Archive for HIPAA privacy
Since 2010, there has been a 100% increase in breaches caused by criminal attacks, according to the Ponemon Institute’s “Fourth Annual Benchmark Study on Patient Privacy and Data Security,” sponsored by ID Experts®.
The study also revealed new security and privacy threats to hospitals and the patient records they manage, such as what researchers describe as “unproven security” in the health insurance marketplace created as a result of the Affordable Care Act.
Top threats include:
- Criminal attacks
- Employee negligence
- Unsecured mobile devices (e.g., smartphones, laptop computers, tablets)
- Third parties
A majority of organizations surveyed said employee negligence is their biggest worry (75%), followed by use of public cloud services (41%), mobile device insecurity (40%), and cyber attackers (39%). However, 55% of organizations think their policies and procedures will prevent or quickly detect unauthorized patient data access, loss, or theft, up from 41% four years ago.
OCR announced in the February 24 Federal Register its plan to survey up to 1,200 covered entities and business associates to determine suitability for its HIPAA audit program.
The survey is intended to provide OCR information that will determine whether a respondent is suitable for an audit. Data collected through the survey will include the number of patient visits or insured lives, use of electronic information, revenue, and business locations.
HHS is seeking comments on aspects of the Information Collection Request and the burden estimate, which is 600 total burden hours. Submit comments by email at Information.CollectionClearance@hhs.gov or by telephone at 202-690-6162.
Skagit County in Washington state has agreed to a $215,000 fine and corrective action plan (CAP) to settle HIPAA violations with HHS. This is HHS’ first settlement with a county government, according to a press release.
An OCR investigation revealed that Skagit County exposed the ePHI of 1,581 individuals when files were moved to a publicly accessible server maintained by the county. The county also failed to comply with the HIPAA Privacy, Security, and Breach Notification Rules, according to HHS.
The CAP requires Skagit County to provide regular status reports to OCR. It also must establish written policies and procedures, documentation requirements, training, and other measures to comply with HIPAA.
The HIPAA Omnibus Rule changed the breach notification process by introducing a four-factor risk assessment: an impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity (CE) or business associate (BA) can demonstrate that there is a low probability the PHI was compromised. In response, the Workgroup for Electronic Data Interchange (WEDI) recently released an issue brief that provides breach notification guidance.
The issue brief describes the following processes for establishing probability and requirements for notification:
- Determine whether the data is PHI. If it is not PHI, further breach notification action is not required.
- Determine whether the data is unsecured PHI. No further action is required if the PHI is secured and the organization can document that the method for securing PHI was enabled at the time of the breach. If the breach involved unsecured PHI, proceed to the next step.
- Determine and document whether the incident falls within one of the breach notification exceptions, in which case breach notification is not necessary. If the disclosure does not fall within an exception, proceed to the next step. The exceptions include the following:
  - Unintentional access to PHI in good faith by a workforce member acting within the scope of his or her job, where the access does not result in further impermissible use or disclosure of PHI.
  - Inadvertent disclosure of PHI by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE, BA, or affiliated organized healthcare arrangement, where the PHI is not further used or disclosed impermissibly.
  - An improper disclosure of PHI where the CE or BA has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
An organization that immediately decides to proceed with notification does not need to perform the four-factor risk assessment process. Otherwise, the process is required after a breach of PHI is discovered, according to WEDI. If the probability that PHI was compromised is low, notification is not necessary and the organization should document the process for future reference. WEDI recommends remediation even in the event of a low probability breach determination.
HHS recently released new HIPAA Privacy Rule FAQs on sharing information related to mental health. The guidance clarifies the following:
- Providers may communicate with a patient’s family members, friends, or others involved in the patient’s care when the patient has the capacity to make healthcare decisions so long as the patient does not object
- Providers may communicate with a patient’s family members, friends, or others involved in the patient’s care when the patient is incapacitated if the provider determines doing so is in the patient’s best interest
- Providers generally must obtain a patient’s written authorization before disclosing psychotherapy notes; the Privacy Rule allows only a few narrow exceptions (for example, use by the originator of the notes for treatment, or disclosures required by law)
- Providers may disclose PHI that is directly relevant to the patient’s care to the patient’s family, friends, or other persons involved in the patient’s care or payment for care in emergency situations
- Providers may disclose general treatment information of a minor patient to a parent, guardian, or other person acting in loco parentis except in situations when the parent is not the minor child’s personal representative
- Providers may not provide a minor patient’s parents copies of psychotherapy notes, but may provide a parent who is a personal representative a copy of his or her child’s mental health information contained in the medical record, including information about diagnosis, symptoms, or treatment plans
- Providers may disclose information to family members of an adult patient who has capacity and has objected to the disclosure, if the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family member is in a position to lessen the threat
- Providers may disclose necessary information about a patient to law enforcement officials, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others
- Covered entities may disclose certain PHI, including the date and time of admission and discharge, to law enforcement officials upon request for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person
- Under limited circumstances in which the HIPAA Privacy Rule may apply to health information in a school setting, disclosing information to parents of a minor patient or to law enforcement officials is permitted