Rural Hospital Cybersecurity Enhancement Act and Better HIPAA Protections for Reproductive Health Data

The Rural Hospital Cybersecurity Enhancement Act

A bill advanced by the Senate Homeland Security and Governmental Affairs Committee aims to address the current shortage of cybersecurity expertise in rural hospitals, which are increasingly targeted by cybercriminals. Rural hospitals lack the resources needed to implement cybersecurity and struggle to recruit skilled cybersecurity professionals, so they are viewed as soft targets by cybercriminals.

Sen. Josh Hawley (R-MO), with Sens. Gary Peters (D-MI) and Jon Ossoff (D-GA) as co-sponsors, introduced the Rural Hospital Cybersecurity Enhancement Act, which calls for a comprehensive rural hospital cybersecurity workforce development strategy to address the current shortage of cybersecurity personnel at rural hospitals. The Act requires the Secretary of the Department of Homeland Security to develop that strategy, covering the growing need for skilled cybersecurity professionals in rural hospitals, within a year of the Act's passage.

In developing the strategy, the Secretary must consider partnerships among rural hospitals, private industry, educational institutions, and non-profits to expand cybersecurity education and training courses focused on the needs of rural hospitals, the creation of a cybersecurity curriculum and teaching materials for rural schools, and recommendations for legislation, rulemaking, and/or assistance for implementing the strategy.

Rural hospitals operate under growing financial pressure and lack the funding needed for cybersecurity. At present only some rural hospitals have dedicated cybersecurity staff, and IT personnel are typically understaffed and overworked. Cybersecurity roles in rural hospitals usually pay poorly, and limited budgets mean the people in those roles lack access to the up-to-date security tooling available elsewhere. The worldwide shortage of competent cybersecurity professionals is unlikely to be resolved soon, so the bill aims to close the gap through training programs at rural schools and by educating rural hospital employees on the basics of cybersecurity.

Sen. Rand Paul (R-TX) proposed an amendment to the original bill stating that CISA must not request additional funding for the proposed measures, and the amended bill will now go to a vote on the Senate floor. The Rural Hospital Cybersecurity Enhancement Act advanced a couple of days after the news that an Illinois rural hospital will close on June 16, 2023, due in part to the financial pressures of a ransomware attack.

24 State Attorneys General Voice Support for Stronger HIPAA Protections for Reproductive Health Data

A coalition of 24 state attorneys general has written to the Department of Health and Human Services (HHS) to express support for the proposed change to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that would strengthen the privacy of reproductive health data.

Background

The Supreme Court decision in Dobbs v. Jackson Women’s Health Organization in June 2022 overturned Roe v. Wade and removed the federal right to abortion. Many states enacted their own legislation prohibiting or severely restricting abortion, and that legislation allows criminal or civil penalties for anyone who seeks, provides, or assists with an abortion. Presently, 15 states have enacted near-total bans on abortion and many others have restricted abortion or are about to introduce bans or restrictions. Idaho has also recently passed an abortion trafficking law, which will limit the ability of state residents to travel out of state to obtain an abortion.

Following the Supreme Court decision, the HHS’ Office for Civil Rights (OCR) issued guidance to HIPAA-covered entities on the HIPAA Privacy Rule and how it permits, but does not require, disclosures of reproductive health data when the disclosure is required by law or is for law enforcement purposes. OCR confirmed that when a patient residing in a state that has banned abortion tells their healthcare provider that they are seeking an abortion in a state where abortion is lawful, the HIPAA Privacy Rule would not permit the healthcare provider to disclose that information to the authorities in order to prevent the abortion.

OCR subsequently issued a notice of proposed rulemaking (NPRM) for a change to the HIPAA Privacy Rule to further strengthen the privacy of reproductive health information, making it unlawful to disclose a patient’s PHI when that data is sought for certain civil, criminal, and administrative investigations or proceedings against a patient in connection with a lawful abortion or other reproductive health care.

In response to the NPRM, a coalition of 24 state attorneys general recently wrote to the OCR Director, Melanie Fontes Rainer, and HHS Secretary, Xavier Becerra, to confirm their support for the proposed HIPAA Privacy Rule changes. The coalition is led by New York Attorney General Letitia James, and the letter was signed by the state Attorneys General of Arizona, Colorado, California, Connecticut, Delaware, Illinois, Hawaii, Maine, Massachusetts, Maryland, Minnesota, Michigan, Nevada, New York, New Jersey, North Carolina, New Mexico, Oregon, Pennsylvania, Vermont, Rhode Island, Wisconsin, Washington, and Washington D.C. The state AGs asked HHS to move quickly to finalize the proposed rule and to adopt the standard compliance date of 180 days after the effective date of the final rule.

Suggestions to Further Enhance Reproductive Health Data Privacy

Besides confirming their support, the letter comments on areas where the protections in the proposed rule could be strengthened further. The proposed Privacy Rule update adopts a broad definition of “reproductive health care” as a subset of health care; however, the state AGs suggest also adding a separate definition of “reproductive health,” to make it clear that the update applies not only to providers of gynecological and/or fertility-related care but also to other HIPAA-regulated entities. This would help prevent any potential ambiguity about the types of health care covered by the proposed rule, and they suggest that illustrative examples of reproductive health care be included in the regulatory text of the final rule.

The state AGs also ask HHS to define “birth” and “death” separately, to make clear that terminating a pregnancy is not a public health reporting event and is therefore not subject to the HIPAA Privacy Rule reporting provisions. They also call for strengthening the language in the proposed rule that prohibits use or disclosure “primarily for” investigation of any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. The concern is that a different primary purpose could be asserted as a pretext for obtaining PHI for a prohibited reason. This potential loophole could be closed by removing the word “primarily”.

Other suggestions are for HHS to ensure that requesters and providers receive sufficient guidance on the attestation requirement of the proposed rule, which requires an attestation that the request is not being made to obtain reproductive health data in order to take legal action against a person, and for HHS to create a nationally accessible online resource giving patients accurate and clear information on reproductive care and privacy rights, together with a public awareness campaign to promote the website.

HIPAA Violations That Are Visible on Background Checks

Whether a HIPAA violation is visible on a background check depends on the type of violation, its consequences, and the reason for it. Although it is currently unusual for a HIPAA violation to appear on a background check, this could change because of a proposed revision to the Privacy Rule.

There are several types of HIPAA violations. Some have little impact and no long-term consequences – for example, an unintentional disclosure of PHI that is overheard but leads to nothing – while others can have a major impact on an organization and serious consequences for the individuals affected – for example, the intentional misuse of account credentials that compromises a database containing PHI.

Most employee HIPAA violations are dealt with under a Covered Entity’s sanctions policy. Employees responsible for minor violations are typically sanctioned with verbal or written warnings and additional HIPAA training. Those responsible for repeated or serious violations may be sanctioned with suspension or termination of employment or loss of license.

A termination, suspension, or loss of license will be documented in an employment record, but it will not be visible on a background check unless the HIPAA violation involved the knowing and wrongful disclosure of individually identifiable health information without consent. That constitutes a violation of HIPAA and of §1177 of the Social Security Act.

HIPAA Violations That Show Up on a Background Check

If a HIPAA violation also violates the Social Security Act, the organization must report the violation to law enforcement and to HHS’ Office for Civil Rights. The case is referred to the Department of Justice, which may pursue a criminal prosecution for the HIPAA violation. The penalties for a criminal violation of HIPAA are:

  • For knowingly and wrongfully violating §1177 of the Social Security Act, a fine of up to $50,000 and/or imprisonment of up to one year.
  • For an offense committed under false pretenses (for example, using somebody else’s account credentials), a fine of up to $100,000 and/or imprisonment of up to five years.
  • For an offense committed with intent to cause malicious harm or for personal gain or commercial advantage, a fine of up to $250,000 and/or imprisonment of up to ten years.

Whatever sentence is imposed, the HIPAA violation, its consequences, and the penalty become part of the public record and will be visible on a background check. This will almost certainly prevent the individual from obtaining a job in a healthcare position and will likely hinder employment in any other position that involves access to sensitive information.

The Proposed Changes to the Privacy Rule

In April 2023, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking in the Federal Register in response to the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization. Several states have since enacted anti-abortion laws, and women have had to travel to other states where abortion remains legal.

States with anti-abortion laws cannot stop women from traveling to other states for a termination. However, some states have introduced further laws criminalizing the act of helping or aiding a termination. Because this could lead to PHI being disclosed in order to pursue a criminal conviction for a medical procedure that was lawful in the state where it was performed, HHS’ Office for Civil Rights is proposing a change to the Privacy Rule.

The revision would add a new category of uses and disclosures (“attestation”) to those that already exist (“required”, “opportunity to agree”, “permitted”, and “authorized”). Thereafter, certain types of PHI regarded as more sensitive than others could only be used or disclosed if the recipient attests that the PHI will not be further used or disclosed for a prohibited purpose (in this case, pursuing a criminal conviction for a lawful procedure).

If adopted, the new category will not apply only to PHI related to terminations. It will apply to all reproductive health care, including contraception, miscarriage, and fertility treatment. The category could also be used to align the Privacy Rule more closely with the confidentiality rules for substance use disorder records (42 CFR Part 2), and to protect other types of sensitive information from uses or disclosures that run counter to HHS policy.

How the Revision Could Result in More §1177 Violations

The update could lead to more §1177 violations because when a person to whom sensitive PHI is disclosed under an attestation later uses or discloses the PHI for a prohibited purpose, they will be deemed to have knowingly and wrongfully disclosed individually identifiable health information without consent.

Notably, not only will the person who gave the false attestation be liable for a §1177 violation; the Covered Entity (or the Covered Entity’s employee) that disclosed the data could also be charged with a §1177 violation if they knew, or should have known, that the sensitive PHI would be used or disclosed for a prohibited purpose.

When an employee of a Covered Entity is found guilty of a §1177 violation, that HIPAA violation will be visible on a background check. Consequently, if the proposed changes to the Privacy Rule are adopted, Covered Entities must ensure that their policies and procedures reflect the new category of uses and disclosures, and all employees should be trained on the revised policies and procedures to avert preventable HIPAA violations.

HC3’s New DDoS Guide and NIST’s New Cybersecurity Guide

The Health Sector Cybersecurity Coordination Center (HC3) at the Department of Health and Human Services has published a DDoS guide for the healthcare industry that describes the threat and recommends mitigations to limit the severity and impact of DDoS attacks.

Distributed Denial-of-Service (DDoS) attacks are a form of resource-exhaustion attack: they consume the resources of a service, server, or network to block legitimate use. These attacks typically use botnets of compromised computers and IoT devices to send a flood of traffic to a particular IP address in order to overwhelm the service, server, or network. Legitimate visitors are denied service because of the congestion created by the massive volume of malicious traffic. These attacks normally cause disruption for a few hours, but some continue for several days.

These attacks generally cause only short-term disruption to services, and usually no data theft or hardware damage is involved. However, a DDoS attack may be used as a diversion to distract security teams. While the security team deals with the DDoS attack, the threat actor attempts another attack at the same time – for instance port scanning, a phishing campaign, malware delivery, or data theft.

DDoS attacks may also be combined with extortion, where the attacker issues a ransom demand and expects payment to end the attack. HC3 states that these ransom DDoS attacks are becoming more common, with a 24% quarter-over-quarter increase and a 67% year-over-year increase. They are usually directed at web applications such as patient portals, webmail, patient tracking applications, and telehealth solutions.

A pro-Russian hacktivist group known as Killnet is currently targeting the healthcare and public health (HPH) sector. Killnet is launching DDoS attacks against nations that support Ukraine, and hospitals and medical organizations are frequent targets. Although the group has threatened to steal and publicly expose sensitive patient information, these statements may simply be attention-seeking. The DDoS attacks conducted by the group in recent weeks do not appear to be connected with any other malicious activity beyond denying service to websites and web applications.

Although targeted DDoS attacks are difficult to prevent, there are steps that can be taken to limit their severity and impact. Since attacks usually focus on websites and web applications, these assets should have appropriate security controls. HC3 gives the following recommendations:

  • Sanitize user input
  • Ensure sufficient resource availability
  • Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections
  • Enforce a Content Security Policy (CSP)
  • Review third-party code
  • Run static and dynamic security scanning of website code and systems
  • Deploy web application firewalls
  • Use content delivery networks to keep malicious web traffic at bay
  • Provide load balancing and resilience against large volumes of traffic.

Since threat actors commonly use SYN (synchronize) floods, User Datagram Protocol (UDP) floods, and other Transmission Control Protocol (TCP) floods to drive DDoS attacks, network defenders should also pay attention to these protocols and the resources they consume.
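As an added illustration of the SYN and UDP flood patterns mentioned above (this is not code from the HC3 guide), the following Python script scans constructed connection-log lines and flags any destination that accumulates many half-open TCP connections, or receives a burst of UDP datagrams, within a one-second window. The log format, the thresholds, and the addresses are all assumptions made for the example.

```python
"""Flag SYN-flood and UDP-flood patterns in a simple connection log.

Added example, not part of the HC3 guide. Assumed log line format (constructed):
    <seconds> <TCP|UDP> <src_ip> <dst_ip>:<dst_port> <flags>
where flags is "S" for a client SYN, "A" for the client ACK that completes the
handshake, and "-" for UDP. A SYN with no completing ACK is a half-open connection.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    window: int      # index of the one-second window
    dst: str         # "ip:port" under pressure
    kind: str        # "syn_flood" or "udp_flood"
    count: int       # half-open connections or UDP datagrams in the window
    sources: int     # distinct source addresses involved


def parse_line(line):
    ts, proto, src, dst, flags = line.split()
    return float(ts), proto, src, dst, flags


def detect_floods(lines, window_secs=1.0, syn_threshold=10, udp_threshold=10):
    """Return alerts for windows where a destination exceeds a flood threshold."""
    pending = {}                       # (src, dst) -> window in which the SYN arrived
    udp_pkts = defaultdict(list)       # (window, dst) -> list of UDP sources
    for line in lines:
        ts, proto, src, dst, flags = parse_line(line)
        window = int(ts // window_secs)
        if proto == "TCP":
            if flags == "S":
                pending[(src, dst)] = window
            elif flags == "A":
                pending.pop((src, dst), None)   # handshake completed, not half-open
        elif proto == "UDP":
            udp_pkts[(window, dst)].append(src)

    # Anything still pending never completed its handshake.
    half_open = defaultdict(list)      # (window, dst) -> list of sources
    for (src, dst), window in pending.items():
        half_open[(window, dst)].append(src)

    alerts = []
    for (window, dst), srcs in half_open.items():
        if len(srcs) >= syn_threshold:
            alerts.append(Alert(window, dst, "syn_flood", len(srcs), len(set(srcs))))
    for (window, dst), srcs in udp_pkts.items():
        if len(srcs) >= udp_threshold:
            alerts.append(Alert(window, dst, "udp_flood", len(srcs), len(set(srcs))))
    return sorted(alerts, key=lambda a: (a.window, a.dst, a.kind))


def build_sample_log():
    """Constructed sample traffic (not a real capture)."""
    lines = [
        # One legitimate client completing the handshake in window 0 and window 1.
        "0.00 TCP 203.0.113.5 192.0.2.10:443 S",
        "0.01 TCP 203.0.113.5 192.0.2.10:443 A",
        "1.20 TCP 203.0.113.5 192.0.2.10:443 S",
        "1.21 TCP 203.0.113.5 192.0.2.10:443 A",
    ]
    # Twelve spoofed sources that send SYN and never complete the handshake.
    for i in range(1, 13):
        lines.append(f"0.{i:02d} TCP 198.51.100.{i} 192.0.2.10:443 S")
    # Fifteen UDP datagrams from ten sources hit the resolver in window 0;
    # three benign lookups follow in window 1.
    for i in range(15):
        lines.append(f"0.{50 + i:02d} UDP 192.0.2.{100 + i % 10} 192.0.2.20:53 -")
    for i in range(3):
        lines.append(f"1.{30 + i:02d} UDP 192.0.2.{100 + i} 192.0.2.20:53 -")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Real deployments would read flow records or firewall logs instead of this constructed format, but the same half-open accounting is what a SYN-flood detector on a load balancer or IDS performs.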

The advisory offers further recommendations on preventing attacks, assessing and mitigating attacks in progress, and improving security and incident response processes to reduce the damage that future attacks can cause.

HSCC & HHS Launch Guide to Help Healthcare Organizations Follow the NIST Cybersecurity Framework

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, together with the U.S. Department of Health and Human Services (HHS), has published a new guide to help healthcare organizations align their cybersecurity programs with the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The NIST Cybersecurity Framework is a widely adopted framework for identifying and managing cybersecurity risk. NIST released the framework in 2015 and updated it in 2018, and NIST CSF 2.0 is expected later this year. The NIST CSF is built around five core functions: Identify, Protect, Detect, Respond, and Recover.

Each of the five functions has recommended cybersecurity controls to implement. The framework also defines four implementation tiers used to rate organizations according to how they apply the framework, which lets them gauge whether they are meeting their cybersecurity goals against a recognized standard. The NIST CSF is the standard cybersecurity framework that government organizations and private industry use for managing cybersecurity risk.

Cybercriminal groups and nation-state actors commonly attack the healthcare sector. Healthcare organizations need to defend against more advanced threats. To do so, they need to address problems associated with fragmented infrastructures, obsolete systems, large numbers of applications, and the ever-growing number of network-linked medical devices. As a result, numerous healthcare companies have trouble handling cybersecurity efficiently.

HHS Assistant Secretary for Preparedness and Response Dawn O’Connell said that healthcare cyberattacks are the fastest-growing type of cybercrime. They jeopardize patient care, undermine the reliability of healthcare systems, and endanger the U.S. economy. Healthcare organizations need to protect their IT systems to prevent attacks and build a secure cyber culture across the healthcare industry.

According to the HSCC, a comprehensive cybersecurity framework such as the NIST CSF provides a common language and structure for discussing risk and the strategies and tools used to manage it to a level acceptable both to the organization and to other stakeholders, such as business partners, customers, and industry and federal regulators. Healthcare organizations that base their cybersecurity programs on the NIST CSF can better direct operational, capital, and resource allocations to the activities that yield the greatest return in safeguarding assets and data and reducing exposure to risk.

Although the NIST CSF was designed to suit organizations of all sizes across different sectors, a number of healthcare organizations have found it hard to adopt. The Cybersecurity Framework Implementation Guide is intended to help healthcare organizations apply the NIST CSF and describes specific actions they can take to promptly address cyber threats to their IT systems and better protect against the full range of cyber risks. The guide lets healthcare organizations assess their current cybersecurity practices and risks and identify gaps for remediation.

With double the number of data breaches and nearly 400 ransomware attacks compared to the last five years, it is very clear that the healthcare sector must up its game, said Bryan Cline, industry lead for the guide and Chief Research Officer for HITRUST. Health sector stakeholders of all sizes and subsectors can reduce their exposure to cyber risk by using this resource and the many others created by the HSCC and its government partners.

NIST, the HSCC, HHS, and other federal organizations jointly developed the Cybersecurity Framework Implementation Guide. The guide complements a prior joint publication of the HHS/HSCC 405(d) Program, ‘Health Industry Cybersecurity Practices’, which is likewise aligned with the NIST Cybersecurity Framework. With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the industry more resilient, said HSCC Cybersecurity Working Group Chair and Intermountain Healthcare CISO Erik Decker.

Ex-Medical Assistant at Axia Women’s Health Charged with Patient Data Theft

A former employee of Axia Women’s Health in Pennsylvania has been indicted on 39 counts for stealing patient data for personal profit. The Upper Moreland Police Department in Montgomery County, PA, uncovered a sophisticated scheme that involved stealing patients’ identities to obtain loans and credit cards, lease luxury apartments, and buy furniture worth several thousand dollars.

The investigation focused on Gwendolyn Murray of Philadelphia. Murray’s cellphone contained text messages with screenshots of patient records that had been sent by Ashley Latimer, 34, of Philadelphia. It was confirmed that Latimer sent the messages while employed at AFC Urgent Care in South Philadelphia. Further investigation showed that Latimer worked at AFC Urgent Care from September 16, 2021 to December 26, 2021, and was terminated after being accused of stealing $3,200 from the cash drawer.

Latimer was then hired by Axia Women’s Health as a medical assistant and was given access to patient files as part of her job. While working at Axia Women’s Health, Latimer took photos of patient data, including driver’s license numbers and other information, and sent them to Murray, who created fake customer accounts and obtained credit in the victims’ names. Other fake accounts at Wayfair, Carvana, Bob’s Discount Furniture, and Mattress Queen were created using the stolen identities.

Police seized Latimer’s cell phone and found 41GB of data, including text messages with Murray. There were also photos of computer screens and paper records containing the personal data of patients of Axia Women’s Health, where Latimer worked during the first and second quarters of 2022. Detectives also recovered photos of lease applications, Experian credit reports, and credit applications and approvals at Carvana and Wayfair in the names of Axia Women’s Health patients.

Attorney General Josh Shapiro of Pennsylvania reported that Latimer was detained on November 10, 2022 and indicted for her part in the scam. The data stolen by Latimer was employed to apply for credit cards and buy products worth over $31,000. Latimer is facing one count of forgery, 4 counts of computer theft, 7 counts of theft, and 27 counts of identity theft.

Latimer is accused of exploiting her position and betraying her trust and responsibility as a medical professional. That should not happen. Individuals must not be allowed to endanger patients and breach the Commonwealth’s health care systems.

Importance of HIPAA Training

A fully trained and compliant workforce benefits HIPAA-covered entities. HIPAA training is required by both the Privacy Rule and the Security Rule. Under the Privacy Rule, Covered Entities must train employees on the HIPAA-related policies and procedures relevant to their roles. Under the Security Rule, Covered Entities and Business Associates must have a security awareness and training program for all employees – including those without any ePHI access.

Here are 5 reasons concerning the importance of HIPAA training:

1. Minimize the Danger of HIPAA Violations

The purpose of training employees on HIPAA-related policies and security awareness is to help them perform their duties compliantly and avoid the mistakes that lead to privacy violations. The most important reason for training is to keep protected health information private and secure and to prevent HIPAA violations.

2. Show a Good Faith Effort

At times, despite an organization’s best efforts, employees may breach HIPAA policies. All violations must be reported to HHS’ Office for Civil Rights (OCR), and OCR may decide to investigate. If an investigation is opened, a HIPAA-covered entity should be able to demonstrate its good faith effort to achieve HIPAA compliance. Evidence that training was provided to employees shows that this was an isolated incident, which can help avoid sanctions and fines.

3. Give an Effective Workplace Framework

Through effective HIPAA training, employees learn what they need to do to be HIPAA compliant and why a particular action is necessary with regard to protected health information (PHI). This creates an effective workplace structure in which time wasted through lack of knowledge is reduced. In effect, the cost of HIPAA training pays for itself through increased productivity, better patient care, and improved Medicare star ratings.

4. Tougher Defense Against Cyberattacks

HIPAA training is necessary because all employees must understand HIPAA compliance. Security awareness training is necessary because it teaches employees the security practices that prevent the compromise of PHI and make it harder for malicious actors to obtain patient information. HIPAA’s security awareness training requirements help strengthen an organization’s security posture and prevent data breaches.

5. Stimulate the Patient’s Openness

Research indicates that when patients trust their medical providers to protect their personal data, they are more open about their symptoms and more willing to discuss health issues with their healthcare providers. That openness helps healthcare professionals make accurate diagnoses and better-informed treatment decisions, leading to better patient outcomes. One of the best ways of protecting patient privacy is HIPAA compliance, backed by regular employee training.

Conclusion

OCR maintains a publicly accessible breach portal that records all data breaches of 500 or more records that OCR has investigated. The records include closed cases, such as settlements with a financial penalty, technical assistance, or a corrective action plan. Roughly 33% of the settled cases required the provider to conduct additional training or increase the frequency of security awareness training.

This suggests that many organizations are not taking HIPAA and security awareness training seriously. Although HIPAA and security awareness training is no guarantee that violations will not occur, an effective training program can help reduce the sanctions imposed by OCR. In some cases, it can considerably reduce the indirect costs associated with changing policies and procedures, training staff on those changes, and the business disruption this causes.

Additionally, HIPAA training can aid in the development of an effective workplace structure, create tougher cyber protection, and promote patient openness that leads to better patient results. Covered Entities and Business Associates that are uncertain about any possible gaps in their training plans ought to seek expert compliance guidance.


Responding to a Subpoena for Medical Records

There are various ways to respond to a subpoena for medical records, depending on who issued the subpoena and the type of subpoena (witness, deposition, or duces tecum). It is essential to respond correctly when medical records are subpoenaed, because an incorrect response can result in a HIPAA violation. Healthcare organizations and administrators should therefore obtain legal advice on whether medical records may be disclosed in the particular circumstances of each subpoena.

The issuer matters because a healthcare provider cannot refuse a court order, a subpoena signed by a judge, magistrate, or administrative tribunal, or a grand jury subpoena. In these cases the provider must comply with the subpoena for medical records by disclosing the PHI specifically requested – although the information disclosed remains subject to the Privacy Rule’s provisions (for example, return or destruction of the PHI).

If a subpoena is signed by a court clerk or an attorney, HIPAA may require additional assurances. For example, when a subpoena requests medical records relating to substance use disorder treatment, the subpoena is not valid unless it is accompanied by a signed court order authorizing the disclosure. Similarly, when patient authorization is required to respond to a subpoena, healthcare organizations must use their own authorization form rather than a waiver sent by an attorney along with the subpoena.

Not Accepting a Subpoena for Medical Records

Healthcare organizations can object to a subpoena for medical records signed by a court clerk or attorney for a number of reasons. These include (but are not limited to):

  • The subpoena does not give the healthcare organization enough time to gather the requested data.
  • The subpoena requires the disclosure of PHI for which consent is needed and it is not possible to obtain the patient’s consent.
  • The subpoena places an undue burden on the healthcare organization – usually when the PHI of many patients is requested for a class action.
  • The subpoena is unreasonable or oppressive, or it is procedurally defective (for example, no protective order was requested to prevent further disclosures).

There is usually a time limit for filing an objection to a subpoena, and it can vary depending on where the subpoena was issued. Likewise, state law may provide further grounds for objecting to a subpoena for medical records. Professional, specialist legal advice is therefore required for the particular circumstances of each subpoena, and healthcare organizations and administrators should always obtain legal counsel before responding to a subpoena for medical records.

Can Medical Records be Subpoenaed?

Yes, medical records can be subpoenaed, since any type of record may be subpoenaed. So how should healthcare providers respond?

In almost all states, there are three types of subpoena:

  • a witness subpoena requires a person or entity to appear in court to give evidence
  • a deposition subpoena requires a person or entity to produce copies of documents and/or attend a deposition hearing
  • a subpoena duces tecum requires a person or entity to produce copies of documents and/or attend a court hearing

All three types of subpoena may be used to subpoena medical records or to require a healthcare organization to answer questions or give testimony about a medical record. Although not limited to any particular kind of case, a witness subpoena is typically used where the healthcare organization and a patient are the parties to the case (for example, a medical negligence claim).

The last two types of subpoenas are most frequently used in cases where the healthcare company is not a party to the criminal or civil action (for example, an injury compensation claim), but the patient's health records are needed to aid discovery and/or settle the action. In such instances, it is crucial to know that a subpoena for medical records must comply with HIPAA.

HIPAA and the Subpoena of Medical Records

§164.512 of the Privacy Rule sets out the HIPAA terms that apply to subpoenas for medical records. It covers the permissible uses and disclosures of medical records for which neither patient authorization nor an opportunity to agree or object is required; in particular, Section C concerns disclosures for judicial and administrative proceedings. This section states that healthcare companies can share PHI when responding to a subpoena so long as:

  • Only the PHI specifically required by the subpoena is shared, and de-identified data could not reasonably have been used instead.
  • The data requested is pertinent to a legitimate proceeding, and the request is specific and limited in scope.
  • The subject of the PHI has been notified of the subpoena, or good-faith efforts have been made to notify the person.
  • The subject of the PHI has not filed an objection, and the period for filing an objection has passed.
  • Any PHI shared in response to the subpoena is not used for any purpose other than the one for which it was requested.
  • The party seeking the disclosure has obtained or requested a protective order to prevent further disclosures.
  • Any PHI shared under the subpoena for health records will be returned or destroyed when the proceedings for which it was requested have ended.

It is crucial to note that the conditions of Section C do not supersede other provisions of the Privacy Rule. As a result, it is still necessary to obtain authorization before disclosing substance use disorder treatment records or psychotherapy notes. The Minimum Necessary Standard still applies, and Covered Entities must adhere to the terms of any state laws that preempt HIPAA because they provide stricter privacy protections.

Things to Know About HIPAA Medical Records Destruction Rules

Some of the largest HIPAA penalties have involved failures to comply with the rules on medical records destruction. Therefore, it is important for Covered Entities and Business Associates to know how to destroy medical records properly.

Every state has its own rules for retaining medical records, and, in certain instances, particular types of medical records must be kept longer than others. Federal regulations can likewise stipulate how long particular records must be kept (e.g., OSHA 1910.1200(g), https://www.osha.gov/laws-regs/standardinterpretations/1987-10-01), and when these records are kept in a designated record set, they are regarded as PHI and Covered Entities must safeguard them until the retention period expires.

Though HIPAA has document retention requirements, it sets no minimum retention period for medical records. Nevertheless, the Privacy Rule requires Covered Entities to apply appropriate technical, administrative, and physical safeguards to protect the privacy of health records for as long as the Covered Entity maintains them. This requirement also applies to the destruction of medical records.

The HIPAA Rules on Medical Records Destruction

Though there is no specific HIPAA medical records destruction rule, the Privacy Rule requires Covered Entities to identify reasonable steps to secure medical records during the destruction process and to create and enforce policies and procedures to implement those steps. In determining what is reasonable, the potential risks to patient privacy must be assessed, taking into consideration the form of the data and how it is destroyed.

Furthermore, the Security Rule requires Covered Entities and Business Associates to create and enforce policies and procedures for compliantly destroying electronic PHI and/or the media on which it is stored. Any employee involved in the destruction process, or who supervises the employees in charge of destroying medical records, should receive training on the policies and procedures for PHI destruction.

Failing to implement reasonable safeguards to protect PHI during its destruction can result in impermissible PHI disclosures. A number of Covered Entities have been fined for not complying with the HIPAA rules on medical records destruction.

  • CVS Pharmacy Inc. paid a $2.25 million settlement in 2009
  • The pharmacy chain Rite Aid paid a $1 million settlement in 2010
  • A medical billing practice paid a $140,000 settlement in 2013
  • The New England Dermatology and Laser Center paid a $300,640 settlement and implemented a two-year Corrective Action Plan

How to Destroy Health Records as Per HIPAA

HHS' Office for Civil Rights has previously provided guidance on destroying health records in accordance with HIPAA. The agency suggests shredding paper records or otherwise destroying PHI so that it is rendered essentially unreadable, indecipherable, and incapable of being reconstructed before it is placed in a dumpster.

When destroying PHI in bulk, the agency advises placing PHI in locked dumpsters that only authorized persons can access, or keeping PHI in a secure location until a disposal company collects it for professional destruction. In such instances, it is necessary to sign a Business Associate Agreement with the entity in charge of destroying the data.

When destroying stored ePHI, HHS' Office for Civil Rights recommends clearing or purging electronic media, or destroying it by disintegration, pulverization, incineration, melting, or shredding. It is essential to note that certain clearing and purging procedures are not 100% effective on modern hard drives, and it is possible to recover erased data in certain instances.

It is additionally essential to take note that a number of states have stricter medical records destruction regulations compared to HIPAA; and, in a few states, any company that creates, retains, or sends personal health information may be governed by medical records destruction regulations – not only HIPAA Covered Entities and Business Associates. When you are not sure which medical records destruction rules are applicable to your company, it is advisable to get expert compliance advice.

Feds Warn of the Danger of Maui Ransomware Attacks Executed by North Korean State-Sponsored Hackers

The Federal Bureau of Investigation (FBI), the Department of the Treasury, and Cybersecurity and Infrastructure Security Agency (CISA) published a joint security warning to the healthcare and public health field with regard to the danger of Maui ransomware attacks.

Since May 2021, North Korean state-sponsored cyber actors have been targeting organizations in the U.S. healthcare and public health sector, encrypting servers used for electronic medical record systems and for imaging, diagnostic, and intranet services. These attacks have encrypted data, disrupting the services offered to patients and, in some instances, causing disruption to services for extended periods.

According to the alert, initial access is obtained to healthcare networks and the ransomware is launched manually. The threat actors use a command-line interface to control the ransomware payload and initiate attacks. Healthcare providers are an attractive target for ransomware attacks because they depend heavily on information to deliver their services. Attacks can cause major disruption and loss of income, and can jeopardize patient safety. Consequently, healthcare organizations are seen as very likely to pay ransoms and to settle quickly. That is why CISA, the FBI, and the Treasury assess that the healthcare and public health sector will continue to be targeted.

The FBI obtained a sample of Maui ransomware and provided technical details based on its analysis. The methods used by the North Korean attackers to gain initial access to healthcare networks are not yet understood; however, information was shared on how attacks are carried out, along with indicators of compromise (IoCs) and a list of mitigations that healthcare and public health sector providers are urged to implement without delay.

The FBI, CISA, and the Treasury discourage payment of ransom demands. Payment never guarantees file recovery. Further ransom demands may follow after payment is made, and there is no assurance that files will be decrypted after the ransom is paid. The notification also draws attention to the risk of sanctions from the U.S. Treasury's Office of Foreign Assets Control (OFAC) when a payment is made.

The notification highlights a September 2021 advisory released by the Treasury that encourages all entities, including those in the healthcare and public health sector, to adopt and strengthen their cybersecurity practices. When the recommended OFAC measures are in place, OFAC is more likely to resolve sanctions violations related to ransomware attacks with a non-public enforcement action.

The FBI states it is aware that when a healthcare organization is faced with an inability to function, all options must be considered, including paying the ransom to protect shareholders, staff members, and patients. In the event of an attack, regardless of whether the ransom is paid, the FBI should be informed and provided with data about the attack, such as boundary logs showing communication to and from foreign IP addresses, the decryptor file, benign samples of encrypted files, and/or bitcoin wallet details.

A lengthy checklist of mitigations was provided to help healthcare and public health sector organizations improve their defenses against these and other cyberattacks. The mitigations, IoCs, and technical analysis of Maui ransomware can be found at this link.

OCR Publishes Guidance for Organizations and Patients After the Release of Supreme Court Decision on Roe v. Wade

President Biden and Secretary Xavier Becerra of the U.S. Department of Health and Human Services (HHS) recently directed HHS agencies to take action to safeguard access to sexual and reproductive healthcare, including abortion, pregnancy complications, and other related care. This follows the Supreme Court decision in Dobbs v. Jackson Women's Health Organization, in which the Court reversed Roe v. Wade and Planned Parenthood v. Casey and overturned women's right to a safe and legal abortion.

The HHS Office for Civil Rights (OCR) released new guidance for healthcare organizations and for patients seeking reproductive health care services to ensure that patient privacy is protected. The guidance clarifies the requirement of the federal Health Insurance Portability and Accountability Act (HIPAA) to keep individuals' private medical data confidential, including information about abortion and other sexual and reproductive health care. HIPAA classifies that data as protected health information (PHI), and healthcare organizations are not required to disclose PHI to third parties.

The guidance further points out that private medical data stored on personal cell phones and tablets is not covered by HIPAA, so individuals' privacy is not protected when they use period trackers and other health data applications. Such information could be misused by people seeking to deny them access to medical care.

HHS Secretary Xavier Becerra said that accessing health care should not make anyone a target for discrimination. HHS is committed to protecting patients and providers with regard to HIPAA privacy rights and reproductive health care data. Becerra urged anyone who believes their privacy rights have been violated to file a complaint with OCR. Safeguarding access to health care, including abortion care and other forms of sexual and reproductive health care, is an enforcement priority for OCR.

The guidance for healthcare providers explains that the HIPAA Privacy Rule allows HIPAA-covered entities, such as healthcare providers and business associates, to disclose an individual's PHI without that person's consent only for purposes expressly permitted or required, such as treatment, healthcare operations, and payment. Other disclosures, for example to law enforcement officials, are permitted only in limited situations, with the focus on protecting the person's privacy and supporting their access to health care, including abortion care. The guidance also points out the limits on PHI disclosures under the HIPAA Privacy Rule when disclosure is required by law, requested for law enforcement purposes, or made to avert a threat to health or safety.

Separate guidance was published for individuals on protecting the privacy and security of their health data when using their own cell phones or tablets. It is essential for people to know that most health applications, including period trackers, are not covered by the HIPAA Privacy or Security Rules. Therefore, any personal health information entered into, collected by, or transmitted by those applications, or stored on smartphones or tablets, is not protected, and there are no restrictions on sharing that data.

The guidance points out tips to consider whenever utilizing these health applications that will reduce the personal data obtained by the applications and restrict the chance of disclosures of personal data – such as geolocation information – without the person’s awareness. The guidance details how to switch off the location feature on Android and Apple devices, and provides suggestions about choosing apps, web browsers, and search engines that value privacy and security.

Read the information on individuals’ rights to reproductive healthcare on this page.

OCR Publishes Guidance on Audio-Only Telehealth After the COVID Public Health Emergency is Over

Begin planning now and be sure that your telehealth services are HIPAA compliant because as soon as the COVID-19 Public Health Emergency (PHE) ends, so do all telehealth HIPAA flexibilities. In relation to this, the Department of Health and Human Services’ Office for Civil Rights published new guidance regarding HIPAA and audio-only telehealth services.

The Ending of the Period of Enforcement Discretion

In March 2020, HHS' Office for Civil Rights released a Telehealth Advisory stating that it would exercise enforcement discretion. That means it would not impose sanctions and fines for HIPAA violations related to the good-faith provision of telehealth services. The action was intended to make it easier for healthcare organizations to provide telehealth services to individuals and help stop the spread of COVID-19.

OCR allowed healthcare organizations to use remote communication tools for telehealth, including applications and websites that would not normally be regarded as 'HIPAA-compliant', and did not require HIPAA-covered entities to sign a business associate agreement with the companies offering those remote communication tools. The notification of enforcement discretion stated that it would last for the duration of the PHE. The period of enforcement discretion ends when the Secretary of the HHS declares that the COVID-19 PHE is over, or when the declared PHE expires, whichever comes first. If entities continue to use those remote communication tools after that point, they could be in violation of the HIPAA Rules, which could result in financial penalties and other remedies to address the violations.

In the latest guidance on HIPAA and audio-only telehealth, entitled Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth, OCR clarifies the conditions under which audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA; however, HIPAA-regulated entities must implement reasonable safeguards to protect the privacy of protected health information (PHI), for example by making sure telehealth services are delivered in private settings and by using lowered voices to reduce the chance of incidental PHI disclosures. It is also necessary to verify the identity of the patient, either verbally or in writing.

The Application of the HIPAA Security Rule on Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over regular phone lines (landlines), the HIPAA Security Rule does not apply because the data transmitted is not electronic. The HIPAA Security Rule applies when electronic communication systems are used, such as Voice over Internet Protocol (VoIP) and mobile systems that use electronic media, i.e., the Internet, extranets, intranets, Wi-Fi, and cellular networks.

If these technologies are used, the HIPAA Security Rule requires the implementation of safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Risks and vulnerabilities should be identified, assessed, and addressed as part of a covered entity's risk analysis and risk management processes. OCR states that because of the pace at which communication technologies evolve, a robust inventory and asset management process is recommended to identify such technologies and the IT systems that use them. This will help ensure an accurate and comprehensive risk analysis.

The Requirement for Business Associate Agreements

Any vendor that has access to ePHI, or views ePHI, must sign a business associate agreement (BAA) with the HIPAA-covered entity. Companies that provide telehealth platforms may therefore be required to sign BAAs. A BAA is only necessary, however, if the telecommunication service provider (TSP) is acting as a business associate.

If the TSP has merely transient access to the PHI being transmitted, the HIPAA conduit exception can be applied. If the TSP is not generating, receiving, or retaining PHI for the covered entity, and the TSP doesn’t get regular access to the PHI being transmitted in the call, there is no business associate relationship. For that reason, a BAA is not required.

A BAA is mandatory if a TSP is more than a mere conduit, that is, if it does more than simply provide data transmission services. If it is creating, receiving, or maintaining ePHI, a BAA must be in place before the service is used. That applies to remote communication systems, mobile applications, and Internet and cloud solutions.

Audio-only telehealth plays an important part in reaching patients in rural communities, people with disabilities, and others who want the convenience of remote services. This guidance clarifies how the HIPAA Rules enable health care organizations and health plans to provide audio-only telehealth while protecting the privacy and security of individuals' health information.

Reasons Why HIPAA Compliance is Crucial for Healthcare Professionals

Many resources describing why HIPAA compliance is vital for healthcare professionals focus on the purpose of the HIPAA rules rather than on the benefits of compliance for healthcare professionals. The same resources also tend to highlight how noncompliance affects patients and organizations, rather than the effect it can have on the lives of healthcare professionals.

This post discusses why HIPAA compliance is essential for healthcare professionals from a healthcare professional's point of view. It explains why healthcare professionals cannot avoid HIPAA and how, through HIPAA compliance, they can promote patient confidence, keep patients safer, and bring about better patient outcomes. This in turn boosts morale, produces a more rewarding work experience, and allows healthcare professionals to get more from their occupation.

On the other hand, failure to comply with HIPAA can have considerable professional and personal consequences. However, failure to comply with HIPAA is not always the fault of the healthcare professional. At times it can be due to inadequate training or a cultural norm. This post examines why Covered Entities may not always be able to provide adequate training or monitor HIPAA compliance, why they might not take responsibility when a preventable HIPAA breach happens, and how to avoid HIPAA violations caused by insufficient knowledge.

Why It's Impossible for Healthcare Professionals to Avoid HIPAA

One of the goals of HIPAA is to provide privacy protections for individually identifiable health information held by Covered Entities. To achieve this, the Privacy and Security Rules impose requirements that Covered Entities must follow to protect the privacy of "Protected Health Information" (PHI). Failure to comply with the HIPAA requirements can lead to sizeable financial penalties, even if no data breach occurs and no PHI is exposed.

Most healthcare organizations are Covered Entities and therefore must implement policies and procedures to comply with the Privacy and Security Rule requirements. As employees of Covered Entities, healthcare professionals must follow their employer's policies and procedures. Because of this, healthcare professionals cannot avoid HIPAA. Nevertheless, this is not the only reason why HIPAA compliance is vital for healthcare professionals.

The Advantages of HIPAA Compliance for Healthcare Professionals

Trust is the most essential component of the relationship between a patient and a healthcare professional. Patients entrust healthcare professionals with their personal information because they believe healthcare professionals have their best interests at heart in achieving the best health outcomes. Nevertheless, trust can be a fragile commodity. If their sensitive information is compromised as a result of a HIPAA violation, patients might withhold information important to the delivery of care, regardless of the possible long-term consequences for their health.

Healthcare professionals can offset the risk of breaking that trust by following the policies and procedures put in place by their organization to prevent HIPAA violations. When patients are assured that their privacy is respected, this encourages the trust that leads to better treatment and the best health outcomes. Better patient outcomes boost the morale of healthcare professionals and create a more rewarding work experience.

The Personal and Professional Effects of Noncompliance

One of the policies a Covered Entity must implement is a sanctions policy for employees who fail to comply with HIPAA policies and procedures. Covered Entities must enforce the sanctions policy and act on HIPAA violations by healthcare professionals, since failing to apply the sanctions policy is itself a HIPAA violation. In addition, when the Covered Entity does not act, noncompliance can become a cultural norm.

Being sanctioned for a HIPAA violation can have personal and professional consequences for healthcare professionals. Sanctions can range from a verbal warning to loss of professional certification, which makes it hard for a healthcare professional to find other work; and, if a criminal conviction results from the violation, it will probably be reported in the press, with consequences for the personal reputation of the healthcare professional.

Who is Liable for HIPAA Violations?

As pointed out earlier, failure to comply with HIPAA is not always the healthcare professional's fault. Though Covered Entities must provide training on the policies and procedures relevant to the roles of healthcare professionals, they may not have the resources to provide training on every conceivable scenario a healthcare professional may encounter, or to monitor compliance around the clock to prevent the development of cultural norms.

As a result, accidental HIPAA violations can happen because of insufficient knowledge. Nevertheless, Covered Entities are not always willing to take responsibility for accidental violations caused by insufficient knowledge, since doing so implies they did not conduct a comprehensive risk assessment, overlooked a risk to PHI privacy, and did not provide necessary and appropriate training or, if a cultural norm developed, did not monitor compliance with policies and procedures.

How You Can Prevent Unintentional HIPAA Violations

To prevent unintentional HIPAA violations and the personal and professional consequences of noncompliance, healthcare professionals must make sure that their understanding of HIPAA covers all areas of their role and the situations they may encounter. To achieve this level of knowledge, it is necessary to take third-party HIPAA training courses that provide a thorough understanding of HIPAA and its regulations.

Taking responsibility for understanding HIPAA and using that knowledge to work in a HIPAA-compliant manner keeps healthcare professionals' careers safe, improves their career prospects, and allows them to get more from their careers. Given the choice, most healthcare professionals would rather work in a compliant setting that delivers better patient outcomes, where morale is high and healthcare professionals enjoy a more rewarding work experience.

Changes to Indiana Data Breach Notification Law Shorten the Time Allowed for Issuing Notifications

Revisions to Indiana's data breach notification law under HB 1351 take effect on July 1, 2022. The amended law requires breach notifications to be issued within 45 days of discovering an exposure of the personally identifiable information (PII) of Indiana residents.

Currently, the data breach notification requirements call for breach notifications to be issued without unreasonable delay. The change was made to ensure that individuals whose PII has been compromised receive prompt notification. When PII is exposed, individual notices must still be sent without unreasonable delay.

A reasonable delay is any time one of these circumstances applies:

1) It is needed to hold off notification to recover the functionality of computer systems

2) It is required to postpone notification to find out the extent of the breach

3) If the state attorney general or law enforcement requests to hold off notifications to make certain civil or criminal investigations aren’t impeded, or if notifications can possibly put national security at risk.

In these cases, notifications should be issued as soon as the functionality of the computer systems has been restored, once the scope of the breach is known, or when law enforcement or the state attorney general informs the breached entity that it is no longer necessary to delay notification because criminal/civil investigations will not be impeded or there is no longer a risk to national security.

The new legislation applies to breaches of the security of a system storing unencrypted PII, when PII is known to have been stolen or may have been stolen, and when encrypted PII is compromised or stolen and an unauthorized person may have gained access to the encryption key that would allow the data to be decrypted.

Personal information includes a Social Security number, or a person's first initial and last name (or first and last names) together with one or more of the following data elements: state identification card number; driver's license number; credit card number; or a financial account number or debit card number in combination with a password, security code, or access code.

Consumer reporting agencies must be notified when the breach affects more than 1,000 Indiana residents. Breach reports must also be sent to the state attorney general. Failure to comply with the data breach notification requirements can lead to civil monetary penalties of up to $150,000 issued by the state attorney general, plus reasonable attorney general costs for investigating and maintaining the action.

Entities not affected by the new legislation include those that maintain their own data security procedures as part of an information privacy policy, security policy, or compliance plan under:

  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Gramm-Leach-Bliley Act
  • Executive Order 13224
  • The USA Patriot Act
  • The Fair Credit Reporting Act
  • The Driver Privacy Protection Act

Connecticut Approves Comprehensive Data Privacy Law

Connecticut, like Colorado, California, Utah, and Virginia, has passed comprehensive new data privacy legislation that establishes obligations for companies that collect and process the personal information of state residents and gives individuals new rights. The Connecticut Data Privacy Act (Senate Bill 6) was passed in the Senate 35-0 and in the House of Representatives 144-5 and is now with Governor Ned Lamont for signature. The new privacy law will take effect on July 1, 2023.

The new law creates a framework for managing and processing the personal data of state residents, sets privacy protection requirements for data controllers and data processors, and gives state residents rights regarding the collection and use of their personal information. Consumers will have the right to access the personal data a business holds about them, obtain a copy of that data, and correct any errors. Consumers will also have the right to be forgotten and to have their personal information deleted. Consumers may additionally opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.

The new law resembles the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (CDPA), with its scope falling somewhere between the two. The legislation will apply to organizations that hold the data of more than 100,000 consumers, or that derive 25% or more of their annual revenue from the sale of the data of more than 25,000 consumers. Its protections are stronger than those of Utah and Virginia but fall short of Colorado's privacy law.

The new legislation ends the right to cure on December 31, 2024. So from July 1, 2023 to December 31, 2024, organizations found to be in violation of the Connecticut Data Privacy Act will have the opportunity to take corrective action to address the areas of non-compliance and avoid a financial penalty or other sanctions. The elimination of the right to cure should encourage companies to comply with the new law.

Selected entities will be exempted from complying with the Connecticut Data Privacy Act: state and local governments, nonprofits, national securities organizations registered under the Securities Exchange Act of 1934, financial companies governed by the Gramm-Leach-Bliley Act, as well as covered entities and business associates subject to the Health Insurance Portability and Accountability Act. There are additionally exceptions for specific data types, for example, data governed by FERPA, HIPAA, Fair Credit Reporting Act, the Airline Deregulation Act, Farm Credit Act, and the Driver’s Privacy Protection Act.

Compliance with the Connecticut Data Privacy Act will be enforced by the Connecticut Attorney General. A standing working committee will be created to evaluate emerging issues that the legislation may need to be amended to address.

Knowing About HIPAA Exceptions

The purpose of HIPAA is not just to protect patient privacy. The Act is also designed to improve healthcare operations and enhance efficiency in the healthcare sector. Not knowing the HIPAA exceptions can result in covered entities applying the regulations more strictly than required, potentially stifling healthcare operations and hurting efficiency.

This article will highlight some of the most common exceptions. Covered Entities are encouraged to get expert compliance guidance to determine others that may be appropriate to their particular situations.

HIPAA General Rule Exceptions

The first HIPAA exceptions appear in the General Rule (45 CFR § 160.102). Under the General Rule, when HIPAA conflicts with state law, HIPAA takes precedence. However, the General Rule lists several exceptions under which state law preempts HIPAA, including where the state law:

  • Has stricter privacy provisions than HIPAA
  • Provides for the reporting of data to public health agencies
  • Requires a health plan to report data for audit purposes, etc.

The first exception has caused more difficulties for HIPAA Covered Entities than the others, because almost every state has a law on the privacy of patient data with stricter privacy provisions than HIPAA. However, many state laws apply only to one category of private data (e.g., HIV-related data), only in particular circumstances (e.g., emergency care), or only to particular entities (e.g., pharmacists).

The second and third General Rule exceptions can also be troublesome for Covered Entities because, even where state law permits certain disclosures of PHI to state and federal agencies, the information provided to those agencies may be obtainable through Freedom of Information requests. If a Freedom of Information request reveals that a Covered Entity disclosed more PHI than the minimum necessary, the Covered Entity would be in violation of HIPAA.

Other uses of the word “exception” in HIPAA refer to exclusions from the transaction requirements and/or medical code sets. It is also worth remembering that exceptions exist to a patient's right to revoke consent for the disclosure of PHI and to who must be given a Notice of Privacy Practices (e.g., inmates of correctional institutions). Covered Entities with public-facing operations should be familiar with these HIPAA exceptions.

Other State and Government HIPAA Exceptions

The interaction between HIPAA and other federal and state legislation can complicate HIPAA compliance because of the many HIPAA exceptions. One example of such a complicated relationship is that between HIPAA, the Texas Medical Records Privacy Act (as amended by HB300), and the Family Educational Rights and Privacy Act (FERPA).

In general, public schools, universities, and other educational institutions that provide medical services to students and to employees (as an employment benefit) are not regarded as Covered Entities under HIPAA. This is because medical treatment provided to students is classified as education records covered by FERPA, while medical services provided to staff are classified as non-portable benefits.

Complications arise when an educational institution provides medical services to the public (for example, a medical teaching college). In that case the institution becomes a hybrid entity and must have safeguards in place to segregate FERPA-covered treatment records from HIPAA-covered PHI, and must implement two sets of policies for employees.

If the educational institution is subject to the Texas Medical Records Privacy Act, all medical treatment records relating to students, employees, and the public are governed by HIPAA-like privacy requirements. This is further complicated by the Texas Medical Records Privacy Act covering all citizens of Texas regardless of where they are located. As a result, a medical teaching college or university in New York may have to comply with three different regulations if it admits adult Texas students.

Operational and Occupational Exceptions

There are operational and occupational exceptions to HIPAA that can apply in several different circumstances. For instance:

Ambulance services that bill electronically are covered by HIPAA; however, in counties with no electronic billing, HIPAA does not apply to ambulance services.

Certain uses and disclosures of PHI permitted by the Privacy Rule are not permitted under the Federal Substance Abuse Confidentiality Requirements (42 CFR Part 2).

Exceptions to the privacy requirements for psychotherapy notes apply where state law imposes a duty to report (e.g., abuse) or a duty to warn (e.g., of imminent harm).

Exceptions to a patient's right to an accounting of disclosures apply when a Covered Entity is instructed not to disclose the information by a health oversight agency or a law enforcement official.

HIPAA exceptions also exist in the military. Military treatment facilities are HIPAA Covered Entities; however, under the Military Command Exception, healthcare professionals may disclose PHI to command authorities without the patient's authorization in order to report on the patient's fitness for duty, fitness to perform a particular assignment, or fitness to perform another activity required for a military mission.

HSCC Launches Model Contract Template for Healthcare Delivery Organizations and Medical Device Manufacturers

The Healthcare and Public Health Sector Coordinating Council (HSCC) has released a new Model Contract Language template. Healthcare delivery organizations (HDOs) should use the template when procuring new devices from medical device manufacturers (MDMs) to ensure that each party understands its responsibilities for cybersecurity and device management.

Medical device cybersecurity responsibility and accountability between HDOs and MDMs is complicated by several competing factors: uneven MDM capabilities and investment in the cybersecurity controls built into device design and development; differing cybersecurity objectives among HDOs; and high cybersecurity management costs in the HDO operational environment across the device lifecycle. These factors have created and sustained ambiguity in cybersecurity accountability between HDOs and MDMs, which has historically been resolved, at best, inconsistently during purchase contract negotiations, resulting in downstream disputes and potential patient safety risks.

The Model Contract Language is intended as a reference for shared cooperation and coordination between MDMs and HDOs on the security, compliance, management, operation, and servicing of MDM-monitored medical devices, solutions, and associations. The goal is to help HDOs reduce the cost, complexity, and time spent in contracting, reduce privacy and security risks, and protect the confidentiality, integrity, and availability of HDO healthcare systems.

The contract framework rests on three fundamental cybersecurity pillars: maturity, performance, and product design maturity. These three pillars are further broken down into 14 key principles.

Key Principles of the HSCC Model Contract Language for Medtech Cybersecurity

The contract language states that MDMs must make their products secure by default, enable all security functions, minimize the attack surface as far as possible, and ensure their products are free of malware and of unwanted code and services. Every product must have the following baseline security controls:

  • Network controls
  • Anti-malware
  • Data encryption
  • Physical security
  • Intrusion detection
  • Access management
  • Security patching
  • Security against malicious code
  • Audit & logging
  • Privilege escalation controls
  • Remote access controls
  • Document reference architecture

HDOs, MDMs, and group purchasing organizations should review the Model Contract Language template and adapt it as needed for their organization. The more standardization and predictability the industry can achieve in cross-enterprise cybersecurity management requirements, the greater the gains will be in patient safety and in a safer, more resilient healthcare system.

Due Date for Reporting 2021 PHI Breaches Impacting Fewer Than 500 People

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule strictly limits the time allowed for sending notification letters to individuals whose protected health information (PHI) has been exposed or impermissibly disclosed. The breached entity has up to 60 days from the discovery of the breach to notify affected individuals; however, notification letters must be sent “without unreasonable delay.”

In addition to sending breach notification letters to the individuals affected, the HIPAA Breach Notification Rule requires the Secretary of the Department of Health and Human Services (HHS) to be notified of the breach. The deadline for that notification depends on the number of individuals affected.

If a data breach affects 500 or more individuals, the Secretary of the HHS must also be notified without unreasonable delay and no later than 60 calendar days after discovery of the breach. If all the facts about the breach are not known within 60 days, the breach report must still be submitted to the HHS; it can be amended later when additional information becomes available.

If a data breach affects fewer than 500 individuals, HIPAA-regulated entities may report the breach to the HHS later. However, the deadline for individual notifications remains 60 days from discovery of the breach, regardless of how many individuals are affected.

The deadline for reporting breaches involving the PHI of fewer than 500 individuals to the HHS is 60 days from the end of the calendar year in which the breach was discovered. All PHI breaches discovered in 2021 that affected the PHI of fewer than 500 individuals must therefore be reported to the Secretary of the HHS no later than 11:59:59 p.m. on March 1, 2022. Each breach must be reported to the HHS separately through the breach reporting tool on the HHS portal.

Many HIPAA-regulated entities do not report their breaches until the deadline is close, so the breach reporting website is likely to see heavy traffic as the deadline approaches, which could cause accessibility problems. It is therefore advisable to report breaches well ahead of the deadline.

Note that several states have passed laws covering data breach reporting, and their deadlines for submitting breach reports may be shorter than those of the HIPAA Breach Notification Rule. In many cases, HIPAA-regulated entities are exempt from state breach notification laws provided they comply with the HIPAA reporting requirements. If they do not comply with the Breach Notification Rule, an investigation by the state attorney general may result in civil monetary penalties for violations of HIPAA or state law.

Healthcare Supply Chain Association Provides Guidance about Medical Device and Service Cybersecurity

The Healthcare Supply Chain Association (HSCA) has published guidance for healthcare delivery organizations, medical device manufacturers, and service providers on procuring medical devices that are more resistant to cyberattacks.

The use of medical devices in the industry has grown at a remarkable rate, and they are now relied upon to provide essential clinical functions that cannot be compromised without degrading patient care. Medical devices are, however, often vulnerable to cyber threats: they could be attacked to cause harm to patients, taken out of service to force healthcare organizations into meeting attackers' extortion demands, or accessed remotely to obtain sensitive patient information. Medical devices are often connected to the Internet and can be attacked easily, so it is important to take proactive steps to improve their security.

The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchasing healthcare products and services, and therefore has a unique line of sight across the entire healthcare supply chain. The HSCA guidance is intended for the whole supply chain and describes some of the key considerations for medical device manufacturers, HDOs, and service providers to improve cybersecurity and address weaknesses before they are exploited by cyber attackers.

Two of the most important steps are to join an Information Sharing and Analysis Organization (ISAO), such as the Health Information Sharing and Analysis Center (H-ISAC), and to adopt an IT security risk assessment methodology, such as the NIST Cybersecurity Framework (CSF).

An ISAO is a community that actively collaborates to identify and share actionable intelligence on the latest cybersecurity threats, enabling members to take proactive steps to reduce risk. The NIST CSF and other cybersecurity frameworks help organizations establish and strengthen their cybersecurity program, prioritize activities, understand their current security posture, and identify the security gaps that must be addressed.

The HSCA also recommends appointing an information technology and/or network security officer who takes overall responsibility for the security of the organization, can communicate risks to decision-makers, and oversees the organization's security work.

Cybersecurity training for employees is essential. All staff should be aware of the risks they may encounter and must be taught the best practices to follow to minimize risk. Training should be provided annually, and phishing simulations conducted regularly to reinforce it. Any employee who fails a simulation should receive additional training.

Good patch management practices are critical for addressing known vulnerabilities before they are exploited; anti-virus software must be deployed on all endpoints and kept up to date, firewalls should be implemented at the network perimeter and internally, least-privilege access to system resources must be enforced, and networks must be segmented to prevent lateral movement in the event of a breach. Password policies aligned with the latest NIST guidance should also be put in place.

To prevent the interception of sensitive data, all data in transit should be encrypted; backup and data restoration processes must be implemented and tested regularly to ensure recovery is possible after a cyberattack; and the expected lifespan of all devices and software solutions, including all supporting components, must be specified in all purchase contracts. Plans should be in place to upgrade equipment and software before they reach end-of-life.

In addition to these standard cybersecurity best practices, the HSCA guidance – Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations – sets out specific considerations for HDOs, device manufacturers, and service providers, and can be downloaded from the HSCA website.

FAQs on HIPAA Training for Employees

The requirements for HIPAA training for employees are deliberately flexible because of the varied functions Covered Entities perform, the varied roles of employees, and the varying levels of access to Protected Health Information (PHI) each employee has.

This flexibility can create confusion about which employees need training, what training must be provided, how it should be delivered, and when it must be received.

Which Employees Need to Have HIPAA Training?

Under the HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308), all employees must receive training. That includes agency staff, consultants, and contractors, whether or not they have any contact with PHI.

While the HIPAA Security Rule applies to both Covered Entities and Business Associates, the HIPAA Privacy Rule applies only to Covered Entities. Business Associates therefore only have to implement a security awareness and training program as required by the Security Rule and ensure that all employees receive HIPAA training regardless of their role or duties.

What HIPAA Training Must be Given to Employees?

Under the HIPAA Privacy Rule, each Covered Entity must develop policies and procedures and train all employees on those policies and procedures, as necessary and appropriate for the employees to carry out their functions within the Covered Entity.

This means the content of HIPAA training depends on the policies and procedures the Covered Entity has developed, and on which of those policies and procedures are relevant to each employee's duties so that they can perform their work in compliance with HIPAA.

How Should HIPAA Compliance Training be Provided for Employees?

There are several options for providing HIPAA compliance training to the workforce. Traditionally, HIPAA compliance training was delivered in a classroom by an instructor, usually the HIPAA Privacy Officer or HIPAA Security Officer. However, classroom-based training can be ineffective because there is a great deal of HIPAA to cover.

For instance, a classroom-based training program for patient-facing staff must cover aspects of HIPAA such as the content of Privacy Notices, the Minimum Necessary Standard, patients' rights under HIPAA, compliant use of systems such as EHRs, and the Breach Notification Rule. That is a lot to cover in one training session, and a lot for employees to remember.

HIPAA Training Video for Employees

A HIPAA training video can be used to educate staff instead of classroom-based training. Videos allow trainers to break down and explain HIPAA visually, which can lead to greater engagement and better retention. Used as an alternative to classroom-based teaching, videos also avoid the problem of gathering trainees in one place at the same time.

A problem with HIPAA training videos is that the cost can make it impractical to produce a separate video suited to each employee's role. Consequently, although a HIPAA training video can be somewhat useful – for instance, for explaining PHI – it usually does not fully address the HIPAA training requirements.

Online HIPAA Training for Employees

Providing employees with online HIPAA training made up of mix-and-match modules is a better approach because it allows Covered Entities and Business Associates to meet the HIPAA training requirements. Modules can be grouped to suit each employee's role – or the functions of each group of employees – and each employee can complete the training at their own pace.

With online training, it is easier for a Covered Entity or Business Associate to provide initial training, and also easier to provide refresher training, or the training HIPAA requires whenever a change in policies or procedures affects employees' functions, since individual modules are easier to revise than complete training programs.

When Should Employees Get HIPAA Training?

Covered Entities must provide training on HIPAA policies and procedures within a reasonable time after an individual joins the Covered Entity's workforce, and whenever functions are affected by a change in policies or procedures. There is no set time frame for when a security awareness training program must be provided.

In addition, Covered Entities and Business Associates should include HIPAA training for the workforce in their risk analyses. This will help identify when employees need further training to prevent unauthorized uses or disclosures of PHI that have arisen through poor practices. When a need for training is identified, it should be provided within a reasonable time.

NSA/CISA Publish Guidance on Choosing Secure VPN Solutions and Toughening Security

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released new guidance on selecting and hardening Virtual Private Network (VPN) solutions.

VPN solutions allow remote workers to connect securely to corporate networks. Traffic is sent through an encrypted virtual tunnel to prevent the theft of sensitive information and to block external attacks. VPNs are attractive targets for hackers, and several Advanced Persistent Threat (APT) groups have already targeted vulnerabilities in VPN solutions. APT actors have been observed exploiting VPN vulnerabilities to gain access to corporate networks, harvest credentials, remotely execute code on VPN devices, hijack encrypted traffic sessions, and obtain sensitive information stored on the devices.

Several common vulnerabilities and exposures (CVEs) have been exploited to gain access to unsecured devices, including Fortinet FortiOS SSL VPN (CVE-2018-13379), Pulse Connect Secure SSL VPN (CVE-2019-11510), and Palo Alto Networks PAN-OS (CVE-2020-2050). In some cases, threat actors have exploited VPN vulnerabilities within 24 hours of patches being released.

Earlier this year, the NSA and CISA issued an alert that APT groups linked to the Russian Foreign Intelligence Service (SVR) had successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN solutions to gain access to the networks of U.S. companies and government agencies. Chinese nation-state threat actors are believed to have exploited a Pulse Connect Secure vulnerability to gain access to systems of the U.S. Defense Industrial Base Sector. Ransomware groups are also targeting VPN vulnerabilities to gain initial access to networks for extortion-based ransomware attacks.

The guidance document is intended to help organizations select secure VPN solutions from reputable vendors that follow industry security standards and have a proven track record of promptly remediating known vulnerabilities. It advises using only VPN products that have been tested, validated, and listed on the National Information Assurance Partnership (NIAP) Product Compliant List. It recommends against using Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, because they use non-standard features to tunnel traffic over TLS, which creates additional exposure to risk.

The guidance also provides recommendations for hardening VPNs and reducing the attack surface, such as configuring strong cryptography and authentication, enabling only the features that are strictly necessary, protecting and monitoring access to and from the VPN, using multi-factor authentication, and applying patches and updates promptly.