In our most recent post, the Top 5 Common HIPAA Mistakes to Avoid in 2018, we noted that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has recently published guidance on disclosing protected health information (PHI) related to overdose victims. OCR published this and other guidance within the last two months in response to the Opioid Crisis gripping the nation and confusion regarding when and to whom PHI of patient’s suffering from addiction or mental illness may be disclosed.

Pills and capsules on white backgroundTo make the guidance easily accessible to patients and health care professionals, OCR published two webpages, one dedicated to patients and their family members and the other dedicated to professionals.

  • Patients and their family members can find easy-to-read commentary addressing the disclosure of PHI in situations of overdose, incapacity or other mental health issues here.
  • Physicians and other health care professionals can find similar fact sheets tailored to their roles as covered entities here.
  • OCR also recently issued a two-page document summarizing its guidance on when health care professionals may disclose PHI related to opioid abuse and incapacity [accessible here].

The main points from this guidance include:

  1. If a patient has the capacity to make decisions regarding his or her health care, a health care professional may not generally share any PHI with family, friends or others involved in the patient’s care (or payment for care), unless the patient consents to such disclosure.  However, a health care professional may disclose PHI if there is a serious and imminent threat of harm to the patient’s health and the provider in good faith believes that the individual to whom the information is disclosed would be reasonably able (or in a position) to prevent or lessen such threat. According to OCR, in the context of opioid abuse, this rule allows a physician to disclose information about the patient’s opioid abuse to any individual to whom the physician in good faith believes could reasonably prevent or lessen the harm that could be caused by the patient’s continued opioid abuse following discharge.
  2. If the patient is incapacitated or unconscious, HIPAA allows health care professionals to disclose certain PHI to family and close friends without a patient’s permission where (i) the individuals are involved in the care of the patient, (ii) the health care professional determines that disclosing the information is in the best interests of the patient, and (iii) the PHI shared is directly related to the family or friend’s involvement in the patient’s health care (or payment for such health care). As an example, OCR clarified that a physician may, in his or her professional judgment, share PHI regarding an opioid overdose and related medical information with the parents of someone who is incapacitated due to an overdose.
  3. OCR also addressed the difficult situation where a patient is severely intoxicated or unconscious, but may regain sufficient capacity to make health care decisions several hours after arriving in the emergency room.   In such situations, HIPAA would allow a physician or nurse to share PHI related to the patient’s overdose and medical condition with the patient’s family or close personal friends while the patient is incapacitated, so long as the nurse or doctor believes that it is in the patient’s best interest to do so and the information shared with the family member or friend is related to the individual’s involvement in the patient’s health care.

OCR published similar guidance, available at the above websites, regarding the disclosure of PHI related to the mental health of a patient.  Included in that guidance is clarification that HIPAA does not prohibit treating physicians from sharing PHI of a patient with a mental illness or substance use disorder for treatment purposes, except in the case of psychotherapy notes.

However, it is important to understand that OCR’s guidance on these issues does not supersede state laws or other federal laws or rules of medical ethics that would apply to disclosure of a patient’s PHI, including the federal confidentiality regulations [located at 42 CFR Part 2] pertaining to patient records maintained in connection with certain federally-assisted substance use disorder treatment programs.  The “Part 2” regulations (as well as state patient confidentiality laws that are more restrictive than HIPAA) could prohibit some or all of the disclosures which OCR has now clarified are permitted under HIPAA.

If you have a question regarding how this new guidance may affect your practice, please contact a knowledgeable attorney.

Heading into its 22nd year, HIPAA continues to be misunderstood and misapplied by many, including health care industry professionals who strive for (or at least claim the mantle of) HIPAA compliance. Here is my “top 5” list of the most frequent, and most frustrating, HIPAA misperceptions seen during 2017:

  1. “If I’m using or disclosing protected health information (PHI) for health care operations purposes, I don’t need a Business Associate Agreement.”

Yes, HIPAA allows PHI to be used or disclosed for treatment, payment and health care operations purposes, but the term “health care operations” is defined to include specific activities of the covered entity performing them. In addition, the general provision permitting use or disclosure for health care operations purposes (45 C.F.R. 164.506(c)) allows such use or disclosure for the covered entity’s “own” health care operations. So if the covered entity (or business associate) is looking to a third party to perform these activities (and the activities involve the use or disclosure of PHI), a Business Associate Agreement is needed.

  1. “I don’t need to worry about HIPAA if I’m only disclosing a patient’s/member’s telephone number, since that’s not PHI.”

If the data disclosed was ever PHI, it’s still PHI (unless it has been de-identified in accordance with 45 C.F.R. 164.514). For example, if data is received by a health care provider and relates to the provision of care to patient (e.g., as a phone number listed on a patient intake form), it’s PHI – even though, as a stand-alone data element, it doesn’t appear to have anything to do with the patient’s health. Unless the patient has signed a HIPAA authorization allowing the disclosure of the phone number to a third party vendor, the vendor receiving the phone number from the provider to perform patient outreach on behalf of the provider is a Business Associate.

  1. “When a doctor leaves a practice, she can take her patients’ medical records with her.”

This is not automatic, particularly if the practice is the covered entity responsible for maintaining the records and the patient has not expressly allowed the disclosure of his or her records to the departing doctor. In most cases, the practice entity transmits health information in electronic form in connection with a HIPAA transaction and acts as the covered entity health care provider responsible for HIPAA compliance. The patient can access his or her records and direct that they be sent to the departing physician (see guidance issued by the U.S. Department of Health and Human Services (HHS) on individual’s access rights), and if the patient shows up in the departing doctor’s new office, the practice can share the patient’s PHI under the “treatment” exception. If the practice wants the departing doctor to maintain the records of patients she treated while part of the practice, it can enter a records custodian agreement and Business Associate Agreement with the departing doctor.

  1. “I can disclose PHI under the “sales exception” to anyone involved in due diligence related to the sale of my health care practice/facility without getting a Business Associate Agreement.”

HIPAA prohibits the sale of PHI, but excluded from this prohibition is “the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence” as described in the definition of health care operations. The definition of health care operations, in turn, includes the “sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.”  This “sales exception” is a bit vague and the cross-referencing of other regulations adds to the confusion, but the fact that disclosing PHI in connection with due diligence related to a possible sale of a covered entity is not prohibited as a “sale” does not mean it’s permitted without regard to other HIPAA requirements and protections. Attorneys, consultants, banks, brokers and even potential buyers should consider whether they are acting as business associates, and careful buyers and sellers may want to require Business Associate Agreements with those accessing PHI.

  1. “If I’m treating an overdose victim [or other unconscious or incapacitated person], I can’t share his/her PHI with family members or caregivers.”

The HHS Office for Civil Rights recently published guidance to clarify that HIPAA does not prohibit health care professionals from sharing information with family members and others in crisis situations, such as those involving overdose victims. I blogged on a related topic, involving the nightclub shooting tragedy in Orlando, Florida, back in 2016. The bottom line is that HIPAA allows the disclosure of PHI in two circumstances that are often forgotten: (1) where the patient is unconscious or incapacitated and the provider believes sharing information with family and close friends involved in the patient’s care is in the best interests of the patient; and (2) where the provider believes that sharing information will prevent or lessen a serious and imminent threat to the patient’s health or safety.  More stringent laws may apply, such as those governing substance use disorder treatment records created or maintained by certain federally-assisted substance use disorder treatment providers or state laws, but HIPAA permits providers to exercise discretion in crisis situations.

Our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the April 2017 issue of Medical Practice Compliance Alert entitled “Business associates who farm out work create more risks for your patients’ PHI.” Full text can be found in the April, 2017 issue, but a synopsis is below.

In her article Marla cautioned, “Fully one-third of the settlements inked in 2016 with OCR [the Office of Civil Rights of the U.S. Department of Health and Human Services] dealt with breaches involving business associates.” She pointed out that the telecommuting practices of business associates (“BAs”) and their employees with respect to protected health information (“PHI”) create heightened risks for medical practices that are the covered entities (“CEs”) — CEs are ultimately responsible not only for their own HIPAA breaches but for HIPAA breaches of their BAs as well.

Kline observed, “Telecommuting is on the rise and this trend carries over to organizations that provide services to health care providers, such as billing and coding, telehealth providers, IT support and law firms.” Litten commented, “Most business associate agreements (BAAs) merely say that the business associate will protect the infor­mation but are not specific about how a business associate will do so, let alone how it will when PHI is off site.”

Litten and Kline added, “OCR’s sample business associate agreement is no dif­ferent, using general language that the business associate will use ‘appropriate safeguards’ and will ensure that its subcontractors do so too.”

Kline continued, “You have much less control over [these] people, who you don’t even know . . . . Moreover, frequently practices don’t even know that the business associate is allowing staff or subcontractors to take patient PHI off site. This is a collateral issue that can become the fulcrum of the relationship. And one loss can be a disaster.”

Some conclusions that can be drawn from Marla’s article include the following items which a CE should consider doing  when dealing with BAs:

  1. Select BAs with due care and with references where possible.
  2. Be certain that there is an effective BAA executed and in place with a BA before transmitting any PHI.
  3. Periodically review and update BAAs to ensure that they address changes in technology such as telecommuting, mobile device expansion and PHI use and maintenance practices.
  4. Ask questions of BAs to know where they and their employees use and maintain PHI, such as on laptops, personal mobile devices or network servers, and what encryption or other security practices are in place.
  5. Ask BAs what subcontractors (“SCs”) they may use and where the BAs and SCs are located (consider including a provision in BAAs that requires BAs and their SCs to be legally subject to the jurisdiction of HIPAA, so that HIPAA compliance by the CE and enforcement of the BAA can be more effective).
  6. Transmit PHI to the BA using appropriate security and privacy procedures, such as encryption.
  7. To the extent practicable, alert the BA in advance as to when and how transmission of PHI will take place.
  8. Obtain from each BAA a copy of its HIPAA policies and procedures.
  9. Maintain a readily accessible archive of all BAAs in effect to allow quick access and review when PHI issues arise.
  10. Have a HIPAA consultant available who can be contacted promptly to assist in addressing BA issues and provide education as to best practices.
  11. Document all actions taken to reduce risk from sharing PHI with BAs, including items 1 to 10 above.

Minimizing risk of PHI breaches by a CE requires exercising appropriate control over selection of, and contracting and ongoing interaction with, a BA. While there can be no assurance that such care will avoid HIPAA breaches for the CE, evidence of such responsible activity can reduce liability and penalties should violations occur.

A patient requests a copy of her medical record, and the hospital charges the per-page amount permitted under state law. Does this violate HIPAA? It may.

In the spring of 2016, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services, the agency that enforces HIPAA, issued a new guidance document on individuals’ right to access their health information under HIPAA (“Access Guidance”).   The Access Guidance reminds covered entities that state laws that provide individuals with a greater right of access (for example, where the state law requires that access be given within a shorter time frame than that required by HIPAA, or allows individuals a free copy of medical records) preempt HIPAA, but state laws that are contrary to HIPAA’s access rights (such as where the state law prohibits disclosure to an individual of certain health information, like test reports) are preempted by HIPAA.

For New Jersey physicians, for example, this means they may not automatically charge $1.00 per page or $100.00 for the a copy of the entire medical record, whatever is less, despite the fact that the New Jersey Board of Medical Examiners (“BME”) expressly permits these charges.  In fact, according to the Access Guidance, physicians should not charge “per page” fees at all unless they maintain medical records in paper form only.  New Jersey physicians also may not charge the “administrative fee” of the lesser of $10.00 or 10% of the cost of reproducing x-rays and other documents that cannot be reproduced by ordinary copying machines.  Instead, a New Jersey physician may charge only the lesser of the charges permitted by the BME or those permitted under HIPAA, as described below.

HIPAA limits the amount that covered entities may charge a patient (or third party) requesting access to medical records to only a “reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy” of the record.  Only the following may be charged:   

(1) the reasonable cost of labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, but not costs associated with reviewing the request, searching for or retrieving the records, and segregating or “otherwise preparing” the record for copying;  

(2) the cost of supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests the records in portable electronic media; and  

(3) actual postage costs, when the individual requests mailing. 

The fee may also include the reasonable cost of labor to prepare an explanation or summary of the record, but only if the individual, in advance, chooses to receive and explanation or summary AND agrees to the fee to be charged for the explanation or the summary.   

A provider may calculate its actual labor costs each time an individual requests access, or may develop a schedule of costs for labor based on the average (and HIPAA-permitted types of) labor costs incurred in fulfilling standard types of access requests.  However, a provider is NOT permitted to charge an average labor cost as a per-page fee unless the medical record is: (1) maintained in paper form; and (2) the individual requests a paper copy or asks that the paper record be scanned into an electronic format.  Thus, under HIPAA, a per-page fee is not permitted for medical records that are maintained electronically.  As stated in the Access Guidance, “OCR does not consider per page fees for copies of … [protected health information] maintained electronically to be reasonable” for purposes of complying with the HIPAA rules.   

A provider may also decide to charge a flat fee of up to $6.50 (inclusive of labor, supplies, and any applicable postage) for requests for electronic copies of medical records maintained electronically.    OCR explains that the $6.50 is not a maximum, simply an alternative that may be used if the provider does not want to go through the process of calculating actual or average allowable costs for requests for electronic copies. 

OCR has identified compliance with “individual access rights” as one of seven areas of focus in the HIPAA audits of covered entities and business associates currently underway, signaling its concern that physicians and other covered entities may be violating HIPAA in this respect.  All covered entities should, therefore, calculate what HIPAA permits them to charge when copies of medical records are requested by an individual (or someone acting at the direction of or as a personal representative of an individual), compare that amount to the applicable state law charge limits, and make sure that only the lesser of the two amounts is charged.

 

According to the latest HIPAA-related guidance (Guidance) published by the U.S. Department of Health and Human Services (HHS), a cloud service provider (CSP) maintaining a client’s protected health information (PHI) is a business associate even when the CSP can’t access or view the PHI. In other words, even where the PHI is encrypted and the CSP lacks the decryption key, the CSP is a business associate because it maintains the PHI and, therefore, has HIPAA-related obligations with respect to the PHI.

HHS explains:

While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations. Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze the risks to the ePHI or physical safeguards for systems and services that may house the ePHI.”

It makes sense to treat a CSP as a business associate if it holds PHI, even if it cannot view or access that PHI. After all, a business associate is a person or entity that performs a function or service on behalf of a covered entity (or another business associate) that requires it to create, receive, maintain, or transmit PHI.

Still, HHS’s explanation is less than satisfying, perhaps because it rather crudely mixes together very distinct HIPAA obligations:  protecting the confidentiality of PHI, on one hand, and protecting the integrity and availability of PHI, on the other.

Under the HIPAA regulations, a business associate is only required to provide notice to the covered entity following the discovery of a breach of unsecured PHI. “Unsecured” PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS]…” – in other words, PHI that is not encrypted at a level that meets HHS’s standards. The HIPAA regulations also say that a breach excludes a “disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.” Obviously, a disclosure of PHI that cannot be viewed will also not be able to be retained.

HHS contends that encryption “alone cannot adequately safeguard the confidentiality” of the PHI, but, later in the Guidance, concedes that if the PHI is encrypted at a level that meets HHS’s standards, an unauthorized incident would fall within the breach “safe harbor” and would not need to be reported to the CSP’s customer. In such a case, the confidentiality of the PHI would be adequately safeguarded by encryption alone and the CSP arguably would not have an obligation to do anything else under HIPAA to protect the confidentiality of the PHI.  The CSP would have an ongoing obligations, however, to protect the integrity and accessibility of the encrypted PHI under HIPAA. The encryption “blindfold” will simplify the CSP’s obligations under HIPAA.

A CSP is in a tricky position if it holds encrypted PHI for a customer, but does not know that it holds it. The Guidance emphasizes that if a CSP maintains PHI for a customer that is a covered entity or business associate, it must execute a business associate agreement with the customer, and risks enforcement action (such as reported here) by the Office of Civil Rights (OCR) within HHS if it doesn’t have one.

“OCR recognizes that there may, however, be circumstances where a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI.  The HIPAA Rules provide an affirmative defense in cases where a CSP takes action to correct any non-compliance within 30 days … of the time that it knew or should have known of the violation… This affirmative defense does not, however, apply in cases where the CSP was not aware of the violation due to its own willful neglect.”

Two key takeaways from the Guidance for a CSP? If you are blindfolded from viewing the data you maintain or transmit on behalf of a customer, or otherwise do not know whether the data might bring HIPAA obligations along with it, take reasonable steps to find out if the customer is a covered entity or business associate and whether the data includes PHI.  If so, execute a business associate agreement. Then, make sure the blindfold (i.e., encryption level) meets HHS’s standards and do NOT accept or have access to the decryption key.  This way, you can focus your HIPAA compliance efforts on protecting the integrity and accessibility of the data, not on protecting its confidentiality.

Last week, I blogged about a recent U.S. Department of Health and Human Services Office of Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals).   The week before that, my partner and fellow blogger Michael Kline wrote about OCR’s guidance on responding to cybersecurity incidents.  Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium sized business (MSB) can deal with the heightened threat of OCR investigations or lawsuits emanating from a security breach.  Alison’s piece, “Security breaches:  How small businesses can avoid a HIPAA lawsuit”, is must-read for MSBs struggling to understand and prioritize their cybersecurity needs.

Michael and I spoke with Alison about the recent OCR pronouncements, and she pulled several of our comments together to create a list of tips for an SMB to consider to minimize HIPAA security breach headaches. The following 6 tips are excerpted from the full article:

  1. Hire a credible consultant to help you approach the issue, and how you would respond in the event of a breach. [In other words, perform your own security risk assessment, or, if impractical, hire an expert to perform one.]
  2. Document that you have policies and procedures in place to fight cyber crime. “If you didn’t document it, it didn’t happen,” Kline said.
  3. Stay informed of cybersecurity news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
  4. Update your security settings on a regular basis, perhaps every time you add new employees or change systems, or on an annual basis.
  5. Present annually to your company board on where the company is in terms of cybersecurity protection, and where it needs to be to remain as safe as possible in the future.
  6. If you’re an IT consultant working with a healthcare organization, be clear with your client what you need to access and when, Litten said. “A client that has protected health information in its software should carefully delineate who has access to that software,” she added.

The article also quotes Ebba Blitz, CEO of Alertsec, who offers an equally important tip for the SMB dealing with employees’ use of mobile devices that contain or are used to transmit PHI:

“You need a good plan for mitigating BYOD,” Blitz said. She further recommends asking employees to document their devices, so businesses can keep track of them and install security tools.”

In summary, confronting ever-growing and evolving challenges of cybersecurity for SMBs is dependent upon serious planning, development and implementation of current policies and procedures, documentation of cybersecurity measures taken and entity-wide commitment to the efforts.

What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy task, since the “Wall of Shame” only details breaches affecting the protected health information (PHI) of 500 or more individuals).

Subscribers to the U.S. Department of Health and Human Services Office of Civil Rights (OCR) listserv received an announcement a couple of weeks ago that OCR would begin to “More Widely Investigate Breaches Affecting Fewer than 500 Individuals”. The announcement states that the OCR Regional Offices investigate all reported breaches involving PHI of 500 or more individuals and, “as resources permit”, investigate breaches involving fewer than 500.  Then the announcement warns that Regional Offices will increase efforts “to identify and obtain corrective action to address entity and systemic noncompliance” related to these “under-500” breaches.

Regional Offices will still focus these investigations on the size of the breach (so perhaps an isolated breach affecting only one or two individuals will not raise red flags), but now they will also focus on small breaches that involve the following factors:

*          Theft or improper disposal of unencrypted PHI;

*          Breaches that involve unwanted intrusions to IT systems (for example, by hacking);

*          The amount, nature and sensitivity of the PHI involved; and

*          Instances where numerous breach reports from a particular covered entity or business associate raise similar concerns

If any of these factors are involved in the breach, the reporting entity should not assume that, because the PHI of fewer than 500 individuals was compromised in a single incident, OCR is not going to pay attention. Instead, whenever any of these factors relate to the breach being reported, the covered entity (or business associate involved with the breach) should double or triple its efforts to understand how the breach occurred and to prevent its recurrence.  In other words, don’t wait for the OCR to contact you – promptly take action to address the incident and to try to prevent it from happening again.

So if an employee’s smart phone is stolen and it includes the PHI of a handful of individuals, that’s one thing. But if you don’t have or quickly adopt a mobile device policy following the incident and, worse yet, another employee’s smart phone or laptop is lost or stolen (and contains unencrypted PHI, even if it only contains that of a small handful of individuals), you may be more likely to be prioritized for investigation and face potential monetary penalties, in addition to costly reporting and compliance requirements.

This list of factors really should come as no surprise to covered entities and business associates, given the links included in the announcement to recent, well-publicized OCR settlements of cases involving smaller breaches.  But OCR’s comment near the very end of the announcement, seemingly made almost in passing, is enough to send chills down the spines of HIPAA compliance officers, if not induce full-blown headaches:

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”

In other words, if the hospital across town is regularly reporting hacking incidents involving fewer than 500 individuals, but your hospital only reported one or two such incidents in the past reporting period, your “small breach” may be the next Regional Office target for investigation. It will be the covered entity’s (or business associate’s) problem to figure out what their competitors and colleagues are reporting to OCR by way of the “fewer than 500” notice link.

In a recent Guidance, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have attempted to reverse an impression that its emphasis is more on privacy of protected health information (“PHI”) than on security of PHI. Its July 2016 article draws attention to the need by covered entities and business associates for equal attention to PHI security.

Relative to this OCR initiative, our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August 29, 2016 issue of Environment of Care Leader entitled “OCR: Providers need to assess cybersecurity response.” Full text can be found in the August 29, 2016 issue, but a synopsis is below.

Litten and Kline observed that the Guidance provided less specificity than prior guidance releases in the HIPAA area and seemed to be  more geared to large providers and managed healthcare systems. Nonetheless, Litten observed, “The bar [for PHI security] is higher than what some providers thought, especially if you read this with the [contemporaneous OCR] guidance on ransomware. So you may need [to take more steps] to protect your software.” Kline added, “OCR is going to say that if we tell you to do this and you don’t, tough on you.”

Some of the tips provided by Litten and Kline in the article include the following:

  1. Litten: Protect your electronic patient information if you haven’t done so already, taking into account your particular resources and limitations. “You don’t need a forensic analyst on staff, but you may want the contact information of one in your address book. If you’re not sure how to proceed or even where to start, you may need to hire a consultant to help you.”
  2. Kline: Develop policies and procedures to address cybersecurity. “The fact that you’ve done something constructive and documented that you’ve tried to comply, you’re so much better off [if you get audited by OCR].”
  3. Kline and Litten: Review your cybersecurity response policies, plans and procedures annually.
  4. Litten: Ask your electronic health record and other health IT vendors about the cybersecurity capabilities of their systems. “You want to make use of tools you have or at least know what you don’t have.”
  5. Kline: Understand that OCR considers a cybersecurity incident, not just a breach and not just ransomware, a reportable breach that must be put through the four-part risk analysis to determine whether that presumption can be refuted. “It’s not just [clear] breaches that need a HIPAA risk analysis.”
  6. Kline and Litten: Document all of your plans, policies and pro­cedures your facility has to respond to a cybersecurity incident and what you have done if you have been subject to one.
  7. Litten: Use free or easily available resources when you can. For instance, OCR has tools on its website, such as a sample risk analysis to determine vulnerabilities of electronic patient data. Your local medical societies may also offer tools, webinars and training.
  8. Litten: Make sure that your business associates also have cybersecurity protections in place. “The [G]uidance specifies that business associates as well as covered entities need to have this capability. Because it’s the covered entity that’s ultimately responsible for protecting its patient data and for reporting security breaches, it falls to the entity to ensure that the business associate complies.” So you need to ask business associates what their cybersecurity response plans entail and make sure that they’re adequate, include the fact that they have such a plan in the representa­tions and warranties of your business associate agreement, require swift reporting to you of any cybersecurity incidents suffered by a business associate and make sure that business associates limit access to your patients’ data. “You don’t want seepage of patient protected health information.”

In light of the clear concerns of OCR that covered entities and business associates, both large and small, pay sufficient attention to security of PHI, current compliance efforts should evidence relevant concrete policies and procedures that cover not only privacy but also security. Documentation of such efforts should specifically address current issues such as ransomware and risk analysis to demonstrate that the covered entity or business associate is staying current on areas deemed to be of high risk by OCR.

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:

Requirements Selected for Desk Audit Review
Privacy Rule
Notice of Privacy Practices & Content Requirements  [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule
Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule
Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance:  Individuals’ Right under HIPAA to Access their Health Information | HHS.gov

The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.

If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.

If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request.  A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.

The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)

As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols to be sure employees aren’t requiring a patient  (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.

Jessica Forbes Olson and T.J. Lang write:

In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

A HIPAA compliance checklist for health care providers and insurers follows:

  • Determine whether for HIPAA purposes you are a hybrid entity, an affiliated covered entity or part of an organized health care arrangement. Document that status.
  • Appoint a HIPAA privacy official.
  • Appoint a HIPAA security official.
  • Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of patient or participant rights.
  • Determine where PHI is located, whether hard copy, electronic, or spoken.
  • Determine the reasons why PHI is used or disclosed (e.g., treatment, payment, health care operations, public health reasons, public policy reasons, to government agencies or officials).
  • Determine which departments and workforce members have access to PHI, why they have such access and the level of access needed.
  • Identify and document the routine requests, uses and disclosures of PHI and the minimum necessary for those requests, uses and disclosures.
  • Identify all business associates: vendors that create, maintain, use or disclose PHI when performing services for your entity.
  • Have executed business associate agreements with all business associates.
  • Have and follow written HIPAA privacy, security and breach notification policies and procedures.
  • Train all workforce members who have access to PHI on the policies and procedures and document the training.
  • Have and use a HIPAA-compliant authorization form.
  • Have and follow process for verifying the status of personal representatives.
  • Distribute a notice of privacy practices and providers must attempt to obtain acknowledgment of receipt of notice from patients and post one in each facility where patients can view it.
  • Establish and document reasonable administrative, technical and physical safeguards for all PHI, including hard copy and spoken PHI.
  • Conduct and document a HIPAA security risk analysis for all electronic PHI (e.g., PHI on desktops, laptops, mobile phones, iPads and other electronic notebooks, copy machines, printers, discs and thumb drives).
  • Address risks to ePHI that are identified in the HIPAA security risk analysis.
  • Update your HIPAA security risk analysis periodically or when there is a material change in your environment that does or could impact PHI or if there are changes in the law impacting PHI.
  • Encrypt PHI to fall within the breach safe harbor.
  • Have written disaster recovery and contingency plans.
  • Prepare for and respond to security incidents and breaches.
  • Comply with HIPAA standard transactions and code set rules related to electronic billing and payment.
  • Although it will not be covered by the audits, comply with more stringent state privacy and security laws (e.g., document retention; patient consent; breach reporting).
  • Maintain HIPAA compliance documentation in written or electronic form for at least 6 years from the date the document was created or last in effect.

For more information about OCR audits or assistance in conducting a HIPAA compliance review, please contact any member of the Fox Rothschild Health Law practice group.


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.