Another Phishing Attack results in a $600,000 settlement

PIH Health, Inc. (PIH), a California health care network, has agreed to pay the OCR $600,000. The violations stem from an email phishing attack that exposed unsecured electronic protected health information (ePHI).

The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”

Under the terms of the resolution agreement, PIH has paid a $600,000 settlement to OCR and has agreed to implement a corrective action plan that will be monitored by OCR for two years. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

Phishing attacks continue to pose a significant threat to the healthcare industry, exploiting human error to gain unauthorized access to sensitive patient data. These attacks typically involve deceptive emails or messages that trick staff into revealing login credentials, clicking malicious links, or downloading malware.

Due to the high value of protected health information (PHI) on the black market, healthcare organizations are prime targets for cybercriminals. Successful phishing breaches can lead to widespread data exposure, operational disruption, regulatory penalties, and loss of patient trust.

In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has intensified enforcement actions against healthcare entities that fail to implement adequate phishing defenses, such as employee training, risk assessments, and email security tools. As phishing tactics grow more sophisticated, healthcare organizations must prioritize a layered cybersecurity approach to protect against these persistent threats.

Securing email accounts is critically important, especially in sectors like healthcare, where sensitive information is routinely exchanged. Email is often the gateway to an organization’s internal systems and can serve as a direct path for cybercriminals to access protected health information (PHI), financial data, and other confidential content. Unsecured email accounts are particularly vulnerable to phishing attacks, credential theft, and unauthorized access, all of which can lead to data breaches, regulatory fines, and reputational damage.

What to do to prevent a Breach?

Implementing strong passwords, multi-factor authentication (MFA), encryption, and regular staff training are essential steps in safeguarding email communications. By fortifying email security, organizations not only reduce the risk of cyberattacks but also demonstrate a proactive commitment to protecting patient and organizational data.

OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes regularly.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

UPDATE on Online Tracking Technology

The Health Insurance Portability and Accountability Act (HIPAA) has long served as a cornerstone in protecting the privacy and security of individuals’ health information. As digital technology continues to evolve, so do the ways in which health data can be collected, shared, and potentially exposed. Recently, there have been significant updates concerning the use of online tracking technologies—such as cookies, web beacons, and pixels—particularly when used by HIPAA-covered entities and their business associates. These updates clarify how existing HIPAA regulations apply in the digital landscape, emphasizing the need for transparency, patient consent, and robust safeguards when handling protected health information (PHI) online.

These updates may be good news for healthcare

A federal judge in Texas ruled that the use of third-party online tracking technologies on hospitals’ public-facing web pages was unlawful. District Judge Mark Pittman in Texas sided with the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System in his ruling that found the Department of Health and Human Services overstepped its authority with the 2022 guidance.

The lawsuit specifically argues that HHS expanded HIPAA’s definition of “individually identifiable health information” beyond its statutory authority. Also, it calls for the portion of OCR’s guidance addressing unauthenticated web pages to be invalidated.

This past March, HHS updated its guidance on the use of third-party web trackers to exclude certain types of website visits from meeting its criteria for protected health information (PHI) disclosures. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in his ruling.

Keep in mind, this milestone verdict was won by hospitals and larger entities, which have far more financial strength than small to medium sized practices.

HHS / OCR back tracks and updates guidance

On March 18, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released updated guidance on the use of online tracking technologies by HIPAA-covered entities and their business associates. This update clarifies how HIPAA applies to tools like cookies, pixels, and web beacons used on websites and mobile apps.

Key Points from the Updated Guidance:

  1. Definition of PHI in Online Tracking: OCR emphasizes that individually identifiable health information (IIHI) collected through tracking technologies is considered protected health information (PHI) under HIPAA. This includes data such as IP addresses, device identifiers, and browsing behavior when linked to an individual’s health care or payment for health care. Even if the individual does not have an existing relationship with the entity, such information is still regarded as PHI.
  2. Use on Authenticated and Unauthenticated Webpages: The guidance distinguishes between authenticated webpages (requiring user login) and unauthenticated webpages. For authenticated pages, any tracking technology that collects PHI must comply with HIPAA regulations. For unauthenticated pages, if the information collected can be linked to an individual’s health care or payment, it is also considered PHI.
  3. Business Associate Agreements (BAAs): Disclosing PHI to third-party tracking technology vendors without a valid HIPAA authorization or a business associate agreement (BAA) is considered a HIPAA violation. Entities must ensure that any sharing of PHI complies with HIPAA’s Privacy Rule requirements.
  4. Enforcement and Compliance: OCR has indicated that it will prioritize compliance with the HIPAA Security Rule in investigations related to online tracking technologies. Covered entities are advised to conduct thorough risk assessments, train staff, and implement appropriate technical safeguards to ensure compliance.

This updated guidance underscores the importance of safeguarding PHI in the digital realm. HIPAA-regulated entities must carefully assess their use of online tracking technologies, ensuring compliance with privacy regulations to protect patient information.

Google Analytics

Removing Protected Health Information (PHI) from Google Analytics is a critical step for HIPAA-covered entities to ensure compliance with privacy regulations. Since Google Analytics is not a HIPAA-compliant service and does not sign Business Associate Agreements (BAAs), any transmission of PHI through its platform constitutes a HIPAA violation. To avoid this, organizations must take proactive measures to prevent PHI—such as names, IP addresses, medical conditions, appointment details, or any data that can be tied to an individual’s health—from being captured by tracking scripts. This often involves disabling data collection on sensitive pages, using robust filtering techniques to scrub URLs of identifiable information, and configuring analytics tools to anonymize IP addresses and exclude user-specific identifiers.

By auditing their tracking implementations and employing privacy-centric alternatives, healthcare organizations can maintain valuable analytics insights without compromising patient privacy.
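As an added illustration of the measures described above (this is example code, not part of the original article and not Google's or any vendor's API), the following browser-side guard runs before a third-party analytics script is initialized. It refuses to report page views on paths that are likely to carry PHI, and for the pages it does report, it scrubs identifying query parameters and record-like path segments out of the URL that would otherwise be sent as the page location. The path prefixes, parameter names, and the `analyticsPayload` shape are hypothetical and must be adapted to the real site and analytics tool.

```javascript
// Added example: a pre-analytics guard for a healthcare website.
// Path prefixes, parameter names and payload shape are hypothetical.

// Pages that require login or that relate to a health condition, search or
// appointment flow are treated as PHI-bearing and are never reported.
const SENSITIVE_PATH_PREFIXES = [
  '/portal', '/login', '/register', '/appointments', '/conditions', '/telehealth',
];

// Query parameters that commonly carry identifiers (assumed names).
const IDENTIFYING_PARAMS = new Set([
  'email', 'name', 'dob', 'mrn', 'patient_id', 'phone', 'ssn', 'q',
]);

// A path segment that is a long number, a long hex string or a UUID is
// treated as a record identifier and masked.
const RECORD_LIKE_SEGMENT = /^(\d{4,}|[0-9a-f-]{20,})$/i;

function isSensitivePath(pathname) {
  const p = pathname.toLowerCase();
  return SENSITIVE_PATH_PREFIXES.some(
    (prefix) => p === prefix || p.startsWith(prefix + '/'),
  );
}

// Returns a copy of the URL with identifying query parameters removed,
// record-like path segments replaced by "_id_", and the fragment dropped.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (!IDENTIFYING_PARAMS.has(key.toLowerCase())) kept.append(key, value);
  }
  const path = url.pathname
    .split('/')
    .map((seg) => (RECORD_LIKE_SEGMENT.test(seg) ? '_id_' : seg))
    .join('/');
  const query = kept.toString();
  // Rebuild explicitly so no stray "?" or "#" survives.
  return url.origin + path + (query ? '?' + query : '');
}

// Builds the page-view payload the analytics script would receive, or null
// when the page must not be reported at all.
function analyticsPayload(rawUrl) {
  const url = new URL(rawUrl);
  if (isSensitivePath(url.pathname)) return null;
  return { page_location: scrubUrl(rawUrl) };
}

// Constructed sample URLs for a stand-alone run (hypothetical host).
if (typeof window === 'undefined') {
  for (const u of [
    'https://clinic.example/about?utm_source=newsletter',
    'https://clinic.example/providers/12345?email=jane%40example.org',
    'https://clinic.example/appointments/search?q=cardiology',
  ]) {
    console.log(u, '=>', JSON.stringify(analyticsPayload(u)));
  }
}
```

In a real deployment the payload (or null) decides whether the analytics initialization call is made at all; a guard that only scrubs URLs but still loads the tag on the portal or login page would still leak the visitor's presence on that page, which is why the path check comes first.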

Analytics Alternatives

There are some Google Analytics alternatives, but not all of them give prices. When searching for these services, be very careful. Nefarious characters are going to try and trick you into offering a too good to be true service. Criminals are looking for new ways to gain access to patient data.

Let us know if you would like us to review any particular service or if you have any questions. We are here to help!

Feel free to share this article with your colleagues. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant! Best of all, you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

The OCR and FTC are investigating online tracking technologies

We wrote about this back in December 2022, but the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have added an additional warning. The OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA. The use of online tracking technologies and HIPAA requirements must be reviewed on all medical websites.

The OCR and the FTC are cautioning providers about the privacy and security risks when utilizing online tracking technologies. These may be integrated into websites or mobile apps. Depending on how they are created and set up, these technologies may be disclosing personal health information to third parties. Tracking technologies collect and analyze information when visitors use websites or apps. Most of the time, this information is shared directly with third parties, and the technology may even track the visitor after they navigate away from the website or app.

Online tracking technology can be used for good, but patients should not have to sacrifice their personal information in the process. The OCR and FTC sent letters to 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of these technologies, such as the Meta/Facebook pixel and Google Analytics. These are just a couple that are known to track a user’s online activities. These tracking technologies gather identifiable information about visitors, usually without their knowledge.

The minimum necessary rule must be followed even with modern technology. This means only the minimum necessary information can be shared to complete the task, nothing more. The OCR enforces the HIPAA rules and will review all aspects of your compliance if they receive a complaint, or if you have a data breach. 

The FTC’s role is protecting the public from deceptive or unfair business practices. This includes unfair methods of competition, promotion, research, and education. Through FTC’s recent enforcement actions against BetterHelp, GoodRx, and Premom, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. When working with a website designer or marketing group, be sure to fully vet them for their HIPAA compliance efforts, even if they have worked with other medical practices. Being HIPAA compliant is more complicated now with all the modern technology, and they must jump through the same hoops as a medical practice. Just because they say it will help you with your practice doesn’t mean it is acceptable under the HIPAA rules. Trust but verify!

Aris Medical Solutions has an online system called the HIPAA Keeper™, to help covered entities and business associates get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about actual HIPAA fines, click on our Education tab!

Business Associate fined for a data breach UNDER 500 patient records

Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.

Covered entities are responsible for vetting their business associates. This includes making sure they understand the HIPAA rules, such as conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper System!

Do not be afraid to ask who conducted their last risk analysis and when it was last updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.

iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers, has paid $75,000 to OCR and has agreed to implement a corrective action plan.

Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

  • Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
  • Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!

Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about other actual fines, click on our Education tab!

HIPAA Requirements for Online Tracking from OCR

The Office for Civil Rights (OCR) has issued a bulletin to remind covered entities and business associates of their obligations under HIPAA when using online tracking technology. These technologies include but are not limited to Google Analytics, Meta Pixel, Cookies, and QR codes.

Covered entities regularly share electronic protected health information (ePHI) with some of these tracking vendors. Some may be doing so in violation of HIPAA. Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

Tracking technologies are used to collect and analyze information about how patients interact with websites and/or mobile applications (“apps”). If a covered entity or business associate utilizes a technology partner to analyze interactions or to disclose tracking information as part of their health care operations, the HIPAA rules will apply when the information that is collected contains protected health information (PHI). If your organization collects sensitive information with an online tracking vendor, such sharing may be considered an impermissible disclosure. Another example of a HIPAA violation would be disclosure of PHI to a tracking company for marketing purposes without a patient’s authorization.

Tracking technology is a script or code on a website or mobile app that is used to gather information about users as they interact with the website or mobile app. The information is then analyzed by the owners of the website or mobile app. Some third parties may also be used to analyze the data to create insights about users’ online activities. These insights could be used in beneficial ways, such as to help improve care or the patient experience. However, this tracking information could also be misused and lead to identity theft, stalking, and harassment.

Disclosures include a variety of information that is shared through tracking technologies on a website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use websites or mobile apps. This information could include a patient’s medical record number, home or email address, or dates of services, as well as an individual’s IP address or geographic location, or medical device IDs. All such IIHI collected on a website or mobile app generally is PHI, even if the individual does not have an existing relationship with the entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when an entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the entity and thus relates to the individual’s past, present, or future health or health care or payment for care.

Covered entities and business associates may have user-authenticated webpages, which require a patient to log in before they are able to access the webpage, such as a patient portal or a telehealth platform. Tracking technologies on an entity’s user-authenticated webpages generally have access to PHI. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow those technologies to use and disclose PHI only in compliance with the HIPAA Privacy Rule, and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule. This is why it is so important to only work with website companies that are familiar with the HIPAA rules.

Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules. If a patient makes an appointment through the website of a covered entity and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI to the covered entity. The tracking technology vendor must implement administrative, physical, and technical safeguards in accordance with the Security Rule (encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.

Covered entities may also have webpages that do not require users to log in before the patient can access the information on the webpage; these are considered unauthenticated webpages. They may include general information about the practice or business, like its location, the services it provides, or its policies and procedures. Tracking technologies on unauthenticated webpages generally do not have access to PHI. In that case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. If tracking technologies on unauthenticated webpages do have access to PHI, then the HIPAA Rules apply.

Examples of unauthenticated webpages where the HIPAA Rules apply include:

  • The login page of a patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages.
  • However, if the individual enters credential information on that login webpage or enters registration information (name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.
  • Tracking technologies on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the covered entity is disclosing PHI to the tracking technology vendor, and therefore, the HIPAA Rules apply.

Mobile apps that help patients manage their health information or pay bills collect a variety of information that is provided by the app user. This includes information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. This information is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses. Any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information may also be considered disclosures of PHI. The HIPAA Rules apply to any PHI collected by a covered entity through a mobile app used by patients to track health-related variables, such as heart rate, menstrual cycle, or body temperature.

Mobile apps that are not developed or offered by regulated entities, into which patients voluntarily enter their information, do not have to follow the HIPAA Rules, regardless of where the information came from. For example, the HIPAA Rules do not apply to health information that a patient enters in a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from their medical record created by a regulated entity). In instances where the HIPAA Rules do not apply to such information, other laws may apply. For instance, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.

Again, covered entities and business associates are required to comply with the HIPAA Rules when using tracking technologies. The HIPAA Rules include the HIPAA Privacy, Security, and Breach Notification requirements. Entities must ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that the minimum necessary rule is followed.

Websites may disclose the use of tracking technology in the website privacy policy or terms of use, but the Privacy Rule does not permit disclosure of PHI to tracking technology vendors based on this notice. Website banners asking patients to accept cookies or other tracking technology do not constitute a HIPAA authorization. If the technology vendor is not a business associate of the covered entity, then a patient authorization is required BEFORE the PHI is disclosed to the vendor. Any disclosure of PHI to the vendor without a patient’s authorization requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for the disclosure. If a covered entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendor without a patient authorization.

A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty. Therefore, moving forward it will be necessary to ensure your business partners are HIPAA compliant.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://hipaakeeper.com/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Can a Medical Practitioner be sued for a HIPAA Violation or a Data Breach?

With so many data breaches in the news many medical practitioners are asking if they can be sued over HIPAA violations or from a data breach.

HIPAA rules state there is no private right of action; therefore, a patient cannot sue for a HIPAA violation. With that said, if there were privacy violations under state law, legal action may be taken. All states have their own set of privacy laws that encompass more than just the healthcare sector. State privacy laws vary from state to state and define what is considered private information. HIPAA and state laws require covered entities to secure protected health information (PHI) with administrative, physical, and technical safeguards. Business associates and subcontractors are required to do the same.

If a patient wants to file a lawsuit, the patient must be able to prove negligence and that the violation or data breach caused harm. The Omnibus Rule removed the harm threshold when it came to covered entities reporting data breaches, but a patient has the right to claim harm. On another note, if a patient joins a class action lawsuit, it may make a stronger case. However, many class action lawsuits are filed based on exposure to future harm, and without evidence of actual harm the case may be weakened. This can be a costly endeavor, and patients should consider this and review what they hope to gain before taking legal action. Keep in mind, this is not a quick lawsuit. In the end, there is no guarantee of any monetary gain for the patient.

Many times, the practice can discuss the issues with the patient and avoid legal action altogether. It is recommended that if a practice has a disgruntled patient, the HIPAA privacy officer should talk to the patient if given the opportunity. Sometimes, an upset patient merely wants to be heard. Depending on the circumstances, the practice may be required to report the incident to the Department of Health and Human Services Office for Civil Rights (OCR).

If a patient feels as though their protected health information has been violated, they do have the right to file a complaint with the OCR. The complaint from the patient must be filed within 180 days of the incident. In some cases, an extension may be permitted. The complaint is reviewed to determine if it is justifiable. If it is, then the OCR will contact the practice and try to resolve the issue in the most suitable manner. This may include technical assistance, a resolution agreement, and/or ongoing compliance documentation. The average investigation timeline for a data breach takes 1½ – 2 years. Of course, for more complex breaches, it may take even longer. The outcome of the investigation will depend on the severity and nature of the violation, if this was a repeated offense, and the number of patients affected. Depending on the documentation of the incident and how it was handled, a practice may be able to avoid a desk audit. Remember, if it’s not documented, it does not exist. The patient may also file a complaint with the State Attorney General. Some complaints are referred to the Department of Justice (DOJ) if the investigation results in criminal violations. I hope this helps you to understand how important it is to keep patient data secure, and the documentation that demonstrates your efforts. If you have any questions on data security, how to handle a patient complaint, or how to handle a security incident, we are here to help.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cosmetic Practice Fined – No one is immune from HIPAA

April 15, 2021

By Suze Shaffer | Aris Medical Solutions

Recently, a cosmetic practice paid $30,000 to settle potential HIPAA Privacy Rule violations. In the past, many practices believed that if they did not accept insurance payments (considered a "transaction" under HIPAA), they were immune from the Privacy Rule. That is not necessarily the case: the rule's list of covered transactions includes "Other transactions that the Secretary may prescribe by regulation." HIPAA compliance is a balancing act; are you willing to lose $30K of your hard-earned money to test the system?

This investigation started with a complaint from a patient who had requested their medical records and did not receive them in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient's request for access no later than 30 calendar days after receiving the request. If the covered entity cannot act within that timeframe, it may take up to one additional 30-day period, provided it gives the individual, within the initial 30 days, a written statement of the reason for the delay and the date by which it will complete action on the request. See 45 CFR §164.524(b)(2). Unfortunately for this practice, the request was not handled in a timely manner, and an investigation was launched.

Let us review how this happens.

Once a complaint is filed with the Office for Civil Rights (OCR), OCR determines whether the complaint falls within its authority to investigate. Once an investigation has been opened, OCR contacts the practice for its documentation surrounding the incident. The documentation submitted determines whether a desk audit is warranted. This is why documentation is SO important: you may be able to avoid a desk audit if you supply the appropriate documents.

During a desk audit, you will more than likely be asked for documentation of the preventive measures you had in place before the incident and of what you have implemented to prevent it from happening again. While you are being investigated, OCR may also review your compliance in other areas, and if they find deficiencies you could be fined for those as well. HIPAA encompasses a large range of requirements: patient privacy, patient rights, and data security, to name a few. I will not go into detail in this notification since we cover the Security Rule requirements in other messages.

Each resolution agreement issued by HHS/OCR outlines the deficiencies uncovered. Most cite the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. In this investigation, other violations were uncovered as well, and the resolution agreement also cited Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a).

From this, I hope you can understand the importance of HIPAA compliance, because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security are as important as caring for your patients. As this case shows, any entity that holds patient data can be investigated and fined for violations under HIPAA.

Tell your friends and colleagues, so that everyone understands that no one who holds patient data is immune from HIPAA. Fines are fierce, and it is not worth taking a chance by thinking "it won't happen to me".

If you need assistance with HIPAA Training, Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form. 


“Simplifying HIPAA through Partnership, Education, and Support” 

Responsibilities of a HIPAA Compliance Officer

While the nation was shut down and people were suffering, hackers were busy at work. It is coming to light how many organizations have had a data breach or have been hit with ransomware.

Now more than ever, all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated that cybercrime in 2020 has already surpassed 2019, and we still have a few months to go. The problem is that attackers have become very sophisticated. Whereas it used to be easy to spot a fake email, that is no longer the case. Through email and text messages they are gaining access to our information, and we are the ones permitting it. Compromised user credentials are also used to gain access to your network or to send fraudulent emails that gather personal information. These scams typically involve a criminal who has taken over a legitimate email account. For example, a person receives a message that appears to come from someone within their organization or from a business associate they know. The message requests a payment, a wire transfer, a gift card purchase, or even a list of employees with Social Security numbers, and it looks legitimate. The compliance officer should be notified, and the request verified through a separate channel (for example, a phone call to a number already on file, not one taken from the email), BEFORE the transaction is completed. Every office needs to have a verification process in place before releasing ANY data.

We have said this before: if a stranger walked up to you and asked you to verify your identity, would you give them any information? Of course not, but that is exactly what we are doing when we act on an email or text message that appears to come from someone, or somewhere, we trust. Trust, but verify.

With more and more people working remotely, that brings us to another vulnerability: your vendors. Covered entities that use the services of business associates are required by HIPAA to ensure the business associate is in fact HIPAA compliant. The starting point is to have a business associate agreement (BAA) in place with every vendor that creates, receives, maintains, or transmits protected health information (PHI). The agreement should include security requirements to ensure they are protecting your patient data. If a covered entity does not have a BA agreement in place and the vendor causes a data breach, the covered entity will more than likely receive the fine. Even with a BA agreement in place, the covered entity typically still bears the financial burden of the breach, though it may not receive the fines. That is why a BA agreement should include an indemnification clause and require the business associate to carry cyber liability insurance.

Recently, a business associate was fined $2.3 million for a data breach caused by a hacking incident. If the covered entities had not had BA agreements in place, they could have been the ones receiving this hefty penalty. Also recently, an orthopedic clinic was fined $1.5 million after a journalist notified them that a database of their patient information was posted for sale online. For this reason, we recommend that covered entities carry their own cyber liability policies as well. "Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers," said OCR Director Roger Severino.

Many electronic and portable devices are used to process and store PHI. Anyone with access to such a device could potentially change its configuration, install malicious programs, alter information, or access information they are not authorized to see. Any of these actions has the potential to affect the integrity of patient information. HIPAA requires covered entities and their business associates to implement and follow policies and procedures that limit access to only those who are authorized.

Risk management should be at the top of everyone's list. Preventing data breaches and securing patient data is everyone's responsibility, but OCR requires someone to be the point person, hence the HIPAA Security or Compliance Officer title. This responsibility is so much more than a title. A HIPAA Compliance Officer's responsibilities include creating, maintaining, and enforcing the compliance program, and that covers staff, management, and even the medical providers. I hear too often that the compliance officer gets pushback from the doctors or owners. This is unfortunate, since they are only trying to do the job that is required under state and federal law. They are the frontline defense in keeping your practice alive and well. The owners of the practice may suffer the financial loss, but sometimes everyone does if the practice closes. Let's all work together to keep patient data safe and secure.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Telemedicine on the other side of the Pandemic

By Suze Shaffer

July 15, 2020

Back in March, the Office for Civil Rights (OCR) relaxed its enforcement of non-compliance with regard to telemedicine. It permitted the use of audio/video communication applications such as FaceTime, Google Hangouts, Zoom, and Skype without the risk that a provider would be penalized for non-compliance. Providers were encouraged to inform their patients of the potential privacy risks, to enable encryption where available, and to use whatever other means they had to secure the data.

Even though some states are experiencing a surge in COVID cases, medical providers are now expected to seek HIPAA-compliant products and obtain a business associate agreement. Telehealth vendors should now have an agreement ready that includes state law provisions and data security information. Medical providers should read this agreement carefully to ensure that data security is spelled out and that it meets their state's breach notification requirements. Ideally, the vendor would sign YOUR business associate agreement, if you have one that outlines security requirements.

If a medical provider cannot obtain a signed business associate agreement from a vendor, the medical provider should stop using that vendor. A vendor's refusal to sign a BAA does NOT release the vendor from liability; it just means the liability falls on the medical provider for not obtaining the signed document. Furthermore, the medical provider may receive fines for non-compliance should the business associate suffer a data breach or security incident. These documents are extremely important!

Many thanks to all our healthcare workers for staying strong throughout these trying times.

If you would like more information or need a business associate agreement, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cell phone use in the workplace causing distrust

By Suze Shaffer

March 15, 2020

We have all been annoyed at one time or another when we arrive at a counter or a place of business and the person is on their cell phone and we are ignored. That is not very good customer service, and when you work in healthcare it goes to a whole new level. HIPAA does not restrict the use of cell phones, only how they must be secured and protected when they are used with PHI. However, that is not what we are discussing today.

We are hearing about complaints from patients accusing employees of taking pictures of their information. In one such situation, an employee was accused of photographing the computer screen, and the patient told the doctor. This gave the doctor the opportunity to address the situation and avoid a formal complaint to the Office for Civil Rights (OCR). We recommend that employees keep their cell phones out of sight of patients unless the phone is used for business purposes within the practice. Some organizations are even adding cell phone lockers. I can remember before we had cell phones, when we actually gave out our work number to anyone who needed to get in contact with us! Now you know how old I really am! Joking aside, this is a very serious matter that could cause OCR to open an investigation. Keep in mind that when you are being investigated by OCR, they do not "just" investigate "that" situation. They look at your overall compliance plan. Where are your policies? What were your procedures before, during, and after the occurrence? What have you done to prevent the same situation from happening again? And there are many more items they take into consideration when conducting an investigation.

The next area of concern with cell phones is the patients themselves. We have long been a proponent of privacy screens on computers. Now, even if the screen is across the room, we are pushing our clients to add them: patients have their phones out while making new appointments, and they could take a picture of a computer screen across the room and enlarge it. Some of you may be thinking that we worry too much and that all this security is driving you crazy. It only takes ONE mistake or ONE complaint to turn your life into a rollercoaster. Prevention is the best medicine!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy