Protected health info and HIPAA focus of HHS discussion

With 2017 just beginning, covered entities under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) need to be aware of current trends in the realm of protected health information (PHI). In a Health Care Compliance Association webinar titled “What’s New on the HIPAA Front?” Vaniecy Nwigwe and Debbie Campos of HHS Office for Civil Rights presented an overview discussion of PHI designation and authorization, PHI breaches, enforcement matters, and marketing.

The HIPAA Privacy Rule generally requires covered entities, i.e. health plans and most health care providers, to provide individuals, upon request, with access to the PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice, as described in 45 C.F.R. Sec. 164.524(c)(3).

PHI designations

Designation occurs when an individual directs the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. Conversely, authorization occurs when an individual gives permission to another person to direct the covered entity to transmit the PHI to another person (or entity) designated by the authorized individual (or entity).

The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person.

According to the speakers, this distinction matters because of fees. The fee limitations only apply to individuals who direct a covered entity to send PHI to another person or entity. Under the Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy that covers only certain labor, supply, and postage costs that may apply in fulfilling the request.

PHI breaches

From September 2009 through November 2016, approximately 1,738 breaches of PHI affecting 500 or more individuals were reported. Of those, 60 percent were initiated through theft or loss. In addition, there were over 58,000 reports of breaches of PHI affecting fewer than 500 individuals during calendar year 2016 alone.

Enforcement

Highlighting some of HHS’ enforcement actions, the speakers noted that over 125,445 complaints had been received as of December 31, 2015, and over 30,000 cases have been resolved with corrective action or technical assistance. HHS expects to receive 22,000 complaints in 2017.

In one prime example of a major breach, the speakers noted that the ePHI of the nonprofit health system St. Joseph Health was publicly accessible on the internet from February 1, 2011, to February 13, 2012, affecting the records of over 31,800 individuals. St. Joseph Health agreed to adopt a comprehensive corrective action plan and pay $2.4 million to settle allegations that the health system violated the HIPAA Privacy and Security Rules (see Health system slammed over searchable internet server, Health Law Daily, October 19, 2016). St. Joseph Health also agreed to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on the revised policies and procedures.

Marketing

Generally, a communication about a product or service that encourages recipients of the communication to purchase or use the product or service is considered marketing. In the case of covered entities, if the communication rises to this level, the covered entity must obtain an individual’s authorization to do so. Another form of marketing communication is an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.

Kusserow on Compliance: Tips for protecting data against attacks and breaches

The media is filled with stories of data breaches in all business sectors. Larger organizations are not immune; in fact, the larger the organization, the better a target it appears to attackers. The largest breaches have been with the Federal Government. In the health care sector, data breaches involving Protected Health Information (PHI) have been rising at a great rate. Patient records are very valuable and are sold on a per-record basis. Providers are also considered “soft targets,” especially by those engaged in “ransomware” extortions, and many pay the demands to regain access to their patient records.

No one seems immune to these types of attacks. One can hardly forget that one of the biggest successful penetration attacks on data was against the U.S. Office of Personnel Management, where sensitive information, including the Social Security Numbers of 21.5 million individuals, was compromised: 19.7 million individuals who applied for a background investigation and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Even law firms that provide advice on data security to their clients have been victimized and are among those with the weakest controls to protect their data. Survey reporting by Marsh found that four out of five of the largest 100 law firms had been hacked. As is common in any business arena, they noted that many don’t know they have been hacked. The following are best practice tips to assist in preventing and/or mitigating attacks and breaches.

  1. Have a dedicated information security officer who has the responsibility as well as the authority to adopt, implement, and enforce adequate security protocols, including ensuring that (a) the IT infrastructure and data creation, transmission, and storage protect data from unauthorized disclosure; (b) the legitimacy of data received (source and content) is verified; and (c) data are accessible for auditing and monitoring.
  2. Develop and implement data security policies for:
  • all external drives and mobile devices (including personally owned)
  • location and remote-erase options in case of loss or theft
  • data backup
  • installation of firewalls
  • data encryption
  • password protection
  • how to respond to any data breach
  • disaster recovery
  • records retention
  • business continuity in case of loss of data
  • uses of social media
  • vendor relation requirements
  • use of free public wi-fi
  3. Institute safeguards and device management to protect information, such as encryption and passwords for all devices (USB drives, cell phones, tablets).
  4. Engage in ongoing monitoring to ensure that policies and procedures are being properly followed, and in periodic outside auditing of the systems.
  5. Train all covered persons on existing policies and procedures relating to data protection, and to report any suspected unusual emails. This is important because most successful attacks are the result of email users opening attachments that give entry to a wrongdoer. Users are often the ones who detect early irregularities occurring as a result of an attack, and the quicker they report it, the easier it is to contain the attack.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Cloud services providers subject to HIPAA when handling ePHI

Entities subject to Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) compliance may use cloud services to store and process electronic protected health information (ePHI). According to HHS’ health information privacy guidance, to do so, the covered entity or the entity’s business associate must enter into a HIPAA-compliant business associate agreement (BAA) or contract with the entity’s chosen cloud services provider (CSP).

CSP requirements

CSPs are legally separate entities from the covered entity, and offer online access to shared computing resources. Their functions range from data storage to software solutions, such as electronic medical record systems. When a HIPAA-covered entity retains a CSP’s services to handle ePHI, that CSP becomes a business associate under HIPAA, even if the CSP is a subcontractor under another business associate. Even if the ePHI processed or stored by the CSP is encrypted and the CSP does not have an encryption key, the CSP is subject to the HIPAA rules.

Business associate agreement

A BAA establishes the permitted and required uses and disclosures of ePHI for the CSP, and is a requirement under HIPAA. A covered entity must have a clear understanding of the services provided by the CSP to ensure that a risk analysis can be conducted and the appropriate provisions are included in the BAA. More specific business expectations may be included in a service level agreement (SLA), and the SLA’s provisions should be consistent with HIPAA and the BAA.

The BAA can also establish the way the CSP is to report security incidents to the covered entity. The Security Rule (45 C.F.R. Parts 160 and 164) requires that business associates identify and respond to security incidents, mitigate their effects, document the incidents, and report them. The BAA must require such reporting, but the rule is flexible and allows the parties to determine the frequency, level of detail, and format of reports.