Media Creates Dangerous HIPAA Violations

Social Media
Social Media on iPhone

The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. 

Death of Celebrities and HIPAA

With the recent deaths of several celebrity musicians, media outlets have an ever-growing source of news and information; some of which is dug up in less than lawful ways. Unfortunately this media creates HIPAA breaches.

HIPAA Cases In Point

The UCLA Medical Center recently had to pay $865,500 in fines for the negligence of patient (mostly celebrity) health information. These breaches constitute a serious risk for hospitals and health centers because the information leaks are often times easily traceable. The demand for media to obtain this information, even through breaches, is high considering the public craves information on the lives of their favorite celebrities but the repercussions can be great.

Employees can be surprisingly negligent with celebrities’ sensitive information. Workers have caused breaches at major hospitals. Cedars-Sinai Hospital in Los Angeles fired five employees and a student assistant in 2013. The hospital traced a breach of Kim Kardashian’s pregnancy information back to them.

Prince’s Medical Information Leak

This issue becomes relevant today considering the recent passing of Prince in April. His health was relatively fine before, and his death came as a shock to many. His death was a great mystery too many. TMZ reported Prince’s medical condition before any official public health announcements. Once again media creates HIPAA breaches.

HIPAA does not apply to TMZ. An employee of the hospital leaked the information. Consequently, the hospital is responsible for a breach of private information.

Just recently it was released that Prince died of a drug overdose but sensitive information can easily be leaked and create legal issues for health providers, especially when it makes its rounds in the news.

HIPAA Breaches Result From Media Coverage

While the demand for information and gossip on celebrities is high and can cloud better judgment, celebrities have the same rights as the rest of us under HIPAA. It is important to restrict media access to a hospital or health center and to inform employees of the legal ramifications of a HIPAA breach. Training employees is crucial and HIPAA Associates can make it easier for you through our expertise on HIPAA compliance and training.

Keep your team informed on standards of HIPAA — Contact HIPAA Associates today for your HIPAA training.

New HIPAA Penalties from HHS

New HIPAA Penalties
Judge handing out New HIPAA Penalties

 

Direction from HHS on Penalties

 New HIPAA Penalties are now available from the Department of Health and Human Services after it published a notice on April 30th.    HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Currently HHS applied the same cumulative annual limit to the four categories of violations.

Pending further rule making HHS will now apply different cumulative annual CMP limits.  This will be instead of the maximum $1.5 million for each level of violation. This is a reduction in the maximum limit, scaling down based on the level of culpability. Consequently HHS will use the new penalty structure until further notice.  It is important to understand the new HIPAA Penalties from HHS.

Read about Data Breaches.

The Four Categories

Based on four categories of culpability HHS has provided covered entities and business associates with a whole new structure for penalties.  In mostcases the amount of penalty will be significantly less than what we have experienced in the past.

For a category of no knowledge the minimum penalty is now $100, and the annual limit will be $25,000 down from $1.5 million.

For a reasonable cause $1,000 is the minimum and $100,000 for an annual limit down from $1.5 million.

Next, willful neglect with a correction it would be $10,000 as a minimum and $250,000 for annual limit.

Finally the highest is for Willful neglect with no correction with $50,000 as a minimum with an annual limit of $1,500,000.

This new guidance changes significantly the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.

To read this important notice on new HIPAA Penalties from HHS, visit the Federal Register using the link below.

Filing a HIPAA Privacy Complaint

Filing a  Privacy Complaint
How to File a Privacy Complaint.

Procedures for Making a Complaint

A covered entity must have a procedure for filing a HIPAA privacy complaint by individuals regarding its privacy practices or for an alleged violation of the Privacy Rule.  Most importantly the Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights.  In addition,  an organization must file complaints within 180 days of when you knew the violation occurred.

Privacy Officer

The privacy officer or designee investigates all complaints involving privacy of protected health information.   The organization should maintain records on the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI.  In a filing to the OCR, there should be information about the complainant.  There should be details of the complaint and any additional information that might help OCR when reviewing the complaint.

On behalf of the covered entity, the Privacy Officer will respond to inquiries initiated by the Office for Civll Rights as it investigates complaints.

No Retaliation for Filing a Privacy Complaint

Above all an organization must not retaliate for filing a HIPAA privacy complaint under the HIPAA rules. Most importantly, an organization must encourage employees to file a complaint if they feel a violation took place. Finally, an organization must resolve and prevent them from happening again which helps protect the organization.  On the other hand, an employee may complain directly to the OCR if retaliatory action occurred.

In conclusion there must be a good process for filing a privacy complaint and there should be not retaliation for doing so.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic.

For more information.

Breaches of Protected Health Information

Breaches of Protected Health Information
Breaches of PHI

Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. Firstly, the nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification
  2. Secondly, the unauthorized person to whom the disclosure was made.
  3. Third, whether the PHI was acquired or viewed.
  4. Finally, the extent to which the risk to the patient was mitigated.

Breaches Are A Serious Matter

Many breaches of Protected Health Information are a serious matter.  A breach is an impermissible use or disclosure of protected health information or PHI.  Consequently, it compromises privacy or security of PHI.  It is presumed to be a breach unless certain criteria are met.  The covered entity or business associate must demonstrate there is a low probability that the phi has been compromised based on a risk assessment.

Paper Breaches

There are many forms of Breaches of Protected Health Information.  Some examples of breaches of paper phi are loss of paper files, unsecure disposal, and paperwork given to the wrong person.  As a result, all entities that handle paper PHI must be aware of how important it is when sharing  or disposing of this information.  It is not uncommon for patients to receive the discharge summary of other patients or to see old medical records simply thrown away in the trash.

Electronic Beaches

Examples of electronic PHI breaches include loss of an unencrypted mobile device, lap top computers and sharing PHI on an unsecured document sharing internet site.  Most importantly, all organizations must create a process by which electronic PHI is protected on the cloud such that only the authorized person would have access.

Consequently all of these have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur if PHI is disclosed to the wrong individual or if its overheard when safeguards are not used.  This is common in waiting rooms, hospital hallways, clinics and pharmacies.  Every organization must make an effort to consider how verbal PHI can be protected.

It is important for all covered entities and business associates to review their policies.  As A result they will be able to better protect PHI whether it is paper, electronic or spoken.

Covered entities and business associates, in some situations, have permission to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

Three exceptions to definition of breach

  • “Applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.” 
  • “Applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both situations, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. 
  • “Applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

Unsecured Protected Health Information

Covered entities and business associates must only provide the required notifications, if the breach involved unsecured protected health information. If the information has been secured using available technology, it may not be necessary to report.  Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons using a technology or methodology specified by the Secretary in guidance. 

It is of great importance that all protected health information be protected by appropriate technological tools such as encryption or by complete destruction of the PHI such that it cannot be used by unauthorized individuals. These technologies and methodologies will render PHI unusable, unreadable, or indecipherable to unauthorized individuals.  An organization is given the opportunity to choose the appropriate technology that works best for their needs.

Encryption of PHI

Electronic PHI can be encrypted by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.  To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. 

Destruction of PHI

The media on which the PHI is stored or recorded may be destroyed in one of the following ways:

  • Paper, film, or other hard copy media may be shredded or destroyed in a way that the PHI is not readable or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction due to the ability of reversing the process.
  • Electronic media may be cleared, purged, or destroyed consistent with NIST Special Publication 800-88 such that the PHI cannot be retrieved.  This will ensure complete obliteration of the data.

Breach Notification Requirements

In the case of a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.  The notification process is important to stay in compliance with the HIPAA Privacy Rule.  There are several key features to remember dependent on the number of records involved in the breach.

Notification of Individuals

Covered entities must notify all affected individuals as soon as a breach of unsecured protected health information is discovered or recognized. Covered entities must provide individuals notice in written form by first-class mail or by e-mail if the affected individual has agreed to receive such notices in a prior interaction. 

Public Notice

If the covered entity is unable to reach 10 or more individuals due to  insufficient or out-of-date contact information, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. 

If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.  

Notification Process

These individual notifications must be provided as soon as feasible and no later than 60 days following the disclosure of a breach.  The notification must include a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).

In the case of a breach involving a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate.  Covered entities and business associates should consider which entity is in the best position to provide notice to the individual.  This may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.  

Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.  Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.  Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.

500 or more individuals

If a breach affects 500 or more individuals, covered entities must notify the Secretary as soon as possible and in no case later than 60 days following a breach.

Fewer than 500

If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.

Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

Please contact us, for more information about breaches or about HIPAA. 

Notification by a Business Associate

If a breach of unsecured protected health information occurs due to a business associate, the business associate must notify the covered entity following the discovery of the breach.  A business associate must provide notice to the covered entity without delay and no later than 60 days from the discovery of the breach. 

As completely as possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals. 

Administrative Requirements and Burden of Proof

Covered entities and business associates must be able to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. In the case of an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made.   

Documentation must be made to demonstrate that notification was not required by the following: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of “breach.”

Covered entities are also required to comply with certain administrative requirements with respect to breach notification.  For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

Please contact us, for more information about breaches or about HIPAA.

Direction from HHS on Penalties

 New HIPAA Penalties are now available from the Department of Health and Human Services after it published a notice on April 30th.    HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. As of this time HHS applied the same cumulative annual limit to the four categories of violations.

Pending further rule making HHS will now apply different cumulative annual CMP limits.  This will be instead of the maximum $1.5 million for each level of violation. This is a reduction in the maximum limit, scaling down based on the level of culpability. Consequently HHS will use the new penalty structure until further notice.  It is important to understand the new HIPAA Penalties from HHS.

The Four Categories

Based on four categories of culpability HHS has provided covered entities and business associates with a whole new structure for penalties.  In most cases the amount of penalty will be significantly less than what we have experienced in the past.

For a category of no knowledge the minimum penalty is now $100, and the annual limit will be $25,000 down from $1.5 million.

For a reasonable cause $1,000 is the minimum and $100,000 for an annual limit down from $1.5 million.

Willful neglect with a correction it would be $10,000 as a minimum and $250,000 for annual limit.

Finally the highest is for Willful neglect with no correction with $50,000 as a minimum with an annual limit of $1,500,000.

This new guidance changes significantly the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.

Social Media & PHI

Social media offers many benefits for health care organizations because it allows interaction with patients and others.  It offers education, and services.  As a result, it is an essential communication and marketing tool and part of strategic marketing plans.  Due to this organizations turn to social media to communicate with their employees. Unfortunately HIPAA and Social Media can be problematical.

Authorization to use PHI

It is possible to violate HIPAA Rules and patient privacy while using social media, if not managed correctly.  Due to this it is important for health care organizations to disclose protected health information carefully.   An organization must do so only with patient authorization for interviews, photographs and marketing communications.

Media Posts May Risk Privacy

Posts of PHI done by employees will violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI.   The ability to post simultaneously in several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed.   There must also be low risk it could be used to identify the patient. Facial images, and other identifiers such as tattoos must also be removed.   

Preventing HIPAA Privacy Risk

Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment.  Many organizations deal with the issue through development of a social media use policy.   They also monitor social media activity.  If not addressed, HIPAA and Social Media can be problematical.