HIPAA Best Practices

Despite the Health Insurance Portability and Accountability Act (HIPAA) first being enacted over 20 years ago, some organizations are still found to be violating HIPAA Rules. Common causes for violations are related to security procedures. Below, we will outline some essential areas that HIPAA covered entities and their business associates should review to avoid sanctions for HIPAA violations.

HIPAA was put in place to help people maintain insurance coverage while between jobs and to protect private health information. Covered entities include health plans, health insurers, and medical service providers.

HIPAA is chiefly enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR), which is responsible for checking compliance with most parts of the HIPAA Privacy and Security Rules. Violations are often resolved through voluntary compliance or issued guidance. However, the OCR does reserve the right to impose financial sanctions.

The majority of reported violations involve improperly using or disclosing protected health information (PHI). This can happen through weak security, not correctly allowing patients access to their PHI, or the lack of appropriate administrative data protections.

These errors indicate that many covered entities are failing to implement the necessary security procedures. This is somewhat surprising, as one of the very first parts of HIPAA’s administrative safeguards, 45 CFR 164.308(a)(1), requires organizations to put policies in place to “prevent, detect, contain, and correct security violations”.

Some of the necessary steps needed to introduce these protections include:

  • Risk Assessment – Analysis of risks to the privacy, integrity, and security of PHI
  • Risk Management – The steps being taken to reduce risks to a “reasonable and appropriate level”
  • Sanction Policy – The internal penalties related to violating security or privacy procedures
  • Information system activity review – Introducing regular audits and reviews of activity logs and access history, as well as recording security incidents

Prior to these steps, a common sense approach should be taken to understanding all of the PHI the organization controls and how it should be managed.

Identify the concerned systems – A vital first step that many do not complete is properly identifying all IT or information systems that deal with PHI. These systems should be examined and their function and hierarchy ascertained.

Organizations should pose the following questions:

  • Does the hardware and software in the information systems include removable media and remote access devices?
  • Have the types of information under management been identified?
  • Has the sensitivity of each type of information been evaluated?

Conduct a risk assessment – The risks and weaknesses of information security must be completely understood.

Organizations should consider:

  • The risk of natural disasters at the facility’s location
  • Whether responsibility has been designated for all concerned hardware
  • Whether existing safeguards and identifiable risks have been examined
  • Whether all processes involving ePHI (creating, receiving, maintaining, and transmitting protected information) have been appropriately addressed

Required IT systems and services – Once the risks related to IT and information security have been understood, new software or infrastructure may need to be put in place to maximize security. Examples include:

  • Multi-Factor Authentication
  • Data-at-Rest Encryption
  • Data-in-Transit Encryption
  • Cryptographic Key Management

Before putting these safeguards into place, consider:

  • Compatibility between new security measures and current IT systems
  • Cost-benefit analyses to measure possible investments against potential security risks

Develop and implement policies and processes – New procedures must have an assigned owner, who is responsible for ensuring they are followed. If no one is responsible, no one takes action. Introduce measures with clear accountability to stimulate compliance.

All actors in the healthcare space, from public clinics to private insurers, must abide by HIPAA Rules and internal procedures to keep PHI private and secure. The above guidelines can be used to help your organization conform to best practices, protect PHI, and avoid sanctions for HIPAA violations.


Is AWS HIPAA Compliant?

Are Amazon Web Services (AWS) HIPAA Compliant? AWS includes the necessary features to be used in compliance with HIPAA’s Security Rule and Amazon will enter into Business Associate Agreements (BAA) with covered entities. Does this mean AWS is HIPAA compliant? As we often state, even when tools include all the required settings they must be correctly configured and the platform used in a HIPAA compliant way. Compliance is dependent on users.

Amazon Will Enter into a BAA for AWS

As Amazon is eager to work with the healthcare industry, it is willing to enter into BAAs with covered entities. In line with the agreement, Amazon supports aspects of security, control, and other administrative requirements.

Previous AWS BAAs stipulated a need to secure protected health information (PHI) with Amazon EC2 Dedicated Instances or Dedicated Hosts but this requirement has since been removed.

Amazon has also published a 31 page guide to aid covered entities in their HIPAA compliant use of AWS.

AWS Can be HIPAA Compliant, But Can Also be Misused

As mentioned above, even though AWS has all the required features, HIPAA compliance for software or platforms is dependent on users.

As AWS has been developed to simplify how data is accessed, shared, stored, and analyzed by authorized users, access control is a very important feature to manage.

Using an AWS environment that appears to be correctly configured reduces the risk of HIPAA violations but does not eliminate it entirely. Simple things like securing the data have been overlooked by companies in the past, leading to data breaches. While storage is secured by default, setting user permissions is where errors tend to occur.

When is AWS Not HIPAA Compliant?

AWS security is often betrayed by user error. Poor configuration of access controls is a common cause of breaches. Sometimes the breach is caught by security researchers, but in other cases hackers may find the unsecured data first. Data stored in the cloud without the correct security settings is an easier target for hackers than organizations’ servers.

A mistake that is often repeated is to allow access to “authenticated users”. Unfortunately, Amazon defines anyone with an AWS account, which is free to set up, as an “authenticated user” – meaning anyone with an internet connection could access the data.

How Common are AWS Misconfigurations?

AWS misconfigurations are a very common problem. Amazon even went so far as to email users with potentially misconfigured storage systems, called S3 buckets.

Amazon wrote “we’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet”.

They continued that “while there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

A number of those disclosures involved healthcare organizations, but also military, financial and other industries. Of note was a HIPAA covered entity called Patient Home Monitoring that had left almost 50GB of data unsecured.

Free software is available to check for unsecured S3 buckets to avoid similar errors taking place in future. One such tool is S3 Inspector from Kromtech.
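The “authenticated users” mistake described above and the bucket check that tools such as S3 Inspector perform both come down to one thing: inspecting each bucket’s ACL for grants to the two predefined S3 groups, AllUsers (anyone on the internet) and AuthenticatedUsers (anyone holding any AWS account). The following Python is an added example, not code from the page or from Kromtech; it audits ACLs in the dictionary shape that boto3’s `get_bucket_acl` returns, so it can be run offline against the constructed sample ACLs embedded below (the bucket names and canonical IDs are fictional), and it flags which grants make data world-readable or writable.

```python
"""Audit S3 bucket ACLs for grants to the public S3 groups.

The ACL dict shape is the one boto3's s3.get_bucket_acl(Bucket=...) returns:
{"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}, ...]}
"""
from __future__ import annotations
from dataclasses import dataclass

# Predefined S3 group URIs. AllUsers is anonymous access from anywhere;
# AuthenticatedUsers is any AWS account holder, which is free to become.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # not public

PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anyone on the internet)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account)",
}

# Severity by what the permission lets an outsider do to the bucket:
# READ lists objects, WRITE adds/deletes objects, READ_ACP reads the ACL,
# WRITE_ACP rewrites the ACL (effectively a takeover), FULL_CONTROL is all.
SEVERITY = {"READ": "high", "WRITE": "critical", "READ_ACP": "medium",
            "WRITE_ACP": "critical", "FULL_CONTROL": "critical"}
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    bucket: str
    group: str
    permission: str
    severity: str


def audit_bucket_acl(bucket: str, acl: dict) -> list[Finding]:
    """Return one Finding per grant to a public group; owner, canonical-user
    and LogDelivery grants are normal and are not reported."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri not in PUBLIC_GROUPS:
            continue
        perm = grant.get("Permission", "")
        findings.append(Finding(bucket, PUBLIC_GROUPS[uri], perm,
                                SEVERITY.get(perm, "unknown")))
    return findings


def worst_severity(findings: list[Finding]) -> str | None:
    """Highest severity among findings, for prioritising remediation."""
    if not findings:
        return None
    return max((f.severity for f in findings), key=lambda s: SEVERITY_RANK.get(s, 0))


def audit_all(acls: dict[str, dict]) -> dict[str, list[Finding]]:
    """Audit bucket name -> ACL; buckets with no public grants are omitted."""
    report = {}
    for name, acl in acls.items():
        findings = audit_bucket_acl(name, acl)
        if findings:
            report[name] = findings
    return report


# Constructed sample ACLs; bucket names and IDs are fictional.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-example"}
SAMPLE_ACLS = {
    "phi-exports-example": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "backups-example": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ_ACP"},
    ]},
    "private-example": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLE_ACLS).items():
        print(f"{bucket}: worst={worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.permission} granted to {f.group}")
```

In a live account the `acl` argument would come from `get_bucket_acl` for each bucket returned by `list_buckets`; the ACL is only one of the ways a bucket becomes public, so a real review also covers the bucket policy and the account-level S3 Block Public Access setting.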

AWS Compliance Summary

AWS can be used in a HIPAA compliant manner and can provide advantages to healthcare organizations. It can, however, also be used in violation of HIPAA rules through misconfiguration. As the storage is secure by default, it is quite possible that changing the settings and unwittingly leaving the data unprotected would be seen as a serious HIPAA violation by auditors from the Office for Civil Rights.


HIPAA Record Retention Requirements

The term “HIPAA record retention requirements” is understood to refer to two separate but similar sets of requirements: those for HIPAA medical record retention and those for HIPAA record retention. This similarity has led to some uncertainty. Below we will try to explain which records are required to be kept for HIPAA compliance and which records covered entities may want to keep for other reasons.

HIPAA retention requirements are not overly complicated. Uncertainty arises in relation to part of the Privacy Rule which states that administrative, technical and physical protections must be in place to “protect the privacy of Protected Health Information for whatever period such information is maintained”.

HIPAA Does Not Define a Retention Period for HIPAA Medical Records

The Privacy Rule does not say how long medical records are to be kept quite simply because HIPAA does not include a medical record retention period. This is because state laws take precedence over HIPAA in this instance. Records must be retained according to individual state laws and not a standard federally mandated period. Different states have different requirements for different types of information. We provide examples below:

In Florida, physicians must keep medical records for five years after the last patient contact, but hospitals must keep them for seven.

In Nevada, healthcare providers are obligated to keep medical records for at least five years, or – for minors – until the patient is twenty-three years old.

In North Carolina, hospitals must keep patients’ records for eleven years from the date of discharge, and records relating to minors must be retained until the patient is thirty.

What are the HIPAA Retention Requirements?

HIPAA does not have retention requirements for medical records but does have requirements for other documents related to HIPAA. This is outlined in CFR §164.316(b)(1), which states covered entities must “maintain the policies and procedures implemented to comply [with HIPAA]” and records of any “action, activity or assessment”.

Under CFR §164.316(b)(2)(i), information must be retained “for 6 years from the date of its creation or [for policies] the date when it last was in effect, whichever is later”. This means that for a policy created in 2010, which was revised in 2013, a copy of the original 2010 policy would need to be kept until 2019, six years after the revision or replacement date.

Many documents need to be retained under HIPAA. While it varies depending on the activity of the covered entity or business associate, the most common to retain are:

  • Notices of Privacy Practices.
  • Authorizations for the Disclosure of PHI.
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

Other Aspects to Consider With HIPAA Record Retention

As we noted above, HIPAA retention requirements are not overly complicated. Depending on your business, you may be subject to other retention requirements. Insurance companies may need to explore their obligations under FINRA and employers should be aware of record retention requirements under the Employee Retirement Income Security and Fair Labor Standards Acts. Sometimes, records need to be retained indefinitely.

Cost reports sent by healthcare providers to the Centers for Medicare & Medicaid Services (CMS) must be retained for at least five years after the closure of the report. Medicare managed care program providers must retain these records for ten years. Even though there will be some overlap between these and HIPAA record retention requirements, they must be stored separately for retrieval reasons.

Covered entities and business associates are advised to retain information related to personal injury or breach of contract claims for as long as the Statute of Limitations remains in force for that affair in the relevant state. This is often longer than HIPAA record retention periods.


HIPAA Email Archiving Requirements

Must Emails be Archived to Comply with HIPAA?

HIPAA’s Security Rule does not stipulate that email archives must be HIPAA compliant. However, covered entities should consider archiving their email correspondence in a HIPAA compliant manner.

The Security Rule does stipulate that electronic communications that include PHI must be kept for at least six years. These records must be secured through the use of access controls, and audit controls should be in place to prevent changes being made or messages being removed.

HIPAA compliant archiving systems include these safeguards, as well as the other required administrative, technical, and physical protections called for in the Security Rule. As an added benefit, compliant archiving systems can reduce the risk of data theft by internal actors and minimize storage on local servers.

How to Implement HIPAA Compliant Email Archiving

For many industries, email archives are stored on remote servers operated by the service provider and messages are indexed to enable search functions. HIPAA compliant archives work similarly, except that the protected health information (PHI) is encrypted at every stage to protect against data theft. Archive hosts also have to implement processes to limit access to the archived messages, with auditing functions enabled in line with HIPAA’s administrative safeguards.

On request, authorized users can search the archive for information on patients, to conduct audits, and to comply with legal requests. Proof of delivery of sent emails can also be found.

The Advantages of HIPAA Compliant Email Archiving

As well as freeing local server space, HIPAA compliant email archiving can provide a range of benefits to covered entities.

  • Email indexing catalogs email content, metadata, and attachments to make data retrieval for e-discovery or compliance purposes more efficient.
  • As information is stored offsite by a third party, HIPAA compliant email archiving can be included as part of a covered entity’s Disaster Recovery Plan.
  • HIPAA compliant archiving helps prevent insider data theft or user negligence – factors responsible for almost 50% of PHI breaches.

Healthcare organizations can be quite vulnerable to data theft by current employees. PHI can be sold for a high price to people looking to commit insurance fraud, forge identities, or access free medical care.

A high profile case occurred in South Carolina in 2012 when a state employee sent PHI belonging to over 200,000 Medicaid beneficiaries to a personal email account. The breach was discovered before the information was shared further, but the incident is a worrisome reminder that not all authorized users act in good faith.

HIPAA Compliant Email Archiving from TitanHQ

One of the leading online security providers for healthcare organizations, TitanHQ provides a HIPAA compliant email archiving solution called ArcTitan. Based in the cloud, ArcTitan allows authorized users to search, access, and retrieve emails using Microsoft Outlook or a web browser of their choice.

The tool incorporates audit functions, allows remote access, and can be used with most mail servers and email clients. ArcTitan works on Amazon Web Services (AWS) and allows access authorization to be given to up to 60,000 users. By using AWS, ArcTitan reduces local storage needs without compromising on security, therefore offering the same or greater peace of mind as on-site storage.


Limited Data Sets and HIPAA

In specific circumstances, HIPAA covered entities are allowed to share sets of identifiable healthcare information, known as limited data sets, with authorized institutions and remain in compliance with the HIPAA Privacy Rule. In such cases, data can be shared for research, public health information, and healthcare operations without obtaining permission from patients.

Limited data sets contain identifiable protected information and should not be confused with de-identified protected health information. Whereas HIPAA does not treat de-identified health information as protected health information (PHI), limited data sets are still considered PHI and remain subject to the HIPAA Privacy Rule.

Covered entities can only share HIPAA limited data sets with organizations with which they have signed data use agreements. The purpose of the agreement is to bind the partner organization to using the PHI only for permitted reasons, to prevent the PHI from being shared with other parties, and to ensure the HIPAA Privacy Rule will be respected.

PHI cannot be shared until a data use agreement is in place. The agreement should define:

  • Approved uses and disclosures
  • Authorized recipients and users of the data
  • Assurances that the data will not be used to contact or identify patients
  • The protections to put in place to secure the confidentiality of data and prevent prohibited uses and disclosures
  • How the discovery of improper uses and disclosures should be reported to the covered entity
  • That any subcontractors that access or use the data also enter into a data use agreement and agree to comply with the terms

The entire data transaction is subject to the Minimum Necessary Standard, meaning that only the minimum data needed to conduct the research or other authorized activity is to be shared.

What Information is to be Redacted From a HIPAA Limited Data Set?

While limited data sets can contain identifiable healthcare information, the following types of data must be removed before sharing:

  • Names
  • Street or postal addresses, beyond town/city, state, and zip code
  • Telephone or fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Other account numbers
  • Certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • URLs and IP addresses
  • Biometric identifiers e.g. fingerprints, retinal scans, voice prints
  • Photographs depicting the person’s full face and similar images
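The redaction list above, together with the Minimum Necessary Standard, is the kind of rule a practitioner ends up encoding in a release pipeline. The Python below is an added example, not code from the page: it reduces a structured patient record to a limited data set by dropping the direct identifiers listed above, cutting a street address down to town/city, state and zip code, and leaving dates and clinical content in place, and it includes a second pass that re-checks the outgoing record so nothing forbidden slips through. The field names and the sample record are assumptions constructed for the example; a real deployment maps them onto its own schema and still has to handle free-text notes, which this key-based filter does not inspect.

```python
"""Reduce a structured patient record to a HIPAA limited data set.

Key names are assumed for this example and must be mapped to your own schema.
Free-text fields are passed through untouched, so they need separate review.
"""
from __future__ import annotations
import copy

# Record keys that carry direct identifiers and must be removed before sharing.
DIRECT_IDENTIFIER_KEYS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number",
    "certificate_or_license_number", "vehicle_identifier", "license_plate",
    "device_identifier", "device_serial", "url", "ip_address",
    "biometric", "full_face_photo",
}

# Address sub-fields a limited data set may keep: town/city, state, zip code.
ADDRESS_KEEP = {"city", "state", "zip"}


def to_limited_data_set(record: dict) -> tuple[dict, list[str]]:
    """Return (limited_data_set, removed_paths).

    Direct identifiers are dropped, "address" is reduced to city/state/zip,
    and everything else (dates, diagnosis codes, ...) is copied unchanged.
    removed_paths lists what was stripped so the disclosure can be logged.
    """
    out: dict = {}
    removed: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_KEYS:
            removed.append(key)
        elif key == "address" and isinstance(value, dict):
            out["address"] = {k: v for k, v in value.items() if k in ADDRESS_KEEP}
            removed.extend(f"address.{k}" for k in value if k not in ADDRESS_KEEP)
        else:
            out[key] = copy.deepcopy(value)
    return out, removed


def find_direct_identifiers(obj, path: str = "") -> list[str]:
    """Outbound guard: list the paths of any forbidden keys still present,
    including street-level address parts. Empty list means safe to release."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in DIRECT_IDENTIFIER_KEYS or (path == "address" and key not in ADDRESS_KEEP):
                hits.append(here)
            else:
                hits.extend(find_direct_identifiers(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_direct_identifiers(value, f"{path}[{i}]"))
    return hits


# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-EXAMPLE-1",
    "email": "jane@example.invalid",
    "address": {"street": "1 Example Street", "city": "Springfield",
                "state": "FL", "zip": "32099"},
    "birth_date": "1970-04-12",
    "admission_date": "2017-03-02",
    "diagnosis_codes": ["E11.9"],
}

if __name__ == "__main__":
    lds, removed = to_limited_data_set(SAMPLE_RECORD)
    print("removed:", removed)
    print("remaining identifiers:", find_direct_identifiers(lds))
    print("limited data set:", lds)
```

The guard runs on the output rather than trusting the filter, which matters once several transformations are chained; `removed` is what a covered entity would write to its disclosure log.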

HIPAA Compliance for SaaS

HIPAA compliance and SaaS (Software as a Service) is another area that is causing confusion for many in the healthcare space. This is somewhat understandable, as HIPAA was originally introduced in 1996, when the idea of SaaS and cloud storage platforms was far from the common consciousness.

More recent Acts and Rules, such as 2009’s HITECH Act and 2013’s Final Omnibus Rule, make provisions for electronic platforms and services – but only in broad strokes. Technical details and other aspects are not defined, resulting in SaaS developers and companies making efforts to be HIPAA compliant without full knowledge of what being compliant means in this area. That being said, current thinking revolves around best practices and industry guidelines. Developers, providers, and hosting companies would do well to note these when designing their services.

What is HIPAA Compliance for SaaS?

To be in compliance with HIPAA, SaaS platforms and tools that deal with protected health information (PHI) must meet the administrative, physical, and technical standards laid out in the HIPAA Security Rule. Services covered by this Rule may include applications that collect personally identifiable information and tools that are used to create, process, or share PHI. Service providers may even need to enter into a Business Associate Agreement (BAA) with HIPAA covered entities in some cases.

The HIPAA Security Rule does not outline exact measures that need to be taken for cloud storage, VPS, or other data hosting SaaS packages to be compliant. While they may be considered “shared” architectures, nothing in the Rules prohibits their use. The most important thing for HIPAA covered entities and their business associates is that there are options to make the service eligible for use under HIPAA.

Key Compliance Areas For SaaS Providers and Hosting Companies

Most e-health applications are for personal use only and do not need to be HIPAA compliant. SaaS developers and hosting companies whose clients use their services in a professional capacity in the healthcare industry will need to ensure that their tools meet the administrative, physical, and technical standards set by the HIPAA Security Rule.

The purpose of the administrative, physical, and technical standards is to stop unauthorized disclosures of PHI. They apply both when the data is at rest and in transit. SaaS developers and providers need to offer settings that allow access controls, user identification measures, and data encryption to be implemented. Access to physical storage locations should also be controlled.

Required Vs. Addressable Safeguards

HIPAA Rules mention a number of protections; some are listed as required, others as addressable. Required safeguards are mandatory and must be put in place as specified, without exception. Addressable protections are those which must be examined to evaluate whether they are relevant to the case at hand, and if so, there is some leeway as to how they can be implemented. The most important factors are that the desired level of protection is reached and the decision for using the method selected, or for not implementing any protection at all, is documented and available for examination.

The scope of required and addressable measures is slightly different for SaaS providers than for HIPAA covered entities. One such difference concerns the addressable safeguard of encryption. Healthcare providers may be allowed to forgo encryption or use a different data security method if their use and management of PHI are strictly confined to their private and secure network. As SaaS providers and hosting companies are external to the healthcare organization, a single internal network cannot exist, and they would be required to implement encryption even though encryption is classed as addressable.


HIPAA Compliant Paging

While pagers may be seen as an effectively dead technology, there could still be issues arising from their use with protected health information (PHI). Though largely replaced by other messaging devices, some are wondering whether the use of pagers and paging is HIPAA compliant.

Are Pagers HIPAA Compliant?

The HIPAA Security and Privacy Rules require that physical, administrative, and technological safeguards be put in place to protect electronic communications that contain PHI. For use of a pager with PHI to be HIPAA compliant, any messages would need to be encrypted, communications would need to be able to be tracked and logged, and there would need to be a way to remotely delete any PHI from the device, should it be lost or stolen.

Other requirements under the Privacy and Security Rules are the need for user authorization and a time-out function that would log off an inactive user after a certain period of idleness. Pagers could really only be used by healthcare professionals if PHI is left out of all messages. The introduction of the necessary systems to bring pagers up to code could be problematic, and potentially not worth the effort given the ubiquity of smartphones and other, more modern, mobile devices.

Indeed, the shift to smartphones – while they have their own problems and their use must meet the same requirements – has opened up many more possibilities in terms of communicating PHI and increasing efficiency in the healthcare industry.

The Introduction of Secure Messaging Platforms

For those looking for alternatives to pagers and other non-secured and non-compliant methods of communication, the introduction of Secure Messaging Platforms and Applications may provide an answer. Available for download and for use with most desktop computers and mobile devices, these work in much the same way as conventional commonly used messaging tools, such as Facebook messenger or WhatsApp, but with the crucial difference that they can be configured for HIPAA compliant use.

These platforms include a number of features to address the elements we mentioned above that would be needed to make pagers HIPAA compliant and which also apply to other electronic message systems. These tools create an encrypted network that can be used privately within the healthcare organization; users must log in to the tool with a username and password given to them by the administrator; idle devices are automatically logged out; and network activity is tracked to allow for audits to take place. Information can be remotely deleted should a device be lost or stolen and there are protections to prevent data from being copied or shared to insecure areas.

Are Secure Messaging Platforms HIPAA Compliant?

Secure Messaging Platforms can help healthcare organizations and their employees to harness the efficiency and convenience of mobile devices and messaging tools while remaining HIPAA compliant. As we often caution, it must be noted that any technology or device is vulnerable to being misused by a person, even by a trained and authorized person. HIPAA compliance for software, smartphones, or other mobile devices ultimately depends on it being correctly configured and used in a HIPAA compliant way.


Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA compliant? Could HIPAA covered entities or their business associates use GoToMeeting to share protected health information (PHI) and stay compliant with HIPAA?

GoToMeeting is an online conferencing tool developed by LogMeIn. Many solutions of this type exist to enable people to share desktops and perform meetings remotely and they offer a number of advantages to organizations.

Any system used by entities covered by the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, must adhere to certain privacy and security rules defined in the Act.

If a tool does not conform to these rules, patient privacy may be compromised and the user may be liable for a HIPAA breach, potentially opening themselves up to large monetary sanctions.

It must be stated that no program or tool can be said to be 100% HIPAA compliant. Even if all the necessary options and settings are in place to protect electronic PHI (ePHI), the tool can still be misused. Compliance depends on users. The covered entity must check that staff are trained and that features are correctly implemented before any PHI is used with the system. Any information transmitted is also subject to the Minimum Necessary Standard.

Is GoToMeeting HIPAA Compliant?

For GoToMeeting to be compliant, it would need to be in line with all aspects of the HIPAA Security Rule.

In terms of end-to-end encryption requirements, GoToMeeting is up to standard; transmitted data is protected using HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are protected in transit using AES 128-bit encryption. AES 128-bit encryption meets the current standards for encryption recommended by NIST.

Audit controls are needed to track which PHI was sent where, by whom, and when. GoToMeeting is also compliant in this aspect, as it logs connections and sessions, and account administrators have access to reporting tools.

Another requirement is the ability to authenticate users, which GoToMeeting does by issuing unique meeting codes that can be supplemented with password protection. Meeting organizers can restrict attendance to certain people, who must identify themselves with an email address (or a phone number) and a password. Users can be automatically disconnected after a period of idleness, to be determined by the organizer.

Perhaps the strongest point is that GoToMeeting stands behind its tool being HIPAA compliant, stating on its website that “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.” GoToMeeting is also willing to sign a Business Associate Agreement (BAA) with covered entities. This must be signed before the service can be used.

Knowing this, can we say that GoToMeeting is HIPAA compliant? If the BAA is signed prior to use with PHI, then GoToMeeting meets all requirements for HIPAA compliant use.

Covered entities should take into account that GoToMeeting advises caution, saying “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”


The HIPAA Security Officer’s Responsibilities

Under Federal Regulations, specifically 45 CFR 164.308 – the HIPAA Security Rule’s Administrative Safeguards – HIPAA covered entities must appoint a HIPAA Security Officer. The Security Officer must develop and introduce internal policies and processes to safeguard the integrity of electronic protected health information (ePHI). IT managers are commonly put in this role as ePHI is widely seen as an IT concern. This is not strictly true.

While the HIPAA Security Rule includes aspects of access control and safeguards around sharing ePHI, estimates say that roughly two thirds of a Security Officer’s duties are unrelated to IT. Most of the obligations revolve around training, auditing, managing incidents, and ensuring business associates are compliant. Other aspects include preparing disaster plans and overseeing the security of the facility.

The HIPAA Security Officer’s Responsibilities

As noted above, under the HIPAA Security Rule the Security Officer is required to develop and introduce policies and processes to prevent, detect, contain, and correct breaches of ePHI. A vital first step before developing these procedures is to run risk assessments on the administrative, physical, and technical safeguards noted in the Security Rule.

On finishing the assessment and recording the results, it is the Security Officer’s role to introduce steps “to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR 164.306(a)”. Training of staff on the new policies and penalties related to breaking those policies should take place. Audits and periodic system reviews must also be introduced to catch any violations.

Identifying the Ideal Security Officer

Given the various facets of the role, IT managers are not always best equipped to take it on. More suitable candidates would be highly organized individuals who have a deep understanding of HIPAA and a sufficiently high position in the organization to implement the needed changes. As IT will be affected by many of these changes, familiarity with the IT systems would also be desirable.

Of paramount importance is that the Security Officer works in harmony with the covered entity’s Privacy Officer or Privacy Team. As there is a fair degree of crossover between these roles, it may be worth joining forces to carry out training, risk assessments, and other activities. Security Officers and Privacy Officers working in tandem are also better positioned to monitor their business associates effectively.

Outsourcing HIPAA Security and Compliance Software

Some organizations may not have anyone with sufficient free time to take on the Security Officer role. The responsibilities of the Security Officer can be outsourced to an external party, either in the short or the long term. For example, an outside expert could be hired just to conduct the risk assessments and write the policies. Once this is done, an internal person can be nominated to implement and oversee compliance, or the external party can continue in the role.

Another solution may be the use of compliance software, which can be customized for each covered entity and can facilitate training, risk assessments, and policy development. For covered entities that are low on the resources needed to take on extra staff or outside help, compliance software may be an efficient way to meet their administrative requirements under the Security Rule.

Be cautious of Security Officer Certification

Some consultancy companies have begun to offer Security Officer certification courses. These are neither recognized nor endorsed by the Department of Health and Human Services’ Office for Civil Rights (OCR). OCR has stated that no single standardized program could appropriately train employees of entities of different types and sizes. Covered entities are advised to report misleading claims in this regard.

The OCR’s website includes guidance for Security Officers. It also asks covered entities to sign up for Privacy and Security Listserv Services, which is a free service that gives updates on privacy and security issues, as well as HIPAA developments.


Who Enforces HIPAA?

The Health Insurance Portability and Accountability Act, better known as HIPAA, is an important piece of legislation governing many aspects related to healthcare, but who enforces HIPAA? Which federal departments or bureaus are concerned with checking that covered entities and their business associates are acting in compliance with HIPAA Rules?

Who Enforces HIPAA?

The chief entity responsible for enforcing HIPAA is the Department of Health and Human Services’ Office for Civil Rights (OCR). Certain powers were granted to state attorneys general under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The Administrative Simplification standards for transactions, code sets, and identifiers are largely monitored by the Centers for Medicare and Medicaid Services (CMS). Finally, medical devices and a number of specific situations can be dealt with by the U.S. Food and Drug Administration (FDA).

The OCR and HIPAA Enforcement

The OCR investigates all data breaches affecting 500 or more individuals once they have been reported by a covered entity or business associate. Smaller incidents may also be investigated if it is thought that a HIPAA violation may have occurred. HIPAA complaints reported by patients and staff members of covered entities are likewise subject to OCR investigation.

On discovery of a HIPAA violation, the OCR has a number of options. Voluntary compliance from covered entities and publication of technical advice seems to be the OCR’s preferred manner to solve HIPAA violations.

More severe, repeated, or numerous violations can lead to the OCR imposing financial sanctions on offenders. These most often take the form of settlements where alleged violators pay the OCR but do not have to admit liability. Civil monetary penalties can also be sought by the OCR. The Department of Justice is tasked with handling cases where criminal HIPAA violations are found to have occurred.

State Attorneys General and HIPAA Enforcement

While uncommon, state attorneys general can enforce HIPAA Rules. Where a violation affects residents of a particular state, the state attorney general may choose to pursue the offender under state law rather than under HIPAA. There are several reasons for this, but often it is simply easier to bring a case under state law.

Despite the potentially easier approach, a number of state attorneys general have brought charges against companies for HIPAA violations under HIPAA and HITECH laws. These cases have occurred in Connecticut, Massachusetts, New York, Minnesota, and Vermont.


Is Azure HIPAA Compliant?

Is Microsoft Azure HIPAA compliant? Can HIPAA covered entities use Microsoft Azure cloud services in compliance with HIPAA Rules?

A lot of healthcare organizations are looking to the cloud as a better way to offer some of their services. Indeed, many have already made the switch. While the cloud represents a number of improvements in efficiency and may lower expenditure, are cloud services HIPAA compliant?

There are no blanket restrictions on cloud services in HIPAA. Different HIPAA Rules may impose obligations that could impact the use of certain types of cloud services, especially in relation to services dealing with protected health information (PHI).

While searching for a cloud service provider, it is almost impossible to discount the three tech giants; Amazon, Google, and Microsoft. We have covered Amazon and Google’s offerings in previous posts, so today we will focus on Microsoft Azure. Is Microsoft Azure HIPAA compliant?

Is Microsoft Azure HIPAA compliant?

The first step in checking whether a cloud service can be used by a healthcare organization to deal with PHI is to check whether the host will accept to enter into a Business Associate Agreement (BAA) with the HIPAA covered entity.

HIPAA classes cloud service providers as business associates. Therefore, the provider has to assure covered entities that all necessary aspects of HIPAA’s Privacy and Security Rules have been thought of and addressed prior to PHI being used with the tool. The BAA serves as this assurance, and is the only HIPAA compliant means of receiving this assurance. It is a contract that explains each party’s duties and roles in relation to HIPAA. Even if the provider does not view PHI, a BAA still has to be put in place.

Microsoft Signs BAAs for Azure

Microsoft has signed BAAs covering Azure in the past. This doesn’t automatically mean that Azure is HIPAA compliant.

As we often say, HIPAA compliance is not dependent on the platform or its options – even the best designed tool can be misused. Compliance is ultimately dependent on the users. It is up to the covered entity to check that cloud services are set up correctly.

Azure in itself is not compliant, but it can be configured and used in a HIPAA compliant way. It includes measures to protect information and control access, as well as other necessary features.

Access, Integrity, Audit, and Security Controls

Azure is not accessed through a VPN by default: clients and applications reach Azure services over TLS-encrypted connections (HTTPS), and a site-to-site VPN or ExpressRoute circuit can be added where private connectivity is wanted. Azure Storage encrypts data at rest by default with Microsoft-managed keys, with customer-managed keys held in Key Vault as an option. Encryption in transit inside the covered entity’s own workloads (for example between a web tier and a database running on virtual machines) remains the covered entity’s responsibility, as does enforcing HTTPS-only access on the services it deploys.

To meet the Security Rule’s access control requirements, which restrict ePHI to authorized users, permissions are managed through Azure Active Directory and Azure role-based access control (RBAC), and multi-factor authentication can be enforced through Azure AD. Successful and failed sign-ins are recorded in the Azure AD sign-in logs and management operations in the Azure Activity Log; these should be routed to a Log Analytics workspace or storage account so that they are retained beyond the default window and are available for the periodic activity reviews the Security Rule requires.

With all of this being said, is Azure HIPAA compliant? We must reiterate that although Microsoft Azure includes all of the required settings and controls to be HIPAA compliant, the responsibility falls to the covered entity to check that everything is set up correctly and that users are trained on the tool. Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services.
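The point above, that the covered entity must verify the configuration itself, is easiest to act on with a repeatable check. The following is an added example written for this page, not Microsoft code: it reads the JSON a storage account export produces (the constructed documents below mimic the shape of `az storage account show -o json`, including only the properties used) and reports settings a Security Officer would not accept for ePHI. The property names `supportsHttpsTrafficOnly`, `minimumTlsVersion`, `allowBlobPublicAccess` and `encryption.services` follow the Microsoft.Storage resource schema; confirm them against your own export before relying on the script.

```python
"""Check an exported Azure Storage account configuration for the transport
and access settings a HIPAA Security Officer would want in place.

Added example for this page; it is not Microsoft code. The two documents
below are constructed samples in the shape of `az storage account show`
output, trimmed to the properties this check uses.
"""
import json
from typing import List

# Constructed sample: a storage account as deployed with weak settings.
WEAK_ACCOUNT = json.dumps({
    "name": "phiarchiveweak",
    "kind": "StorageV2",
    "supportsHttpsTrafficOnly": False,        # plain HTTP accepted
    "minimumTlsVersion": "TLS1_0",            # obsolete protocol allowed
    "allowBlobPublicAccess": True,            # anonymous container access possible
    "encryption": {
        "services": {"blob": {"enabled": True}, "file": {"enabled": False}},
        "keySource": "Microsoft.Storage",
    },
})

# The same account after remediation.
HARDENED_ACCOUNT = json.dumps({
    "name": "phiarchive",
    "kind": "StorageV2",
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "encryption": {
        "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
        "keySource": "Microsoft.Keyvault",    # customer-managed key
    },
})


def check_storage_account(doc: str) -> List[str]:
    """Return a list of findings for one account; an empty list means all checks passed."""
    acct = json.loads(doc)
    findings = []

    # Encryption in transit: refuse plain HTTP and require modern TLS.
    if not acct.get("supportsHttpsTrafficOnly", False):
        findings.append("HTTP permitted: set supportsHttpsTrafficOnly=true so ePHI in transit is always TLS-protected")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"minimumTlsVersion is {acct.get('minimumTlsVersion')!r}: require TLS1_2")

    # Access control: a missing value is treated as 'allowed', the historical default.
    if acct.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access allowed: set allowBlobPublicAccess=false")

    # Encryption at rest for every storage service the account exposes.
    services = acct.get("encryption", {}).get("services", {})
    for svc in ("blob", "file"):
        if not services.get(svc, {}).get("enabled", False):
            findings.append(f"encryption at rest not enabled for the {svc} service")

    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        print(f"[{label}]")
        for finding in check_storage_account(doc) or ["no findings"]:
            print("  -", finding)
```

Run it against `az storage account show --name <account> -o json` piped to a file for each account in the subscription; the weak sample produces four findings and the hardened one none. The corresponding remediation is `az storage account update` with `--https-only true`, `--min-tls-version TLS1_2` and `--allow-blob-public-access false`, after which the export should be re-checked and the result filed with the risk assessment.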


When Should You Promote HIPAA Awareness?

All staff members should have been trained on their obligations under HIPAA Rules, but how and when should awareness and knowledge of HIPAA be promoted and increased? How regularly should refresher courses or further training be given?

The various organizations subject to HIPAA Rules – covered entities, their business associates, and others – are required to follow those Rules and ensure their employees have been trained in their roles with respect to them. For best results, training should occur before staff deal with protected health information (PHI).

Essential topics to include are the permitted ways in which PHI can be used and shared, protection of personal privacy, information security, any function-specific elements, HIPAA best practices, and the various internal policies related to securing data and private information.

Sanctions for violating HIPAA and related penalties which staff members may be liable for should be presented. Without sufficient training, staff members may inadvertently break privacy or security rules and violate HIPAA.

As HIPAA is subject to modifications or additions, and internal policies may evolve with technology or guidance, further training in matters relating to PHI should be given if material changes are made.

HIPAA Training is Not a Once-Off

New staff members obviously need training to begin their role. HIPAA’s Privacy Rule requires that new workforce members be trained “within a reasonable period of time” after joining the covered entity.

However, this should not be the only training they receive. To ensure staff members remember the Rules, regular refresher or retraining is needed and is even a necessity for HIPAA compliance.

The HIPAA Rules do not set a fixed retraining interval: the Security Rule calls for “periodic security updates”, and the Privacy Rule requires retraining when a material change in policies or procedures affects a workforce member’s role. Organizations can choose the frequency that suits their needs, but best practice is to retrain annually.

The HIPAA Privacy Rule does state that training should be given to “all members of [a covered entity’s] workforce on the policies and procedures with respect to protected health information […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”.

General training may not cover the requirements for all staff. Specialized sessions may be needed for different departments or roles. 45 CFR § 164.308(a)(5) requires a security awareness and training program for all members of the workforce, including management; both role-specific training and ongoing security awareness require more than a single session at the start of employment.

Conducting training events is only part of the battle – covered entities must guarantee that employees understand the information given, and that they remember it and apply it to their work. This being the case, we advise that you increase and promote HIPAA awareness during the whole year.

Promoting HIPAA Awareness

Raising awareness of HIPAA and the responsibility that goes with it can be done in a number of ways. To supplement mandatory yearly refresher courses, lighter approaches such as newsletters, email bulletins, posters, and quizzes can all be used to keep HIPAA on people’s minds.

Security awareness in particular benefits from this layered approach. Annual HIPAA training is common practice, but security awareness training is often delivered twice a year, supplemented by monthly cybersecurity bulletins. More pressing concerns, such as a new malware strain or a phishing campaign targeting the sector, can be shared on an ad hoc basis, but use discretion when notifying employees of threats: a large number of alerts leads to alerts being ignored.

When Should Retraining Occur?

As well as yearly retraining, it may be a good idea to implement additional HIPAA training sessions if security or privacy violations take place, or if an information breach occurs. Staff members directly involved in these incidents are obvious candidates for retraining, but the event can be harnessed and used to open training to all employees to avoid a repeat of the error. Where one staff member is found to be violating HIPAA Rules, it is likely that others are also confused on the matter, and may be committing the same violation.


Is G Suite HIPAA Compliant?

Is Google’s G Suite HIPAA compliant? Can healthcare organizations and covered entities use G Suite and not be in violation of HIPAA?

Google have included a number of security and privacy features in G Suite to ensure it can be used in a manner compliant with the HIPAA Security Rule. Google have also shown their willingness to enter into business associate agreements (BAAs) with covered entities to cover G Suite. With this is mind, can we say that G Suite is HIPAA compliant? As with all technologies, even when the necessary features and settings are in place, compliance is ultimately down to the users.

Making G Suite HIPAA Compliant (Default G Suite is Not)

G Suite can be used in ways that are not HIPAA compliant, like all similar services. G Suite includes all the features necessary for it to be used in a compliant manner, but the covered entity is responsible for making sure the proper settings are active or disabled. If incorrectly configured, use of G Suite may violate HIPAA.

Signing a BAA with Google

A BAA with the service provider is almost always necessary for HIPAA compliance.

Since 2013, Google has accepted entering into BAAs so healthcare organizations could use its G Suite services, known as Google Apps at that time. BAAs should always be in place before any PHI is used, processed, or uploaded by the tool. While all settings may be correctly configured, use of the service without a BAA would be a HIPAA violation.

Signing a BAA with Google is a necessary condition, but it is not the only condition.

Implementing Access Controls

Prior to PHI being used in conjunction with G Suite, all features must be set correctly through the Admin Console. Any service using PHI must have access controls in place to prevent unauthorized individuals from viewing the information. User Groups should be created to give certain users access to data while restricting others. Access logs and alerts should also be set up.

Services that are not needed should be disabled, services that do not treat PHI can be left open to all registered users, and access to services dealing with PHI can be granted solely to those who need it.

Device Controls

Covered entities must also secure any portable devices with access to G Suite. Should a device that can access PHI be lost or stolen, measures should be in place to prevent it from being used by unauthorized persons to view any restricted data. Use of G Suite should be protected by login details, preferably two factor authentication, and devices should lock themselves after a period of inactivity. Administrators should be able to remotely wipe any PHI stored on the device.

Google’s BAA Does Not Cover All Google Services

Only services included in the BAA can be used with PHI. Google+, Google Talk, and others are not covered by the BAA. They can therefore not be used with PHI.

If these services remain enabled, internal rules must be established to make sure PHI is not used with them. All staff members must clearly understand these rules. Specific training for using G Suite to treat PHI in a way that is compliant with HIPAA and internal rules should be provided.

Which G Suite Services are HIPAA Compliant?

Currently, only G Suite’s core services are included in the BAA with Google. The following G Suite services can be used to treat or share PHI:

  • Gmail (Not free Gmail accounts)
  • Calendar
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault
  • Google Drive

For Google Drive, note that sharing should be limited to selected accounts. If not, files could be accessed online by unauthorized persons. Drives should only allow access to specific individuals or groups. Files, folders, and team names on Google Drive should not reference PHI in the titles.


Use of a free consumer Gmail account to communicate PHI is not HIPAA compliant. Consumer Gmail is provided under consumer terms rather than the G Suite BAA, and its messages may be scanned by Google and by third-party applications the user has granted mailbox access, creating the potential for unauthorized access to PHI. Free Gmail accounts are not included in the G Suite BAA.

G Suite HIPAA Compliance is Based on Users

G Suite is a tool that is marketed to companies including healthcare organizations and it has been developed to include the features necessary for HIPAA compliance. However, Google note as we have above that compliance is ultimately up to the user.

Google assist organizations in configuring their accounts for HIPAA compliance and have published a G Suite HIPAA Implementation Guide that is available online.


HIPAA Texting Policy

What is a HIPAA Texting Policy?

A HIPAA Texting Policy is a guide or set of procedures that should be drawn up following a review of methods used by staff, medical professionals, and business associates to transmit protected health information (PHI). Any risks that have been identified during the review should be addressed by the policy.

The Texting Policy should also contain information detailing when and how PHI can be sent by text, as well as the consequences of breaking these rules.

The purpose of the Texting Policy is to ensure all parties who can view PHI know and understand their duties, including their duty of care to protect patient information. Given the potentially confusing nature of HIPAA, covered entities should work to avoid bad habits forming due to lack of understanding.

HIPAA Compliant Texting Issues

Implementing a HIPAA compliant Texting Policy can be problematic. Some healthcare organizations do not have the appropriate tools to record access and sharing of PHI. Others may permit staff to communicate PHI via text messages using their personal smartphones or devices, even though sufficient security measures may not be in place.

This could make any texting policy essentially impossible to monitor, outside of a blanket ban of texting while at work. As text messaging is such a convenient and rapid way to share information, banning its use would be to put the enterprise at a serious disadvantage in terms of efficiency.

The potential for devices to be lost or stolen is another issue to address. Many breaches of PHI occur due to this. If healthcare organizations do not have a system in place to remotely wipe information from the device or block it from accessing PHI, they may face financial or civil penalties.

Secure Messaging: Problem Solved?

A possible solution to these issues may be for healthcare organizations to use a secure messaging tool. These tools include features that allow messaging, monitoring, and remote blocking to be carried out over a secure private network.

Access to data would be controlled, with users verifying their identity by providing unique login details provided by a central administration. Once connected to the network, users can share messages containing PHI with the same convenience and benefits as a regular text messaging platform, but without having to worry as much about the security aspects.

Secure messaging platforms also include administrative, technical, and physical features that allow the tool to be used in compliance with the HIPAA Security Rule. Even so, it should not be assumed that the use of a secure messaging platform negates the need to create a Texting Policy. These platforms enable activity monitoring so that the rules and processes in the Policy can be enforced.

More Information on HIPAA Compliance Policies

A Texting Policy is not the only type of policy that should be introduced by an organization for it to be HIPAA compliant. The HIPAA Security and Privacy Rules also require security management policies, information access policies, security incident policies, and contingency plans.


Is FaceTime HIPAA Compliant?

FaceTime is Apple’s video and audio calling service between Apple devices (iOS and macOS), but is it HIPAA compliant? Would it be against HIPAA Rules to use FaceTime to share protected health information (PHI)?

Below, we will review the security measures used by FaceTime; ask whether a business associate agreement (BAA) with Apple would be necessary; and explore whether Apple is willing to sign a BAA to cover FaceTime.

Would Apple Enter a BAA for FaceTime?

A thorough examination of Apple’s online resources did not find any evidence that Apple would be willing to sign a BAA with healthcare entities to use FaceTime or any of its services. HIPAA covered entities are directly mentioned once, but only to state that they should not use Apple’s iCloud to create, receive, maintain or transmit PHI.

As Apple will not sign a BAA to cover FaceTime, it would appear that FaceTime is not HIPAA compliant. There may be a way around this: if Apple does not need to be considered a business associate, then a BAA is not necessary.

The HIPAA Conduit Exception Rule

Some entities, such as postal services, couriers, and landline telephone providers, are not classified as business associates because their services are used only as conduits for information. Internet service providers and similar electronic carriers are treated the same way. These services fall under what is known as the HIPAA Conduit Exception. Could FaceTime be classed as a conduit?

Opinions differ on whether FaceTime falls under the Conduit Exception. A conduit only transmits PHI, stores it at most transiently, and has no routine access to it; in practice that also means holding no keys with which the encrypted content could be read.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has previously stated that cloud services, even those that cannot unlock encrypted information, are not exempt under the Rule. Exemptions are for transmission only services, where storage is only transient. Cloud services do not meet this requirement.

FaceTime calls are secured with end-to-end encryption which Apple says it cannot decrypt. No data is stored by Apple and Apple IDs prevent devices being used by unauthorized individuals.

According to Apple, “FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”

Is FaceTime HIPAA Compliant?

Knowing this, can we say that FaceTime is HIPAA compliant? While HIPAA compliance depends ultimately on the use and not the technology, FaceTime includes the necessary security measures for it to be used in compliance with HIPAA.

The issue revolves around whether FaceTime qualifies as a conduit or not. We believe it might, as does the US Department of Veterans Affairs, which permits it to be used.

Despite the possible exception, there are other video call service providers that will enter into BAAs. If video calls are necessary for your business, we would recommend taking a more cautious approach by using one of these services instead of FaceTime.


How to Prevent HIPAA Violations

Despite the best efforts of healthcare organizations and their business associates to protect data and follow HIPAA’s Security, Privacy, and Breach Notification Rules, information breaches can and do still happen.

While cybercriminals are the breach bogeymen for most business sectors, healthcare often finds itself let down by its own staff. Even with the best procedures and technology in place, at the end of the day it is up to employees to make sure they act in compliance with HIPAA.

Employees Can Help Reduce HIPAA Violations

Misunderstandings and lack of due care towards HIPAA Rules are common causes of information leaks. Staff should be trained to ensure they are properly aware of when and how it is acceptable to share protected health information (PHI) and the appropriate steps to take to safeguard data. Periodic re-training sessions should also be offered to maintain the level of knowledge.

Staff members should feel empowered to protect PHI and fulfil their roles as stewards of information, in line with HIPAA Rules. Small HIPAA violations could lead to large financial penalties, as well as damaging corporate reputation and putting patients at risk. Even accidental violations have the potential to threaten the employee’s career and may be treated as criminal acts with legal consequences.

If you are an employee of a HIPAA covered entity, it might be worth exploring the list of common mistakes below to make sure you are not accidentally violating HIPAA in your workplace.

How Employees Can Prevent HIPAA Violations

Here are some simple mistakes that healthcare employees often make, violating HIPAA.

Do Not Disclose Passwords or Share Login Information

Staff login details are unique and private to each staff member. They are an employee’s key to access PHI and other information. If login details are shared or written down, an unauthorized person could view PHI, or another authorized user could use the borrowed account to alter or share PHI improperly. As user activity is tracked and logged, the person whose account was used could be the one to face the consequences.

Do Not Leave Documents or Portable Devices Unsupervised

The Department of Health and Human Services’ Office for Civil Rights (OCR) receives a large number of breach reports resulting from portable devices being lost or stolen and PHI being mismanaged. The loss or theft of an unencrypted device that stores or can be used to view PHI is reportable to the OCR under HIPAA Rules; a device encrypted in line with HHS guidance, whose keys were not also compromised, is not, which is one of the strongest arguments for full-disk encryption on every laptop and phone that can touch PHI. OCR will then investigate the report to determine whether any Rule has been broken or if a violation has occurred. If the investigation finds that devices were left unsupervised, it may result in financial sanctions. Devices should not be left unattended while active.

Physical records must also be secured. Healthcare facilities can be tumultuous places, but documents containing PHI must still be protected and never left somewhere other staff, patients, or unauthorized individuals could view them.

Help your colleagues avoid HIPAA violations by reminding them of the risks of accidental PHI disclosures.

Do Not Transmit Patient Information by SMS

Many people use text messages to transmit information simply and near instantaneously in their personal lives, but they should never be used to send PHI. SMS networks, Facebook Messenger, and even popular encrypted message services like WhatsApp do not meet the HIPAA requirements for information sharing platforms.

Text message services must include user authentication measures, be sufficiently secure, and a HIPAA compliant Business Associate Agreement (BAA) must be in place between the covered entity and the service provider. PHI can only be shared via protected and approved channels, such as a specialized healthcare texting service.

Do Not Throw PHI Away With Normal Waste

Even though the majority of PHI is stored and shared digitally, physical copies and print outs are still created for some tasks. As mentioned above, PHI documents should not be allowed to be viewed by unauthorized individuals and this holds true even when they are being disposed of. PHI must be disposed of in a state that is unreadable, indecipherable, and unable to be reconstructed in order for it to be HIPAA compliant. Covered entities should implement strict procedures to ensure physical copies of PHI are not thrown out with regular waste and are securely disposed of. Staff must be sure to observe these procedures.

Do Not Access Medical Records Out of Curiosity

Accessing PHI without valid cause intrudes on patient privacy and violates HIPAA Rules. Even though most healthcare employees would not do this, it is not entirely uncommon.

Healthcare employees can only access PHI when it is needed to facilitate treatment, operations, or payment. In the case of viewing records relating to treatment, they are only allowed to view the records of patients they themselves are treating.

Access logs which record activity are required for HIPAA compliance, and the logs must be reviewed regularly. Whether controls flag inappropriate access as it occurs or later reviews reveal it, HIPAA violations will eventually be found.

Unauthorized access can result in employees being fired or even prosecuted. As well as this, it can affect future employment prospects and may result in financial penalties for the employer.

Do Not Bring Medical Records if You Change Jobs

Some people may wish to transfer PHI to their new employer if they change job. Companies may even request this of new hires in order to target new patients. This is not authorized and can lead to criminal charges, even if the employee has been dealing with the particular patient or patients for a long time.

Do Not Access Your Own Medical Records

While the HIPAA Privacy Rule gives patients a right of access to copies of their information, this is exercised on request. Staff should not look up their own records through the systems they use for work, and normally must follow the same procedure as any other patient by requesting the information from the Health Information Management (HIM) department.
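The two rules above (no access without a treatment, payment or operations need, and no self-access) are exactly what a periodic activity review should be checking the EHR audit trail for. The following is an added example written for this page, not code from any EHR vendor: the log format, field names, user and patient identifiers, care-team roster and role table are all constructed, and a real deployment would parse its own audit export and pull the roster from the scheduling or ADT system.

```python
"""Review EHR access-log lines for the two patterns this page warns about:
opening records of patients you are not treating, and opening your own record.

Added example for this page; not from the page, an EHR vendor or OCR. Every
identifier, the log format and the roster below are constructed.
"""
import re
from collections import namedtuple
from typing import Dict, List, Set

Finding = namedtuple("Finding", "user patient reason")

# Constructed audit log: timestamp, user, role, stated purpose, patient opened.
SAMPLE_LOG = """\
2019-03-04T09:12:01Z user=nurse.kim role=nurse purpose=treatment patient=P1001
2019-03-04T09:15:40Z user=nurse.kim role=nurse purpose=treatment patient=P2048
2019-03-04T11:02:13Z user=dr.ortiz role=physician purpose=treatment patient=P1001
2019-03-04T12:30:55Z user=bill.ng role=billing purpose=payment patient=P2048
2019-03-04T12:31:10Z user=bill.ng role=billing purpose=treatment patient=P2048
2019-03-04T13:05:22Z user=nurse.kim role=nurse purpose=treatment patient=P0077
"""

# Constructed care-team roster: which patients each clinician is currently treating.
CARE_TEAM: Dict[str, Set[str]] = {
    "nurse.kim": {"P1001"},
    "dr.ortiz": {"P1001", "P2048"},
}

# Constructed mapping of workforce members who are also patients of the facility.
STAFF_PATIENT_IDS: Dict[str, str] = {"nurse.kim": "P0077"}

# Roles allowed to open a record for a non-treatment purpose without a care relationship.
NON_TREATMENT_ROLES: Dict[str, Set[str]] = {
    "payment": {"billing"},
    "operations": {"compliance", "quality"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"purpose=(?P<purpose>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed key=value format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_access(events: List[dict], care_team: Dict[str, Set[str]],
                  staff_patients: Dict[str, str]) -> List[Finding]:
    """Flag self-access, treatment access without a care relationship, and
    non-treatment access by a role that is not authorized for that purpose."""
    findings = []
    for e in events:
        user, patient, purpose, role = e["user"], e["patient"], e["purpose"], e["role"]
        if staff_patients.get(user) == patient:
            findings.append(Finding(user, patient, "self-access: staff member opened own record"))
            continue
        if purpose == "treatment":
            if patient not in care_team.get(user, set()):
                findings.append(Finding(user, patient, "treatment access with no care relationship"))
        elif role not in NON_TREATMENT_ROLES.get(purpose, set()):
            findings.append(Finding(user, patient, f"role {role} not permitted for purpose {purpose}"))
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG), CARE_TEAM, STAFF_PATIENT_IDS):
        print(f"{f.user} -> {f.patient}: {f.reason}")
```

On the sample, the first, third and fourth lines are legitimate; the review reports nurse.kim opening P2048 without a care relationship, bill.ng opening P2048 under a treatment purpose a billing role cannot claim, and nurse.kim opening P0077, her own record. An unknown purpose value (say `curiosity`) is flagged by the last branch rather than silently accepted, which is the right default for a review that exists to find what the sanction policy has to act on.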

Do Not Transmit PHI or Photographs Via Social Media

Social media policies detailing how employees may and may not use social media exist in many healthcare organizations. It is generally noted that information related to their professional duties should not be posted or transmitted using social media. Publishing a tweet, Facebook post, or similar message containing patient information or PHI, even in a closed group, is a violation of HIPAA Rules.

Photographs and videos are also included when we talk about PHI, even if patients’ names and other information are not visible or mentioned in the media shared.

Selfies and other photographs that show patients cannot be uploaded to social accounts unless written permission is received from all patients depicted before they are uploaded. If any PHI is visible in the photograph, such as x-rays or documents, this would be a HIPAA violation. A good rule of thumb would be: if in doubt, don’t post. You can speak with your compliance officer to double check. A social media guide for nurses is available from the National Council of State Boards of Nursing (NCSBN).

A number of cases where healthcare employees uploaded inappropriate photographs and videos of patients to social media have been reported recently. These can lead to fines for the employer, loss of employment and licenses for the employee, and lawsuits for all involved.

Reporting Possible HIPAA Violations

If you suspect someone in your organization has committed a HIPAA violation, you must report it to your supervisor or compliance officer so that it can be investigated and procedures be put in place to stop it happening again.

If you feel your employer is not taking sufficient action against potential HIPAA violations, you should speak with your supervisor or compliance officer. If HIPAA Rules are being repeatedly or habitually violated, you can report it directly to the OCR.


HIPAA Compliance for Self-Insured Health Plans

Even some of the more basic aspects of the Health Insurance Portability and Accountability Act (HIPAA) can be difficult to understand, but when it comes to self-insured or self-administered health group plans, the level of complexity goes up a notch.

Under HIPAA, healthcare clearinghouses, providers, and health plans (referred to as covered entities) are obligated to meet standards relating to electronic healthcare transactions, unique health identifiers, and information security. These are HIPAA’s Administrative Simplification provisions.

These standards were laid down and enacted as part of the HIPAA Privacy Rule (2000) and the HIPAA Security Rule (2003). Since these were introduced by the Department of Health & Human Services (HHS), further amendments, guidelines, and companion Rules have altered what HIPAA compliance means for self-insured group health plans as technology evolves and working norms shift.

Definition of a Self-Insured Group Health Plan

To try to simplify this broad and complex topic, we must first define what is meant by a self-insured group health plan. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.

It is common for self-insured employers to establish a trust fund with employer and employee contributions, or else to use general funds, to pay for incurred claims. The plan can be self-administered or managed by a third party. These plans may also cover medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).

HIPAA Exemptions for Self-Insured Companies

In a small number of cases, self-insured companies may be exempt from HIPAA Rules. This applies to self-insured, self-administered health plans for employers with fewer than 50 employees where medical FSAs and HRAs are also managed by the employer. Employee wellness or assistance plans may require self-insured group health plans to be HIPAA compliant.

This leaves some self-insured enterprises in a “partial compliance” gray area. This occurs when health group sponsors or insurance agents do not have access to and do not electronically share protected health information (PHI). This is a rare occurrence and the majority of group health plans need to be HIPAA compliant.

What Does HIPAA Compliance for Self-Insured Group Health Plans Mean?

This is a complicated area of law due to the fact that it is not always clear who is affected. Those who are affected may have different responsibilities based on their size, the type of business, and their internal structure.

Appointing Privacy and Security Officers

A first step for those with self-insured group health plans is to appoint HIPAA Privacy and Security Officers. Both of these roles can be performed by a single person who may already be an employee of the company. The Officer or Officers should start by determining where, why, and how much PHI is created, received, stored, or shared by the group health plan. This will probably require a cross-functional approach with input from HR, IT, legal, and payroll.

Develop HIPAA Compliant Privacy Policies

When the volume and nature of PHI is understood, the self-insured group health plan must introduce procedures to manage how PHI can be used and disclosed, in compliance with HIPAA Rules. Any third party administrators should be considered while developing these. As a Business Associate, they will also be subject to HIPAA regulations and will need to sign a HIPAA Business Associate Agreement (BAA).

Develop HIPAA Compliant Security Policies

The HIPAA Security Rule obliges covered entities to use administrative, technical, and physical safeguards to protect the integrity of electronic PHI (ePHI). Security Officers must carry out risk assessments to search for any areas that may lead to ePHI disclosures. Should such weaknesses be found, plans should be drawn up to minimize and manage the risks.

Develop a Breach Notification Policy

Accidents happen even when robust procedures are in place to limit PHI breaches. Self-insured groups should plan contingencies and develop procedures to notify staff and the HHS as appropriate should ePHI be disclosed.

Training for Staff is Key

Staff must be trained in all aspects of the new procedures for companies to remain HIPAA compliant. Employees, as members of the self-insured plan, should be provided with information about the privacy procedures and why the PHI should be kept securely. They should also receive a record of any disciplinary policy that the company has introduced to enforce HIPAA compliance.


Nosy Employees Most Common Cause of HIPAA Security Breaches

Loss or theft of mobile devices can lead to breaches of the largest volumes of protected health information (PHI), but HIPAA security breaches are most often caused by unauthorized access to patients’ medical records by nosy employees.

In a survey carried out by Veriphyr Identity and Access Intelligence, seven out of ten entities admitted to having had at least one security breach, and half of those breaches were due to employees gaining unauthorized access to records.

The survey ranked curiosity as the main cause of unauthorized access, with 27% of breaches linked to staff accessing the medical records of a friend or family member and 35% due to staff checking on the records of their co-workers.

The targets of the survey were medium to large healthcare organizations, but it is likely that smaller groups experience a similar problem.

Nosy Employees are Violating HIPAA

While the Office for Civil Rights (OCR) does not need to be notified of breaches of a single patient’s records – only breaches containing the PHI of 500 or more people must be reported – it remains a breach of PHI and a HIPAA violation and could lead to a full investigation by the OCR.

PHI must be stored in accordance with administrative, technical, and physical protections. While unauthorized access may still occur, data access logs can record breaches and allow swift measures to reduce any damage.

How Healthcare Organizations Can Help Prevent Unauthorized Access

As noted above, HIPAA compliance requires meeting administrative, technical, and physical protection standards for PHI. Meaningful Use also compels organizations to ensure the security of electronic PHI (ePHI). Privacy and Security audits should be carried out to evaluate what risks an organization may face. A full examination of IT systems, procedures, and policies can help identify and manage these risks.

For Privacy and Security audits to reach meaningful conclusions, a four step process should be followed:

  • Analyze all IT systems
  • Examine and overhaul approaches to risk management
  • Develop sanctions to penalize HIPAA violations and ensure all staff are aware of them
  • Verify that user session data and access data are being logged and that the logs are being monitored. Anomalous activity should be investigated

Employees that require access to PHI for professional use cannot be kept from seeing medical records. They must be made aware of their duties and the relevant safeguards included in Meaningful Use and the HIPAA Privacy and Security Rules. They should also be advised of the possible negative outcomes that can be caused by unauthorized access to PHI.

Nosy employees cannot always be curtailed, but unauthorized access to PHI can be reduced. Compliance with the Privacy and Security Rules can potentially reduce the fallout associated with HIPAA violations.
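The fourth step above, reviewing access logs for anomalous activity, is the control that actually catches the co-worker and family look-ups the survey describes. The following is an added example, not code from the original article: it compares constructed EHR access log lines against a constructed care-team assignment table (in practice sourced from scheduling or ADT data, never from the EHR log itself) and flags any access without a documented treatment or payment relationship, with a specific reason when the chart belongs to a fellow staff member. All log lines, user names and patient IDs are constructed for illustration.

```python
"""Review EHR access logs for accesses without a documented care relationship.

Added example (not from the original article). The log format, roster and
assignment data below are constructed for illustration.
"""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "ts user patient action")
Finding = namedtuple("Finding", "ts user patient reason")

# Constructed sample: which staff are legitimately assigned to which chart.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel"},
    "P1002": {"dr_lee"},
    "P1003": {"rn_patel", "billing_kim"},
}

# Constructed: staff members who are also patients of the organization.
# This is what lets the review single out co-worker look-ups.
STAFF_PATIENT_IDS = {"P1003": "rn_garcia"}

# Constructed sample log lines: ts,user,patient,action
SAMPLE_LOG = """\
2024-03-01T08:02:11,dr_lee,P1001,view_chart
2024-03-01T08:15:40,rn_patel,P1001,view_labs
2024-03-01T09:01:03,rn_garcia,P1003,view_chart
2024-03-01T09:30:22,billing_kim,P1002,view_chart
2024-03-01T10:05:19,rn_patel,P1003,view_chart
2024-03-01T11:45:00,dr_lee,P1003,view_notes
"""


def parse_log(text):
    """Turn the CSV-style sample log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append(AccessEvent(ts, user, patient, action))
    return events


def review_access(events, care_team=CARE_TEAM, staff_patients=STAFF_PATIENT_IDS):
    """Flag every access by a user who is not on the patient's care team."""
    findings = []
    for ev in events:
        assigned = care_team.get(ev.patient, set())
        if ev.user in assigned:
            continue  # documented treatment/payment relationship: not flagged
        if staff_patients.get(ev.patient) == ev.user:
            reason = "self-lookup of own record outside the patient portal"
        elif ev.patient in staff_patients:
            reason = "access to a co-worker's record without care relationship"
        else:
            reason = "access without documented care relationship"
        findings.append(Finding(ev.ts, ev.user, ev.patient, reason))
    return findings


def summarize(findings):
    """Count findings per user so reviewers can prioritise follow-up."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG)):
        print(f"{f.ts} {f.user:<12} {f.patient} {f.reason}")
```

Run against the sample log, the review flags three of the six events: the nurse opening her own chart, a billing clerk opening a chart she is not assigned to, and a physician opening a co-worker's record. A real deployment would add the "break the glass" emergency-access path as an explicitly logged exception rather than silently allowing it.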


HIPAA and De-identification of Protected Health Information

The HIPAA Privacy Rule puts a number of restrictions in place to keep protected health information (PHI) secure. This also hampers healthcare organizations’ ability to share information. A way to share data while remaining HIPAA compliant could be the de-identification of information. PHI that has been de-identified has had its identifying elements removed. HIPAA’s Privacy rule is no longer relevant to this information and it can be shared more freely.

The HIPAA Privacy Rule deals with individually identifiable PHI. Without identifying information, and if re-identification is not possible, transmission of PHI is much less restricted.

De-identification may be carried out to enable sharing of data for mass medical research, comparative effectiveness studies, and other research purposes. Patient privacy is not violated and there is no need to gain permission from a large number of individual patients.

De-identification of PHI to HIPAA Standards

De-identification of PHI to HIPAA standards can be achieved in one of two ways: Expert Determination and Safe Harbor. While both of these leave some risk of re-identification, it is brought down to an acceptable level. Once treated with one of these techniques, PHI is no longer ‘protected’ by the HIPAA Privacy Rule.

1. Expert Determination

This method does not eliminate all risk of an individual being identified at a later date, but it reduces it to a sufficiently low level.

For this method, a HIPAA covered entity needs the professional opinion of a qualified statistical expert that the probability of being able to identify someone from the information is very low. The probability of identification must be low both when the data is taken on its own and also when added to other information that it is likely the eventual user will have access to.

The acceptable level of risk is not defined by HIPAA beyond “very small”. The statistician should make their assessment of the risk by considering the data being examined, the particularities of the environment, and the potential of the receiving body to re-identify patients.

There is no specific qualification needed for someone to be considered an expert in this regard. Experience in de-identifying data is the main criterion. Auditors may review this experience should an examination ever arise.

More information about de-identification of PHI by Expert Determination can be found under 45 CFR § 164.514(b)(1).

2. Safe Harbor – Removing Specific Identifiers

PHI can also be de-identified by removing specific identifiers from the information. Examples of data to remove include:

  • Names
  • Full face photos and comparable images
  • Biometric identifiers (including finger and voice prints)
  • Social Security numbers
  • Medical Record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Device identifiers and serial numbers
  • Vehicle identifiers and serial numbers including license plates
  • Any unique identifying numbers, characteristics or codes
  • All information related to dates, apart from the year. This applies to admission and discharge dates, birth dates, death dates, ages over 89 years old, and elements of dates (including year) that are indicative of age
  • Contact phone or fax numbers
  • IP addresses
  • Email addresses
  • Website URLs
  • Locations to areas more specific than state level
  • Final two digits of Zip codes – the first three digits can be used provided the areas of full Zip codes starting with those three digits contain over 20,000 people. If not, it should be shown as 000. According to the Bureau of the Census, this means 17 zip codes must be represented as 000: 036, 692, 878, 059, 790, 879, 063, 821, 884, 102, 823, 890, 203, 830, 893, 556, 831. This list is subject to change as demographics shift.

More information about de-identification of PHI by Safe Harbor can be found under 45 CFR § 164.514(b)(2).

The U.S. Department of Health and Human Services’ Office for Civil Rights guidance on PHI de-identification can be found here.
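The Safe Harbor list above is mechanical enough to be applied by code, and the two rules that are most often implemented wrongly are the ZIP code and date rules. The following added example (not code from the original article, and not an official HHS tool) applies Safe Harbor to constructed patient records: it drops the direct identifiers, keeps only the first three ZIP digits (reporting the 17 prefixes listed above as 000), reduces every date to its year, and for anyone over 89 drops the birth year as well and reports age as 90+. The field names, records and reference date are assumptions for illustration; the 17 ZIP prefixes are the ones the article lists.

```python
"""Safe Harbor de-identification of constructed patient records.

Added example, not from the original article. Field names and sample
records are constructed; the restricted ZIP prefixes are those listed
in the article.
"""
from datetime import date

# The 17 three-digit ZIP prefixes the article lists as covering fewer than
# 20,000 people; Safe Harbor requires these to be reported as 000.
RESTRICTED_ZIP3 = {"036", "692", "878", "059", "790", "879", "063", "821", "884",
                   "102", "823", "890", "203", "830", "893", "556", "831"}

# Direct identifiers removed outright (assumed field names for this example).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "account_no", "phone", "fax", "email",
                      "ip", "device_serial", "license_plate", "url", "photo",
                      "street", "city"}


def generalize_zip(zip_code):
    """Keep the initial three digits, or 000 for a low-population prefix."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth, ref):
    """Whole years between birth and the reference date."""
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record, reference_date):
    """Return a de-identified copy of one record under the Safe Harbor rules."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            age = age_on(value, reference_date)
            if age > 89:
                out["age"] = "90+"  # birth year dropped too: it would reveal the age
            else:
                out["age"] = age
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)  # admission, discharge, death: year only
        else:
            out[key] = value  # state-level location, diagnosis codes, etc.
    return out


def deidentify_all(records, reference_date):
    return [safe_harbor(r, reference_date) for r in records]


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-1", "zip": "03601",
     "state": "NH", "birth_date": date(1930, 5, 2),
     "admission_date": date(2023, 2, 14), "diagnosis": "J18.9"},
    {"name": "John Example", "ssn": "000-00-0001", "mrn": "MRN-2", "zip": "90210",
     "state": "CA", "birth_date": date(1985, 6, 30),
     "admission_date": date(2024, 1, 9), "diagnosis": "I10"},
]

if __name__ == "__main__":
    for r in deidentify_all(SAMPLE_RECORDS, date(2024, 3, 1)):
        print(r)
```

Note that a record passing this function is only de-identified in the Safe Harbor sense if the covered entity also has no actual knowledge that the remaining fields could identify the individual; free-text fields (clinical notes) are not handled here and need separate treatment.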


HIPAA Social Media and Texting Guidelines

Last year, Deven McGraw of the Department of Health and Human Services’ Office for Civil Rights (OCR) spoke about 2017’s HIPAA guidance. In 2016, the Joint Commission revised their position by allowing the use of text messages for orders, but this was quickly banned again. Later that year the Joint Commission again changed the ruling by permitting the use of secure text messaging platforms for communication between doctors; however, text messages – even over a HIPAA compliant platform – would still not be permitted.

The OCR is often asked about how HIPAA rules apply to text messages and Mr McGraw gave assurances that further guidance was forthcoming.

Speaking with Information Security Group Media, he went on to say “there are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department”.

The OCR committed to clearing up the issue of how text messaging could be used between doctors, healthcare organizations, and to patients, as well as when use of text messages would violate HIPAA Rules.

2016 saw a number of accidental disclosures of protected health information (PHI) occur on social media. Some images and videos were even deliberately posted.

Even though most healthcare employees are aware of what is and is not compliant with HIPAA, particular guidance related to the use of social media was promised by the OCR.

There will also be an update to the OCR’s FAQ section, which McGraw described as “horribly out of date”.

Other areas to be improved were transparency and educating covered entities on what to expect from OCR investigators. Data breaches affecting 500 or more people are investigated by the OCR but little is widely known about how these investigations are conducted.

OCR also said they would be publishing an “Anatomy of a Case”, a study of how OCR approaches an investigation and the procedures involved, to explain how civil monetary penalties (CMPs) are calculated and how settlements are reached using OCR’s internal criteria.


HIPAA Cell Phone Regulations

Personal phones are increasingly being used by healthcare professionals to share patient data with care teams. This is an obvious breach of HIPAA Rules. Even if the data is sent to authorized individuals, the use of insecure and unencrypted networks to share sensitive information such as test results and patient data is a HIPAA violation.

The intended recipient is not the determining factor in this case. Transferring protected health information (PHI) without a protection such as a firewall creates a risk to information integrity and privacy. While sending messages over a password protected Wi-Fi network may be allowed under HIPAA’s Security Rule, use of normal cellular networks is not.

The Department of Health and Human Services’ Office for Civil Rights (OCR) is the arm that monitors compliance with HIPAA and can impose fines and sanctions against violators. The methods being used by doctors and healthcare providers to share PHI are an area they are paying more attention to. The use of mobile devices is causing heightened concern as there is an increased risk of the data being intercepted or accessed by unauthorized individuals should the device be lost or stolen.

As insecure channels are being used more and more, the OCR has started to make examples of those caught using them. The sharing of PHI must be done with sufficient safeguards to protect patient data.

Although text messages are seemingly sent near instantaneously, they transit through a number of servers. Information may be stored by these servers. As this information could be accessed by unauthorized individuals, it constitutes a HIPAA violation. A simple way to potentially stay compliant with HIPAA would be to encrypt the data being sent. Then, even if the information were stored on an unauthorized server, it would be unreadable and unusable if accessed. A number of smartphone apps exist to facilitate secure healthcare messaging.

The OCR is continually issuing guidance. As technology and communication tools evolve, regulations will need to be drawn up to ensure their judicious use. Until official guidance is published, healthcare providers should err on the side of caution and only share PHI using secure and verified tools.


HIPAA Compliance Requirements for Call Centers

Texting and HIPAA Compliance for Call Centers

Any company that provides an answering or call-forwarding service for the healthcare sector needs to be aware of their obligations under the Health Insurance Portability and Accountability Act (HIPAA). Following the introduction of the Final Omnibus Rule in 2013, companies that provide services relating to the processing, sharing, or storage of information for the healthcare industry must also be compliant with HIPAA’s Privacy and Security Rules.

A result of this is that call centers for healthcare providers must now have a third party validate that they are HIPAA compliant in their treatment of protected health information (PHI). Measures to ensure texting is done in compliance with HIPAA rules can be introduced simply and economically. HIPAA compliance has also been shown to increase efficiency – lightening workloads and improving service to patients.

Healthcare Organizations and Secure Texting Solutions

The main items concerning call centers are to be found under the HIPAA Security Rule. The Security Rule deals with issues of access to data, integrity of information, and protections against breaches of PHI.

A number of healthcare organizations use secure texting solutions that are HIPAA compliant and these could also be used by call centers. SMS, instant messaging, and email are not considered compliant under the Security Rule.

By using a secure texting solution, call centers can be sure that the necessary protections, such as access control and message integrity, are in place and their PHI communications are HIPAA compliant.

HIPAA Compliance for Call Centers

Secure texting solutions require a centrally issued unique username and password combination to gain access to a private network. Therefore, only authorized users can connect.

Once connected, authorized users can share files and communicate with each other.

Security measures prohibit transferring data outside of the network, copying and pasting of data, and saving data to external hard drives. Access and behavior are recorded, and communications which may breach PHI privacy can be recalled or remotely deleted.

Transmissions are encrypted to ensure they would be unreadable, undecipherable and unusable if they were intercepted on a public network and devices can be remotely locked should one be lost or stolen. All of this prevents unauthorized access to PHI.

Other features which can be introduced include “message lifespans”, which delete PHI messages from a user’s device after a certain period of time, and time-outs, which log users out if the session has been idle for too long.

The Advantages of HIPAA Compliance for Communicating ePHI

As well as the call center itself benefiting from HIPAA compliance, the healthcare organization they serve will also benefit.

  • HIPAA compliant texting services allow greater efficiency of communication with doctors during their shifts.
  • Test results, X-rays, and other patient records can be sent to instantly give a more complete patient history
  • Delivery notifications and read receipts help users track the information shared
  • Call centers and healthcare providers can allow employees to use their own devices with the secure system and still be HIPAA compliant.
  • Medical staff can make the most of the convenience offered by their mobile devices to better serve patients
  • HIPAA compliant communications tools improve message accountability, as described below

A call center working with El Rio Community Health Centers near Tucson, Arizona, introduced a HIPAA compliant message solution to improve call support, patient follow-up, and message accountability.

They found response times improved such that 95% of concerns were answered in 60 seconds or less, message accountability increased by 22%, and a higher level of service was provided to patients.

Thanks to the ability to monitor communication metrics, Health Center administrators were able to streamline the workload and better address patient follow-up and risk management. Their CIO went on to say that communicating ePHI in compliance with HIPAA eliminated lost message errors which translated into increased patient satisfaction.

HIPAA Compliance for Call Centers – Summary

As mentioned above, call centers need to have their handling of PHI independently verified if they want to provide services to healthcare providers. There are also some other reasons why they should work to become HIPAA compliant.

By building on the streamlined workflow at the call center level, the healthcare provider can further improve their own workflow, leading ultimately to a better service provided to patients. The call center can then use this increase in overall efficiency as a competitive argument.

Secure texting applications are also cheap and easy to introduce as they are not dissimilar from messaging services that employees already regularly use in their personal lives. Therefore, only minimal training is required.

Given that these applications are provided as a “Software-as-a-Service” based in the cloud, there is no need to introduce new hardware, servers, or other IT infrastructure. “Out-of-the-box” solutions, they require minimal time to configure and may be handling all secure texting needs within 24 hours.


HIPAA SMS Compliance and Regulations

The Majority of SMS Messages Violate HIPAA

There is no specific rule under HIPAA that outlaws protected health information (PHI) being sent via SMS – “Short Message Service”. However, there are a number of criteria that must be met for the use of SMS to send PHI to be HIPAA compliant.

Many SMS messages violate HIPAA rules in one or all of several ways: the information is not encrypted; the message cannot be recalled if addressed to an incorrect number; and there is a risk of the message being captured over public Wi-Fi networks. While some of these problems can be overcome, the solutions are seldom put in place.

SMS messages are routinely backed up by service providers. This is an issue for HIPAA compliance, as is the unaccountable nature of SMS messages. PHI should never be included in a message sent via SMS. HIPAA rules on this topic also concern instant messaging applications like WhatsApp, iMessage, and email.

What HIPAA says about SMS, IMs, and Email

Email, SMS, and IMs are dealt with for the most part by the HIPAA Security Rule. This rule requires a number of technical features to be in place to protect information, for example user authorizations, access logs, audit records, data integrity protections, and data transmission safeguards. Required security protocols include:

Unique log-in IDs and passwords to access the system that manages or shares PHI. This allows activity and audit logs to be created.

All devices capable of connecting to the system must have a time-out feature to log out users following a period of inactivity. This minimizes the risk of unauthorized individuals accessing data through an idle device.

PHI sent from the system must be encrypted in transit so that any intercepted message would be “unreadable, undecipherable and unusable”.

These requirements already represent a serious barrier to using SMS, IMs, and email in compliance with HIPAA. While introducing access controls and requiring users to log into systems is not overly complicated, recording and supervising online activity and ensuring sessions are correctly closed represent a greater challenge.

Encryption also represents a hurdle to compliance. An encrypted message service for use by all different actors in the healthcare sector would need to be compatible with multiple operating systems and devices. It would also require a standard decryption key. Instead of solving this problem, certain electronic communications of PHI were accorded an exemption – specifically messages between medical professionals and their patients.

Overcoming HIPAA Regulations for SMS, IMs, and Email

HIPAA regulations concerning SMS, IMs, and email can cause further confusion as they may vary across organizations, subject to their size, the type of service provided, and the amount of PHI they deal with. A solution exists to bypass the uncertainty surrounding SMS, IMs, and email no matter the conditions of the organization involved – secure messaging.

Secure messaging apps function in a similar fashion to SMS and IMs. They can be used for transmitting and receiving encrypted text messages and images, and for holding group chats. Compatible across devices and operating systems, they require a user to input a unique ID and password combination to access the service.

Security measures protect against unauthorized access through idle devices, and even prohibit copying and pasting PHI, storing PHI to an external hard drive, and transmitting PHI to third parties that are not members of the user network.

Access and behavior are recorded, time-out features are applied, and other settings protect the integrity of the data. Should a user’s device ever be misplaced or stolen, for example, administrators have the capability to remotely wipe PHI communications and block access to the secure app.
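The secure-texting features described for call centers above (centrally issued credentials, message lifespans, time-outs, recorded access) and the Security Rule protocols listed under "What HIPAA says about SMS, IMs, and Email" (unique log-in IDs feeding an audit log, idle time-outs, no transfer outside the user network) are the same small set of controls. The following added example, which is not code from the original article or from any vendor's product, models them in a minimal in-memory messaging service: salted PBKDF2 password verification, sessions that expire after a configurable idle period, messages that are purged after their lifespan, delivery restricted to registered users, and an append-only audit trail of every action. The timeout and lifespan values and all user names are assumptions; transport encryption is out of scope here and would sit underneath this logic.

```python
"""Minimal model of secure-messaging access controls: unique log-ins,
idle time-out, message lifespan and an audit trail.

Added example, not from the original article. Policy values and user
names are assumptions for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

IDLE_TIMEOUT = 600        # assumed policy: seconds idle before automatic log-out
MESSAGE_LIFESPAN = 86400  # assumed policy: seconds a delivered message is retained


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    user: str
    last_active: float


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    sent_at: float


class SecureMessagingService:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, lifespan=MESSAGE_LIFESPAN):
        self.users = {}      # user -> (salt, digest)
        self.sessions = {}   # token -> Session
        self.messages = []
        self.audit = []      # append-only: (time, user, action)
        self.idle_timeout = idle_timeout
        self.lifespan = lifespan

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def login(self, user, password, now):
        """Verify credentials; every attempt, successful or not, is audited."""
        stored = self.users.get(user)
        ok = stored is not None and hmac.compare_digest(
            stored[1], hash_password(password, stored[0])[1])
        self.audit.append((now, user, "login" if ok else "login_failed"))
        if not ok:
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = Session(user, now)
        return token

    def _touch(self, token, now):
        """Return the live session for a token, ending it if it has gone idle."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_active > self.idle_timeout:
            del self.sessions[token]
            self.audit.append((now, s.user, "session_timeout"))
            return None
        s.last_active = now
        return s

    def send(self, token, recipient, body, now):
        s = self._touch(token, now)
        if s is None or recipient not in self.users:
            return False  # not logged in, or recipient outside the user network
        self.messages.append(Message(s.user, recipient, body, now))
        self.audit.append((now, s.user, f"send:{recipient}"))
        return True

    def inbox(self, token, now):
        s = self._touch(token, now)
        if s is None:
            return None
        self.purge_expired(now)
        self.audit.append((now, s.user, "read_inbox"))
        return [m.body for m in self.messages if m.recipient == s.user]

    def purge_expired(self, now):
        """Message lifespan: drop anything older than the retention window."""
        self.messages = [m for m in self.messages if now - m.sent_at <= self.lifespan]
```

The point of keeping the audit list separate from the session and message state is that it survives time-outs and purges: the service can delete a message from every device and still show who sent what to whom and when, which is what "message accountability" in the El Rio example refers to.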

The Benefits of Secure Messaging

Using secure messaging solutions in place of SMS, IMs, and email offers a number of benefits to healthcare organizations, not least of which is support for HIPAA compliance. The ability to communicate PHI instantly allows for a much more efficient flow of information between healthcare employees and group chats can facilitate administrative tasks such as admissions or discharges.

Coupled with the use of Electronic Medical Records (EMRs), secure messaging solutions can speed up the process of updating notes and give doctors more time to consult with patients. A 2015 study from Carnegie Mellon University’s Tepper School of Business found that use of a secure messaging system reduced patient safety incidents by 27% and medication errors by 30%.


The Benefits of Using Blockchain for Medical Records

Blockchain technology is widely spoken about when discussing the security of cryptocurrency transactions, but could blockchain be used for medical records? Could the use of blockchain technology benefit and improve the security of healthcare data?

It is still early days when it comes to using blockchain to access medical records, but the potential improvements in security are obvious, and could include lowering the risk of data breaches while also facilitating the sharing of healthcare data between providers, as well as making it easier for patients to access data.

The current system used to store and share medical records is far from ideal. It is inefficient, with a large number of bottlenecks and blocks that do not allow data to be easily shared. This can be a problem as a patient’s medical records may not always be stored by a single healthcare provider – different fragments of a patient’s medical history may be divided over a number of different healthcare providers’ systems.

This fragmentation means it can be difficult to access and combine all the data to get a full insight into a patient’s history, and it can also lead to an increased risk of data theft. With data spread across several systems, including different healthcare providers and business associates, the risk of a breach occurring is increased. While the Health Insurance Portability and Accountability Act (HIPAA) mandates that all HIPAA-covered entities and their business associates must use technical protections to maintain the confidentiality, integrity, and availability of protected health information (PHI), security is individually managed by each of these actors.

The risk that an error occurs and data is exposed is increased with each different entity that has access to the data. HIPAA-covered entities and their business associates sometimes make mistakes while handling, sending, or saving information. Even when great care is being taken to avoid mistakes, breaches can still occur, as attested to by the Department of Health and Human Services’ Office for Civil Rights’ Breach portal. Introducing blockchain technology to this system could dramatically improve the security of medical records.

Blockchain, as can be inferred from the name, utilizes a chain of data blocks. These blocks record information about transactions and they are encrypted for privacy. Instead of a single storage point of information, blockchain records data to an encrypted ledger which exists across a number of synchronized and replicated databases. Every block in the chain is linked to the block that came before it with a unique public key. Access to the data is strictly controlled.

The recent and considerable data breaches that occurred at Anthem and Equifax show us that holding large amounts of data in single centralized systems is not a viable way to keep that data safe. A potential alternative may be to store data as part of a decentralized system.

Each data block in the chain is encrypted using public key cryptography and decrypted with a private key or password. For medical records, this private key could be a password held by a patient, for example.

If blockchain were introduced, instead of several healthcare providers all storing their own copy of a patient’s information, a patient would be able to provide a key or password to any provider to enable them to access all of the patient’s medical records.

The data would be securely stored through blockchain and could not be accessed without the key. No single block of data could be hacked without hacking all other blocks in the chain’s chronology at the same time. It would also prevent any changes being made to a data block while attempting to hide that a change had been made.

For cryptocurrencies, for example Bitcoin, the blockchain is used for transactions – trades of the currency. For medical records, the transactions recorded could be any health information such as X-ray images, test results, prescriptions, surgeries, or consultations. Any new data entry would need to be confirmed as valid by a trusted entity that has access to the private key. Once confirmed, it would become a new block in the chain in chronological order and the whole chain would contain a patient’s entire medical history.
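The property the two paragraphs above rely on, that a data block cannot be altered without the alteration showing, comes from each block committing to the one before it. The following added example (not code from the original article or from any of the trials it mentions) builds such a chain of constructed medical events in which every block carries the SHA-256 hash of its predecessor, and shows what verification sees after a block is tampered with: the edited block fails its own hash check, and if the attacker recomputes that hash the next block's link fails instead, so the whole remainder of the chain would have to be rewritten. Linking by hash rather than by key, and the event contents, are assumptions for illustration; encryption of block contents and access control are not modelled here.

```python
"""Hash-chained ledger of medical events with tamper detection.

Added example, not from the original article. The events are constructed
and the chain is linked by SHA-256 of the previous block (an assumption of
this example, standard for blockchains but not stated by the article).
"""
import dataclasses
import hashlib
import json

GENESIS_HASH = "0" * 64


@dataclasses.dataclass(frozen=True)
class Block:
    index: int
    timestamp: str
    entry: dict       # the medical event: test result, prescription, ...
    prev_hash: str    # hash of the preceding block; this is the "chain"
    hash: str         # hash over everything above


def compute_hash(index, timestamp, entry, prev_hash):
    """Canonical JSON so the same content always hashes the same way."""
    payload = json.dumps({"i": index, "t": timestamp, "e": entry, "p": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class RecordChain:
    def __init__(self):
        self.blocks = []

    def append(self, timestamp, entry):
        """Append a confirmed event as the next block, returning its hash."""
        index = len(self.blocks)
        prev = self.blocks[-1].hash if self.blocks else GENESIS_HASH
        h = compute_hash(index, timestamp, entry, prev)
        self.blocks.append(Block(index, timestamp, entry, prev, h))
        return h

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad block)."""
        prev = GENESIS_HASH
        for i, b in enumerate(self.blocks):
            if b.index != i or b.prev_hash != prev:
                return False, i
            if compute_hash(b.index, b.timestamp, b.entry, b.prev_hash) != b.hash:
                return False, i
            prev = b.hash
        return True, None


def build_sample_chain():
    """Constructed patient history, in chronological order."""
    chain = RecordChain()
    chain.append("2023-01-10", {"type": "consultation", "note": "annual check-up"})
    chain.append("2023-01-12", {"type": "lab", "test": "HbA1c", "value": "5.4%"})
    chain.append("2023-02-02", {"type": "prescription", "drug": "metformin", "dose": "500 mg"})
    return chain


def tamper_demo():
    """Show where verification fails under two kinds of tampering."""
    chain = build_sample_chain()
    intact, _ = chain.verify()

    # 1. Edit block 1's content in place: its stored hash no longer matches.
    b1 = chain.blocks[1]
    chain.blocks[1] = dataclasses.replace(b1, entry={**b1.entry, "value": "9.8%"})
    _, naive_failure = chain.verify()

    # 2. Also recompute block 1's hash: now block 2's prev_hash is stale.
    b1 = chain.blocks[1]
    fixed_hash = compute_hash(b1.index, b1.timestamp, b1.entry, b1.prev_hash)
    chain.blocks[1] = dataclasses.replace(b1, hash=fixed_hash)
    _, rehashed_failure = chain.verify()
    return intact, naive_failure, rehashed_failure


if __name__ == "__main__":
    print(tamper_demo())  # intact before tampering, then failures at 1 and 2
```

What this does not give you is confidentiality or control over who may append: in a real system, the step the article describes as confirmation "by a trusted entity that has access to the private key" would be a digital signature over each block, and the entry contents would be encrypted before being placed in the block.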

Using blockchain for medical records may offer huge benefits to both patients and healthcare providers. The blockchain could increase security while also combining all of a patient’s information together from multiple sources.

Full medical records could therefore be easily shared between providers. No electronic transmission of data between providers would need to occur; future providers could simply be given the access key with which they could access the information.

Blockchain could also help patients access their information more easily. Instead of making several requests to all their previous providers, they could make a single request and access their full information. Getting access to medical records under the current system can be complicated, time-consuming, and even costly, as providers are allowed to charge a fee for copies of the information.

If data is made available through patient portals, combining and sharing the information can be even more complicated. Another area where blockchain offers advantages is in cases where there are multiple patient identifiers.

Blockchain has been proven to work for financial transactions, so why not medical records? Is it a practical solution? Trials of blockchain to support medical data have already shown positive results. One example, a trial conducted over a period of six months by MIT Media Lab and Beth Israel Deaconess Medical Center, demonstrated blockchain worked well in tracking test results, treatments, and prescriptions for inpatients and outpatients. During the trial, data exchange between two institutions was simulated using two different databases at Beth Israel. There are currently plans to expand the trial.

Some issues do still remain to be resolved. Blockchain is pseudonymous, not anonymous. Certain records, such as psychotherapy notes, should not be accessible to patients, and blockchain does not offer a solution to keeping these accessible to providers but hidden from patients.

Extensive testing with medical records would also need to be carried out and healthcare organizations would need to be persuaded to adopt the blockchain system. In a survey carried out by IBM in 2017, 16% of 200 participating organizations said they aimed to have a commercial blockchain solution established before the start of 2018, which is encouraging news for all who would benefit from this new technology.


Is Using Google Docs HIPAA Compliant

Google Docs and Google Drive are tools that facilitate document sharing, but can they be used to share documents containing protected health information (PHI)? Is using Google Docs HIPAA compliant?

Is using Google Docs HIPAA compliant?

The answer to whether using Google Docs is HIPAA compliant or not is both yes and no. Whether a tool is HIPAA compliant is less about the technology behind it and more about how it is used. Software or online storage solutions that are designed and promoted to be HIPAA compliant can still be used in ways that go against HIPAA Rules.
Google Apps – now known as G Suite – covers a range of Google tools, including Google Drive. G Suite does support HIPAA compliant solutions. Use of a G Suite service does not in itself violate HIPAA Rules, but users must ensure that they follow all applicable regulations.
G Suite has options and all the required controls to allow it to be HIPAA compliant, and it can therefore be used to share PHI by HIPAA-covered entities – so long as appropriate rules are followed, the settings are correctly applied, and appropriate security measures are implemented.
Before any software or online storage solution is used to process or store PHI, the vendor must sign a business associate agreement (BAA) with the HIPAA-covered entity that covers all required aspects of HIPAA compliance. Google will sign a BAA covering the use of G Suite services such as Google Drive, which includes Docs, Sheets, Slides, and Forms. However, this is only available to paying G Suite customers.
It is important that the covered entity review and sign the BAA with Google before any PHI is entered into any Google service. The BAA may not cover all Google services, so it is essential to note which services are specifically mentioned in the BAA. The BAA will also not cover any third party services, even if they are used in conjunction with G Suite. BAAs must be obtained from each individual provider or developer of the services used.
Even with a signed BAA, a HIPAA-covered entity remains responsible for ensuring all settings and controls are correctly in place when using the service to process or store PHI. Google does not accept liability for incorrect configuration of G Suite services.
Covered entities should also be aware that although Google encrypts all data uploaded to Google Drive and Google Docs, that encryption is applied on Google's servers; it does nothing for copies of files that are downloaded or synced to local devices, which need their own protection. HIPAA compliance for synced data is outside the scope of this piece, and it is recommended that syncing be disabled.
In order to avoid breaking any HIPAA Rules, covered entities should:

  • Sign a BAA with Google before inputting any PHI into G Suite services
  • Ensure all necessary settings are correctly in place
  • Enable two-factor authentication
  • Set strong passwords
  • Disable syncing
  • Disable link sharing
  • Restrict file-sharing outside of the domain (if external access is needed, Google can advise)
  • Ensure visibility of documents is private
  • Do not allow offline storage for Google Drive
  • Turn off third party add-ons and apps, and do not allow them access to G Suite data
  • Conduct regular audits of access logs, account logs, and shared file reports
  • Set alerts to notify administrators of any change to configurations
  • Ensure all data uploaded to Google Drive is backed-up
  • Ensure staff are trained in the appropriate use of Google Drive and G Suite services
  • Ensure file names do not contain PHI

Google has published a HIPAA Compliance Guide for G Suite services to help HIPAA-covered entities to correctly implement and use G Suite and Google Docs.


Can E-Signatures be Used Under HIPAA Rules?

The ability to sign documents electronically has led to gains in efficiency in many industries, including the healthcare sector. However, there is still doubt over whether e-signatures are acceptable under HIPAA rules. The simple answer is “yes, they are acceptable and can be used”, but steps must be taken to validate the security and legal status of the document and to ensure that there is not a risk of a protected health information (PHI) data breach.

What HIPAA Says About E-Signatures

E-signatures were included in the first iteration of the HIPAA Security Rule in 2003 but were removed before the rule came into force. The Department of Health and Human Services website includes a section on business associate agreements and sharing medical data electronically, posted after that date, which says:

“No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”

In most cases no signature is needed when PHI is disclosed for treatment or payment, so for routine healthcare transactions the question of whether e-signatures are acceptable under HIPAA does not arise. Uses that the HIPAA Privacy Rule does not permit without the patient's authorization, such as using PHI for research, do require a signed authorization. If that authorization is given as an e-signature, further criteria must be met.

The Criteria Needed to Accept E-Signatures Under HIPAA

For an e-signature to be acceptable under HIPAA, it must also be in accordance with the Uniform Electronic Transactions Act (UETA) and the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act). It must meet the following criteria:

Legal Compliance. The document must comply with federal regulations related to e-signatures. There must be an option for the signatory to receive an emailed or printed copy of the document. Certain information must be clearly demonstrated on the document, such as the terms of any agreement and the intent of the signatory. Legal counsel should be sought by covered entities to ensure the acceptability of the e-signature under HIPAA would not be affected by any local or state laws.

User Authentication. Systems must be put in place by covered entities to verify the identities of all parties of the transaction. Failure to do so could result in questions affecting the validity of the document or the signatory’s authority to enter into any agreement or contract. A number of options exist to minimize this risk, such as two-step verification, voice authorization systems, specialized software, or verification questions.

Message Integrity. To prevent the document being tampered with after signature, a system must be in place to protect its contents from alteration both in transit and at rest. This mirrors the integrity requirements of the HIPAA Security Rule and should be treated as equally important. OCR auditors could include e-signature processes in the scope of future risk-assessment reviews, and a strong level of message integrity will be needed to withstand that scrutiny.

Non-repudiation. For e-signatures to be acceptable under HIPAA regulations and to defeat claims that a signatory did not sign the document, an audit trail should record time stamps, dates, locations, and the chain of custody. This protects the document against disputes over its enforceability and claims against the validity of the PHI disclosure authorization.

Ownership and Control. Covered entities must be able to ensure PHI is protected. To do so, they must keep all evidence supporting the validity of the e-signature on the same document retained under their ownership. Any other copy – other than those belonging to the signatory – should be deleted and destroyed. No copies should exist on the servers of e-signature service providers.
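The Message Integrity and Non-repudiation criteria above are easier to reason about with a concrete record in front of you. The following is an added example written for this page, not code from the original article or from any e-signature vendor. It binds a SHA-256 digest of the signed document to a hash-chained audit trail of chain-of-custody events (who acted, how they were authenticated, where, and when), and each entry is tagged with an HMAC under a key the covered entity holds. The key, the event names, the constructed authorization form and the signer identifiers are all assumptions for the demo. One caveat the code comment repeats: an HMAC proves the entity's own record was not altered, but true non-repudiation against the signer needs an asymmetric signature under a key only the signer controls.

```python
"""Tamper-evident e-signature record: document digest + hash-chained audit trail.

Added example for illustration; not the article's or any vendor's code.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the covered entity holds one secret key used to tag audit entries.
# In production this would live in an HSM/KMS. HMAC only shows the entity did not
# alter its own record; non-repudiation against the signer needs an asymmetric
# signature (RSA/ECDSA) under a key the signer alone controls.
ENTITY_KEY = b"covered-entity-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous hash" for the first entry in a trail


def document_digest(doc_bytes: bytes) -> str:
    """SHA-256 of the exact bytes the signatory was shown."""
    return hashlib.sha256(doc_bytes).hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(trail, event, doc_bytes, actor, auth_method, location, when):
    """Append one chain-of-custody event to `trail` and return it.

    Each entry binds the document hash, the actor, the authentication method,
    the location, the timestamp and the hash of the previous entry.
    """
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    body = {
        "event": event,                    # e.g. "presented", "signed"
        "doc_sha256": document_digest(doc_bytes),
        "actor": actor,
        "auth_method": auth_method,        # e.g. "badge", "sms-otp"
        "location": location,
        "timestamp": when.isoformat(),
        "prev": prev,
    }
    entry_hash = hashlib.sha256(prev.encode() + _canonical(body)).hexdigest()
    tag = hmac.new(ENTITY_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, tag=tag)
    trail.append(entry)
    return entry


def verify_trail(trail, doc_bytes):
    """Return (True, "ok") if the chain is intact, every tag is valid and the
    document on hand is the one every entry recorded; otherwise (False, reason)."""
    current = document_digest(doc_bytes)
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "tag")}
        if body.get("prev") != prev:
            return False, f"entry {i}: chain break (entry removed or reordered)"
        expected_hash = hashlib.sha256(prev.encode() + _canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, entry["entry_hash"]):
            return False, f"entry {i}: entry contents altered"
        expected_tag = hmac.new(ENTITY_KEY, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, f"entry {i}: tag invalid (hash recomputed without the key)"
        if body["doc_sha256"] != current:
            return False, f"entry {i}: document differs from the version recorded"
        prev = expected_hash
    return True, "ok"


def demo():
    """Build a two-event trail for a constructed authorization form, then show
    which tampering each check catches. Returns the verdicts for inspection."""
    doc = b"AUTHORIZATION FOR RELEASE OF PHI FOR RESEARCH\nPatient: J. Doe\nI consent..."  # constructed
    t0 = datetime(2017, 6, 1, 9, 30, tzinfo=timezone.utc)
    trail = []
    append_event(trail, "presented", doc, "clerk-17", "badge", "Front desk, Clinic A", t0)
    append_event(trail, "signed", doc, "patient-4821", "sms-otp", "203.0.113.5", t0.replace(minute=34))

    results = {"clean": verify_trail(trail, doc)}
    # 1. Document edited after signature
    results["doc_altered"] = verify_trail(trail, doc + b"\nAlso authorizes marketing use.")
    # 2. Audit entry edited in place (location changed, hash left as it was)
    edited = [dict(e) for e in trail]
    edited[1]["location"] = "198.51.100.9"
    results["entry_altered"] = verify_trail(edited, doc)
    # 3. First event deleted from the trail
    results["entry_removed"] = verify_trail(trail[1:], doc)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The trail is only as trustworthy as the key: an insider with `ENTITY_KEY` could rewrite the last entry and re-tag it, which is why the entity should keep the key out of the application that writes the log and, for the signer's own assent, rely on a signature the entity cannot produce itself.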

Conducting a Risk Assessment to Confirm Whether E-Signatures can be Used Under HIPAA Regulations

E-signatures offer many advantages but also carry a risk of increased fraud or medical error. Covered entities should always carry out a risk assessment to determine whether their specific situation allows them to accept e-signatures and whether the benefits outweigh any increase in risk.

It is of the utmost importance that all relevant HIPAA requirements relating to the use of e-signatures be dealt with before covered entities engage in any communications where e-signatures are used to authorize matters relating to PHI.


What are the Duties of HIPAA Privacy Officers and HIPAA Security Officers?

Under the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities and business associates must appoint a person (or persons) to the role of HIPAA Compliance Officer. A current employee can be appointed or a new role created, and the duties can also be outsourced temporarily or permanently.

What is the role of a HIPAA Compliance Officer? What is the workload involved? The answers to these questions depend on the scale of the business associate or covered entity involved, as well as the amount of protected health information (PHI) created, dealt with, or maintained. Larger organizations commonly split the Compliance Officer’s duties between a Security Officer and a Privacy Officer.

The Duties of a HIPAA Privacy Officer

If the organization does not currently have a HIPAA-compliant privacy program, it is up to the HIPAA Privacy Officer to create and introduce one. If the organization does have such a program, then it is the duty of the Privacy Officer to make sure appropriate privacy policies safeguarding PHI are being followed. The Privacy Officer will lead or validate privacy training for staff, carry out risk assessments, and create HIPAA-compliant processes if required.

HIPAA Privacy Officers must ensure that the privacy program is being adhered to and investigate any PHI data breaches which may take place. They also notify necessary bodies should breaches occur and protect patients’ state and federal rights. To effectively carry out the role, a HIPAA Privacy Officer must closely follow developments in federal and local laws related to patient privacy.

The Duties of a Security Officer

HIPAA Security Officers have similar responsibilities to Privacy Officers. Where Privacy Officers develop privacy programs and ensure related tasks are completed, the Security Officer must create and implement the policies, procedures, training, and assessments related to security, and make sure these processes are being followed. A key difference is that Security Officers focus on compliance with the Security Rule’s Administrative, Technical, and Physical Safeguards.

As such, a HIPAA Security Officer’s role may touch on aspects from Disaster Recovery Plans, to PHI access controls, to methods for sharing or saving electronic PHI (ePHI). As the roles of each of these Officers are similar, smaller entities may have one person taking on the duties of both positions.

More Information on a HIPAA Compliance Officer’s Duties

The exact roles and responsibilities of a HIPAA Compliance Officer are not specified in HIPAA regulations. Individual organizations are therefore free to tailor the position to their specific needs. For a HIPAA Compliance Officer to act effectively, those specific needs must be identified and understood.

To facilitate this, a HIPAA Compliance Guide has been created. It includes sections for Covered Entities and Business Associates on crucial HIPAA and HITECH topics, as well as on the Final Omnibus Rule. While all possible scenarios cannot be detailed in a single guide, there are links to further resources and information that should answer almost any question related to HIPAA compliance and Compliance Officers’ duties.


Termination of Nurse Following HIPAA Violation Upheld by Court

A Norton Audubon Hospital registered nurse was dismissed following a patient’s allegation that she had violated HIPAA regulations. Dianna Hereford contested the termination by filing an action in Jefferson Circuit Court, stating that she had “strictly complied with HIPAA regulations”.

The termination followed an alleged impermissible disclosure of protected health information (PHI) before Hereford assisted with a transesophageal echocardiogram in Norton Audubon’s Post Anesthesia Care Unit. The patient was in an examination area separated from its surroundings only by a curtain. A physician and an echocardiogram technician were present as well as Ms. Hereford.

Alleged Improper Disclosure of Sensitive Health Information

Prior to the procedure, Hereford took time with the patient to describe the procedure, ensured the procedure site was appropriately indicated, and that the various diagnostic tools were to hand. Hereford noted that the technician and physician should wear gloves as the patient had hepatitis C.

Following the procedure, a complaint was made by the patient who alleged that other patients and staff could have learned her condition as Ms. Hereford had spoken loudly enough for them to hear. Ms. Hereford was placed on administrative leave as the incident was being investigated, resulting in her termination for an unnecessary disclosure of confidential health information, a violation of HIPAA regulations.

Hereford argued that her dismissal was unfair because her statement should be regarded as an ‘incidental disclosure’, which does not violate HIPAA rules. To support her claim she pointed to the finding of an unemployment insurance referee that no HIPAA violation had taken place. Hereford also alleged that defamatory statements about her had been made to the Metropolitan Louisville Healthcare Consortium.

Norton filed a motion to dismiss the case or, in the alternative, for summary judgment. The Court granted the motion to dismiss the wrongful termination claim, finding that it was unnecessary to remind a physician to wear gloves during a procedure to prevent the contraction of an infectious disease. The defamation claim was not dismissed at that stage.

In October 2015, after Norton sought summary judgment, the defamation claim was dismissed with prejudice. The court ruled that no defamation had occurred because Norton was telling the truth when it cited Ms. Hereford’s HIPAA violation as the reason for termination.

Appeals Court Confirms HIPAA Violation Judgment Against Nurse

The case then went before the Kentucky Court of Appeals, which stated that “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees”. Ms. Hereford could not argue for wrongful discharge by relying on HIPAA rules.

In deciding the wrongful dismissal claim, the court relied on the minimum necessary standard (45 CFR 164.502), which restricts disclosures of PHI to the minimum needed to accomplish the intended purpose. The court stated that “Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning” and found that the nurse had violated HIPAA. The dismissal of the defamation claim was upheld on the same basis: no defamation took place because the reason given to the Metropolitan Louisville Healthcare Consortium for the dismissal was accurate.

What Penalties Could Nurses Face for Violating HIPAA?

There are four penalty tiers that apply to HIPAA violations, including those committed by nurses. They are based on the level of culpability, from a violation the person did not know about and could not reasonably have known about, through to willful neglect.

Each tier has a minimum fine per violation: $100 for tier one; $1,000 for tier two; $10,000 for tier three; and $50,000 for tier four. The final sum is decided by the Department of Health and Human Services, or by the relevant state’s Attorney General, once it has been determined that a penalty is to be imposed for the violation.

Is There a Maximum HIPAA Violation Fine for Nurses?

A single HIPAA violation carries a maximum civil penalty of $50,000, and each category of violation is subject to an annual maximum of $1.5 million.

Severe HIPAA violations may lead to criminal charges and a custodial sentence may be given as well as a fine. The Department of Justice deals with criminal violations of HIPAA Regulations.

A nurse who knowingly obtains or discloses individually identifiable PHI could be subject to $50,000 in financial penalties and could face a one year jail sentence. These punishments rise to $100,000 and five years if it is found that the offense was committed under false pretenses. Selling, transferring, or illegally using PHI for commercial advantage, personal gain, or to cause malicious harm could lead to maximum penalties of up to $250,000 and ten years in jail.

In the case of an aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years.


How Should You Respond to an Unintentional HIPAA Violation?

Almost every HIPAA-covered entity, along with its business associates and the healthcare professionals they employ, does its utmost to ensure HIPAA rules are respected. But what happens when an unintentional HIPAA violation occurs? What should covered entities, healthcare employees, and business associates do?

How Should Healthcare Employees Report an Unintended HIPAA Violation?

Despite all precautions, accidents still happen. Should an unauthorized employee view a patient’s record, a fax be sent to the wrong number, an email containing protected health information (PHI) be sent to the wrong address, or some other accidental disclosure of PHI take place, it is vital that the event is reported to the organization’s Privacy Officer.
The Privacy Officer determines the correct procedures to follow in order to reduce risk and minimize potential damage. The incident should be investigated and a risk assessment may need to be carried out. The Department of Health and Human Services’ Office for Civil Rights (OCR) may also need to be notified.
The parties involved should explain that an error occurred and how it took place, and identify the patient records that were viewed or disclosed. Failure to report an incident of this nature risks turning a simple mistake into a major incident, which could result in disciplinary measures for the individual and even sanctions for the employer.

How Should Covered Entities Respond to an Unintended HIPAA Violation?

All unintentional HIPAA violations should be treated seriously and require risk assessments to evaluate the potential that PHI was compromised; what risk may be faced by those whose PHI may have been compromised; and the risk of future breaches occurring.
The risk assessment should determine:

  • The breach’s nature
  • The kind of information involved
  • If PHI was viewed or acquired
  • Who saw or came into possession of the information
  • The parties to whom information may have been disclosed
  • Patients potentially affected
  • Whether the information risks being re-disclosed
  • If the risk has been mitigated and to what degree

Once the assessment is complete, the risk must be reduced to an acceptable level and managed. Notifications must also be issued as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). Not all impermissible uses or disclosures of PHI are reportable breaches: the rule provides three exceptions that can apply to an unintentional HIPAA violation:

  1. An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
    Example: A fax or email is sent to a member of staff in error. The information is accessed and viewed, but the mistake is realized and the fax is securely destroyed or the email is deleted and no further disclosure is made.
  2. An inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
    Example: Providing the medical information of a patient to another individual authorized to receive it, but a mistake is made and the information of the wrong patient is disclosed.
  3. If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
    Example: A physician hands X-ray films or a medical chart to a person not authorized to view the information, but realizes the mistake and retrieves the material before any PHI is likely to have been read and retained.
While incidents falling under these exceptions do not require breach notifications, members of staff who find themselves in such a situation should still report the incident to their Privacy Officer.

In all other cases where a breach of unsecured PHI has occurred, affected individuals must be notified without unreasonable delay and within 60 days of discovery. OCR must be notified within the same 60 days if the breach affects 500 or more individuals; smaller breaches are reported to OCR within 60 days of the end of the calendar year in which they were discovered.

How Should Business Associates Respond to an Unintentional HIPAA Violation?

Business Associate agreements should contain the correct procedure to follow if an accidental HIPAA violation occurs.
HIPAA requires a business associate to report a breach of unsecured PHI to the covered entity within 60 days of discovery, keeping in mind that notification should be sent as soon as possible and without unnecessary delay. The covered entity should receive as much detail as possible from its business associate so that it can plan its response and meet its own notification deadlines.


Mobile Data Security and HIPAA compliance

Can mobile devices be used to transmit health information under HIPAA?

Mobile devices such as smartphones, tablets, and other portable devices have transformed the way people work and send information. Healthcare providers and HIPAA-covered entities are no exception and mobile devices can be found in almost every health facility. Sharing information via mobile data may carry extra risk if the security protecting the data is not strong enough to meet HIPAA requirements. If covered entities violate the HIPAA rules, they could face significant financial penalties.

Healthcare and Mobile Devices

Mobile devices offer a range of benefits for a relatively affordable price and, as such, are attractive to many organizations in the healthcare industry. In some cases, healthcare employees are even being encouraged to bring and use their personal devices at work as part of Bring Your Own Device (BYOD) programs. Certain entities have chosen to offer mobile devices to their staff for professional use as a way to better protect and control the information they deal with.

If a covered entity opts to introduce mobile device use to facilitate their services, HIPAA regulations require that steps be taken to secure any sensitive information saved, sent, or accessed by the device.

Mobile Devices could lead to an explosion of HIPAA violations

The convenience that mobile devices offer is only equaled by the increased risk they create. Healthcare networks must now cater for a much greater number of devices accessing information and this has raised concerns among CIOs, CISOs, Compliance Officers, and IT professionals over the protective measures in place to safeguard mobile data and to ensure HIPAA compliance.

While data and devices may be protected, users may still inadvertently or purposefully violate internal policies or HIPAA regulations. If sufficient checks are not in place, electronic Protected Health Information (ePHI) available on the device could be accessed or disclosed. These devices also represent a significant target for cybercriminals, who may use them as a gateway to healthcare networks.

Many mobile devices used in the healthcare industry are not adequately protected and are often connected to open or public Wi-Fi hotspots, creating a considerable risk of loss or theft of information. Mobile data protections must be meticulously examined and any issues found should be addressed to avoid HIPAA violations and their associated penalties.

Basic HIPAA Compliance for Mobile Devices

HIPAA rules largely exist to safeguard patient privacy. In order to do so, covered entities must accept and introduce some basic controls to protect data and patients.

Comprehensive protection for mobile data is mandatory, as is HIPAA compliance: failure to conform to HIPAA standards or violations of HIPAA rules can lead to hefty fines. The Department of Health and Human Services’ Office for Civil Rights can impose financial penalties of up to $1.5 million per violation category, per calendar year in which the violation persists. State Attorneys General and some federal agencies can also issue fines. A data breach is itself costly, since responding to it can require significant resources.

Risk Assessments and the HIPAA Security Rule

The HIPAA Security Rule requires a risk analysis, which must account for how mobile devices affect the risk to patient data. A strong protective framework can be established with standard security controls such as firewalls, anti-virus and anti-malware software, authentication, and passwords, but a comprehensive risk assessment is still crucial to identify what weaknesses remain.

It is critically important to examine certain aspects of the entity’s security framework, including IT infrastructure, company policies, administrative processes, physical security controls, and all systems and equipment capable of saving, sharing, or accessing ePHI. A risk assessment tool has been made available by the Department of Health and Human Services to help conduct the assessment.

Novel threats are continually emerging and healthcare organizations must enact defenses to protect the data they oversee. As new exploits are developed, these organizations must stay ahead of the threats by updating software and equipment. For this reason, periodic risk assessments should be scheduled.

Technical Safeguards for Mobile Devices and the HIPAA Security Rule

The HIPAA Security Guidelines Series published by the Department of Health and Human Services states that covered entities “must consider the use of encryption for transmitting ePHI, particularly over the Internet”.

They are also obligated to “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network”.

While data at rest is not specifically required to be encrypted, the Security Guidelines offer advice on data in motion: “As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities”.

The Guidelines further state that “Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption”.

Sending ePHI by SMS or over other open networks should not be permitted: SMS traffic is not encrypted end to end and can be intercepted on the carrier network, so such transmissions expose the covered entity to a breach and to HIPAA violations. The risk of a breach can be reduced by ensuring ePHI is only shared over secure channels that provide end-to-end encryption.

Mobile Device Audit Controls, Data Access, and Data Integrity

Covered entities are obliged “to implement technical policies and procedures that allow only authorized persons to access Protected Health Information” under HIPAA. Access controls and systems to verify the identity of the user must be in place on any mobile device that can access, share, or save ePHI. The risk of unauthorized access can be further reduced by introducing multi-layered protective controls.

Systems must also be established to permit audits to be carried out on mobile devices to ensure that the information saved or shared on the device has not been deleted or changed. Access logs must also be kept that include data on attempts to access ePHI. There must be a record of any action that could have an impact on data security.

Once suitable protections are in place, covered entities can use mobile devices to vastly increase efficiency, productivity, and patient outcomes while lowering costs. The most important points are to ensure that patients’ privacy is not compromised and that the devices do not give criminals a route into healthcare networks.


A Summary of the HIPAA Breach Notification Rule

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, has probably been the most significant set of regulations to impact the healthcare industry since it first came into law in 1996. Despite this, there are still a number of insurers and healthcare providers that do not fully understand their requirements under HIPAA, especially the actions required of them under the HIPAA Breach Notification Rule.

Insurers and healthcare providers have recently come under fire following their reactions to data breaches and the time it took them to notify affected patients that data had been lost or divulged to unauthorized persons.

To assist covered entities in fulfilling their obligations under HIPAA and notifying affected individuals more quickly, particularly in light of the recent increase in data breaches, we have compiled a summary of the HIPAA Breach Notification Rule’s key points.

A Summary of the HIPAA Breach Notification Rule

Covered entities and healthcare providers must comply with HIPAA regulations to limit the risks of divulging patient information. Even when robust security measures are in place, unauthorized persons can still gain access to data. The Pentagon’s Twitter account was recently hacked, which just goes to show how vulnerable digital systems can be to attack.

Should a data breach occur at your organization, the scale of the breach and type of data released determine the correct response to take.

Breaches Affecting More Than 500 People

Data breaches that divulge the PHI of 500 individuals or more must be reported to the Department of Health and Human Services’ Office for Civil Rights “without unreasonable delay” and within 60 days of discovering the breach. Reports should be made through the OCR Breach Portal. All individuals impacted by the breach must also be notified by Breach Notification Letters as outlined below.

Issuing Notifications of Breaches to the Media

When a breach affects more than 500 people, prominent media outlets serving the state where the affected individuals are located must be notified within 60 days of discovering the breach.

Posting of Breach Details to the Company Website

Not all breaches must be posted on the company website. However, where ten or more affected individuals cannot be contacted because their contact information is incomplete or out of date, the covered entity must provide substitute notice: either a conspicuous notice on its website home page for 90 days, or a notice in major print or broadcast media. In either case a toll-free telephone number must be provided through which affected individuals can obtain more information.

Breaches Affecting Fewer Than 500 People

Where breaches occur that affect fewer than 500 people, a notification must be sent to each person without unreasonable delay and within 60 days of discovering the breach. Small scale breaches do not require media notification, even if sensitive data such as Social Security numbers have been divulged.

Breaches affecting fewer than 500 people must still be reported to the Department of Health and Human Services’ Office for Civil Rights, but a much longer reporting period is allowed: the notification must be made within 60 days of the end of the calendar year in which the breach was discovered. For example, a breach discovered on January 1, 2017 would need to be reported to OCR no later than March 1, 2018.

Business Associates Responsible for Data Breaches

If a Business Associate discovers that it has caused a breach of PHI, it must notify the covered entity within 60 days of discovering the breach, identifying the affected individuals as far as possible and the data that was disclosed.

Issuing Breach Notification Letters

Should a breach occur, covered entities and business associates must notify the impacted people that their PHI was released and also how the breach occurred, for example via a hack, or via a lost or stolen laptop, smartphone, or other device containing unencrypted PHI. Documents, x-rays, and other physical copies of PHI are also covered by the HIPAA Breach Notification Rule, and if any of these are lost, stolen, or divulged, the affected people must similarly be notified.

If individuals have not indicated that they are willing to receive communications by email, then Breach Notification Letters must be sent as first class mail items. Otherwise, email can be used to notify of PHI breaches. However the notification is sent, electronically or physically, the same information must be included: details of the breach, which information may have been accessed or released, a summary of the company’s response to the breach, details of action being taken to reduce harm or losses caused by the breach, and courses of action people can follow to reduce risk.

These letters must be sent in cases where the covered entity has evidence that PHI has been accessed or may have been accessed. Letters can be sent before risk assessments have concluded or have begun, but choosing to not send Breach Notification Letters can only be done following the completion of a robust risk assessment study. Such an assessment must examine:

  • What kind of data has been exposed and how likely an individual is to be identified from this data
  • Who accessed the data and who they may have shared it with
  • The likelihood that PHI could be accessed, viewed, or transferred
  • The degree to which any potential harm has been reduced

Should a mobile device or computer be misplaced or stolen, the event is only deemed a HIPAA breach warranting Breach Notification Letters if the PHI stored on the device or that can be accessed through the use of the device is unencrypted. In the event where encrypted devices are lost or stolen, letters are only required if the security key has also been lost or taken.

It should be noted that data protected by passwords is not the same as data that has been encrypted. If the data is only protected by passwords, Breach Notification Letters must be sent.

Documentation of Actions Taken

Covered entities are required to log all actions taken in the wake of a breach in case they are requested by OCR auditors. To comply with the Breach Notification Rule, the details of any Notification Letters sent must be noted, as well as proof that the letters were actually sent.

Should it be judged that the issuance of Breach Notification Letters is not required, documentation and information to justify this course of action must be available.

Penalties for Violating HIPAA Breach Notification Rule

If no Breach Notification Letter has been sent once a period of 60 days following the discovery of the breach has passed, this constitutes a HIPAA Breach Notification Rule violation and may lead to sanctions from the OCR or state Attorneys General. Non-compliance carries a maximum penalty of $1.5 million per violation category per calendar year.

Even in cases where the 60 day period following discovery has not elapsed, any unnecessary delay in issuing Breach Notifications is a violation of the HIPAA Breach Notification Rule and may lead to sanctions. The HIPAA Breach Notification Rule states that notifications must be issued “without unreasonable delay”.

One such case where a company was fined due to delaying the issuance of a Breach Notification occurred in 2017. Despite discovering a breach on October 22, 2013, Presence Health did not notify the OCR until January 31, 2014 – over 100 days after the discovery and over 40 days past the 60 day limit. OCR opened a case against Presence Health which was settled for $475,000.
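The thresholds, deadlines and the encrypted-device rule described in the sections above lend themselves to a small incident-response checklist that computes what must be sent and by when. The following is an added example written for this page (it is not code from HHS or from any compliance product): a notification planner that applies the 500-individual threshold, the 60-day window, the annual report for smaller breaches, the substitute-notice rule for ten or more unreachable people, and the encryption safe harbor. For small breaches it uses the HHS wording (60 days after the end of the calendar year of discovery), which gives March 1, 2018 for the January 1, 2017 example, consistent with the "before March 2, 2018" stated above. The `BreachFacts` and `NotificationPlan` names are assumptions made for the example; the sample dates in the usage section mirror the Presence Health timeline quoted above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Thresholds and windows as described in the text above.
LARGE_BREACH_THRESHOLD = 500        # 500 or more individuals: HHS portal report and media notice within 60 days
SUBSTITUTE_NOTICE_THRESHOLD = 10    # 10 or more unreachable individuals: website posting or media substitute notice
NOTICE_WINDOW = timedelta(days=60)  # "without unreasonable delay" and within 60 days of discovery
SUBSTITUTE_NOTICE_DAYS = 90         # a website posting must remain visible for 90 days


@dataclass
class BreachFacts:
    """Facts an incident handler collects before deciding on notifications (names are assumed)."""
    discovered_on: date
    individuals_affected: int
    device_encrypted: bool = False     # PHI on the lost/stolen device was encrypted, not merely password-protected
    key_compromised: bool = False      # the encryption key was lost or taken together with the device
    unreachable_individuals: int = 0   # people who cannot be contacted because contact details are missing or stale


@dataclass
class NotificationPlan:
    notification_required: bool
    individual_letters_due: Optional[date] = None
    hhs_report_due: Optional[date] = None
    media_notice_due: Optional[date] = None
    substitute_notice_required: bool = False
    reasons: List[str] = field(default_factory=list)


def hhs_small_breach_deadline(discovered_on: date) -> date:
    """Breaches of fewer than 500 individuals are reported to HHS within 60 days
    after the end of the calendar year in which they were discovered."""
    year_end = date(discovered_on.year, 12, 31)
    return year_end + NOTICE_WINDOW


def days_past_deadline(discovered_on: date, notified_on: date) -> int:
    """Days by which a notification missed the 60-day window (0 when it was on time)."""
    return max(0, (notified_on - (discovered_on + NOTICE_WINDOW)).days)


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    plan = NotificationPlan(notification_required=True)

    # Safe harbor: encrypted PHI on a lost device is only a reportable breach if the key went with it.
    if facts.device_encrypted and not facts.key_compromised:
        plan.notification_required = False
        plan.reasons.append("PHI was encrypted and the key was not compromised: no letters required")
        return plan
    if facts.device_encrypted and facts.key_compromised:
        plan.reasons.append("encryption key was also lost: treat the PHI as unsecured")

    # Affected individuals are always notified within 60 days of discovery.
    plan.individual_letters_due = facts.discovered_on + NOTICE_WINDOW

    if facts.individuals_affected >= LARGE_BREACH_THRESHOLD:
        plan.hhs_report_due = facts.discovered_on + NOTICE_WINDOW
        plan.media_notice_due = facts.discovered_on + NOTICE_WINDOW
        plan.reasons.append("500 or more individuals: OCR Breach Portal report and media notice within 60 days")
    else:
        plan.hhs_report_due = hhs_small_breach_deadline(facts.discovered_on)
        plan.reasons.append("fewer than 500 individuals: annual HHS report, no media notice")

    if facts.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.substitute_notice_required = True
        plan.reasons.append(
            f"{facts.unreachable_individuals} unreachable individuals: website posting for "
            f"{SUBSTITUTE_NOTICE_DAYS} days or media notice, plus a toll-free number"
        )
    return plan


if __name__ == "__main__":
    # Constructed scenario using the dates quoted above for the Presence Health case.
    late_by = days_past_deadline(date(2013, 10, 22), date(2014, 1, 31))
    print(f"Notification was {late_by} days past the 60-day window")
    for reason in plan_notifications(BreachFacts(date(2017, 1, 1), 120)).reasons:
        print(reason)
```

The planner is deliberately conservative: a password-protected but unencrypted device falls through to the full notification path, matching the distinction the text draws between password protection and encryption.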

Further Information on the HIPAA Breach Notification Rule

Further information can be found on the HHS website.


Is Dropbox HIPAA Compliant?

Dropbox offers healthcare organizations a simple tool to store and share files, but is Dropbox HIPAA compliant? Can entities use Dropbox to save or transfer protected health information (PHI)?

Is Dropbox HIPAA Compliant?

Dropbox offers a service where files can be saved to cloud storage and shared with other users. Many individuals and companies share files via Dropbox accounts, but can it be used to share PHI? Is Dropbox HIPAA compliant?

Dropbox has stated that they are compatible for use under HIPAA and the HITECH Act, however this does not necessarily mean that Dropbox is HIPAA compliant. Software or file hosting services cannot be said to be HIPAA compliant in and of themselves, as compliance is dependent on how people make use of these tools. With this in mind, it is possible for healthcare organizations to use Dropbox to save or transfer PHI while still remaining compliant with HIPAA regulations.

Before PHI can be transferred from a HIPAA-covered entity to another entity, a Business Associate Agreement (BAA) must be put in place between these two organizations. As Dropbox is a business, a BAA must be established before PHI can be uploaded to any Dropbox account.

Dropbox has previously signed BAAs with HIPAA-covered entities. It is of the utmost importance that the BAA is signed before any PHI is made available on Dropbox. If data is uploaded before an agreement is in place, that would be a HIPAA violation. A BAA is available from Dropbox on the Account page of the Admin Console and it is acceptable to sign it electronically.

While third party apps are compatible for use with Dropbox, it should be noted that a BAA with Dropbox does not include any agreement with these third parties. Should the company wish to use third party apps, they must be reviewed independently before being used when PHI may be affected.

Dropbox Accounts must be Carefully Configured

Under HIPAA, healthcare organizations must protect the confidentiality, integrity, and availability of PHI. This means that the correct settings must be applied for use of the Dropbox account to be HIPAA compliant. A signed BAA does not prevent HIPAA violations from occurring.

The account settings should ensure that PHI cannot be accessed by unauthorized individuals, and sharing permissions can be established to prohibit files being shared with non-team members. Two-step verification (two-factor authentication) should also be enabled as a further protection against unauthorized access.

It is important that files containing PHI cannot be permanently deleted. This can be done by disabling permanent deletions in the Admin Console, which will prevent files from being lost for good.

Access logs must also be kept for the Dropbox account to verify that only authorized actors have accessed PHI data. Access should be restricted to people currently requiring access to PHI and any staff changes or departures should be quickly managed by the administrator. Linked devices should also be verified often. One feature of Dropbox is the ability to remotely delete Dropbox content from linked devices and this should be used if an employee leaves or should a device be misplaced or stolen.

User activity is stored by Dropbox. This means that records of content shared or administrator activities and authorizations can be created. These records should be checked often.

Dropbox’s account management teams can provide information on internal practices as well as independent reports on security measures that they have put in place to protect data. These are available on request.

To summarize, is Dropbox HIPAA compliant? It is a protected platform with measures in place to prevent unauthorized access. Still, Dropbox can only be compliant if the people who use it do not violate any HIPAA rules. With a BAA in force and the correct settings, it is possible for healthcare organizations to use Dropbox to store and transfer PHI to authorized parties and remain compliant with all HIPAA regulations.


Is Skype HIPAA Compliant?

Skype and similar messaging platforms are useful tools to rapidly share information, but is Skype compliant with HIPAA regulations? Would sending protected health information (PHI) via Skype as part of an electronic text message violate HIPAA rules?

Currently, the topic of whether Skype is HIPAA compliant is up for debate. While messages are encrypted and a number of security protocols exist to safeguard access to any information sent through Skype, are all necessary HIPAA requirements met by these features? Here we will try to put forth an answer to whether Skype is HIPAA compliant or not.

Does Skype Count as a Business Associate?

Could we say that Skype is a business associate? This has been subject to a great deal of discussion. There may be a case for considering Skype as an exception under the Conduit Rule as it is just a channel which is used to pass on information. While Skype does not create PHI, PHI is “received” and transmitted by Skype – even if messages are encrypted and not accessed by Microsoft. Could Microsoft access the content of the messages if they tried, or do they have a back door or bypass for the encryption? Microsoft have been known to supply information to law enforcement and to comply with their requests when required to by law or the courts, for example following a subpoena or court order.

In order to do so, a way to decrypt the data must exist. This ability to decrypt the data and provide information to law enforcement may mean that Skype does not meet the requirements of the conduit exception. Skype is also categorized as a Software-as-a-Service and is not considered to be a common carrier. While not all parties are in agreement, our opinion is that Skype should be classed as a business associate and that a business associate agreement (BAA) would be required.

HIPAA compliant BAAs between Microsoft and covered entities do exist to cover the use of Office 365. It is POSSIBLE that Skype for Business is included in these agreements. If covered entities already have BAAs with Microsoft, they should check carefully to ensure that Skype for Business is included in the agreement. According to Microsoft, not all BAAs are the same.

HIPAA compliance and Skype: Encryption, Access, and Audit Controls

The use of encryption for ePHI is not a specific requirement under HIPAA, but it must be considered. If information is not encrypted, an equivalent method of protecting the data must be used instead. Skype messages are encrypted using AES 256-bit encryption; it is therefore compliant with this particular aspect of HIPAA regulations.

However, appropriate controls necessary for backing up messages (and ePHI) that have been sent over Skype may not be included, and there is no HIPAA-compliant audit trail recorded. It is possible for Skype for Business to be brought up to the necessary standard to be HIPAA compliant if the Enterprise E3 or E5 packages are purchased. Both of these versions include a feature to archive and store all communications. Other iterations of Skype would not meet HIPAA requirements.

Is Skype HIPAA Compliant?

After all of this, is Skype HIPAA compliant? In short, no, but Skype for Business can be made HIPAA compliant if the E3 or E5 packages are used. In the case of these versions, it is the responsibility of the covered entity to guarantee compliance. This means Microsoft must sign a BAA with the covered entity before the covered entity sends any ePHI using Skype for Business. To be fully HIPAA compliant, the Skype version must also be correctly configured to record an audit of all messages and to create a secure backup of all communications.

All devices using Skype for Business must be protected by access controls to prevent unauthorized disclosures of ePHI. These controls should also prevent any ePHI from being sent outside the organization. Microsoft must provide satisfactory assurances that covered entities will be notified should any security breach occur.

The use of Skype for Business still carries a risk of HIPAA violation, even when using the correct version and with a BAA in place. A plethora of secure messaging tools are available and some of these have been designed specifically for use by covered entities in the healthcare arena. Created with HIPAA compliance in mind, they might be a better choice as they make it much easier to follow the rules, and much more difficult for any accidental HIPAA violations to occur.


Can Patients Sue Following HIPAA Violations?

Is it possible for patients to sue or file lawsuits for a HIPAA violation? As there is no private cause of action in HIPAA, it is not possible for a patient to sue for a HIPAA violation under HIPAA rules. Patients are not entitled to seek damages for violation of HIPAA rules even in cases where direct harm has been caused by a healthcare provider clearly violating HIPAA rules.

With this question answered, does this mean that patients have no legal recourse against covered entities, even when HIPAA regulations have been violated in obvious ways? Not entirely. Although there is no private cause of action in HIPAA, patients may still be able to pursue a claim against healthcare providers if state laws have been violated.

Certain states allow patients to take legal action against HIPAA-covered entities on the basis of negligence or breach of an implied contract – for example in cases where a covered entity failed to adequately secure medical records. For the action to be successful, it must be proven that the negligence or theft of unsecured data was the cause of damage or harm suffered by the patient.

It can be costly as well as risky to initiate legal action against a covered entity. Before bringing the suit, patients should have specific goals and a strong idea of what they expect to happen through their use of the courts. It may be possible to attain the same outcome through other less expensive or risky options.

Filing Complaints for HIPAA Violations

If a patient thinks that a HIPAA violation has occurred, they can file a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR). Almost all complaints are investigated. If the basis of the claim is found to be accurate and it is determined that HIPAA rules were indeed violated, then the covered entity may be open to legal challenge.

Anonymous complaints can be submitted, but the OCR will only pursue an investigation into a covered entity if the complainant has given a name and contact information.

Complaints should be filed prior to initiating state law claims against covered entities. Once a violation is discovered, there is a period of 180 days in which a complaint can be filed. In certain circumstances, an extension may be allowed.

State Attorneys General may also accept complaints filed against covered entities as they are in a position to bring legal action against HIPAA-covered entities for HIPAA violations.

A number of elements will determine what action can be taken against the covered entity, such as the type of violation, the seriousness of the violation, how many people were affected, and whether HIPAA rules had been repeatedly violated.

Sanctions following HIPAA violations can be severe, but complaints are often resolved through voluntary compliance, by issuing guidance, or by taking corrective action to address the issue that led to the complaint. The Department of Justice can also become involved should a criminal violation of HIPAA rules be suspected.

A number of professional boards accept complaints against individuals being filed with them, such as the Board of Nursing and the Board of Medicine.


HIPAA Password Requirements and How to Comply With Them

HIPAA password requirements call for a number of processes to be established to create, modify, and protect passwords if no other equally effective security option is in use. We advise the use of two factor authentication as the optimal method to comply with HIPAA password requirements.

The HIPAA Security Rule outlines the HIPAA password requirements as part of Administrative Safeguards. In the section dealing with Security Awareness and Training, §164.308(a)(5) states that covered entities are obliged to introduce “procedures for creating, changing and safeguarding passwords”.

Disagreement on optimal HIPAA Password Policy Compliance

While it is widely accepted that long passwords incorporating numbers, special characters, and both capital and lower case letters are the strongest and should be adopted, there is still disagreement concerning the optimal password policy to use for HIPAA compliance. There is also debate on how often new passwords should be introduced, if ever, and how best to protect them.

On whether passwords should be regularly changed, some experts say that making it mandatory to periodically choose a new password is better for HIPAA compliance, while others argue that this is irrelevant as experienced hackers will simply use technical, sociological, or subversive methods to overcome password protection.

Optimal methods of protecting passwords are more readily agreed on. For HIPAA compliance, password management tools are widely recommended. While a password manager can itself be compromised, the passwords it stores are encrypted, so an attacker who obtains the stored data cannot make direct use of them.

HIPAA Password Requirements are Addressable Requirements

A key factor to keep in mind in relation to HIPAA password requirements is their status as an “addressable” requirement. This means that covered entities have the option to “implement one or more alternative security measures to accomplish the same purpose.”

For Administrative Safeguards, HIPAA password requirements should “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. As such, if the covered entity prefers to use a different system that fulfills the same purpose of creating, changing, and protecting passwords, this would still be HIPAA compliant.

Two factor authentication meets this need more than adequately. As well as providing usernames and passwords, people trying to access PHI data would receive a PIN code via SMS or another notification system that they would enter to verify their identity. Every attempted access generates a new PIN code so even if an unauthorized individual had the password, they still would be unable to access the information.

Two Factor Authentication is Already Used by Medical Facilities

Some medical facilities already utilize two factor authentication to verify credit card payments in compliance with the Payment Card Industry Data Security Standard (PCI DSS) or to comply with the DEA's Electronic Prescription for Controlled Substances Rules.

While it has been pointed out that two factor authentication could have an impact on speed, progress being made in LDAP integration and Single Sign-on may help to alleviate this. As no PHI is sent by two factor authentication programs, they are HIPAA compliant and offer a simpler process to password requirement compliance than periodic password changes. In theory, no password would ever need to be changed.

Not forgetting that the password requirements are addressable safeguards, the case for adopting two-factor authentication as an alternative safety measure should be recorded for reference. This record can then be used to address risk analysis requirements and be supplied to auditors should the covered entity be investigated or face an audit.


Is Microsoft OneDrive HIPAA Compliant?

Cloud storage offers a number of benefits to companies in many industries, but can covered entities in the healthcare industry use Microsoft OneDrive? Is OneDrive HIPAA compliant?

Microsoft Office 365 Business Essentials is a standard software package that is successfully used by healthcare providers. It also includes an online exchange for email. Another feature of Office 365 Business Essentials is OneDrive Online, a cloud storage platform for saving or transferring files.

Microsoft supports HIPAA compliance

HIPAA-covered entities are well within their rights to use OneDrive. Microsoft software supports HIPAA compliance, with OneDrive and other cloud services regularly being used without breaking any HIPAA rules.

However, for this to be the case, the HIPAA-covered entity must enter into a business associate agreement (BAA) with the provider of the cloud service before any protected health information (PHI) is used with the service in any way: created, saved, or sent.

Microsoft was among the first providers of cloud storage to accept entering into a BAA with HIPAA-covered entities and their BAA is proposed in their Online Service Terms. As well as OneDrive for Business, a number of services are covered by these terms, including Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

As part of the terms of their BAA, Microsoft is bound to limit use and disclosure of PHI, to put protections in place to prohibit inappropriate use, and to provide consumers with records and access to PHI if requested, in line with the HIPAA Privacy Rule. Microsoft also engages to hold any subcontractors employed to the same or higher standards when dealing with PHI.

So long as the BAA is signed before OneDrive is used to create, save, or transfer PHI, it can be used in compliance with HIPAA Rules.

Even though Microsoft OneDrive has no HIPAA compliance certification, Microsoft assures users that it contains all necessary security measures and that all programs included in the BAA have been independently verified to meet Microsoft ISO/IEC 27001 certification.

Sufficient measures for compliance with the HIPAA Security Rule, such as encryption of data at rest and in transit, also come as part of the software. Data is protected with 256-bit AES encryption and 2048-bit keys are used when establishing SSL/TLS connections.

HIPAA Compliance Needs More Than ‘HIPAA Compliant’ Software

Even if software providers sign a BAA, this does not automatically mean that all activity on their platform is now HIPAA compliant. Services such as OneDrive may support HIPAA compliance, but they can only be HIPAA compliant if they are used in a HIPAA compliant manner. Microsoft, for example, states “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

An important task all HIPAA covered entities must complete before using any cloud platform is a detailed risk analysis to examine the developer’s policies and provisions. A risk management program should also be created to introduce processes and tools to limit risk.

Security configurations and access authorizations must be set. Basic measures should be introduced, such as the use of strong passwords; the disabling of external file sharing; the limitation of access only to trusted whitelisted networks; and the sharing of PHI only with authorized individuals. When PHI is shared, the minimum necessary standard should be adhered to. Access logs should record user activity and authorizations should be updated as soon as a user no longer requires access to the information, for example if they leave the organization.

After all this, can we say that OneDrive is HIPAA compliant? The answer is both yes and no. It is possible to use OneDrive in a manner consistent with HIPAA Rules, but the covered entity must ensure that settings and user behavior remain HIPAA compliant.


Reporting HIPAA Violations

Every healthcare employee should know how to report a HIPAA violation, who they should report the violation to, and if the violation warrants a report to the Department of Health and Human Services’ Office for Civil Rights (OCR).

HIPAA covered entities and their business associates are obliged to investigate any possible HIPAA violation that occurs in order to assess the nature of the breach, the risk to people affected, and whether urgent action is required to fix the violation or reduce risk. The earlier a possible violation is found and reported, the simpler corrective action is likely to be.

How to Internally Report a HIPAA Violation

Should you think that a co-worker or your employer is violating or has violated HIPAA rules, the point of contact should be your supervisor, your Privacy Officer, or the person responsible for HIPAA compliance within your entity.

Accidental HIPAA violations can happen despite people's best efforts. The violation should be examined internally to determine how it needs to be reported under the HIPAA Breach Notification Rule. Minor violations are often found to not warrant a notification being issued. This can happen if minor errors are made in good faith or if there is minimal risk of disclosed PHI being retained.

Should it occur that you accidentally view PHI belonging to a patient you do not have authorization to view, make some other mistake, or suspect someone else in your organization of having violated HIPAA, you should report it without delay. If you do not and this is found out at a later date, it could reflect very badly on you.

How to Report a HIPAA Violation to the HHS’ Office for Civil Rights

Staff and patients can report suspected HIPAA violations directly to the OCR, without passing through the covered entity, if it is thought that there has been a violation of the HIPAA Privacy, Security, or Breach Notification Rules. The OCR should be directly notified of all severe violations, such as possible criminal violations, deliberate or widespread neglect of HIPAA, or when multiple violations are thought to have occurred.

Reports can be made through OCR’s online portal or by letter, fax, or email.

The basis for the report should be stated, as well as the suspected HIPAA violation. Information on the covered entity or business associate should be included, as well as the date of the suspected violation, the location it took place, and the date on which the person reporting the incident became aware of it.

Complaints should be made within 180 days of discovery, although extensions may be accorded if there is a sufficiently strong reason.

Anonymous reports will not be investigated. The OCR requires a reporter’s name and contact details to pursue an investigation.

Complaints are reviewed and those thought to contain suspected violations are further investigated.

HIPAA violations do not always lead to settlements or financial sanctions. Complaints may be addressed through voluntary compliance, technical guidance, or by the covered entity or business associate agreeing to take corrective action.


The Importance of HIPAA

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, is a law that people often talk about, but why is HIPAA so important? What did HIPAA change and how does it impact patients and the healthcare industry?

HIPAA came into effect in 1996 with the goal of addressing the issue of health insurance for people that were between jobs. Prior to HIPAA, people were faced with the prospect of being uninsured while they were changing employment.

A secondary issue was to ensure the security of protected health information (PHI) and to combat healthcare fraud.

Why is HIPAA Important for Healthcare Organizations?

HIPAA facilitated the shift from paper based to electronic based medical records. It also helped to lighten administrative functions, improved efficiency, and introduced safeguards to protect PHI and how it is shared.

The standardization of ways to record and transfer medical data ensured a coherent approach across the industry. Code sets and identifiers were unified, meaning all HIPAA covered entities use the same terminology, allowing PHI to be more simply understood when shared between providers, health plans, or other groups.

Why is HIPAA Important for Patients?

HIPAA provides a number of benefits for patients. In order to comply with HIPAA, all covered entities, such as healthcare providers and their associates, must introduce various protections to secure patients’ information.

Even if healthcare organizations do not want to reveal or lose PHI, or to have it stolen from them, HIPAA requires these organizations by law to protect the information – and introduces sanctions for those that do not.

HIPAA rules include provisions to restrict access to and sharing of PHI. It also ensures that all PHI handled by covered entities, created, sent, or stored by them, must be adequately protected. It also allows patients greater authority on who their information is shared with.

HIPAA lets patients take more control over their healthcare and their information. Despite the best intentions of healthcare organizations, they may introduce mistakes into a patient’s data. When patients are able to review the files themselves, they can spot these errors and have them rectified.

The ability to obtain copies of their records can help patients should they change to a new healthcare provider. This can save time, as results of previous tests can be shared, and the new provider can base their decisions on a review of the patient’s full medical history. Before HIPAA’s Privacy Rule was introduced, healthcare organizations were under no obligation to provide copies of patients’ information.


Is Amazon’s Alexa HIPAA Compliant?

For the moment, Amazon’s Alexa is not HIPAA compliant. This reduces its utility to those in the healthcare field. This is surely only temporary and a HIPAA compliant version may be on its way.

Amazon’s cloud platform, Amazon Web Services (AWS), can be used in compliance with HIPAA, and Amazon are said to be interested in integrating their voice recognition technology into the health sector. Before Alexa can be introduced into this ecosystem, Amazon will have to add measures to make it HIPAA compliant.

There are a number of obvious possible uses for Alexa in healthcare, from transcribing physicians’ notes, to acting as a virtual office assistant, to remotely monitoring patients. Already present in 30 million homes in America, Alexa could help patients to take more responsibility for their healthcare.

Trials underway

Trials of Alexa for use in healthcare are already underway. An Alexa skill has been created by WebMD to allow people to access their content from household Alexa devices. A pilot scheme using simulated data to evaluate how Alexa could perform in an inpatient setting was carried out by Beth Israel Deaconess Medical Center (BIDMC). It generated very positive results. BIDMC intend to integrate Alexa into the clinical setting once the necessary protections have been introduced and they can obtain a business associate agreement (BAA) from Amazon.

Another pilot was run by Boston’s Children’s Hospital (BCH) to test how Alexa could help provide information to clinical staff, though this was conducted with non-identifiable health information as no BAA was in place. BCH have also created an Alexa skill, KidsMD, for use by parents who want to find out information related to medical conditions and basic health advice.

The Alexa Diabetes Challenge

Pharmaceutical giant Merck launched the Alexa Diabetes Challenge in April 2017 to encourage people to find ways that Alexa could be used to benefit the almost 30 million Americans living with type 2 diabetes.

While lifestyle changes and treatments to manage the disease can help people enjoy long, healthy lives, self-management of diabetes can be a struggle – particularly for those who are new to the routine required to deal with it. Amazon reached out and asked for ideas on how Alexa’s voice recognition technology could be used to benefit sufferers.

In September 2017, Oxana Pickeral, AWS’s Global Segment Leader for Healthcare and Life Sciences, recognized that HIPAA was a barrier to Alexa’s widespread adoption in the healthcare market. However, she is confident of its potential, saying “while Alexa and Lex are not HIPAA-eligible, this [the Diabetes Challenge] has provided us an opportunity to envision what is possible”. HIPAA compliance for Alexa is currently being explored by Amazon.

The Next Steps

Although a number of elements are already in place from the push to make AWS HIPAA compliant, Alexa and its underlying Lex platform do not yet include the necessary data protections to comply with the HIPAA Security Rule. For now, it cannot be used with PHI in any capacity by HIPAA covered entities.

It seems like it will only be a matter of time before Amazon releases a HIPAA compliant version of Alexa, but without the sufficient features to meet HIPAA rules, Alexa is not currently eligible to be used with any identifiable health information.


Is Google Voice HIPAA Compliant?

Google Voice is a telephony service from Google used by people as a call forwarding and messaging service, among other functions. Many are asking the question of whether Google Voice is HIPAA compliant or not – can it be used by healthcare employees in compliance with HIPAA rules?

Is Google Voice HIPAA compliant?

Google Voice provides services such as voicemail, voicemail to text conversion, a free text messaging feature, and a number of other useful functions. As a result, many healthcare professionals would like to use it during their work.

For this to be possible, there must be a way to configure the tool so that it is HIPAA compliant before it is used to handle any protected health information (PHI).

A tool like Google Voice has two potential routes to being considered HIPAA compliant – it can be covered by the conduit exemption rule (which was introduced with the HIPAA Omnibus Final Rule), or features can be added to protect the information as stipulated by the HIPAA Security Rule.

Like SMS messages, faxes, and emails, Google Voice cannot be classed as a conduit. It must therefore be brought in line to conform with the HIPAA Security Rule.

This would require developing settings to secure access, record logs, enable audits, protect data integrity, and safeguard data transmission. Any information saved to Google servers would also need to be sufficiently secured for it to be HIPAA compliant. Further, Google would need to sign business associate agreements (BAAs) with covered entities to commit to observing HIPAA standards.

A signed BAA with Google would be required before Google Voice could be used with PHI.

Is Google Willing to Sign BAAs for Google Voice?

Google already enters into BAAs with covered entities to allow them to use G Suite, another of its services. However, this is only for paying customers. Google has recommended that their free services not be used for professional purposes as they were developed solely with personal use in mind.

Google Voice is separate software from G Suite, Google Apps, and Google Cloud, and it is not referred to in the BAAs relating to any of these services.

To conclude, is Google Voice HIPAA compliant? The short answer is “no”. The slightly longer answer is “no, not until a professional version is introduced that will be backed up by Google through a signed BAA”. For now, Google Voice is not HIPAA compliant, cannot be used with PHI, and should not be used for professional purposes by healthcare employees.


Is WhatsApp HIPAA Compliant?

Following the introduction of end-to-end encryption, many Covered Entities are wondering whether WhatsApp is HIPAA compliant. Although end-to-end encryption protects PHI in transit, the popular messaging app does not include all the features required to comply with the Health Insurance Portability and Accountability Act.

It is a common misconception that encryption alone makes an app HIPAA compliant. In fact, HIPAA does not even stipulate that encryption is mandatory – instead classifying it as an “addressable” requirement that does not have to be implemented if a Covered Entity believes (and documents) that an alternative safeguard is equally effective at ensuring the confidentiality, integrity and availability of PHI.

Furthermore, even if an app encrypts messages in transit, other security mechanisms need to be present in order for the app to be HIPAA compliant. WhatsApp lacks these security mechanisms so, although it is safe to send de-identified information via the messaging app, the answer to the question “Is WhatsApp HIPAA compliant?” is definitely “No”.

What Security Mechanisms Is WhatsApp Lacking?

In order for WhatsApp to be HIPAA compliant, there would have to be a significant number of security mechanisms added to the software. These include:

  • On-device encryption. The end-to-end encryption provided by WhatsApp is only a tunnel. Once a message arrives on a device, it is decrypted.
  • Access controls to stop anybody picking up a mobile device onto which WhatsApp has been installed and reading confidential messages.
  • Similarly, WhatsApp would have to have an automatic time-out function to prevent unauthorized access to a mobile device left unattended.
  • Message notifications would have to be changed as, in their current format, they can be viewed without unlocking the device or opening the app.
  • There are no audit controls and chat history is stored on the device, so if a device is lost or stolen, there is no way of deleting messages remotely.
  • The issue of remotely deleting messages containing PHI also arises should an employee leave the employment of a Covered Entity.

The above list is not exhaustive, but unfortunately it has been reported that some healthcare professionals are using WhatsApp to communicate PHI. Not only does this risk the unauthorized disclosure of PHI, but users could delete PHI without it being properly recorded elsewhere. There is also a risk that the device could be hacked remotely – exposing all the PHI stored on the device to cybercriminals.

Issues with Regard to Business Associate Agreements

There are also issues with regard to Business Associate Agreements that further address the question of Is WhatsApp HIPAA Compliant. There is an argument that, as WhatsApp only acts as a conduit for the communication of PHI and does not have access to the content, a Business Associate Agreement would not be necessary.

However, WhatsApp could be required to comply with a court order to release user information that – although not including messaging content – could include personal information about the user, their profile, their address book and groups they belong to. In theory, these elements of a WhatsApp account could provide sufficient personally identifiable information to constitute a violation of HIPAA.

In conclusion, no messaging app should be considered HIPAA compliant in itself, because HIPAA compliance is about how users use the software rather than the software alone. Regarding the question of whether alternative messaging services to WhatsApp are HIPAA compliant, Covered Entities should seek professional advice before permitting staff to use them for communicating PHI.


Is Microsoft Outlook HIPAA Compliant?

Although Microsoft has developed a number of products to meet the needs of businesses in regulated industries, not all are HIPAA compliant. Is Microsoft Outlook HIPAA compliant? That depends on the version of Outlook used, how it is configured, and the content of the Business Associate Agreement supporting the service.

As HIPAA is technology neutral, it makes no recommendations about what software can be used or how it should be configured. What is stipulated with the HIPAA regulations is that any software used to create, maintain or transmit Protected Health Information (PHI) must satisfy the administrative, technical and physical safeguards of the Security Rule.

Furthermore, by providing a service to a HIPAA Covered Entity, Microsoft automatically becomes a Business Associate (as its systems have access to PHI). Therefore, before using any of Microsoft’s products or services to create, maintain or transmit PHI, a Covered Entity must sign a Business Associate Agreement with Microsoft.

Is Microsoft Outlook HIPAA Compliant?

This depends on which version of the software is used. Standard Outlook software is targeted at consumers and not suitable for communicating PHI. By comparison, the Outlook software packaged into Office 365 for Business can be HIPAA compliant if supported by an E3 or E5 Enterprise Agreement, Microsoft Exchange Online Protection and a Business Associate Agreement.

The reason an E3 or E5 Enterprise Agreement is necessary is that Office 365 for Business alone does not maintain audit logs – a feature that is required by HIPAA, but only available at a premium from Microsoft. Microsoft Exchange Online Protection provides many other HIPAA compliance features, such as encryption, data loss prevention, and the facility to remotely remove data from mobile devices.

Not only do these features have to be enabled in order for the enterprise version of Microsoft Outlook to be HIPAA compliant, but the software has to be configured for access controls, single sign-on, data backups and two-factor authentication. Thereafter, it will be necessary to provide training to end users on how the software is set up and how it should be used compliantly.

Check the Microsoft Outlook BAA Carefully

One further item to consider before deciding whether Microsoft Outlook is HIPAA compliant is Microsoft’s Business Associate Agreement (BAA). Even if a Covered Entity has subscribed to an appropriate Enterprise Agreement and Microsoft Exchange Online Protection, not every product and service provided will be included in the BAA.

Covered Entities need to ensure the products and services they wish to use in order to create, maintain or transmit PHI are covered by the BAA. They also need to be aware that having a BAA does not guarantee HIPAA compliance. As an answer given in Microsoft’s community forum on whether Microsoft Outlook is HIPAA compliant states:

“By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Covered Entities and Business Associates unsure about using Microsoft products and services to create, maintain or transmit PHI in compliance with HIPAA should seek professional advice.


HIPAA Training Requirements

Although the Health Insurance Portability and Accountability Act stipulates that employee training is mandatory, neither the Privacy Rule nor the Security Rule provides guidelines regarding the HIPAA training requirements. This can be a significant obstacle to Covered Entities working towards HIPAA compliance.

Businesses in the healthcare and health insurance industries (Covered Entities) and businesses providing services to Covered Entities (Business Associates) need their employees to know about maintaining the security, confidentiality and integrity of Protected Health Information (PHI). If PHI is accessed or disclosed without authorization, Covered Entities and Business Associates could be in violation of HIPAA.

Therefore training employees is essential. However, although HIPAA stipulates “necessary and appropriate” training should be provided for employees to “carry out their functions [in compliance with HIPAA]”, and that a security awareness and training program should be implemented, no light is shed on what the security awareness and training programs should consist of.

This leaves many Covered Entities and Business Associates in the dark. Naturally, training will be provided to employees who work with computer systems in order to mitigate the threats from malware, ransomware and phishing; but how will it be possible to know whether or not the training is sufficiently “necessary and appropriate” to comply with the HIPAA training requirements?

How to Resolve the HIPAA Training Requirements Issue

The way to resolve the HIPAA training requirements issue is to conduct a risk assessment on each employee with regard to how they “carry out their functions”. In some ways, an employee risk assessment is similar to that an IT manager would conduct on a computer network in terms of identifying how PHI is created, maintained and shared.

The employee risk assessment should be followed by a risk analysis, which – like a risk analysis on a computer network – should identify any areas in which PHI could be accessed or disclosed without authorization. Once any potential weaknesses and vulnerabilities have been identified, a schedule can be compiled that addresses the employee’s specific HIPAA training requirements.

The task may seem daunting at first for a Covered Entity with thousands of employees, but many employees will have similar HIPAA training requirements. Security awareness training – addressing similar weaknesses and vulnerabilities – can be provided for groups of employees simultaneously in order to cut down on the workload and ensure disruption to the workflow is minimized.

Tips for Delivering Effective HIPAA Compliance Training

In order to fulfill the HIPAA training requirements, HIPAA compliance training has to be effective. The ultimate objective of security awareness training is for employees to “carry out their functions [in compliance with HIPAA]”; and, if the training is ineffective, this element of the HIPAA training requirements will not be satisfied. Furthermore, PHI will be at risk of unauthorized disclosure.

Therefore, when delivering HIPAA compliance training, businesses should keep the training sessions short and relevant. No employee will be able to absorb the entirety of the Privacy and Security Rules in a six-hour training session, nor are they likely to pay full attention during a speech on the motives of the HIPAA legislation. Other considerations businesses may wish to bear in mind include:

  • Use whatever tools are at your disposal to make the training memorable. Interactive simulations and multimedia presentations can be accessed online, or purchased from a specialist HIPAA compliance company.
  • Ensure employees are made aware of the consequences of unauthorized disclosure – not just the financial consequences to the business, but also to themselves (via a sanctions policy), colleagues, and those whose PHI has been compromised.
  • Not only is it important that senior management is seen to be involved in the training, but it is a stipulation of the HIPAA training requirements that businesses “implement a security awareness and training program for all members of the workforce” (45 CFR §164.308).
  • It is important that all HIPAA compliance training is documented to meet the burden of proof it has been conducted (45 CFR §164.530). The documentation can be requested at any time by a Department of Health and Human Services inspector or an Office for Civil Rights auditor.

The consequences of failing to comply with the HIPAA training requirements can be substantial – particularly in the event of a breach of PHI, when the lack of effective HIPAA compliance training could be considered “willful neglect”. If a business subject to HIPAA law is unsure about its ability to deliver effective HIPAA compliance training, professional advice should be sought as a matter of urgency.


Is Slack HIPAA Compliant?

To answer the question “Is Slack HIPAA compliant?”, one has to look at its functions and, more importantly, the mechanisms it has in place to protect the integrity of Protected Health Information at rest and in transit. Also, one has to look at the content of the company’s Business Associate Agreement.

Slack – an acronym for “Searchable Log of All Conversation and Knowledge” – is a real-time messaging and file-sharing app that also has search engine capabilities. Many businesses have implemented Slack as an effective collaboration tool so that team members can communicate without the use of email and SMS messaging.

In addition to being used for intra-business communications, Slack has also developed into a public platform. Private channels allow members of a larger group to conduct private conversations, and these private channels often expand into the public domain. This would imply that the answer to the question “is Slack HIPAA compliant?” is a resounding “No”!

The Introduction of Slack Enterprise Grid

In order to overcome data security concerns, Slack Enterprise Grid was released in 2017 – a revised version of the basic app that allows administrators to control permissions and configure integrations on a per-workspace basis. The new app also incorporates several features that would appear to resolve the issues preventing Slack being HIPAA compliant. The new features include:

  • Data encryption at rest and in transit.
  • Customer message retention (to maintain an audit trail).
  • Support for data loss prevention via off-site backups.

In addition, mechanisms exist to remotely terminate connections, create access logs, and support two-factor authentication. Slack Enterprise Grid is compliant with the NIST standards required by HIPAA, is SOC 2 and SOC 3 certified, and has achieved ISO/IEC 27001 and 27018 certification for its information security systems and the protection of personally identifiable information.

Is Slack HIPAA Compliant? It’s Still Unclear

Despite advertising the HIPAA logo on its security page and claiming that “organizations in highly regulated industries can take advantage of Slack’s FINRA and HIPAA Offerings” in the blog post announcing the introduction of Slack Enterprise Grid, the Terms of Service for Healthcare Customers would imply something different. The Terms read:

“Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a “Business Associate” as defined in the Health Insurance Portability and Accountability Act and related amendments and regulations as updated or replaced (“HIPAA”), and that the Services are not HIPAA compliant.”

Although this leaves the door open for a Covered Entity to enter into a written agreement with Slack, there is no indication it would constitute a Business Associate Agreement as required by HIPAA. Furthermore, it has been reported that despite its enhanced controls, Slack Enterprise Grid can be used in a manner that is not compliant with HIPAA.

We recommend Covered Entities still wishing to use Slack as a HIPAA compliant tool seek professional legal advice about any written agreement offered. If the agreement is appropriate and the platform configured to prevent non-compliant use, policies and procedures will still need to be implemented – and employees trained – in order for the Covered Entity to use Slack in compliance with HIPAA.


Is Google Hangouts HIPAA Compliant?

Google Hangouts is one among many apps, social media tools, and messaging services that healthcare professionals want to use to share protected health information (PHI). Is Google Hangouts HIPAA compliant and can it be used to share PHI?

Is Google Hangouts HIPAA Compliant?

Healthcare organizations use a range of Google services every day. Google Hangouts, which evolved from the Hangouts video chat program and Huddle, the Google+ messenger, is another Google service that could be used to share PHI, but it is unclear whether it is HIPAA compliant or not. Existing as a cloud-based platform, Google Hangouts includes video chat, SMS, Voice over Internet Protocol (VoIP), and instant messaging features.

Many Google services are included with the business associate agreement (BAA) for G Suite, as listed below:

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (If applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

Notably absent from the BAA are Google Groups, Google Contacts, and Google+. These programs cannot be used to treat, share, or store PHI. Google recommends that G Suite services such as YouTube, Blogger, and Google Photos be disabled.

As we can see above, the chat messaging feature of Google Hangouts can be used by covered entities in compliance with HIPAA Rules, but only if a BAA is in place between Google and the covered entity before any PHI is entered into the tool.

The other features, unfortunately, are not covered by the BAA, so entities should be careful not to use these with PHI.

Google has published guides to assist healthcare organizations in using Google Hangouts in compliance with HIPAA.

HIPAA Compliance for Google Hangouts is User Dependent

If your organization accepts the use of Google Hangouts, policies should be put in place to clearly show what is allowed and not allowed under HIPAA. Employees should be trained in these policies and how to use the tool, especially which features they are prohibited to use. Should your organization require the use of video chat, Google Hangouts would not suit your needs.

To repeat something we often mention, BAAs don’t guarantee HIPAA compliance. Important aspects to consider are the settings put in place and how people make use of the tool.

Remember to Use Extra Protections for Mobile Devices

Mobile devices represent a huge potential for HIPAA violations, particularly with Google Hangouts. Google’s strong account protections should be enabled to quickly raise the alarm in case the account is accessed without authorization. Mobile devices should also use features that guarantee the protection of any PHI stored or accessible on them should they be lost or stolen. A robust access control system could accomplish this.

Covered entities should implement policies to require that any misplaced or stolen device be quickly reported so that accounts and information can be protected. It is also strongly advisable to use features that can remotely lock, locate, or wipe the device.


Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant and can it be used by healthcare professionals to share protected health information (PHI) in compliance with HIPAA Rules?

Healthcare professionals are increasingly using non-traditional communication tools and platforms. Many are wondering if these platforms can be used to share PHI. Partly thanks to Facebook’s popularity, its chat application Facebook Messenger is one of the most commonly used messaging services. Below, we will explore the HIPAA rules concerning Facebook Messenger and ask whether Facebook Messenger is HIPAA compliant.

HIPAA requires that any platform used to share PHI must include a number of measures to protect the information and prevent it being accessed while in transit. One way to achieve this is to encrypt the data. Like a number of messaging apps, Facebook Messenger can encrypt data in transit, and this is done to standards that meet HIPAA requirements. This is an optional feature which users must specifically enable. Once this has been done, only the sender and recipient will be able to view the message.

Access and authorization controls are also necessary for HIPAA compliance. Should a phone be lost or stolen, unauthorized individuals could gain access to the data if sufficient security measures are not in place. The device itself would need to be protected as the Messenger app does not require a user to log in to each session.

Another required feature is the ability to maintain an audit trail. Back-ups of PHI shared through Facebook Messenger would need to be kept and some procedure would need to be put in place to allow for activity to be monitored. Facebook Messenger does not currently include a feature that would facilitate an audit trail and users are free to delete messages without any back-up.

Is a Business Associate Agreement Required?

In accordance with the HIPAA Conduit Exception, some services used to send data, such as Internet Service Providers and the US Postal Service, do not need to have business associate agreements (BAAs) in place, as they are considered information conduits.

Cloud platforms do not fall under this exception. The Department of Health and Human Services specifically states on its website that “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”

Because of this, a BAA between Facebook and the covered entity would be required. To date, Facebook have given no indication that they would be willing to enter into a BAA with a covered entity for the Messenger app.

Workplace by Facebook

Workplace by Facebook is a professional messaging service to facilitate internal messaging in a business. If it is internal only, is Workplace by Facebook HIPAA compliant? Unfortunately not, according to the Workplace Enterprise Agreement, which states “you agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

Is Facebook Messenger HIPAA Compliant?

Having examined all of this information, is Facebook Messenger HIPAA compliant? Lacking an audit control feature, as well as sufficient access safeguards, it appears that Facebook Messenger is not HIPAA compliant. Should your business require a chat platform to share PHI, there are a number of options available, such as TigerText, that have been designed with the healthcare sector in mind. Incorporating all required security measures and controls to protect PHI, such as end-to-end encryption, these may be a much better choice for HIPAA covered entities.


HIPAA Violation Reporting Requirements

HIPAA covered entities must know their obligations under the HIPAA Breach Notification Rule and have processes ready to be put in place should a protected health information (PHI) disclosure be discovered.

Even if covered entities are familiar with the requirements in theory, those who have never suffered a breach may not understand their duties in practice. Service providers that are new to the healthcare sector may also be uncertain of their role in the case of a breach.

Issuing breach notifications is essential for HIPAA compliance should unencrypted PHI be leaked. The Breach Notification Rule carries hefty penalties for entities that do not correctly notify relevant parties. To help covered entities and business associates better understand the breach notification requirements, we have put together the summary below.

Summary of HIPAA Breach Notification Requirements

The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – compels covered entities and business associates to notify certain stakeholders of PHI breaches. Any acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA Rules is classified as a breach.

Unauthorized access by staff is also considered a breach, as are improper disclosures, exposures of PHI, and ransomware attacks. Some cases are exempt, such as breaches involving encrypted data where the encryption key has not been acquired; inadvertent disclosures by personnel authorized to view PHI to other authorized personnel; cases where a disclosure occurs but the responsible party has a good faith belief that information could not have been retained by the unauthorized party; and “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure”.

Should a notifiable breach occur, the following HIPAA Breach Notification rules should be observed:

Notify Individuals Impacted or Potentially Impacted

Anyone who had or can be reasonably believed to have had their PHI accessed, acquired, used, or disclosed must be made aware of the breach.

Breach Notification letters must be issued within 60 days of discovering the breach, except when law enforcement has requested a delay. Should a delay be requested and granted, notification should be issued as soon as the delay has passed. Breaches affecting fewer than 500 people do not need to be reported to the Department of Health and Human Services (HHS) as quickly, as outlined below, but affected individuals must still be notified in this time frame.

Breach Notifications must be sent either by first class mail to the last known address of the impacted persons, or by email if the individual has consented to being contacted in this manner.

Notification letters must explain the situation in plain language, detail the information that has been stolen or exposed, include a short overview of the steps the covered entity is taking to reduce any damage the breach may cause and limit the chances of future breaches occurring, and advise individuals on what they can do to reduce harm. A toll free telephone number, postal address, and email address must also be given to victims for them to contact the entity for more information.

Notify the Department of Health and Human Services

The Secretary of the Department of Health and Human Services must be notified and this can be done on the Office for Civil Rights’ (OCR) breach portal. Notification requirements under HIPAA depend on the number of people affected.

If more than 500 people are affected, HHS must be notified within 60 days of discovery. No unnecessary delay should stop the notification from being issued as soon as possible within this 60 day period. If fewer than 500 people are affected, the covered entity must notify HHS within 60 days of the end of the calendar year in which the breach was discovered – i.e. a breach discovered in January 2009 must be reported to HHS before early March 2010.

Notify the Media

The media also may need to be notified to comply with HIPAA breach notification requirements. This can sometimes be forgotten by covered entities who are already occupied notifying the HHS, state Attorneys General, and impacted patients, but failing to notify the media is a HIPAA violation.

Prominent media outlets serving the states or jurisdictions where individuals affected by larger breaches of unsecured PHI (those affecting more than 500 people) reside must be notified of the breach to comply with 45 CFR § 164.406. Media exposure allows those whose contact information is out of date to be informed of the breach. Media notification must also be done within 60 days of discovery.

Post a Substitute Breach Notice on the Breached Entity’s Internet Home Page

If current contact information is unavailable for 10 or more affected individuals, the breached entity must prominently host a link to a substitute breach notice on the home page of their website for 90 consecutive days. If contact information is out of date for fewer than 10 people, other methods can be used to try and reach them.

Data Breaches by HIPAA Business Associates

Business Associates are also subject to HIPAA Rules and can be sanctioned similarly to covered entities for notification violations.

Should unsecured PHI be disclosed, associates have 60 days from discovery to notify the appropriate parties and, as with covered entities, should not unnecessarily delay notification. Unnecessary delays are HIPAA violations.

Covered entities are normally the ones who issue notifications to the people affected, even if it is the business associate that experienced the breach. The associate will need to identify the patients involved to the entity as well as notifying the entity of the breach. It is recommended to quickly advise the entity of the breach and follow-up with more details as they become available. BAAs may oblige associates to issue their own notifications.

Deadlines for Breach Notifications

Notifications must be issued within 60 days of discovery, without unnecessary delay during that period, unless law enforcement asks for a delay. PHI breach investigations can be lengthy, but notifications should be issued as soon as sufficient information has been obtained.

Delaying notifications unnecessarily within the 60-day period can lead to fines, and a number of enforcement actions have resulted from late notifications.
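The obligations in the preceding sections (individual notice, HHS notice, media notice, and the substitute notice) are a small set of threshold-and-deadline rules that an incident response team has to apply under time pressure. The following is an added example, not code from the original article or any official HHS tool, that encodes those rules as a deadline calculator. The thresholds and day counts come from the text above (500 or more individuals for immediate HHS notice, more than 500 residents of one jurisdiction for media notice, 10 or more unreachable individuals for a substitute notice, 60-day and 90-day windows); the function names, the `Obligations` data shape, the per-jurisdiction input and the optional law-enforcement delay parameter are this example's own assumptions.

```python
"""Breach Notification Rule deadline calculator (added example, not the article's code).

Encodes the notification obligations described above for a breach of unsecured PHI.
Thresholds and windows follow the text; function names and data shapes are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_DAYS = 60            # individuals, media and large-breach HHS notice: 60 days from discovery
SUBSTITUTE_POST_DAYS = 90   # substitute notice stays on the home page for 90 consecutive days
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals: HHS notified within 60 days of discovery
MEDIA_THRESHOLD = 500           # more than 500 residents of one state/jurisdiction: media notice
SUBSTITUTE_THRESHOLD = 10       # 10 or more individuals with stale contact details


@dataclass
class Obligations:
    individuals_by: date              # outer limit; notify sooner if the facts are in hand
    hhs_by: date
    media_by: date | None             # None when no jurisdiction crosses MEDIA_THRESHOLD
    media_jurisdictions: list[str]
    substitute_notice: bool
    substitute_post_until: date | None   # latest end date if posting starts on individuals_by
    notes: list[str] = field(default_factory=list)


def small_breach_hhs_deadline(discovered: date) -> date:
    """Fewer than 500 individuals: HHS notice is due 60 days after the end of the discovery year."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_DAYS)


def breach_obligations(discovered: date,
                       affected_by_jurisdiction: dict[str, int],
                       unreachable: int,
                       law_enforcement_delay_days: int = 0) -> Obligations:
    """Derive every notification deadline for one breach.

    affected_by_jurisdiction maps a state/jurisdiction to the number of its residents affected.
    law_enforcement_delay_days (assumed parameter) extends the discovery-based deadlines when
    law enforcement has asked for notification to be held back.
    """
    if unreachable < 0 or any(n < 0 for n in affected_by_jurisdiction.values()):
        raise ValueError("counts must be non-negative")

    total = sum(affected_by_jurisdiction.values())
    from_discovery = discovered + timedelta(days=NOTICE_DAYS + law_enforcement_delay_days)
    notes = ["60 days is an outer limit; notify without unreasonable delay once the facts are known."]

    # HHS: 500 or more individuals in total -> same clock as individual notice,
    # otherwise the annual log deadline (60 days after the end of the calendar year).
    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_by = from_discovery
    else:
        hhs_by = small_breach_hhs_deadline(discovered)
        notes.append("Fewer than 500 individuals: HHS notice may be logged and submitted annually.")

    # Media: judged per state/jurisdiction, and strictly more than 500 residents of that one place.
    media = [j for j, n in affected_by_jurisdiction.items() if n > MEDIA_THRESHOLD]
    media_by = from_discovery if media else None

    # Substitute notice: 10 or more individuals with out-of-date contact information.
    substitute = unreachable >= SUBSTITUTE_THRESHOLD
    post_until = from_discovery + timedelta(days=SUBSTITUTE_POST_DAYS) if substitute else None
    if substitute:
        notes.append("Post the substitute notice on the home page for 90 consecutive days and "
                     "provide a toll-free number that stays active for at least 90 days.")
    elif unreachable:
        notes.append("Fewer than 10 unreachable individuals: use alternative written notice, "
                     "telephone or other means to reach them.")

    return Obligations(from_discovery, hhs_by, media_by, media, substitute, post_until, notes)


if __name__ == "__main__":
    # Constructed sample: 600 Illinois residents, discovered 15 Jan 2009, 12 letters undeliverable.
    o = breach_obligations(date(2009, 1, 15), {"IL": 600}, unreachable=12)
    print(o)
```

The per-jurisdiction input matters for the edge case the text glosses over: 300 residents of one state plus 200 of another is a breach of 500 individuals, so HHS must be told within 60 days of discovery, yet no single jurisdiction exceeds 500 residents and no media notice is owed.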

State Laws May be Stricter Than HIPAA Laws

Many states also have legislation governing breach notifications. Often, the State Attorney General and victims must be notified. Some states have much shorter time periods than HIPAA allows for breach notifications to be issued.

State attorneys general may fine covered entities for late notifications even if HIPAA’s 60 day period is respected. State laws are more subject to change than federal laws and they should be closely monitored.

Penalties for HIPAA Breach Notification Requirement Violations

Covered entities must follow breach notification requirements or risk sanctions from states or the OCR.

In 2017, Presence Health became the first covered entity fined for a notification deadline violation alone, settling with OCR for $475,000 after waiting three months following discovery of a breach before issuing notifications. The maximum penalty for violations of the HIPAA Breach Notification Rule is $1,500,000 per year, and a delay that runs beyond 12 months can be penalized for each year it spans.



What is the Purpose of HIPAA

The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, imposes a number of restrictions and requirements on the healthcare sector, but what is the purpose of HIPAA? Healthcare staff can be quite vocal on things prohibited by HIPAA, but are the gains worth the effort?

What is the Purpose of HIPAA?

HIPAA was enacted in 1996, and its original goal was to let people keep health insurance coverage while between jobs. It also aimed to protect patient data and fight fraud, although the rules implementing these aims were written later.

HIPAA obliged healthcare organizations to adopt common standards to improve administrative efficiency. Standard code sets and identifiers allowed information to be shared more smoothly between providers and insurers, facilitating billing, payments, and other tasks.

HIPAA also brought in requirements for group health plans and changed the tax rules relating to medical savings accounts and life insurance loans.

HIPAA amended and builds on earlier legislation such as the Public Health Service Act and the Employee Retirement Income Security Act, and was itself extended in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Health Data Privacy and Security

HIPAA’s best-known provisions are the HIPAA Privacy Rule (2000) and the HIPAA Security Rule (2003), which introduced protections for patients’ data and privacy. The Breach Notification Rule (2009) governs how people must be informed when their health information has been compromised.

The Privacy Rule restricted when protected health information (PHI) could be used or shared, under what circumstances this could be done, with whom, and when. This rule also allowed patients to request access to their information. The Security Rule added a number of safeguards to govern how data could be stored, sent, and accessed, as well as how this access could be monitored and controlled.

To sum up, what is the purpose of HIPAA? HIPAA aims to increase efficiency in the healthcare sector, facilitate the portability of health insurance, safeguard the privacy of individuals, protect healthcare data, and make sure people are informed when their data has been compromised.


Who Should HIPAA Complaints be Directed to Within the Covered Entity

If you need to make a HIPAA complaint, do you know whom complaints should be directed to within your covered entity? All healthcare staff who believe they have knowledge of a HIPAA violation should report it internally. Organizations generally have an appointed Privacy Officer, and this is normally the person to report violations to.

Reporting HIPAA Violations Internally

As part of your internal HIPAA training, you should have been informed about who you should direct any HIPAA complaints to, as well as the process of how to make complaints about possible HIPAA violations. In general, HIPAA violations are reported to someone inside the organization who has been tasked with managing HIPAA compliance: normally a Privacy Officer or CISO. You can also report potential incidents to your supervisor.

Every HIPAA violation should be reported, including seemingly small or inconsequential ones. They may be a sign of a wider issue and should therefore be looked into as soon as possible. Accidental violations should be reported too – it is far worse for a violation to be found during an audit or by regulators than for it to have been self-reported.

Covered entities have a duty to investigate HIPAA complaints and determine whether a violation has occurred and whether it must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) under the HIPAA Breach Notification Rule. Not every incident is a reportable breach: an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised.

Covered entities and their business associates are obligated under the Breach Notification Rule to report breaches to OCR within defined deadlines. Breaches affecting 500 or more people must be reported as early as possible and within a hard deadline of 60 days from the date of discovery. If fewer than 500 people are affected, a looser deadline applies – the breach must be reported within 60 days of the end of the calendar year in which it was discovered (so a breach discovered in January 2009 would need to be reported to OCR by March 1, 2010 at the latest). In both small and large breaches, the individuals affected must be informed within 60 days of discovery.

When Should HIPAA Violations be Reported to OCR?

As mentioned above, every HIPAA violation or potential violation should be reported within your organization, but violations can also be reported directly to OCR. Be aware that OCR does not investigate anonymous reports and will only act if the complainant includes their details.


What happens if a nurse violates HIPAA?

If a Nurse violates HIPAA rules, what happens next? How would this HIPAA violation be dealt with and what penalties could an individual face for accidentally or deliberately violating HIPAA by accessing, disclosing, or sharing protected health information (PHI) without proper authorization?

All covered entities and their business associates must follow the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. HIPAA covered entities could face significant penalties if they fail to comply with HIPAA Rules. A covered entity’s business associates may also face direct fines for violating HIPAA rules, but can individual healthcare workers – nurses for example? If a nurse violates HIPAA rules, what happens?

What penalties could a nurse face for violating HIPAA?

Even when nurses are mindful of following HIPAA rules, HIPAA violations can happen accidentally. Even though every HIPAA violation could result in punitive action, many employers accept that some accidental violations will undoubtedly occur eventually. Often, minor HIPAA violations may be dealt with internally and do not result in negative consequences. An employer may even decide to offer additional HIPAA training to ensure all requirements are understood.

Should a nurse accidentally violate HIPAA, it is of the utmost importance that the person responsible for HIPAA compliance in the organization – a supervisor, or the Privacy Officer if such a position exists – be notified of the violation. A minor violation can lead to major consequences if it is not reported.

Serious HIPAA violations, even without malicious intent, are more likely to result in disciplinary action, which may include sanction by a board of nursing or termination. Termination for a HIPAA violation can mean more than the loss of current employment and benefits – it can also make it difficult for a nurse to find future employment, since covered entities are less likely to hire a nurse who was dismissed for violating HIPAA Rules.

Deliberate HIPAA rule violations, for example using PHI with malicious intent or stealing PHI for personal gain, may result in criminal penalties for violating HIPAA. It is probable that entities covered by HIPAA would report incidents of this kind to law enforcement leading to further investigation. HIPAA violations submitted to the Office for Civil Rights may be referred to the Department of Justice, which may lead to penalties such as fines or imprisonment. While criminal prosecutions remain rare, stealing PHI for financial gain can carry a jail sentence of up to 10 years.

No private cause of action exists in HIPAA. Should a nurse violate HIPAA, a patient would not be in a position to sue the individual nurse for this violation. However, some state laws may allow a viable claim to be made.


Nurse HIPAA Violation Examples

There are many ways in which a nurse could potentially violate HIPAA; the most common violations caused by nurses are listed below:

  • Accessing the PHI of patients you are not required to treat
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Using PHI to cause harm
  • Stealing PHI for personal gain
  • Gossip – Talking about specific patients and disclosing health information to family, friends, or colleagues
  • Bringing PHI to a new employer
  • Disclosing PHI to anyone not authorized to receive the information
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Improperly disposing of PHI – Discarding PHI with normal trash
  • Using the credentials of another employee to access EMRs/Sharing login credentials
  • Sharing PHI on social media networks (See below)

HIPAA Violations by Nurses on Social Media

Further explanation is required on the topic of sharing PHI on social media websites. In recent years, several instances of nurses violating HIPAA on social media have occurred.

Posting any part of a patient’s PHI on social media websites, even in closed forums such as private Facebook groups, is a serious violation of HIPAA Rules. Sharing photographs or videos through messaging apps such as Skype, Facebook Messenger, or WhatsApp is also a serious violation. Without prior written authorization from the patient, nurses should not share any videos, photographs, or PHI on social media sites. The National Council of State Boards of Nursing (NCSBN) has published a useful guide on the use of social media.

Recently, there has been a number of cases where nurses have taken videos or photographs of patients in compromising positions, recorded abuse of nursing home patients, or shared embarrassing or degrading photographs with friends.

This, along with the publication of a ProPublica report on the scale of the issue, has generated considerable publicity. The report uncovered 35 individual cases in which photographs of patients were shared via Snapchat.

A nursing assistant who shared videos and photographs of a patient with Alzheimer’s disease on Snapchat was fired in January 2017. The assistant now faces up to three and a half years in jail if they are convicted following the filing of a criminal complaint.


Rules Concerning HIPAA and Patient Telephone Calls Confirmed by FCC

The Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order clarifying the rules concerning patient telephone calls under HIPAA.

Reconciling the Telephone Consumer Protection Act (TCPA) with HIPAA’s rules on patient telephone calls has long caused trouble for healthcare providers. Finally, 24 years after the introduction of the TCPA and 19 years after the introduction of HIPAA, the FCC has issued a Declaratory Ruling and Order to clarify the situation.

The Ruling addresses regulations concerning patient telephone calls, HIPAA, and covered entities and their Business Associates. It exempts covered entities and Business Associates from a subset of TCPA requirements, provided certain conditions are met.

HIPAA Rules Concerning Patient Telephone Calls

In the FCC Order on regulations affecting patient telephone calls and HIPAA, it is stated that if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to certain restrictions under HIPAA. This consent covers both text messages and calls, provided they are in relation to:

  • Health checkups.
  • Notifications about prescriptions.
  • The provision of medical treatment.
  • Laboratory test results.
  • Appointments and reminders.
  • Pre-operative instructions.
  • Hospital pre-registration instructions.
  • Post discharge follow up calls.
  • Home healthcare instructions.

When making a call, healthcare providers must give their name and contact details with which the patient can reach them. The FCC recommends that telephone calls be concise – limited to 60 seconds in most instances – and that text messages not exceed 160 characters. Frequency is restricted: patients should receive no more than three calls per week and no more than one text message per day.

The content of all communications remains subject to the relevant HIPAA restrictions, including the minimum necessary standard. Only calls made for the purposes outlined above are permitted, and they cannot include any advertising, solicitation or telemarketing. Telephone calls and text messages that are exempt from TCPA regulations remain subject to other restrictions:

  • Telephone calls and text messages cannot be charged to the patient or counted against plan limits, and calls can only be made to the wireless telephone number provided by the patient.
  • Patients may have given prior express consent to receive voice calls and text messages, however consent can be rescinded. Patients should be reminded of this and given a means of opting out of future communications.
  • If a message is left on an answering machine, patients should be given a toll-free telephone number on which they can contact the healthcare provider.
  • Calls remain subject to TCPA rules if they are made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.

Also covered by the FCC Declaratory Ruling and Order clarifying regulations relating to HIPAA and patient telephone calls is the provision of prior express consent accorded to a third party, for example in cases where a patient may be incapacitated. If, due to incapacity, a patient cannot personally give consent, the FCC allows for a third party to give consent. In cases where the patient recovers their capacity and is in a position to personally give consent, consent provided by a third party would not be valid and consent would need to be sought by the healthcare provider from the patient.

Automated Calls to Patients and HIPAA compliance

Even following this Ruling, some ambiguity remains – particularly in relation to the HIPAA compliance of automated telephone calls to patients. While great detail is given as to what may be considered auto-dialing devices, the FCC Ruling does not go far enough in explaining how the ban on automatic dialing systems contacting mobile telephone devices by either telephone call or text message may impact otherwise HIPAA compliant communication actions.

Before the ban was enacted, an existing patient–healthcare provider relationship allowed consent to be inferred. Since October 16, 2013, however, the FCC has required prior express written consent from the recipient before an auto-dialing system may contact their mobile telephone.

While HIPAA-compliant automated telephone calls to patients’ landlines were exempted, healthcare providers should ask patients for written consent to be contacted on their mobile telephones by auto-dialing systems, in order to avoid liability under the TCPA.

Currently, the FCC Ruling allows appointment reminders to be sent to patients’ mobile devices via third-party texting services, so long as the third party has signed a Business Associate Agreement (BAA). Further clarification of the HIPAA compliance of automated telephone calls is hoped for in the near future.