OCR Publishes Guidance on Audio-Only Telehealth After the COVID Public Health Emergency is Over

Begin planning now to ensure that your telehealth services are HIPAA compliant, because as soon as the COVID-19 Public Health Emergency (PHE) ends, so do the HIPAA telehealth flexibilities. In connection with this, the Department of Health and Human Services' Office for Civil Rights (OCR) has published new guidance on HIPAA and audio-only telehealth services.

The Ending of the Period of Enforcement Discretion

In March 2020, OCR issued a Notification of Enforcement Discretion for telehealth, announcing that it would not impose sanctions or penalties for HIPAA violations in connection with the good-faith provision of telehealth services. The aim was to make it easier for healthcare providers to deliver care remotely and so help reduce the spread of COVID-19.

Under that notification, healthcare providers could use remote communication products for telehealth, including applications and platforms that would not ordinarily be considered HIPAA compliant, and HIPAA-covered entities were not required to sign a business associate agreement with the vendors of those products. The notification states that it remains in effect for the duration of the PHE: enforcement discretion ends when the Secretary of HHS declares that the COVID-19 PHE is over or when the declared PHE expires, whichever comes first. Entities that continue to use non-compliant remote communication tools after that point could be in violation of the HIPAA Rules, which could result in financial penalties and other corrective action.

In its latest guidance, Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth, OCR clarifies the conditions under which audio-only telehealth is permitted under HIPAA. OCR confirms that telehealth services are permitted, but HIPAA-regulated entities must implement reasonable safeguards to protect the privacy of protected health information (PHI), for example by conducting telehealth sessions in private settings and speaking in lowered voices to reduce the chance of incidental disclosures of PHI. The identity of the patient must also be verified, either verbally or in writing.

The Application of the HIPAA Security Rule on Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth is provided over a standard telephone line (a landline), the Security Rule does not apply because the information transmitted is not electronic. The Security Rule does apply when electronic communication technologies are used, such as Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, including the Internet, extranets and intranets, Wi-Fi, and cellular networks.

When these technologies are used, the Security Rule requires safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Risks and vulnerabilities must be identified, assessed, and addressed as part of the covered entity's risk analysis and risk management processes. Because communication technologies evolve quickly, OCR recommends a robust inventory and asset management process to identify those technologies and the information systems that use them, which helps ensure that the risk analysis is accurate and thorough.

The Requirement for Business Associate Agreements

A vendor that creates, receives, maintains, or transmits ePHI on behalf of a HIPAA-covered entity is a business associate and must sign a business associate agreement (BAA) with that entity. Telehealth platform vendors may therefore need to sign BAAs. A BAA with a telecommunication service provider (TSP), however, is only required if the TSP is actually acting as a business associate.

If the TSP has only transient access to the PHI transmitted during a call, the HIPAA conduit exception applies. Where the TSP does not create, receive, or maintain PHI on behalf of the covered entity and does not need routine access to the PHI transmitted in the call, there is no business associate relationship and no BAA is required.

A BAA is required when a TSP is more than a mere conduit, that is, when it does more than transmit data. If the vendor creates, receives, or maintains ePHI, a BAA must be in place before the service is used. This applies equally to remote communication platforms, mobile applications, and Internet and cloud services.

Audio-only telehealth plays an important role in reaching patients in rural communities, people with disabilities, and others who want the convenience of remote care. The guidance clarifies how the HIPAA Rules allow healthcare providers and health plans to offer audio-only telehealth while protecting the privacy and security of individuals' health information.

Why HIPAA Compliance is Important for Healthcare Professionals

Most resources that explain why HIPAA compliance is important for healthcare professionals focus on the purpose of the HIPAA rules rather than on the benefits of compliance for the professionals themselves. They also tend to highlight how noncompliance affects patients and organizations rather than the effect it can have on the careers and lives of healthcare professionals.

This post looks at why HIPAA compliance matters from the healthcare professional's point of view. It explains why healthcare professionals cannot avoid HIPAA and how, by complying, they can build patient trust, keep patients safer, and contribute to better patient outcomes. That in turn boosts morale, makes for a more rewarding working environment, and helps healthcare professionals get more out of their careers.

Conversely, failing to comply with HIPAA can have significant professional and personal consequences. Noncompliance is not always the healthcare professional's fault; sometimes it is the result of inadequate training or an established cultural norm. This post also examines why Covered Entities may not always be able to provide adequate training or monitor compliance, why they may not accept responsibility when an avoidable HIPAA violation occurs, and how healthcare professionals can avoid violations caused by a lack of knowledge.

Why Healthcare Professionals Cannot Avoid HIPAA

One of the objectives of HIPAA is to provide privacy protections for individually identifiable health information held by Covered Entities. To achieve that, the Privacy and Security Rules impose requirements Covered Entities must meet to protect the privacy of Protected Health Information (PHI). Failure to comply can result in substantial financial penalties, even when no data breach occurs and no PHI is exposed.

Most healthcare organizations are Covered Entities and must therefore implement policies and procedures to comply with the Privacy and Security Rules. As members of a Covered Entity's workforce, healthcare professionals are required to follow their employer's policies and procedures, which is why they cannot avoid HIPAA. That is not, however, the only reason HIPAA compliance matters to them.

The Benefits of HIPAA Compliance for Healthcare Professionals

Trust is the most important element of the relationship between a patient and a healthcare professional. Patients share personal information because they believe the professional has their best interests at heart and will use it to achieve the best possible health outcome. Trust is fragile, though. If a patient's sensitive information is compromised through a HIPAA violation, the patient may withhold information that is important for their care, regardless of the possible long-term consequences for their health.

Healthcare professionals reduce the risk of breaking that trust by following the policies and procedures their organization has put in place to prevent HIPAA violations. When patients are confident that their privacy is respected, trust grows, which leads to better treatment and better health outcomes. Better patient outcomes in turn raise the morale of healthcare professionals and make for a more rewarding working experience.

The Personal and Professional Effects of Noncompliance

One of the policies a Covered Entity must implement is a sanctions policy for workforce members who fail to comply with its HIPAA policies and procedures. Covered Entities must apply that policy and act on violations by healthcare professionals, because failing to enforce a sanctions policy is itself a HIPAA violation. If a Covered Entity does not act, noncompliance can become a cultural norm.

Being sanctioned for a HIPAA violation can have personal and professional consequences for healthcare professionals. Sanctions range from a verbal warning to loss of professional licensure, which makes it difficult to find other work, and if a violation results in a criminal conviction it will likely be reported in the press, with consequences for the professional's personal reputation.

Who is Liable for HIPAA Violations?

As noted above, noncompliance is not always the healthcare professional's fault. Although Covered Entities must provide training on the policies and procedures relevant to each professional's role, they may lack the resources to train staff on every conceivable scenario they might encounter, or to monitor compliance around the clock to prevent cultural norms from forming.

Unintentional HIPAA violations can therefore occur because of a lack of knowledge. Covered Entities, however, are not always willing to accept responsibility for such violations, because doing so implies that they failed to conduct a thorough risk analysis, overlooked a risk to the privacy of PHI, failed to provide necessary and appropriate training, or, where a cultural norm has developed, failed to monitor compliance with their policies and procedures.

How to Avoid Unintentional HIPAA Violations

To avoid unintentional HIPAA violations and the personal and professional consequences of noncompliance, healthcare professionals should make sure that their knowledge of HIPAA covers every aspect of their role and the situations they may encounter. Achieving that level of knowledge may require third-party HIPAA training that provides a thorough understanding of HIPAA and its regulations.

Taking responsibility for understanding HIPAA and applying that knowledge to work in a compliant manner protects a healthcare professional's career, improves their career prospects, and helps them get more out of their work. Given the choice, most healthcare professionals would rather work in an organization that operates compliantly, delivers better patient outcomes, and has high morale and a more rewarding working environment.

Changes to Indiana Data Breach Notification Law Shorten the Time Allowed for Issuing Notifications

Amendments to Indiana's data breach notification law under HB 1351 take effect on July 1, 2022. The amended law requires breach notifications to be issued within 45 days of discovering a breach of the personally identifiable information (PII) of Indiana residents.

Currently, the law requires breach notifications to be issued without unreasonable delay but sets no fixed deadline. The change is intended to ensure that individuals whose PII has been compromised receive prompt notification. Individual notices must still be sent without unreasonable delay; the 45-day period is an outer limit, not a target.

A delay is considered reasonable when one of the following applies:

1) Notification must be delayed in order to restore the integrity of computer systems

2) Notification must be delayed in order to determine the scope of the breach

3) The state attorney general or a law enforcement agency asks for notification to be delayed so that a civil or criminal investigation is not jeopardized, or because notification could jeopardize national security

In those cases, notifications must be issued as soon as the integrity of the computer systems has been restored, the scope of the breach has been determined, or the attorney general or law enforcement agency informs the breached entity that the delay is no longer necessary because the investigation would not be jeopardized or there is no longer a risk to national security.

The amended law applies to breaches of the security of a system containing unencrypted PII where the PII is known or reasonably believed to have been acquired by an unauthorized person, and to breaches involving encrypted PII where the unauthorized person may have obtained access to the encryption key that would allow the data to be decrypted.

Personal information means a Social Security number, or a person's first name or first initial and last name in combination with one or more of the following data elements: state identification card number; driver's license number; credit card number; or financial account number or debit card number in combination with a password, security code, or access code.

Consumer reporting agencies must be notified when a breach affects more than 1,000 Indiana residents, and breach reports must also be submitted to the state attorney general. Failure to comply with the notification requirements can result in civil penalties of up to $150,000, imposed by the state attorney general, plus the attorney general's reasonable costs of investigating and maintaining the action.

The law does not apply to entities that maintain their own data security procedures as part of an information privacy policy, security policy, or compliance plan under:

  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Gramm-Leach-Bliley Act
  • Executive Order 13224
  • The USA PATRIOT Act
  • The Fair Credit Reporting Act
  • The Driver Privacy Protection Act

Connecticut Approves Comprehensive Data Privacy Law

Connecticut has joined California, Colorado, Utah, and Virginia in passing comprehensive data privacy legislation that imposes obligations on businesses that collect and process the personal data of state residents and gives those residents new rights. The Connecticut Data Privacy Act (Senate Bill 6) passed the Senate 35-0 and the House of Representatives 144-5 and now awaits the signature of Governor Ned Lamont. The law takes effect on July 1, 2023.

The Act establishes a framework for the collection and processing of residents' personal data, sets privacy protection requirements for data controllers and data processors, and gives residents rights over the collection and use of their personal data. Consumers have the right to access the personal data a business holds about them, to obtain a copy of it, and to correct inaccuracies. They also have the right to have their personal data deleted, and the right to opt out of the processing of their personal data for targeted advertising, the sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

The Act resembles the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (CDPA), with its scope falling somewhere between the two. It applies to businesses that control or process the personal data of more than 100,000 consumers, or that derive 25% or more of their gross revenue from the sale of personal data and control or process the personal data of more than 25,000 consumers. Its protections are stronger than those of the Utah and Virginia laws but fall short of Colorado's.

The right to cure expires on December 31, 2024. Between July 1, 2023 and December 31, 2024, businesses found to be in violation of the Connecticut Data Privacy Act will be given the opportunity to correct the areas of noncompliance and avoid a financial penalty or other sanctions. The sunset of the right to cure is intended to encourage businesses to comply with the new law.

Certain entities are exempt from the Connecticut Data Privacy Act: state and local governments, nonprofits, national securities associations registered under the Securities Exchange Act of 1934, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates subject to the Health Insurance Portability and Accountability Act. There are also exemptions for specific categories of data, including data regulated by FERPA, HIPAA, the Fair Credit Reporting Act, the Airline Deregulation Act, the Farm Credit Act, and the Driver's Privacy Protection Act.

The Connecticut Data Privacy Act will be enforced by the Connecticut Attorney General. A standing working group will be established to assess emerging issues that may require the law to be amended.

Understanding HIPAA Exceptions

The purpose of HIPAA is not only to protect patient privacy; the Act is also intended to streamline healthcare operations and improve efficiency in the healthcare sector. Covered entities that are unaware of the HIPAA exceptions may apply the regulations more strictly than necessary, potentially hampering healthcare operations and reducing efficiency.

This article highlights some of the most common exceptions. Covered Entities should seek professional compliance advice to identify others that may apply in their particular circumstances.

HIPAA General Rule Exceptions

The first HIPAA exceptions are set out in the preemption General Rule (45 CFR § 160.203). Under the General Rule, HIPAA preempts any contrary provision of state law. There are, however, several exceptions in the General Rule under which state law prevails, including where the state law:

  • Provides more stringent privacy protections than HIPAA
  • Provides for the reporting of data to public health authorities
  • Requires a health plan to report data for audit purposes, among other things

The first exception has caused more difficulty for HIPAA Covered Entities than the others, because almost every state has a law on the privacy of patient information that is more stringent than HIPAA in some respect. Many of those state laws, however, apply only to one category of information (e.g., HIV-related data), only in particular circumstances (e.g., emergency care), or only to particular entities (e.g., pharmacists).

The second and third General Rule exceptions can also be problematic for Covered Entities. Even where state law permits certain disclosures of PHI to state and federal agencies, the information provided to those agencies may be obtainable through freedom of information requests. If such a request reveals that the Covered Entity disclosed more PHI than the minimum necessary, the Covered Entity would be in violation of HIPAA.

Other uses of the word "exception" in HIPAA refer to exclusions from the transaction standards and/or the medical code sets. It is also worth remembering that exceptions exist to a patient's right to revoke an authorization for the disclosure of PHI, and to the rules on who must be given a Notice of Privacy Practices (e.g., inmates of correctional institutions). Covered Entities with public-facing operations should be familiar with these exceptions.

Other State and Government HIPAA Exceptions

The interaction between HIPAA and other federal and state laws can complicate HIPAA compliance because of the exceptions involved. One example of such a complex relationship is that between HIPAA, the Texas Medical Records Privacy Act (as amended by HB 300), and the Family Educational Rights and Privacy Act (FERPA).

In general, public schools, universities, and other educational institutions that provide medical services to students and to employees (as an employment benefit) are not considered Covered Entities under HIPAA. This is because the medical treatment records of students are classified as education records and covered by FERPA, while medical services provided to employees are classified as non-portable benefits.

Complications arise when an educational institution provides medical services to the public (for example, a medical teaching college). In that case, the institution becomes a hybrid entity and must put safeguards in place to segregate FERPA-covered treatment records from HIPAA-covered PHI, and must implement two sets of policies and procedures for its workforce.

If the educational institution is also subject to the Texas Medical Records Privacy Act, all medical treatment records relating to students, employees, and the public are subject to HIPAA-like privacy requirements. This is further complicated by the fact that the Texas Medical Records Privacy Act covers all residents of Texas regardless of where they are located. As a result, a medical teaching college in New York may have to comply with three different sets of regulations if it admits adult Texas students.

Operational and Occupational Exceptions

There are operational and occupational exceptions to HIPAA that apply in a variety of circumstances. For example:

Ambulance services that bill electronically are covered by HIPAA; in counties where ambulance services do not bill electronically, however, HIPAA does not apply to them.

Certain uses and disclosures of PHI permitted by the Privacy Rule are not permitted under the federal substance use disorder confidentiality regulations (42 CFR Part 2).

There are exceptions to the privacy protections for psychotherapy notes where state law imposes a duty to report (e.g., abuse) or a duty to warn (e.g., of imminent harm).

There are exceptions to a patient's right to an accounting of disclosures where a Covered Entity has been instructed by a health oversight agency or law enforcement official not to disclose the information.

HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities, but under the Military Command Exception healthcare professionals may disclose PHI to command authorities without the patient's authorization in order to report on the patient's fitness for duty, fitness to perform a particular assignment, or fitness to carry out any other activity necessary for a military mission.

HSCC Launches Model Contract Template for Healthcare Delivery Organizations and Medical Device Manufacturers

The Healthcare and Public Health Sector Coordinating Council (HSCC) has released a new Model Contract Language template. Healthcare delivery organizations (HDOs) can use the template when procuring new devices from medical device manufacturers (MDMs) to ensure that each party understands its responsibilities for cybersecurity and device management.

Allocating responsibility and accountability for medical device cybersecurity between HDOs and MDMs is complicated by several competing factors, including uneven MDM capabilities and investment in the cybersecurity controls built into device design and development; differing cybersecurity priorities among HDOs; and the high cost of managing cybersecurity in the HDO operating environment over the device lifecycle. These factors have created and sustained ambiguity about cybersecurity accountability between HDOs and MDMs that, in the past, was resolved inconsistently at best during purchase contract negotiations, leading to downstream disputes and potential patient safety risks.

The Model Contract Language is intended as a reference for shared cooperation and coordination between MDMs and HDOs on the security, compliance, management, operation, and servicing of MDM-managed medical devices, solutions, and connections. The goal is to help HDOs reduce the cost, complexity, and time spent in contracting, reduce privacy and security risks, and protect the confidentiality, integrity, and availability of HDO healthcare systems.

The contract framework rests on three basic pillars of cybersecurity: maturity, performance, and product design maturity. These three pillars are broken down into 14 key principles.

Key Principles of the HSCC Model Contract Language for Medtech Cybersecurity

The contract language requires MDMs to make their products secure by default, with all security features enabled, the attack surface minimized as far as possible, and the product free of malware and of unwanted code and services. Every product should include the following standard security controls:

  • Network controls
  • Anti-malware
  • Data encryption
  • Physical security
  • Intrusion detection
  • Access management
  • Security patching
  • Security against malicious code
  • Audit & logging
  • Privilege escalation controls
  • Remote access controls
  • Documented reference architecture

HDOs, MDMs, and group purchasing organizations should review the Model Contract Language template and adapt it to their organizations as needed. The more standardization and predictability the industry can achieve in cross-enterprise cybersecurity management requirements, the greater the gains in patient safety and in the security and resilience of the healthcare system.

Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 Individuals

The HIPAA Breach Notification Rule sets a strict time limit for sending notification letters to individuals whose protected health information (PHI) has been exposed or impermissibly disclosed. The breached entity has up to 60 days from the discovery of the breach to notify affected individuals, but notifications must be issued without unreasonable delay: 60 days is the outer limit, not a target.

In addition to notifying the individuals affected, the Breach Notification Rule requires the breached entity to notify the Secretary of the Department of Health and Human Services (HHS). The time frame for that notification depends on the number of individuals affected.

If a breach affects 500 or more individuals, the Secretary of HHS must be notified without unreasonable delay and no later than 60 calendar days from the discovery of the breach. If not all the facts about the breach are known within 60 days, the breach report must still be submitted to HHS and can be amended later when further information becomes available.

If a breach affects fewer than 500 individuals, HIPAA-regulated entities may report it to HHS later. The time frame for notifying affected individuals, however, remains 60 days from the discovery of the breach regardless of how many individuals are affected.

The deadline for reporting breaches affecting fewer than 500 individuals to HHS is 60 days from the end of the calendar year in which the breach was discovered. All breaches discovered in 2021 that affected the PHI of fewer than 500 individuals must therefore be reported to the Secretary of HHS no later than 11:59:59 p.m. on March 1, 2022. Each breach must be reported separately through the breach reporting tool on the HHS web portal.

Many HIPAA-regulated entities leave reporting until close to the deadline, so the breach reporting portal is likely to see heavy traffic as the deadline approaches, which could cause availability problems. It is therefore advisable to report breaches well ahead of the deadline.

Bear in mind that many states have enacted data breach notification laws, and their reporting deadlines may be shorter than those of the HIPAA Breach Notification Rule. In many cases, HIPAA-regulated entities are exempt from state breach notification laws provided they comply with HIPAA's reporting requirements. If they do not comply with the Breach Notification Rule, an investigation by a state attorney general may result in civil monetary penalties for violations of HIPAA or state law.

Healthcare Supply Chain Association Provides Guidance about Medical Device and Service Cybersecurity

The Healthcare Supply Chain Association (HSCA) has released guidance for healthcare delivery organizations (HDOs), medical device manufacturers, and service providers on procuring medical devices and making them more resilient to cyberattacks.

The use of medical devices in healthcare has grown at a remarkable rate, and they now deliver essential clinical functions that cannot be compromised without degrading patient care. Medical devices are, however, often vulnerable to cyber threats: they can be attacked to cause harm to patients, taken out of service to pressure healthcare organizations into meeting attackers' extortion demands, or accessed remotely to obtain sensitive patient data. Because medical devices are often connected to the Internet and can be attacked easily, proactive steps must be taken to improve their security.

The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchasing healthcare products and services, which gives it a unique line of sight across the entire healthcare supply chain. Its guidance is written for the supply chain as a whole and sets out key considerations for medical device manufacturers, HDOs, and service providers to improve cybersecurity and address weaknesses before they are exploited by cyber attackers.

Two of the most important steps are to join an Information Sharing and Analysis Organization (ISAO), such as the Health Information Sharing and Analysis Center (H-ISAC), and to adopt an IT security risk assessment methodology, such as the NIST Cybersecurity Framework (CSF).

An ISAO is a community that actively collaborates to identify and share actionable threat information about the latest cybersecurity threats, enabling members to take proactive steps to reduce risk. The NIST CSF and other cybersecurity frameworks help organizations establish and strengthen their cybersecurity program, prioritize activities, understand their current security posture, and identify the security gaps that need to be addressed.

The HSCA also recommends appointing an information technology and/or network security officer with overall responsibility for the security of the organization, who can communicate risks to decision-makers and oversee the organization's security work.

Cybersecurity training for employees is essential. All employees should be aware of the threats they may encounter and be taught the best practices that reduce risk. Training should be provided annually, with phishing simulations conducted regularly to reinforce it. Any employee who fails a simulation should receive additional training.

Good patch management practices are essential for addressing known vulnerabilities before they are exploited. Anti-virus software should be installed on all endpoints and kept up to date, firewalls should be deployed at the network perimeter and internally, access to system resources should follow the principle of least privilege, and networks should be segmented to prevent lateral movement in the event of a breach. Password policies aligned with the latest NIST guidance should also be implemented.

To prevent the interception of sensitive data, all data in transit should be encrypted; backup and data restoration processes must be implemented and tested frequently to make sure recovery is possible if a cyberattack occurs; and the expected lifespan of all devices and software solutions, including all supporting components, must be specified in all purchase contracts. Plans should be in place to upgrade equipment and software before they reach end-of-life.

Besides these general cybersecurity recommendations, HSCA has set out specific considerations for HDOs, device manufacturers, and service providers in the guidance – Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations – which can be downloaded from the HSCA website.

FAQs on HIPAA Training for Employees

The requirements for HIPAA training for employees are deliberately flexible because of the varied functions Covered Entities perform, the varied roles of workers, and the varied levels of access to Protected Health Information (PHI) each worker has.

This flexibility can create confusion about which workers need training, what training must be given, how it must be delivered, and when it must be received.

Which Employees Need to Have HIPAA Training?

According to the HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308), all employees must be given training. That includes agency personnel, consultants, and contractors whether or not they have any interaction with PHI.

While the HIPAA Security Rule applies to both Covered Entities and Business Associates, the HIPAA Privacy Rule applies only to Covered Entities. As a result, Business Associates only have to develop a security awareness and training program as mandated by the Security Rule and make sure that all employees receive HIPAA training regardless of their role or duties.

What HIPAA Training Must be Given to Employees?

Under the HIPAA Privacy Rule, each Covered Entity must develop policies and procedures and train all employees on those policies and procedures, as necessary and appropriate for employees to carry out their functions within the Covered Entity.

This means the content of the HIPAA training will be based on the policies and procedures developed by the Covered Entity, and on those that are relevant to each employee's duties, so that every employee can perform those duties in compliance with HIPAA.

How Should HIPAA Compliance Training be Provided for Employees?

There are several options for providing HIPAA compliance training to the workforce. In the past, HIPAA compliance training was delivered in a classroom by an instructor, usually the HIPAA Privacy Officer or HIPAA Security Officer. However, classroom-based training can be ineffective because there is so much of HIPAA to cover.

For example, a classroom-based training program for patient-facing workers must cover areas of HIPAA such as the terms of Privacy Notices, the Minimum Necessary Standard, patients' rights under HIPAA, using systems like EHRs compliantly, and the Breach Notification Rule. That is a lot to cover in one training session, and a lot for employees to remember.

HIPAA Training Video for Employees

A HIPAA training video may be used to educate workers instead of classroom-based training. Videos allow trainers to break HIPAA down and explain it visually, which can lead to more engagement and better retention. Used as an alternative to classroom teaching, videos also solve the problem of having to gather trainees in one place at the same time.

A problem with HIPAA training videos for employees is that, because of the cost, it can be impractical to produce a separate video suited to every employee's function. Consequently, although a HIPAA training video can be useful in parts – for instance, for explaining PHI – it usually does not fully address the HIPAA training requirements.

Online HIPAA Training for Employees

Providing employees with online HIPAA training made up of mix-and-match modules is a better approach because it allows Covered Entities and Business Associates to meet the HIPAA training requirements. Modules can be grouped to match each employee's job – or the functions of a group of employees – and each employee can work through the training on their own schedule.

With online training it is easier for a Covered Entity or Business Associate to provide initial training, and it is also easier to provide refresher training, or the training HIPAA mandates whenever functions are affected by a change in policies or procedures, because individual modules are easier to revise than full training programs.

When Should Employees Get HIPAA Training?

Covered Entities must provide training on HIPAA policies and procedures within a reasonable time after an individual joins the Covered Entity's workforce and whenever functions are affected by a change in policies or procedures. No time frame is set for when a security awareness training program must be provided.

Moreover, Covered Entities and Business Associates need to include HIPAA training for workers in their risk analyses. This helps determine when employees need more training to avoid unauthorized uses or disclosures of PHI arising from poor practices. When a need for training is identified, it should be provided within a reasonable time.

NSA/CISA Publish Guidance on Choosing Secure VPN Solutions and Toughening Security

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released new guidance on selecting and hardening Virtual Private Network (VPN) solutions.

VPN solutions enable remote workers to connect securely to business networks. Traffic is sent through an encrypted virtual tunnel to prevent the theft of sensitive information and to block external attacks. Hackers like to target VPNs. Several Advanced Persistent Threat (APT) groups have already targeted vulnerabilities in VPN solutions. APT actors have been observed exploiting VPN vulnerabilities to gain access to business networks, harvest credentials, remotely execute code on VPN devices, hijack encrypted traffic sessions, and obtain sensitive information stored on the devices.

A number of common vulnerabilities and exposures (CVEs) have been used to gain access to unpatched devices, including Fortinet FortiOS SSL VPN (CVE-2018-13379), Pulse Connect Secure SSL VPN (CVE-2019-11510), and Palo Alto Networks PAN-OS (CVE-2020-2050). In some cases, threat actors have exploited VPN vulnerabilities within 24 hours of patches becoming available.

Earlier this year, the NSA and CISA issued an alert that APT groups linked to the Russian Foreign Intelligence Service (SVR) had successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN solutions to gain access to the networks of U.S. firms and government agencies. Chinese nation-state threat actors are believed to have exploited a Pulse Connect Secure vulnerability to gain access to systems in the U.S. Defense Industrial Base Sector. Ransomware groups are also targeting VPN vulnerabilities to gain initial access to networks for extortion ransomware attacks.

The guidance document is intended to help organizations select secure VPN solutions from reputable vendors that follow industry security standards and have a proven track record of remediating identified vulnerabilities promptly. The guidance recommends using only VPN products that have been tested, validated, and listed on the National Information Assurance Partnership (NIAP) Product Compliant List. It advises against using Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, because they use non-standard features to tunnel traffic through TLS, which adds further risk exposure.

The guidance also gives recommendations for hardening VPNs and reducing the attack surface, such as configuring strong cryptography and authentication, enabling only the features that are strictly needed, protecting and monitoring access to and from the VPN, using multi-factor authentication, and applying patches and updates promptly.

CISA Issues Guidance on Protecting Sensitive Data and Dealing With Double-Extortion Ransomware Attacks

Ransomware attacks increased significantly in 2020 and there is no sign that attacks using the file-encrypting malware will decline. Attacks have continued to rise this year, to the point where there were nearly half as many attempted ransomware attacks in Quarter 2 of 2021 as in the whole of 2019.

Most threat actors conducting ransomware attacks now use double extortion, where a ransom must be paid not only for the keys to decrypt files but also to prevent publication of data stolen in the attack. Stealing data before encrypting files has allowed ransomware gangs to demand larger ransoms, because the threat to leak the data considerably increases the likelihood of payment. Many victims pay the ransom to prevent data exposure even though they have good backups that would let them recover the encrypted data for free.

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance to help public and private sector organizations address the threat of double-extortion ransomware attacks. The guidance includes best practices for preventing cyber threat actors from gaining access to networks, steps to ensure sensitive data is protected, and procedures to follow when responding to a ransomware attack.

The document specifies a number of measures that are essential not only for preventing ransomware attacks but also for limiting their severity. It is important to keep offline, encrypted backups of data and to test them routinely to ensure that files can actually be recovered. It is also essential to create and maintain a basic cyber incident response plan, resiliency plan, and associated communications plan, and to run exercises to make sure a rapid response to an attack is possible. To prevent attacks, the main attack vectors should be addressed, including phishing, RDP compromises, and the exploitation of internet-facing vulnerabilities and misconfigurations. Naturally, all organizations should also follow good cyber hygiene practices.
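"Routinely test the backups" is the step most often skipped. The following is an added example, not CISA's code, of a restore drill: it backs up a directory into a tar archive, records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and compares every restored file against the manifest. The sample "records" directory is constructed inline; the second, incomplete backup shows that the drill reports a missing file rather than a false success. Encrypting the archive and moving it offline are out of scope here and would sit around `create_backup`.

```python
"""Backup-and-restore drill (added example, not CISA's code): prove a backup can be
restored by extracting it elsewhere and hashing every file against a manifest."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive source into a .tar.gz and return the manifest captured at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> tuple:
    """Restore the archive into a scratch directory and check it against the manifest.
    Returns (ok, problems); problems is empty when every file came back intact."""
    problems = []
    # Use the safe 'data' extraction filter where the interpreter provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(target, **extract_opts)
        restored = build_manifest(target)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file after restore: {rel}")
    return (not problems, problems)


def run_drill() -> dict:
    """Constructed drill: a tiny records directory, a good backup, and a later backup
    taken after one record was lost, both verified against the original manifest."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "records"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "p001.txt").write_text("constructed sample record 1\n")
        (src / "patients" / "p002.txt").write_text("constructed sample record 2\n")
        (src / "config.ini").write_text("[backup]\nretention_days=30\n")

        good = work / "records-good.tar.gz"
        manifest = create_backup(src, good)
        results["healthy"] = restore_and_verify(good, manifest)

        # Simulate a later backup taken after a record went missing: the drill
        # must flag it instead of reporting success.
        (src / "patients" / "p002.txt").unlink()
        incomplete = work / "records-incomplete.tar.gz"
        create_backup(src, incomplete)
        results["incomplete"] = restore_and_verify(incomplete, manifest)
    return results


if __name__ == "__main__":
    for name, (ok, problems) in run_drill().items():
        print(f"{name}: {'OK' if ok else 'FAILED'} {problems}")
```

The manifest is the part worth keeping separately from the archive: stored with the offline copy, it lets a responder confirm during an incident that what they are about to restore is complete and unmodified.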

To protect sensitive information, organizations should know where sensitive records are kept and who has access to those data stores. It is also crucial to ensure that sensitive information is retained only for as long as strictly needed. Physical and cybersecurity recommendations should be enforced, including encrypting sensitive data at rest and in transit, limiting access to physical IT assets, and using firewalls and network segmentation to impede lateral movement within systems. CISA also advises ensuring that cyber incident response and communications plans include response and notification procedures for data breach incidents.

A fast and effective response to a ransomware attack is crucial for limiting the harm caused and keeping costs down. The cyber incident response plan must detail all the steps to be taken and the order in which to take them. The first step is to determine which systems were affected and isolate them immediately to protect network operations and prevent further data loss. Only if it is not possible to remove affected devices from the network or to temporarily shut down the network should the next step be taken, which is to power down affected devices to stop the ransomware infection from spreading further.

Next, triage affected systems for restoration and recovery, consult with the security team to develop and document an initial understanding of what happened, then engage internal and external teams and stakeholders and give them instructions on how they can help with the response and recovery. Organizations must then comply with the notification requirements set out in their cyber incident response plan.

The guidance document – Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches – is available at this link.

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is planning to revise and update its guidance on implementing the HIPAA Security Rule and is seeking feedback from stakeholders on the areas of the guidance that should be changed.

NIST released the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. In the 13 years since, cybersecurity and the threat landscape have changed significantly. NIST's cybersecurity resources have also changed over that time, and a revision of the guidance is long overdue.

NIST will update the guidance to incorporate its newer cybersecurity resources, will raise awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will revise its compliance guidance for HIPAA-covered organizations and business associates.

Specifically, NIST has asked stakeholders to comment on their experiences using and following the resource guide, including which parts of the guidance were helpful and which were not, and why.

NIST would like to hear from covered entities and business associates that have used the guidance and found key concepts missing, and from stakeholders who found the guidance not applicable to their organization, on how it can be made more relevant, useful, and actionable to a wider range of audiences.

Covered entities and business associates have complied with the HIPAA Security Rule in different ways. NIST is seeking information on any tools, resources, and strategies that have proven beneficial, and asks covered entities that have had positive results with their compliance programs to share how they manage compliance and security together, assess risks to ePHI, determine whether the security measures in place are effective at protecting ePHI, and document evidence of adequate implementation. NIST also wishes to hear from any covered entity or business associate that has implemented recognized security practices that diverge from HIPAA Security Rule compliance.

Stakeholders are asked to submit feedback by June 15, 2021 for consideration in the proposed update. Submitted comments will be considered and incorporated as far as practicable.

Recommendations for Network Defenders to Determine and Avert Russian Cyber Operations

A joint cybersecurity alert has been released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS) regarding the ongoing cyber operations of the Russian Foreign Intelligence Service (SVR).

The alert provides more information about the tactics, techniques, and procedures (TTPs) used by SVR actors to gain access to networks and the stealthy tradecraft used to move laterally within breached networks. Best practices are presented to enable network defenders to improve their defenses, secure their networks, and investigate whether their systems have already been compromised.

The alert follows the April 15, 2021 joint notice from the NSA, CISA, and FBI stating the U.S. Government's formal attribution of the SolarWinds supply chain attack to SVR cyber actors, known as CozyBear, the Dukes, APT29, and Yttrium. The SVR operatives mainly target government agencies, policy analysis organizations and think tanks, IT businesses, and critical infrastructure organizations to collect intelligence.

Prior to 2018, SVR actors mostly used stealthy malware on victims' systems, but they have since shifted their focus to web resources such as cloud-based email services like Microsoft Office 365, as in the SolarWinds supply chain attack.

System misconfigurations are exploited and compromised accounts are used to blend in with normal traffic in cloud environments. The attackers can evade detection when attacking cloud resources because many companies do not effectively secure, monitor, or even fully understand these environments.

The SVR operatives have previously used password spraying to identify weak passwords on administrative accounts. These attacks are conducted in a low-and-slow manner to evade detection, for instance by trying small numbers of passwords at regular intervals from IP addresses in the country where the target is based. Once administrator access is obtained, the permissions of email accounts on the network are modified to allow the interception of email. After an account is compromised, it is typically accessed from a single IP address on a leased virtual private server. If an account turns out to be of no use, its permissions are changed back to the default settings to reduce the chance of detection.
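A low-and-slow spray defeats per-account lockout thresholds because no single account sees many failures; the signal is one source touching many accounts with a guess or two each. The following is an added detection example, not code from the alert or any agency, run over a constructed authentication log in a simple "timestamp result user ip" format. The window size and thresholds are this example's own assumptions and would be tuned to the environment.

```python
"""Low-and-slow password-spray detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user mistyping a password, one source spreading
# single failed attempts across six accounts over a day, then succeeding on one.
SAMPLE_LOG = """\
2021-04-20T01:05:12Z FAIL alice 203.0.113.7
2021-04-20T01:05:30Z FAIL alice 203.0.113.7
2021-04-20T01:05:45Z OK alice 203.0.113.7
2021-04-20T02:10:02Z FAIL admin 198.51.100.23
2021-04-20T04:41:19Z FAIL svc-backup 198.51.100.23
2021-04-20T07:12:55Z FAIL jsmith 198.51.100.23
2021-04-20T09:58:03Z FAIL it-admin 198.51.100.23
2021-04-20T12:33:40Z FAIL helpdesk 198.51.100.23
2021-04-20T15:02:11Z FAIL exchadmin 198.51.100.23
2021-04-20T18:27:49Z OK exchadmin 198.51.100.23
2021-04-20T19:00:00Z FAIL bob 192.0.2.44
"""

WINDOW = timedelta(hours=24)   # assumed: spray spread over up to a day
MIN_DISTINCT_USERS = 5         # assumed: many accounts ...
MAX_FAILS_PER_USER = 2         # ... but only a guess or two each


def parse_line(line: str) -> tuple:
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def detect_password_spray(log_text: str) -> list:
    """Return one alert per source IP whose failures within WINDOW are spread
    across many accounts with few attempts each, plus any later success."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        # Slide a window over this source's failures, starting at each failure.
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if e[0] - first[0] <= WINDOW]
            per_user = defaultdict(int)
            for e in window:
                per_user[e[2]] += 1
            if (len(per_user) >= MIN_DISTINCT_USERS
                    and max(per_user.values()) <= MAX_FAILS_PER_USER):
                end = window[-1][0]
                # A success from the same source after the spray is the urgent part.
                later_ok = {e[2] for e in evs
                            if e[1] == "OK" and first[0] <= e[0] <= end + WINDOW}
                alerts.append({
                    "ip": ip,
                    "start": first[0].isoformat(),
                    "users_targeted": sorted(per_user),
                    "later_success_for": sorted(later_ok),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

Keying on the source rather than the account is what makes this work; in practice the same logic is applied to cloud sign-in logs, where the "ip" field may need to be widened to an ASN or VPS provider range since the alert notes the actors rotate addresses within the target's country.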

Zero-day vulnerabilities in virtual private networks (VPNs), including the Citrix NetScaler vulnerability CVE-2019-19781, have also been exploited to gain network access. Once exploited, user credentials are harvested and used to authenticate to systems on the network that do not have multi-factor authentication enabled. The attackers also attempted to access web-based resources holding information of interest to the foreign intelligence service.

A Go-based malware variant known as WELLMESS has been used to gain persistent access to systems and, in 2020, was mainly used in targeted attacks on businesses involved in COVID-19 vaccine development, with the attackers focusing on Active Directory servers and research repositories.

The SVR cyber actors use custom malware as well as open source and commercially available tools in their attacks. A number of recommendations and best practices are provided to help network defenders counter the methods used by SVR actors and identify attacks in progress.

Secured Vendor Access and HIPAA Compliance

Before the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, paper records were still kept in filing cabinets and sensitive data was typically transmitted by hand or by fax machine.

Almost 25 years later, the healthcare industry looks entirely different, except for the continued use of fax machines by some. Everything is now stored on computers and sent over the internet. That is more efficient, but it brings risks. Serious data breaches at healthcare entities have increased, exposing highly sensitive personal health information (PHI). Many data breaches involve third-party and vendor access, which costs more in terms of penalties and reputational damage.

A hacker can easily access countless patient records and cause extensive damage – releasing private data, deleting crucial health information, stealing identities, and launching ransomware attacks.

Today, healthcare organizations not only deal with problems related to patient care; they also face complicated cybersecurity problems beyond the medical environment that must be addressed.

Given the consequences of HIPAA noncompliance, healthcare organizations often benefit from using third-party vendors that specifically manage HIPAA regulatory compliance. To fully protect patients, vendors must have clear guidelines that limit access, remain transparent and auditable, and maintain up-to-date information security measures.

Importance of Limiting Vendor Access

Who can access patients' data, how do they access it, and how much data do they access (or should they access)? These are vital questions for technology vendors.

First, every member of the IT team should receive only the level of access necessary to ensure HIPAA compliance and data security, including constraints on time, scope, and job function. Every vendor representative should use a unique username and password to sign in to the system and go through multi-level authentication tied to their personal details. In addition, automatic logoff after a brief period of inactivity can prevent unauthorized access using another person's credentials.

The Necessity of Auditable Reports

An automated audit system enables healthcare organizations to detect unauthorized access and trace the source of a data breach. An effective audit system retains specific login data for each support connection and provides comprehensive detail on each sign-in, including location, time, personnel, and the extent of access to patient information and other sensitive data.

These reports are not only important for internal security reasons but are essential for demonstrating HIPAA compliance when vendors are permitted to access your network.
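The two preceding sections (limiting vendor access, and auditable reports of that access) describe one control from two sides. The following is an added example, not code from any vendor or from the article, of a small access gateway that ties them together: each vendor representative gets a named, time-boxed grant scoped to specific systems and justified by a ticket; login requires a verified second factor; idle sessions are auto-logged-off; and every decision, allowed or denied, lands in an audit record with time, person, source, and target. The representative, vendor, systems, ticket number, and timeout are all constructed for the walk-through.

```python
"""Time-boxed, least-privilege vendor access with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)   # assumed: auto logoff after 10 idle minutes


@dataclass
class VendorGrant:
    """Access approved for one named vendor representative, not a shared vendor login."""
    rep_id: str
    vendor: str
    scope: frozenset      # systems this person may touch
    valid_from: datetime
    valid_to: datetime
    ticket: str           # support/change ticket justifying the access


@dataclass
class Session:
    rep_id: str
    source: str           # where the connection came from
    last_activity: datetime
    active: bool = True


class VendorAccessGateway:
    def __init__(self):
        self.grants, self.sessions, self.audit = {}, {}, []

    def _log(self, when, rep_id, source, action, target, outcome):
        self.audit.append({"time": when.isoformat(), "rep": rep_id, "source": source,
                           "action": action, "target": target, "outcome": outcome})

    def add_grant(self, grant: VendorGrant):
        self.grants[grant.rep_id] = grant

    def login(self, rep_id, source, now, mfa_verified) -> bool:
        grant = self.grants.get(rep_id)
        if grant is None or not (grant.valid_from <= now <= grant.valid_to):
            self._log(now, rep_id, source, "login", "-", "denied: no valid grant")
            return False
        if not mfa_verified:
            self._log(now, rep_id, source, "login", "-", "denied: MFA required")
            return False
        self.sessions[rep_id] = Session(rep_id, source, now)
        self._log(now, rep_id, source, "login", "-", f"allowed ({grant.ticket})")
        return True

    def access(self, rep_id, target, now) -> bool:
        sess = self.sessions.get(rep_id)
        if sess is None or not sess.active:
            self._log(now, rep_id, "-", "access", target, "denied: no session")
            return False
        if now - sess.last_activity > IDLE_TIMEOUT:
            sess.active = False   # auto logoff: a stale session cannot be reused
            self._log(now, rep_id, sess.source, "auto-logoff", "-", "idle timeout")
            self._log(now, rep_id, sess.source, "access", target, "denied: session expired")
            return False
        grant = self.grants[rep_id]
        if target not in grant.scope or now > grant.valid_to:
            self._log(now, rep_id, sess.source, "access", target, "denied: out of scope")
            return False
        sess.last_activity = now
        self._log(now, rep_id, sess.source, "access", target, "allowed")
        return True

    def denied_events(self) -> list:
        """The subset of the audit trail a reviewer would look at first."""
        return [e for e in self.audit if e["outcome"].startswith("denied")]


def run_scenario():
    """Constructed walk-through: one rep, a two-hour maintenance window on one system."""
    gw = VendorAccessGateway()
    t0 = datetime(2021, 6, 1, 9, 0)
    gw.add_grant(VendorGrant("acme-jdoe", "Acme Imaging (constructed)", frozenset({"pacs-01"}),
                             t0, t0 + timedelta(hours=2), "TICKET-0042"))
    results = [
        gw.login("acme-jdoe", "vpn-pool-3", t0, mfa_verified=False),      # no second factor
        gw.login("acme-jdoe", "vpn-pool-3", t0, mfa_verified=True),
        gw.access("acme-jdoe", "pacs-01", t0 + timedelta(minutes=5)),     # in scope
        gw.access("acme-jdoe", "billing-db", t0 + timedelta(minutes=6)),  # out of scope
        gw.access("acme-jdoe", "pacs-01", t0 + timedelta(minutes=30)),    # idle too long
    ]
    return results, gw


if __name__ == "__main__":
    outcomes, gateway = run_scenario()
    for entry in gateway.audit:
        print(entry)
```

The audit records are what turn the scope limits into something demonstrable: a reviewer can filter `denied_events()` to see every attempt outside the ticket's scope, and each allowed record names the ticket that justified it.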

The Value of Data Reliability and Security

Weaknesses in data security typically occur at access points and during transmission. Frequent updates to security configurations protect data from these problems and prevent breaches during transmission. To maintain data integrity and security, the following are recommended:

  • Advanced Encryption Standard (AES) in 128-, 192- and 256-bit modes
  • customer control of configurable encryption
  • Triple DES (3DES), the Data Encryption Standard (DES) variant

The healthcare organization is responsible when patient data is compromised. Therefore, a third-party IT security vendor must know how to satisfy the highest standards of HIPAA compliance. Remote access to a healthcare facility's network is often neglected and can result in data exposure and breaches. Make sure that your vendors have legitimate reasons to access your patients' data and are HIPAA compliant.

FTC Reaches an Agreement with SkyMed to Settle a 2019 Consumer Data Breach Case

SkyMed, an emergency services provider in Nevada, has agreed to a settlement with the Federal Trade Commission (FTC) after an audit of its information security practices, which was prompted by a 2019 data breach that exposed consumers' personal data.

Security researcher Jeremiah Fowler informed SkyMed in 2019 that a misconfigured Elasticsearch database was leaking patient information. The data of 136,995 patients was accessible online without any authentication; the database could be viewed with any web browser, and the personal data in it could be downloaded, modified, or deleted.

The information in the database included patient names, email addresses, postal addresses, birth dates, membership account numbers, and health data. Fowler also found artifacts associated with ransomware in the database. Upon notification, SkyMed started an investigation but found no evidence suggesting misuse of any content in the database.

According to SkyMed's breach notification, some old information may have been exposed briefly when data was migrated from the old system to the new one. The exposed information is no longer accessible and included only names, physical and email addresses, telephone numbers, and membership ID numbers. No healthcare or payment data was accessible and there was no evidence that data had been misused.

The FTC investigated the incident and conducted an audit to determine whether the FTC Act had been violated. The FTC identified several failures in security and breach response. It alleged that SkyMed did not investigate whether unauthorized persons had accessed the database while it was unsecured, and that the provider did not sufficiently examine the database to learn what data it stored. SkyMed consequently failed to determine whether any health data had potentially been exposed. When SkyMed confirmed the database was exposed, it deleted the database to prevent further unauthorized access. SkyMed was also unable to identify the people affected by the breach.

The FTC stated that SkyMed's website displayed a “HIPAA Compliance” seal, giving the impression that the provider's privacy and security policies were HIPAA compliant. However, SkyMed had not undergone a third-party review of its information security practices and no government organization had evaluated its HIPAA compliance claims. According to the FTC, SkyMed had misled customers for over 5 years by displaying the HIPAA Compliance seal.

The FTC explained that SkyMed had no “reasonable measures” in place to secure the personal data of people who registered for its emergency services. SkyMed had no data loss prevention tools, lacked access controls, and failed to use authentication for its systems. When SkyMed experienced the security breach, the database containing personal data went unidentified for 5 months until a security researcher found it.

The type of data exposed could cause considerable harm to customers. SkyMed could have avoided or mitigated these data security issues if it had used readily available and fairly low-cost measures.

The FTC alleged SkyMed had violated Section 5 of the FTC Act by engaging in unfair and/or deceptive acts or practices, resulting in two counts of deception, one for the HIPAA compliance claim and another for its breach response. SkyMed was also alleged to have engaged in unfair information security practices.

Under the settlement, SkyMed is prohibited from misrepresenting its information security policies, its data breach response, how it safeguards the security, privacy, integrity, and confidentiality of personal data, and its participation in any privacy or security program sponsored by the federal government or any third party, including self-regulatory or standard-setting organizations.

SkyMed must notify all affected consumers and give details about any information that may have been exposed. A data security program must be implemented and managed by designated, qualified staff. The program must include a company-wide risk assessment to identify potential internal and external hazards, and safeguards must be put in place to mitigate risks and protect personal information.

Databases must be inventoried so that access to them can be monitored. Encryption must be enforced for sensitive information such as financial account information, passport numbers, and medical data. All databases containing personal data must be monitored, and access to sensitive information must be restricted. SkyMed is also required to certify compliance with the FTC settlement annually.
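The failure mode in this case, an Elasticsearch node reachable from the internet with no authentication, is a configuration state that can be checked before deployment. The following is an added example, not code from SkyMed, the FTC, or Elastic, that reads a flat `elasticsearch.yml` and flags the exposure-without-authentication pattern using the real settings `network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, and `xpack.security.transport.ssl.enabled`. Both configuration files are constructed for illustration and are not the deployment involved in the breach; the `security_default_enabled` flag is an assumption about the product default when the key is absent (older releases shipped with security off, newer ones enable it).

```python
"""Audit a flat elasticsearch.yml for the 'exposed without authentication' pattern
(added example; constructed configs, not the real deployment)."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed: the weak state, bound to every interface with no security keys set.
WEAK_CONFIG = """\
cluster.name: demo-cluster
node.name: node-1
network.host: 0.0.0.0       # listens on every interface, including a public one
http.port: 9200
"""

# Constructed: the corrected state, internal address plus authentication and TLS.
HARDENED_CONFIG = """\
cluster.name: demo-cluster
node.name: node-1
network.host: 10.20.0.5     # internal address only, behind a firewall
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict:
    """Minimal parser for the flat 'key: value' lines Elasticsearch uses;
    strips comments and quotes, ignores nested YAML (assumption: flat file)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value) -> bool:
    return str(value).lower() == "true"


def audit_config(text: str, security_default_enabled: bool = False) -> list:
    """Return findings, worst first, for a node that would answer unauthenticated
    requests from the network. An empty list means the pattern is absent."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")
    exposed = host not in LOOPBACK
    auth_on = is_true(s.get("xpack.security.enabled", str(security_default_enabled)))
    if exposed and not auth_on:
        findings.append(f"CRITICAL: bound to {host} with authentication disabled")
    if exposed and not is_true(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("HIGH: REST API reachable over plaintext HTTP")
    if auth_on and not is_true(s.get("xpack.security.transport.ssl.enabled", "false")):
        findings.append("MEDIUM: node-to-node transport not encrypted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_config(cfg) or "no findings")
```

A check like this belongs in the deployment pipeline rather than in a one-off review; the settlement's requirements to inventory databases and restrict access are only meaningful if the inventory also records what each database's exposure actually is.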

OCR Releases HIPAA Guidance on Disclosures of PHI to Health Information Exchanges

The Department of Health and Human Services' Office for Civil Rights has released new Health Insurance Portability and Accountability Act (HIPAA) Rules guidance that addresses disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an entity that enables the sharing of electronic PHI (ePHI) between two or more unaffiliated entities, including health plans, healthcare providers, and business associates. ePHI is shared for patient treatment, billing, or healthcare operations; for reporting to PHAs on public health activities; and for providing other products and services such as patient record storage and data collection and analysis.

HIPAA allows the use of HIEs and the disclosure of health information to promote public health, which has become particularly crucial during the COVID-19 public health emergency. Under the HIPAA Privacy Rule, HIPAA-covered entities and their business associates can disclose PHI to an HIE for reporting to a PHA that is engaged in public health, without first obtaining individual authorization.

These disclosures are permitted under the following circumstances:

  • If the disclosure is required by federal, state, local, or other law that is enforceable in court
  • If the HIE is acting under the authority of, or under an agreement with, a PHA for a public health activity
  • If the HIE is a business associate of the covered entity or of another business associate and wants to disclose ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only allows an HIE that is a business associate of the covered entity or of another business associate to disclose ePHI to a PHA for public health purposes when the business associate agreement (BAA) it signed with the covered entity expressly permits it. However, because of the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating that it will not take action against a business associate whose BAA does not expressly permit disclosure of ePHI to a PHA, provided it discloses the ePHI to a PHA in good faith and for public health purposes. In such cases, the business associate must notify the covered entity of the disclosure within 10 calendar days. The notice of enforcement discretion applies only while a COVID-19 public health emergency is in effect.

ePHI disclosures by an HIE to a PHA are limited to the minimum necessary data to accomplish the purpose of the disclosure. A request from a PHA for a summary report to be provided to the PHA or HIE may be relied on as the minimum necessary PHI to accomplish the public health purpose of the disclosure.

The HIPAA Privacy Rule allows a covered entity to disclose ePHI to a PHA through an HIE, even without a direct request for the PHI from the PHA, as long as the covered entity knows that the PHA is using the HIE to obtain such data or that the HIE is acting on behalf of the PHA.

Although there is no need to obtain authorization from the individuals whose PHI is disclosed, those individuals should be informed about the disclosures. This can be done by stating in the provider's Notice of Privacy Practices that ePHI will be disclosed for public health purposes.

The new OCR guidance, including a number of examples associated with COVID-19, is available on the HHS website.


New Resources for MHealth App Developers and Cloud Services Providers Available at OCR Portal

The Department of Health and Human Services' Office for Civil Rights has released more resources aimed at mobile health application developers and has renamed its Health App Developer Portal after updating it.

The portal, now called Resources for Mobile Health Apps Developers, gives mobile health application developers guidance on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health applications and application programming interfaces (APIs).

The portal contains a Health App Use Scenarios and HIPAA guidance document, which discusses when mHealth applications must comply with the HIPAA Rules and whether an app developer would be considered a business associate.

OCR explained that building privacy and security protections into technology solutions increases their value by giving users assurance that their data is secure and will be used and shared only as authorized or required. Federal and state laws sometimes require such protections, for instance the HIPAA Security, Privacy, and Breach Notification Rules.

The Federal Trade Commission (FTC), together with the Food and Drug Administration (FDA) and the HHS’ Office of the National Coordinator for Health IT (ONC), developed the portal, which gives access to the Mobile Health Apps Interactive Tool. Developers of health-related apps can use this Tool to find out which federal regulations are likely to apply to their apps. By answering questions about the nature of their apps, developers will learn which federal regulations apply and will be given resources with more detailed information about each federal rule.

The portal likewise contains information regarding patient access rights as provided by HIPAA, how they affect the data obtained, stored, processed, or sent via mobile health applications, and how the HIPAA Rules impact APIs.

The portal was updated following the ONC’s final rule, which required health IT developers to create a secure, standards-based API that providers can use to help patients access the information stored in their electronic health records. Although quick access to health data is essential for patients so that they can check for errors, request corrections, and share their health information for research purposes, transmitting information to third-party apps, which HIPAA may not cover, can create a privacy risk.

OCR has previously stated that once a healthcare provider has shared a patient’s health information with a third-party application, as directed by the patient, the data is no longer covered by HIPAA if the app developer is not the healthcare provider’s business associate. Healthcare providers will not be liable for any subsequent use or disclosure of electronic protected health information (ePHI) sent to the app developer.

The portal also has an FAQ that explains how HIPAA applies to health IT. There is also a guidance document detailing how HIPAA applies to cloud computing, so that cloud services providers (CSPs) can fully understand their responsibilities under HIPAA.

OCR Emphasizes the Value of Creating and Keeping a Comprehensive IT Asset Inventory

Although risk analysis is a fundamental requirement of the HIPAA Security Rule, OCR’s data breach investigations and compliance audits show that it is often not complied with. Some HIPAA-covered entities have ignored the requirement entirely, but most cases of noncompliance were due to the failure to conduct a comprehensive, organization-wide risk analysis.

Before conducting a comprehensive risk analysis, it is necessary to know first how your organization receives ePHI, where it goes, where it is stored, and what systems are used to access that data. One common cause of risk analysis noncompliance is not understanding the location of all ePHI in the organization.

The Summer 2020 Cybersecurity Newsletter of OCR highlighted the importance of maintaining a complete information technology (IT) asset inventory and detailed its role in the risk analysis process. An IT asset inventory lists all of the organization’s IT assets, including descriptions, serial numbers, names, and other data used to identify each asset, such as its location, version (operating system/application), and the individual responsible for it.

Although an IT asset inventory is not required under the HIPAA Security Rule, it is a helpful tool for developing a complete, organization-wide risk analysis. It helps organizations know where ePHI may be located and improves their HIPAA Security Rule compliance.

An IT asset inventory does not just include physical hardware like mobile gadgets, servers, workstations, peripherals, portable media, firewalls, and routers. Software assets and applications, such as operating systems, anti-malware tools, email, administrative and financial records systems, databases, and electronic health record systems, are also included.

IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included. Data assets containing ePHI that an organization creates, receives, stores on its electronic devices or media, and transmits over its network should be included as well.

Small healthcare providers can create and maintain an IT asset inventory manually. Large and more complex companies can use dedicated IT Asset Management (ITAM) solutions, which use automated discovery and update processes to make sure no asset is overlooked.

When creating an IT asset inventory, be sure to include assets that could be used to access ePHI, the networks that carry it, or the devices that store it. Even though IoT devices are not themselves used to store or access ePHI, they can be used to gain access to the network or to devices from which ePHI can be viewed.

If vulnerable IoT devices are left unpatched, an intruder could exploit them to gain a foothold in the organization’s IT network and potentially access ePHI. Several incidents of this kind have been reported.

Organizations that lack a complete IT asset inventory may fail to recognize and mitigate risks to ePHI. A comprehensive view of the organization’s environment is necessary to perform an accurate and thorough risk analysis that complies with the Security Rule.

An IT asset inventory also supports the creation of policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of the organization. The inventory can help spot unauthorized devices that someone has connected to the network, and it can help ensure that no device, software, or other IT asset is missed when applying updates and security patches.
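The two reconciliation checks described above, and the inventory fields the newsletter lists, as an added example written for this page (it is not code from OCR or HHS): a small inventory is compared against a network discovery result and a patch report, flagging unknown devices, inventoried hardware that has gone missing, and assets not yet patched. All asset records, MAC addresses and patch data are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """One inventory record with the fields the OCR newsletter lists."""
    asset_id: str        # serial number or inventory tag
    name: str
    kind: str            # "hardware", "software" or "data"
    location: str
    version: str         # operating system / application version
    owner: str           # individual responsible for the asset
    handles_ephi: bool   # creates, receives, stores or transmits ePHI?
    mac: str = ""        # network identifier for hardware assets only

# Constructed sample inventory (hypothetical assets, not real systems)
INVENTORY = [
    Asset("SN-1001", "ehr-db-01", "hardware", "Server room A", "Windows Server 2019", "J. Doe", True, "aa:bb:cc:00:00:01"),
    Asset("SN-1002", "front-desk-ws", "hardware", "Reception", "Windows 10 21H2", "A. Lee", True, "aa:bb:cc:00:00:02"),
    Asset("SN-1003", "lobby-thermostat", "hardware", "Lobby", "fw 2.3", "Facilities", False, "aa:bb:cc:00:00:03"),  # IoT: no ePHI, still inventoried
    Asset("SW-2001", "backup-agent", "software", "ehr-db-01", "7.1", "J. Doe", True),
    Asset("DA-3001", "billing-exports", "data", "file-share/billing", "n/a", "Billing", True),
]

# Constructed discovery output: MAC addresses seen on the network today
DISCOVERED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:99"}

# Constructed patch report: asset IDs confirmed up to date this cycle
PATCHED_IDS = {"SN-1001", "SW-2001"}

def unauthorized_devices(inventory, discovered_macs):
    """MACs on the network that no inventory record claims: candidate rogue devices."""
    known = {a.mac for a in inventory if a.mac}
    return sorted(discovered_macs - known)

def missing_from_network(inventory, discovered_macs):
    """Inventoried hardware not seen by discovery: lost, stolen, or removed without updating the inventory."""
    return sorted(a.asset_id for a in inventory if a.mac and a.mac not in discovered_macs)

def unpatched_assets(inventory, patched_ids):
    """Patchable (hardware/software) assets not confirmed patched, ePHI-bearing ones listed first."""
    pending = [a for a in inventory if a.kind != "data" and a.asset_id not in patched_ids]
    return [a.asset_id for a in sorted(pending, key=lambda a: not a.handles_ephi)]

def ephi_locations(inventory):
    """Every location where ePHI lives: the starting point for an organization-wide risk analysis."""
    return sorted({a.location for a in inventory if a.handles_ephi})

if __name__ == "__main__":
    print("Unknown devices on network:", unauthorized_devices(INVENTORY, DISCOVERED_MACS))
    print("Inventoried but not seen:", missing_from_network(INVENTORY, DISCOVERED_MACS))
    print("Not yet patched:", unpatched_assets(INVENTORY, PATCHED_IDS))
    print("ePHI locations:", ephi_locations(INVENTORY))
```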

The NIST Cybersecurity Framework can help organizations create an IT asset inventory, and NIST also provides guidance on IT asset management in its Cybersecurity Practice Guide. Another tool from HHS that can help with IT asset management includes inventory capabilities that allow manual or bulk entry of asset information relating to ePHI.

Data Breaches Announced by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center

A phishing attack on the University of Maryland Faculty Physicians, Inc. (FPI) potentially allowed unauthorized individuals to access the protected health information (PHI) of University of Maryland Medical Center (UMMC) patients.

FPI, a physician practice group composed of faculty members of the University of Maryland School of Medicine, provides support services to doctors and staff at UMMC facilities.

Upon learning of the unauthorized email account access, FPI secured the email account and launched a thorough investigation to determine the nature and scope of the breach. On May 26, 2020, FPI confirmed that an unauthorized individual had accessed the account, which contained the PHI of 33,896 patients, from February 6, 2020 to February 11, 2020.

The types of data in the email account varied from patient to patient and may have included the following data elements in combination with patient names: birthdate, medical record number, and clinical data related to treatment received at a UMMC facility or from an FPI-affiliated doctor. A small number of Social Security numbers were also found in email messages and file attachments. No evidence was found indicating that the attacker viewed or obtained patient information.

FPI and UMMC have reviewed their policies and procedures and have taken steps to strengthen email security in order to prevent similar breaches in the future.

Data of 25,554 Highpoint Foot & Ankle Center Patients Potentially Exposed

Highpoint Foot & Ankle Center, based in Chalfont, PA, discovered that an unauthorized person carried out a remote access attack and gained access to its network, which contained the files of 25,554 patients. The healthcare provider discovered the data breach on May 20, 2020 and took immediate action to prevent further unauthorized access to the system.

A prompt internal investigation showed that the unauthorized person had access to patient data including names, birth dates, addresses, telephone numbers, diagnosis and treatment information, and Social Security numbers. Although the unauthorized access was confirmed, no evidence was found that patient data was viewed or copied. No reports of misuse of patient information have been received.

Highpoint Foot & Ankle Center has put additional safeguards in place to prevent further security breaches and has offered affected patients free credit monitoring and identity theft protection services through MyIDCare.

Guidance For Contacting COVID-19 Patients Concerning Blood and Plasma Donations

When patients contract an infectious respiratory disease such as COVID-19, the immune system produces antibodies that protect the body if the pathogen is encountered again. The antibodies found in the blood of patients who have recovered from this kind of illness are invaluable, because they not only protect the patient but can also be transferred to other patients.

Two preparations can be made from donated blood and plasma: hyperimmune immunoglobulin and convalescent plasma. Both have been used effectively to treat patients with other viral respiratory illnesses. Given the severity of COVID-19 and its high fatality rate, these therapies could be important for patients who are struggling to fight the illness. Research studies are currently under way to determine whether antibody treatments are effective against COVID-19.

To support these programs, previously diagnosed COVID-19 patients must be contacted and asked whether they would like to donate blood and plasma. But does the HIPAA Privacy Rule permit this contact?

On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights published guidance for healthcare organizations on the HIPAA Privacy Rule and whether it permits contacting COVID-19 patients to request blood and plasma donations.

According to OCR, the HIPAA Privacy Rule does not prevent healthcare organizations from contacting COVID-19 patients to request blood and plasma donations, and there is no need to obtain prior authorization from the patient.

Healthcare organizations can contact patients to inform them about opportunities to donate blood and plasma to support the COVID-19 response and improve the chances of other patients to fight the disease.

HIPAA-covered entities, and business associates acting on their behalf, may use or disclose PHI for treatment, payment, and healthcare operations without first obtaining patient authorization. Requesting a blood or plasma donation does not fall under treatment, since the blood or plasma will not be used to treat that patient; rather, it is part of population-based activities to improve health, case management, and care coordination, which are included in the definition of healthcare operations.

There is some misunderstanding that contacting patients to request blood donations constitutes a marketing communication, which the HIPAA Privacy Rule generally does not permit without first obtaining patient authorization.

In this case, according to the OCR guidance, an exception to the Privacy Rule’s marketing provision applies. A covered health care entity is permitted to communicate about its own population-based case management and related healthcare operations activities, as long as the covered entity does not receive direct or indirect payment from, or on behalf of, the third party whose service is mentioned in the communication (for example, a blood and plasma donation center).

Patient authorization is required before disclosing PHI to a third party, such as a blood and plasma donation center, to allow that party to contact a COVID-19 patient to request blood and plasma donations for the donation center’s own purposes.