
Enforcement Trends: Lessons from the HIPAA Privacy Rule

Enforcement of the HIPAA Privacy Rule

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule. Enforcement trends are the most direct way the OCR tells us what, and where, it is looking. In the most recent enforcement results, the OCR reports that it has received over 171,161 complaints since the HIPAA Privacy Rule took effect in 2003. These complaints have been against all types of covered entities, such as national pharmacies, medical centers, health plans, hospital chains, outpatient facilities, and private practices. 98% of these cases have been resolved through enforcement actions including investigations, fines, corrective actions that require systemic changes in privacy practices, and technical assistance.

From the OCR’s enforcement trends, we can see that the most frequently investigated compliance issues in relation to the HIPAA Privacy Rule are impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to PHI, and use or disclosure of more than minimum necessary PHI. We can also see that the most common types of covered entities required to take corrective action are hospitals, private practices, outpatient facilities, pharmacies, and health plans. Let’s take a look at the most frequently investigated HIPAA Privacy Rule compliance issues to see what lessons your organization can learn from enforcement trends.

Impermissible Uses and Disclosures of PHI

To provide the best care possible, health care professionals need information. Treatment, research, quality, payment – it all requires information about patients. But how do you determine when information sharing is permissible under the HIPAA Privacy Rule and when it is not? In general, HIPAA supports the sharing of PHI when it falls under treatment, health care operations, and payment. For example, a covered entity could disclose PHI to another covered entity or business associate in order to treat or coordinate care for patients, to enable case management, for quality assessment or improvement purposes, and for population health purposes. Even with this general definition, there can still be misunderstanding over impermissible uses and disclosures of PHI. The U.S. Department of Health & Human Services’ guidance states, “Confusion about the rules has been cited by many as a potential obstacle to interoperability of digital health information.”

Impermissible uses and disclosures of PHI are an enforcement trend because there are so many situations where this could apply – employers, family members, other patients, law enforcement, media, etc. To help you understand impermissible uses and disclosures of PHI, let’s consider how the HIPAA Privacy Rule would function within a doctor’s office. The HHS describes this scenario: in a public waiting room, a member of a medical practice discussed HIV testing procedures with a patient. By discussing this in a public area and using a device that displayed PHI, the staff member disclosed PHI to the other individuals in the waiting room. Among other corrective actions, the OCR required this medical practice to revise and implement its policies and procedures regarding safeguarding the communication of PHI. How do your organization’s policies and procedures cover impermissible uses and disclosures of PHI? Enforcement trends highlight that it’s vital to include details like these so that you can comply with the HIPAA Privacy Rule in any type of situation.

Lack of Safeguards of PHI

The HIPAA Privacy Rule requires that covered entities apply administrative, technical, and physical safeguards to protect PHI. These safeguards could be things like access controls, physical security measures, or secure disposal policies. Training your employees and implementing these safeguards is vital in protecting your organization from a finding of lack of safeguards of PHI.

To demonstrate the danger of lack of safeguards of PHI, let’s look at this example: an employee of a pharmacy placed a customer’s insurance card in another customer’s prescription bag. Would you think that an insurance card is considered PHI? The pharmacy didn’t, but the OCR explained to the pharmacy that insurance cards do meet the definition of PHI. The pharmacy was required to amend its policies and procedures regarding PHI and re-train staff. From this enforcement trend, we can learn that organizations should evaluate the effectiveness of their safeguards by asking what risks for disclosure exist for each process and determining whether there are sufficient controls in place to prevent those risks from being exploited.

Lack of Patient Access to PHI

The HIPAA Privacy Rule exists so that patients know they have rights, what those rights are, and how those rights are respected; providing patients with easy access to their own PHI is a part of those rights. What if you couldn’t monitor a chronic condition because you didn’t have access to your medical records? What if you couldn’t identify all of your allergies because a covered entity refused to give you access to your medical records? A lack of patient access to PHI can make individuals feel out of control, or that they cannot make the most-informed medical decisions possible. Guidance regarding patient access to PHI states, “With limited exceptions, the HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.”

To help you understand a lack of patient access to PHI, consider this scenario at a private practice. A complainant claimed that a private practice denied her access to her PHI because of an outstanding balance, which was confirmed during the OCR’s investigation. Corrective actions for this private practice included technical assistance to explain that, in general, a covered entity cannot deny a patient access to their PHI because of an outstanding balance. The covered entity was also required to provide the complainant with a copy of her medical record. Do your policies and procedures create obstacles to patient access to PHI? If so, you must determine whether there is a legal basis for maintaining those obstacles.

Use or Disclosure of More Than Minimum Necessary PHI

In many frameworks, it’s required that organizations make an effort to use, disclose, and request only the minimum amount of sensitive information needed for an intended purpose or to carry out a function; this is also the case for the HIPAA Privacy Rule. 45 CFR 164.502(b), 164.514(d) states, “PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI.”

The more people who have access to PHI, the more risk there is. At a dentist’s office, the OCR investigated claims that some medical records were marked with an “AIDS” label on the outside cover, and records were handled in a way that let other patients and staff without a need to know read the sticker. To resolve this issue, the dentist’s office was required to immediately remove the “AIDS” labels and amend its policies and procedures to specify that labels such as these should be on the inside cover of medical records. From this enforcement trend, the lesson is to determine whether each instance of disclosing PHI is necessary to treat, operate, or obtain payment.

If your organization follows the HIPAA Privacy Rule, you must pay attention to enforcement trends. These trends can help you focus on and re-evaluate controls that the OCR may audit. From recent enforcement trends, your organization can evaluate:

  • How do your policies and procedures cover impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to PHI, and use or disclosure of more than minimum necessary PHI?
  • How do you evaluate the effectiveness of your safeguards?
  • Do your policies and procedures create obstacles to patient access to PHI?
  • How do you determine if instances of disclosing PHI are necessary to treat, operate, or obtain payment?

Contact us to learn more about enforcement trends and how a HIPAA Privacy Rule Assessment can help ensure your compliance.

How Does the HIPAA Privacy Rule Affect Your Practice?

Many business associates and covered entities are already overwhelmed with responsibilities, so it can be a struggle to find the staff and resources to dedicate to managing strict regulatory demands. In our highly data-driven world, ensuring the privacy of customer data, specifically protected health information (PHI) and patient data, is becoming a top priority of organizations worldwide. In the world of healthcare, the HIPAA Privacy Rule exists to aid business associates and covered entities in ensuring they are doing their due diligence to protect PHI. What is the HIPAA Privacy Rule? Who needs HIPAA Privacy? What does a HIPAA Privacy Rule assessment include? So, how does the HIPAA Privacy Rule affect your practice? Read on to find out.

What is the HIPAA Privacy Rule?

The Privacy Rule is a national standard intended to protect patients’ protected health information (PHI). The HIPAA Privacy Rule requires healthcare organizations and their third parties to implement appropriate safeguards to protect the privacy of this information. It regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The HIPAA Privacy Rule is important because without it, healthcare organizations could disclose and distribute protected health information (PHI) without the consent of the individual. If this sensitive data were to end up in the wrong hands, it could negatively impact the individual.

Who Needs HIPAA Privacy?

According to the HIPAA Privacy Rule, healthcare organizations such as private practices, general hospitals, outpatient facilities, pharmacies, and health plans are required to comply with the HIPAA Privacy Rule. If you are considered to be one of these entities, it’s important to understand and ask yourself, how does the HIPAA Privacy Rule affect your practice? Non-compliance can result in OCR sanctions and hefty fines for these entities. As healthcare data continues to be a major target for cyber criminals, healthcare organizations must take steps that go above and beyond HIPAA Privacy Rule compliance through sophisticated information security and risk management practices.

What Does the HIPAA Privacy Rule Cover?

There are five main areas of the HIPAA Privacy Rule according to 45 CFR Part 160 and Subparts A and E of Part 164. A HIPAA Privacy Rule Assessment evaluates policy and procedure documentation relating to these areas, which include:

  1. Notice of Privacy Practices – This is the method for communicating patient rights to patients. This document should establish the basis for a patient’s understanding of what will happen with their PHI.
  2. Patient Rights – This refers to a patient’s rights with respect to PHI, including their right to authorize uses and disclosures.
  3. Minimum Necessary Standard – This states that organizations must make an effort to use, disclose, and request only the minimum amount of PHI needed for the intended purpose of the use and disclosure of the PHI.
  4. Administrative Requirements – A designated Privacy Officer should be responsible for developing and implementing policies and procedures. The Privacy Officer must have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI.
  5. Uses and Disclosures – The HIPAA Privacy Rule requires that organizations define the uses and disclosures of PHI for treatment, payment, and operational purposes, including an example for each purpose.
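The minimum necessary standard described above (and illustrated earlier by the dentist’s office whose diagnosis labels were readable by staff without a need to know) is a data-minimization rule, and it can be enforced in software rather than left to paper policy alone. The following is an added example, not code from the original articles or from KirkpatrickPrice: a small purpose-based release filter in which each (role, purpose) pair is mapped to the PHI fields it may receive, any pair absent from the policy is refused outright, and every request is written to an audit log. The role names, the policy table, the field names, and the sample patient record are all constructed assumptions for illustration, not values from any real system.

```python
"""Purpose-based "minimum necessary" filter for PHI fields.

Added illustration (not code from the original articles or from
KirkpatrickPrice). The roles, purposes, policy table, field names and
sample record are constructed assumptions, not data from any real system.
"""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    """The three purposes under which the Privacy Rule generally permits sharing."""
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"


# Hypothetical policy: which PHI fields each role may receive for each purpose.
# A (role, purpose) pair that is absent is not a permitted use at all, so the
# request is refused rather than answered with "everything".
MINIMUM_NECESSARY_POLICY = {
    ("clinician", Purpose.TREATMENT): {"name", "dob", "allergies", "diagnoses", "medications"},
    ("billing", Purpose.PAYMENT): {"name", "dob", "insurance_id", "procedure_codes"},
    ("front_desk", Purpose.OPERATIONS): {"name", "dob", "next_appointment"},
    # Quality review sees clinical codes but no direct identifiers.
    ("quality_team", Purpose.OPERATIONS): {"procedure_codes", "diagnoses"},
}

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1980-01-01",
    "insurance_id": "INS-0000-TEST",
    "allergies": ["penicillin"],
    "diagnoses": ["B20"],          # the kind of sensitive label the dentist's office exposed
    "medications": ["example-med"],
    "procedure_codes": ["D0120"],
    "next_appointment": "2030-06-01",
}

# In-memory audit trail; a real deployment would write to tamper-evident storage.
AUDIT_LOG = []


@dataclass(frozen=True)
class Disclosure:
    allowed: bool        # False when the (role, purpose) pair is not a permitted use
    fields: dict         # the subset of the record actually released
    withheld: frozenset  # field names present in the record but not released


def disclose(record, role, purpose):
    """Release only the fields the policy permits for this role and purpose.

    Refuses the whole request when the pair is not in the policy, and records
    an audit entry either way so reviewers can see who asked for what.
    """
    allowed_fields = MINIMUM_NECESSARY_POLICY.get((role, purpose))
    if allowed_fields is None:
        AUDIT_LOG.append({"role": role, "purpose": purpose.value,
                          "result": "denied", "released": []})
        return Disclosure(False, {}, frozenset(record))

    released = {k: v for k, v in record.items() if k in allowed_fields}
    withheld = frozenset(record) - allowed_fields
    AUDIT_LOG.append({"role": role, "purpose": purpose.value,
                      "result": "released", "released": sorted(released)})
    return Disclosure(True, released, withheld)


def denied_requests():
    """Return audit entries for refused requests, a cheap signal for over-reaching access."""
    return [entry for entry in AUDIT_LOG if entry["result"] == "denied"]


if __name__ == "__main__":
    # Front desk scheduling: sees the appointment, never the diagnosis.
    front = disclose(SAMPLE_RECORD, "front_desk", Purpose.OPERATIONS)
    print("front desk receives:", sorted(front.fields))
    print("front desk withheld:", sorted(front.withheld))

    # Front desk asking under "treatment" is not a permitted use at all.
    print("front desk/treatment allowed:", disclose(SAMPLE_RECORD, "front_desk", Purpose.TREATMENT).allowed)
    print("denied requests so far:", len(denied_requests()))
```

The policy table is the artefact a Privacy Officer would maintain; the code only enforces it. Two properties matter for an audit: a missing pair fails closed (no fields are released), and the withheld set in each result shows exactly which PHI was kept back, which is the evidence an assessor will ask for when checking the minimum necessary standard.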

The HIPAA Privacy Rule exists so that patients know they have rights, what those rights are, and how those rights are respected. Is your organization struggling to answer the question, how does the HIPAA Privacy Rule affect your practice? Contact us to learn more about how a HIPAA Privacy Rule Assessment can help ensure your compliance.

Penetration Testing for HIPAA Compliance

What is Penetration Testing?

Penetration testing is a critical line of defense when protecting your organization’s sensitive assets from malicious outsiders. Penetration testing is the process of performing authorized security testing of an environment to identify and exploit weaknesses associated with the targeted systems, networks, and applications before those weaknesses can be exploited by a real attacker. When performed in support of HIPAA compliance, the goal is to identify issues that could result in access to Electronic Protected Health Information (ePHI). The most common penetration testing types include:

  • Internal and External Infrastructure testing focuses on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.
  • Web Application testing involves attempting to identify and exploit common web vulnerabilities as well as business logic flaws that could allow an attacker to gain access to sensitive data.
  • Wireless Assessments assess the configuration and protections associated with wireless deployments, which can highlight issues that could allow unauthorized use of this connection. Wireless Assessments can also be performed to identify unauthorized access in your environment by performing rogue access point (AP) identification.
  • Social Engineering focuses on the human element that affects the security of your environment. Through email, phone, and SMS-based social engineering, it is possible to identify areas where employees are likely to fall victim to attackers attempting to convince them to provide information or take other actions that could lead to the compromise of systems and sensitive data. Performing this type of assessment can help your organization to highlight areas that should be strengthened through future security awareness training.

Listen to the full webinar to learn KirkpatrickPrice’s penetration testing methodology, penetration testing approaches, and how penetration testing fits into HIPAA laws.

More Penetration Testing for HIPAA Compliance Resources

HHS.gov HIPAA Security Rule for Professionals

164.308(a)(8) Standard: Evaluation

NIST SP800-66 – (HIPAA Implementation Guidance)

National Institute of Standards and Technology (NIST) SP800-115

Open Source Security Testing Methodology Manual (OSSTMM)

Open Web Application Security Project (OWASP)

Penetration Testing Execution Standard (PTES)

Penetration Testing Framework

What Will Be in My HIPAA Compliance Report? The 4 Main Components to a HIPAA Compliance Report

You’ve partnered with a third party, you’ve properly scoped your environment, you’ve conducted a HIPAA Risk Analysis, you’ve remedied any non-compliant findings, you’ve worked with your auditor, you’ve completed your HIPAA audit, and now you’re finally receiving your HIPAA compliance report. Congratulations! So, what’s actually included in a HIPAA compliance report? Here are the 4 main components of a HIPAA compliance report:

The 4 Main Components to a HIPAA Compliance Report:

  1. Scope of Engagement

This section will report on the auditor’s review of controls over access to electronic protected health information (ePHI), which ensure that access to ePHI meets HIPAA requirements. The Scope of Engagement also includes the auditor’s determination of the level of compliance with the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards. These safeguards are an important part of preventing and mitigating a breach. This section also includes a report of the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk analysis and training requirements.

  2. Executive Summary

The second component of a HIPAA compliance report provides the purpose of the engagement and a description of the independent review of the information security control structure. The Executive Summary also includes a statement on the information security control structure’s compliance with the HIPAA Security Rule.

  3. Assessment Method

The Assessment Method describes the three main phases of the assessment: Planning, Control Identification, and Control Testing. The first phase consists of the assessor firm and client working to define the scope of the environment, identify areas of concern, and produce a work plan. During the second phase, the assessor interviews staff and examines relevant documentation. This phase results in the identification of key controls and testing methods to be used during the assessment. The third phase, Control Testing, occurs when the assessor conducts a review based on the key controls. The controls are then matched with the requirements of the HIPAA Security Rule and tested. The assessor must determine that the controls not only met the intent and rigor of the control objective, but were also implemented and operating.

  4. Assessment of Security Safeguards

This section covers the standards and implementation specifications assessed, together with compliance descriptions. That is, it gives a brief summary of each standard, how each standard is implemented, and a description of how the implementation meets the standard.

Your organization can use your HIPAA compliance report to provide stakeholders or outside parties with an independent third-party verification that all access controls to ePHI stored on your systems are in compliance with HIPAA requirements.

Video Transcription

A HIPAA Report contains four main components. The first component is Scope of Engagement. The Scope of Engagement reports on the auditor’s review of controls over access to electronically protected health information. It also reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s administrative, physical, or technical safeguards. Lastly, it reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk assessment and training requirements. Next, we have Executive Summary. The Executive Summary provides a description of an independent review of the information security control structure and its compliance with the HIPAA Security Rule. Next, we have Assessment Method. The Assessment Method provides a description on the three phases of the assessment: planning, control identification, and control testing. Lastly, we have Assessment of Security Safeguards. This section provides a description on standards, implementation specifications, compliance descriptions.

What are HIPAA Physical Safeguards?

The HIPAA Security Rule requires that business associates and covered entities have physical safeguards and controls in place to protect electronic Protected Health Information (ePHI). These safeguards provide a set of rules and guidelines that focus solely on the physical access to ePHI.

Stephanie Rodrigue discusses the HIPAA Physical Safeguards

What are Physical Safeguards?

According to the Security Rule, physical safeguards are, “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Each organization’s physical safeguards may be different, and should be derived based on the results of the HIPAA risk analysis.

There are four standards included in the physical safeguards. These include:

  1. Facility Access Controls – These policies and procedures should limit physical access to all ePHI to that which is only necessary and authorized. Some common controls include things like locked doors, signs labeling restricted areas, surveillance cameras, onsite security guards, and alarms. Personnel controls could include ID badges and visitor badges.
  2. Workstation Use – Workstation use covers appropriate use of workstations, such as desktops or laptops. These policies and procedures should specify the proper functions that should be performed on workstations, how they should be performed, and physical workstation security.
  3. Workstation Security – Workstation security is necessary to restrict access to unauthorized users.
  4. Device and Media Controls – Device and media controls are policies and procedures that govern how hardware and electronic media that contains ePHI enters or exits the facility. These controls must include disposal, media reuse, accountability, and data backup and storage.

In order for organizations to satisfy this requirement, they must demonstrate that they have the appropriate physical safeguards in place and that they are operating effectively. For more help with determining whether your organization has the proper controls in place, contact us today.

Video Transcription

The Security Rule requires that you have physical controls in place to protect PHI. This is going to look different for every organization, so it’s important that you go back to your risk analysis to understand which physical controls are appropriate for your organization.

When we talk about physical controls, some of it’s really simple, like having a lock on your server room door or having security cameras or a security guard onsite. We’re talking about prevention of the physical removal of PHI from your facility. In order to be compliant in this area, you’re going to have to be able to provide evidence that your controls are in place and operating effectively.