OCR Official Speaks About Compliance Concerns for HIPAA Covered Entities and Business Associates

Related Practices & Jurisdictions

Monday, August 21, 2023

What do ransomware, Yelp, and website tracking technologies all have in common? They are troubling areas of concern for HIPAA covered entities and business associates, according to one official from the federal Office for Civil Rights (OCR) which enforces the HIPAA privacy and security rules. Recently, the Executive Editor of Information Security Media Group’s (ISMG’s) HealthcareInfoSecurity.com media site, Marianne Kolbasuk McGee, sat down with Susan Rhodes, the OCR’s acting deputy for strategic planning and regional manager to discuss these issues.

We briefly summarize the discussion below, but you can access the short interview here (~10 min.). It is worth a listen.

Ms. Rhodes outlined three troublesome areas that OCR is watching closely:

Ms. McGee also inquired about areas where covered entities and business associates’ HIPAA compliance frequently falls short. Ms. Rhodes mentioned a few:

The HIPAA privacy and security rule continue to raise significant compliance challenges for covered entities and business associates. It is important to those that those challenges do not just exist in the physician’s office, but must be managed on line as well, including on organizations’ website.

Jackson Lewis P.C. © 2023National Law Review, Volume XIII, Number 233

What Doctors Wish You Knew About HIPAA and Data Security

“Epic and others like it were not designed for use by clinicians on the front line trying to help patients,” he says. “These systems are giant billing platforms. It’s varying fields of data to be walled off.”

Sadly, Epic and others like it are all they have when it comes to storing patient data safely, and despite their flaws, these portals are still the safest available option for doctors and patients. Health care facilities are strictly regulated to receive federal government funding, and they must pass safety certifications, including security protections for patient data. They also seek to maintain industry recognition in order to stay credible and competitive. Want to make a hospital exec nervous? Tell them the Joint Commission is coming by for a visit. They need those gold star approval ratings.

Some patients are under the misconception that these systems are not really that secure. But in the past few years, data breaches have been rare (though they do happen). Hackers frequently target hospitals and health care systems for ransomware attacks, but it doesn’t pay for hackers to demand money when robust backups exist. While the industry has made some progress, the problem of individuals taking personal risks continues.

A former Department of Homeland Security adviser and a doctor, Chris Pierson is CEO of BlackCloak, a company that specializes in personal digital protection from financial fraud, cybercrime, reputational damage, and identity theft. He believes vigilance is key for doctors and patients alike.

Protect Your Entire Family

“I don’t think people realize that once someone is able to get just one piece of information, that can lead to opening others’ private data,” Pierson says. “It’s no longer the original individual on their computer, but additional family members’ identity that can be compromised.”

He explains that even if one organization keeps your data safe, another associated one may not, and that’s where criminals will strike. 

“It’s not just medical offices. It’s your pharmacy, labs, insurance company, anyone who keeps personal information. That has real value, and selling it is the priority.”

Victims of identity theft can be revictimized when personal information gets into multiple hands. A street address and Tested phone number can go far, especially if the phone contains many contacts, who then become vulnerable to attack themselves.

“If you get Mom’s info, you can get the child’s as well. An ID card, social security, all of it, and then they have the ability to collect false medical claims or just extortion. It’s a two for one.”

Two-Factor Authentication Is Worth the Effort

Pierson mentions how critically important it is to use a multistep authentication system. Your level of protection goes up considerably just by using secure passwords and one-time authentication codes.

Thankfully, setting all this up is easier than it sounds. Apps on your phone or tablet can help. Google Authenticator, when paired with a service that supports authenticator apps, provides a six-digit number that changes every few seconds and can keep people out of your data even if they have your username and password. Other companies ask users to enter an SMS code as the second authentication factor, in addition to a password, although SMS codes are less secure than authenticator apps. Either approach is better than none—unless a hacker is in physical possession of your phone, they are not getting access.

Social Media and Tracking

Social media is becoming a popular way for health care providers and entrepreneurs to connect with the public—and often to sell them treatments or advice. These Instagram or TikTok accounts may offer tips from someone in the medical industry, which can appeal to those facing rising health care costs and difficulties accessing care. But an internet doctor’s background or popularity does not ensure that they observe strong privacy guidelines or secure their transactions.

My Instagram is flooded with offers promising everything from better sleep to improved sexual health. It’s nice to have options, but that help and any information you receive from those accounts or send to them isn’t covered under HIPAA. Any time you pay out of your own pocket for health-related items or services, or on a direct-to-consumer health app, there is no recourse if someone steals your personal information or shares it.

Along with social media and direct-to-consumer health options comes large-scale data tracking. Outside of official medical practices, you should view surveillance as an expectation, rather than an exception.

Ask Questions

When you sign up for any service, whether through a new doctor’s patient portal or an online supplement shop, ask how your data is stored and where it goes. Read the privacy policies and settings, even briefly, to find out what options you have to restrict the sale or reuse of your data. Check the default settings to make sure you’re not giving away too much information. Find out if the service or platform offers two-factor authentication and set that up if it’s available. Know that it’s rare for anyone to need your social security number, no matter what a customer service agent says. A birth date and address is usually enough.

Pierson and others agree that they all need to consider security from several angles and do their best to protect ourselves and their loved ones. “The sophistication of identity attacks will always evolve and change. Remember, they only have to get it right once, but they have to guess right all of the time.”

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act

HIPAA is a federal law covering healthcare and health insurance industries. It addresses a number of courses and mandates that PHI (also referred to ePHI if it is in electronic form) must be protected in order to maintain the privacy and confidentiality of patients’ medical information. This mandate is addressed in two key HIPAA provisions: the Privacy Rule and the Security Rule.

PHI is individually identifiable health information, including demographic information, that is:

HIPAA mandates that PHI must be protected in both physical and digital form. Such information is classified as Restricted/PHI by UAB’s Data Classification Rule. Examples of HIPAA/PHI data that must be protected include names, address, dates, phone numbers, email addresses, SSNs, account numbers, photos, etc.

PHI can appear in a number of different formats. Examples of media on which PHI can appear include, but are not limited to, the following:

The HIPAA Privacy Rule states that PHI may be used and disclosed to facilitate treatment, payment, and healthcare operations (TPO). When HIPAA permits the use or disclosure of PHI, the covered entity must use or disclose only the minimum necessary PHI required to accomplish the business purpose of the use or disclosure. Even when PHI is used or disclosed for appropriate business purposes, if the PHI is not limited to the necessary minimum, it is a HIPAA violation. The only exceptions to the necessary minimum standard are those times when a covered entity is disclosing PHI for the following reasons:

The Security Rule and its associated regulations contain 18 standards that must be met in order to provide the appropriate security safeguards to protect the confidentiality, integrity, and availability of patients’ PHI. These regulations address a number of issues regarding the protection of PHI. Examples of such issues include, but are not limited to, prohibiting downloading or copying of PHI, conducting risk exams at least every two years, requiring the encryption of all hard drives containing PHI, etc.

To ensure that the requirements of the Security Rule are met, UAB has adopted a set of Security Core Policies and the Data Protection Rule which describes security requirements that must be followed.

A covered entity can share PHI with a third party, but that party must be an authorized Business Associate (BA) and there are requirements and stipulations on how PHI can be shared. Examples of BAs include an electronic patient record vendor or a company that shreds physical media that contain PHI.

In order to share PHI with a BA, a UAB covered entity must execute a signed Business Associate Agreement (BAA) with the third party before the PHI can be shared.

For more on HIPAA, BAs and BAAs, and the associated forms, visit UAB’s HIPAA web site. Note: Users must be on either the UAB or UABMC network to access this site.

The Department of Health and Human Services (HHS enforces a tiered civil penalty system for non-compliance with the HIPAA Privacy Rule and Security regulations. The following actions could occur should a non-compliance issue arise:

The U.S. Department of Justice is responsible for enforcing criminal penalties for non-compliance with the HIPAA Privacy Rule. Criminal penalties for “wrongful disclosure” include both large fines of $50,000 to $250,000 and up to 10 years in prison. Examples of wrongful disclosures include accessing health information under false pretenses, releasing patient information with harmful intent, or selling PHI.

Note: Penalties and fines apply to members of the workforce and other individuals, not just to the covered entities.

In addition to the federal and state penalties and fines, members of the UAB/UABHS workforce are subject to disciplinary action, up to and including termination of employment or assignment, for non-compliance with HIPAA privacy and security regulations, policies, and procedures.