New HIPAA penalties are now available from the Department of Health and Human Services (HHS), which published a notice on April 30th. HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now, HHS applied the same cumulative annual limit to all four categories of violations.
Pending further rulemaking, HHS will now apply different cumulative annual CMP limits instead of the maximum of $1.5 million for each level of violation. This is a reduction in the maximum limit, scaled down according to the level of culpability. HHS will use the new penalty structure until further notice. It is important to understand the new HIPAA penalties from HHS.
Based on four categories of culpability, HHS has provided covered entities and business associates with an entirely new penalty structure. In most cases the amount of the penalty will be significantly less than what we have experienced in the past.
For the category of no knowledge, the minimum penalty is now $100, and the annual limit is $25,000, down from $1.5 million.
For reasonable cause, the minimum is $1,000 and the annual limit is $100,000, down from $1.5 million.
Next, for willful neglect that is corrected, the minimum is $10,000 and the annual limit is $250,000.
Finally, the highest category is willful neglect that is not corrected, with a minimum of $50,000 and an annual limit of $1,500,000.
This new guidance significantly changes the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates that handle protected health information.
To read this important notice on the new HIPAA penalties from HHS, visit the Federal Register using the link below.
A breach of Protected Health Information is a serious matter. A breach is an impermissible use or disclosure of protected health information (PHI) that compromises the privacy or security of the PHI. An impermissible use or disclosure is presumed to be a breach unless certain criteria are met: the covered entity or business associate must demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of the following:
Firstly, the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
Secondly, the unauthorized person to whom the disclosure was made.
Third, whether the PHI was acquired or viewed.
Finally, the extent to which the risk to the patient was mitigated.
Breaches of Protected Health Information take many forms. Some examples of breaches of paper PHI are loss of paper files, insecure disposal, and paperwork given to the wrong person. All entities that handle paper PHI must be aware of how important care is when sharing or disposing of this information. It is not uncommon for patients to receive the discharge summary of another patient, or to see old medical records simply thrown away in the trash.
Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document-sharing internet site. Most importantly, all organizations must create a process by which electronic PHI is protected in the cloud.
All of these have been the subject of Office for Civil Rights penalties.
Verbal breaches of PHI occur when PHI is disclosed to the wrong individual or is overheard because safeguards were not used.
It is important for all covered entities and business associates to review their policies. As a result, they will be better able to protect PHI, whether it is paper, electronic or spoken.
Please contact us for more information about breaches or about HIPAA. Follow us on Facebook or Twitter.
Social media offers many benefits for health care organizations because it allows interaction with patients and others, and it offers education and services. As a result, it is an essential communication and marketing tool and part of strategic marketing plans. Organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and social media can be problematic.
Authorization to use PHI
It is possible to violate the HIPAA Rules and patient privacy while using social media if it is not managed correctly. For this reason, it is important for health care organizations to disclose protected health information carefully. An organization must do so only with patient authorization for interviews, photographs and marketing communications.
Media Posts May Risk Privacy
Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI. The ability to post simultaneously on several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed, and there must also be a low risk that the remaining information could be used to identify the patient. Facial images and other identifiers such as tattoos must also be removed.
Preventing HIPAA Privacy Risk
Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment. Many organizations deal with the issue by developing a social media use policy. They also monitor social media activity. If not addressed, HIPAA and social media can be problematic.
Permitted uses and disclosures of PHI exist for a number of different purposes within the healthcare sector. By following these guidelines, an organization can share protected health information while staying in compliance with HIPAA's rules. An organization must recognize these rules, and all employees of an organization that acts as a covered entity or business associate must be aware of them. It is always permitted to use and disclose PHI for treatment, payment and health care operations.
Sharing with Health Care Providers
Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization in order to share their PHI. For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be done electronically, but it must be done in a manner that complies with the Security Rule.
Sharing for Care Coordination
We now see the need to share data with health care providers for purposes of care coordination. This has expanded the "permitted uses and disclosures of PHI." This activity did not exist when HIPAA was written; it is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for these treatment purposes without patient authorization. This information must be shared with all employees of the organization.
By following these simple guidelines, organizations will be able to stay in compliance with HIPAA as they manage their PHI. One must also realize that there are other ways in which PHI may safely be shared without obtaining permission, for example under an order from a court or for law enforcement purposes.
To use the PHI of an individual, one must often obtain an authorization. The HIPAA Rule is very specific about authorization. The use of PHI for treatment, payment or health care operations purposes does not require authorization. In addition, where specific laws apply, an authorization is not required.
Disclosure to an attorney's office, or to a life or disability insurance company, is another example of a disclosure that requires an authorization.
An entity must obtain authorization to disclose medical records when a patient consents to participate in a research project and when the patient requests a transfer of medical records to another medical provider's office.
A request accompanied by a court order signed by a judge from a court with jurisdiction does not require authorization. Reporting an infectious disease according to state law does not require authorization. Disclosing PHI for research does not require authorization if an IRB (Institutional Review Board) grants a waiver of authorization.
State Law is Important
A HIPAA-compliant authorization must contain certain elements, but do not forget to look at state law requirements. Many states have laws that are more protective of PHI than the federal HIPAA Rules, and they will require additional elements to be added to the authorization.
Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health information, or EPHI, is at increased risk from many sources:
Foreign hackers looking for data to sell, usually on the dark web;
Ransomware attacks that lock up data until a ransom payment is received;
Phishing schemes that lure the user into clicking a link or opening an attachment to deploy malicious software; and
Spear phishing, a targeted attack on a specific person that appears to come from a legitimate source, usually instructing a transfer of funds.
What You Can Do
In order to safeguard EPHI against these threats:
Firstly, know how to spot phishing emails.
Secondly, use strong passwords, two-factor authentication and encryption.
Finally, have policies, procedures and safeguards in place to protect EPHI, and know whom to report an incident to in your organization.
Prepare for Cyberattacks
In the case of a cyberattack or similar emergency, an entity must:
Execute its response and mitigation procedures and contingency plans.
Report the crime to other law enforcement agencies.
Report all cyber threat indicators to federal and information-sharing and analysis organizations.
Finally, report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
Most importantly, OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include the voluntary sharing of breach-related information with the appropriate agencies.
Keep in mind that the purpose of HIPAA is to protect PHI. In addition, it assists treatment providers in caring for the patient without requiring patient authorization to share their PHI. For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. PHI can be shared electronically for treatment, but it must be shared in a manner that complies with the Security Rule. PHI may also be disclosed for payment purposes, as with a billing company. Finally, PHI may be shared for health care operations activities.
The Office for Civil Rights reports that healthcare data breaches increased continuously over the last few months of this year. For example, there were a total of 41 breaches in April, affecting a greater number of people than in previous months. The breaches affected a total of 894,874 records. Unfortunately, over the years since 2009, the annual number of breaches of over 500 records has increased from 18 to 365. Meanwhile, 2018 was the worst year in number of breaches but only the fourth in total records affected.
Unauthorized Access a Cause of Breaches
The healthcare industry continues to be a big target for hackers as healthcare data breaches increase. In 2018, 161% more healthcare records were involved. Unauthorized access/disclosure incidents were one of the biggest causes of breaches, and the mean breach size of unauthorized access incidents increased by 115%. Fortunately, loss, theft and improper disposal incidents all appear to have declined. Despite the bad news, it is likely that cybersecurity defenses have been effective in preventing hackers from gaining access to data.
Phishing is a Risk
Most importantly, the data from 2018 highlights the importance of increasing email security in addition to training employees. One main cause of healthcare breaches in the month of April was phishing attacks. For instance, in April nine breaches related to successful phishing attacks were reported. Other causes were unauthorized email access and misdirected emails. In conclusion, it will be important to improve technology to prevent the delivery of malicious emails to the inboxes of healthcare workers.
Exposed PHI Remains a Problem
In short, it appears that 75% of breaches affected healthcare providers, 14% health plans and 11% business associates of covered entities. Most importantly, the breaches associated with business associates were the most severe and represented 42% of all exposed records.
It is in the best interest of covered entities and business associates to promote safeguards to protect PHI and to train employees on this process.