumstances and additional challenges on health care providers. Questions often arise about the HIPAA regulations to share PHI with friends and family, public health officials, and emergency personnel. The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. Keep in mind the HIPAA Privacy Rule is not suspended during a public health or other emergency, however, the Secretary of Health and Human Services may waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.
Under these circumstances, the Secretary also has the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
the requirement to honor a request to opt out of the facility directory.
the requirement to distribute a notice of privacy practices.
the patient’s right to request privacy restrictions.
the patient’s right to request confidential communications.
When the Secretary issues such a waiver, it only applies:
(1) in the emergency area and for the emergency period identified in the public health emergency declaration
(2) to hospitals that have instituted a disaster protocol
(3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.
HIPAA Privacy and Disclosures in Emergency Situations
Under the HIPAA Privacy Rule, a waiver is not required to share protected health information (PHI) for the following purposes and under the following conditions.
Treatment
Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.
Public Health Activities
The HIPAA Privacy Rule recognizes the need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed PHI without an authorization, for example:
To a public health authority, A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. For example: Centers for Disease Control and Prevention (CDC) or a state or local health department.
At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
Minimum Necessary
A covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish thepurpose.
Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
A covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.
The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.
If the person is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.
A covered entity may share PHI with disaster relief organizations such as the American Red Cross, that are authorized by law to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care. A patient’s permission is not required in this situation if doing so would interfere with the organization’s ability to respond to the emergency.
Imminent Danger
HIPAA expressly defers to the professional judgment of health care professionals in making determinations about the nature and severity of the threat to health or safety. Covered entities may share PHI with anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification
Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient. Reports to the media about an specific patient, or the disclosure of specific information about treatment of a specific patient, such as tests, test results, or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative, who is a person legally authorized to make health care decisions for the patient).
Business Associates
A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
Safeguarding Patient Information
In an emergency, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information. Safeguard all patient information as if it were your own.
If there are other areas that you have questions, please do not hesitate to contact us!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
When it comes to planning for a disaster, most people think “that won’t happen to me”. Under HIPAA, you are required to ensure the integrity, confidentiality, and available of ePHI. When creating your contingency plan, it is necessary to review what natural disasters could happen in your area, how would you handle a hacking incident, and what precautions do you have in place to protect your facility from theft? The idea is to have a “plan” in place for whatever may happen.
The Contingency Plan § 164.308(a)(7) standard has five implementation sections, three are required and two are addressable. Remember, addressable does not mean optional. Addressable gives the entity some flexibility on how to implement the requirements.
164.308(a)(7)(ii)(A) Data Backup Plan (R)
Most covered entities may have backup procedures as part of current business practices. Data backup plans are an important safeguard for all covered entities, and a required implementation specification. “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)
When it comes to disaster recovery planning, your plan may differ from others. Be sure your plan is based on where your data is located. Review where your data is located. Is it in a cloud-based or a premise (onsite) system? Although the majority of your ePHI may be in your EHR, you may have certain programs or files that are critical to business continuity that should also be backed up.
“Establish (and implement as needed) procedures to restore any loss of data.” Some organizations may already have a general Disaster Plan that meets this requirement; however, each entity must review the current plan to ensure that it allows them to recover ePHI.
164.308(a)(7)(ii)(C) Emergency Mode Operation Plan (R)
When an organization is operating in emergency mode due to a technical failure or power outage, security processes to protect ePHI must be maintained. “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”
An emergency mode operation plan should include procedures to enable continued operations in the event of a natural disaster, fire, flood, vandalism, or a system failure while still protecting the facility and the electronic data. This may include budgeting for and scheduling outside resources.
For example:
Does the plan include a list of different types of emergencies and how to react to them?
Would your organization need a temporary location, or would you be able to use one of your other locations?
Does your organization have reasonable arrangements with your IT vendor to ensure critical systems are back up and running in an appropriate time frame?
Has your organization created an emergency process that includes procedures that can be accomplished manually that is critical to patient care and business continuity?
Has your organization secured a contract with a security company to protect the facility in the event of severe damage to the building?
Has your organization considered agreements with suppliers to provide equipment or considered a backup power source?
Has your organization created a budget and allocated for the extra expenses should an emergency arise?
164.308(a)(7)(ii)(D) Testing and Revision Procedures (A)
Where the testing and revision procedures implementation specification is a reasonable and appropriate safeguard the entity must: “Implement procedures for periodic testing and revision of contingency plans.” It is important to point out that this implementation specification applies to all implementation specifications under the Contingency Plan Standard, including the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan.
164.308(a)(7)(ii)(E) Applications and Data Criticality Analysis (A)
“Assess the relative criticality of specific applications and data in support of other contingency plan components.”
This implementation specification requires entities to identify their software applications (data applications that store, maintain or transmit ePHI) and determine how important each is to patient care or business needs, in order to prioritize for Data Backup, Disaster Recovery and/or Emergency Mode Operations Plans. A prioritized list of specific applications and data will help determine which applications or information systems be restored first and/or which must be available at all times.
In our 7 Simple-Steps to HIPAA Compliance package, we have included an outline to assist clients in completing their Contingency Plan. You may also request a plan from your IT vendor to assist you as well. Try to think outside the box to ensure all bases are covered.
If you need assistance with your HIPAA Contingency Plan or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
