HIPAA Archives - Conventus

Healthcare Providers and Texting: What You Need to Know About Privacy Risks

March 10, 2023 by Abbie Mood

Texting has become a communication method of choice these days, especially for Millennials and Gen Zers. And for good reason – it’s quick, easy, and businesses can even automate messages. But texting also comes with privacy risks when it comes to the healthcare industry and sharing Protected Health Information (PHI or ePHI).

Below, we answer some of the most common questions about texting patients and the risks associated with it.

What is PHI?

Protected Health Information (PHI or ePHI) is defined as “any information about health status, provision of health care, or payment for health care that can be linked to a specific individual,” and consists of 18 different “identifiers” which could connect specific details to a patient (such as photographs of the patient, their social security number, or their telephone number). The Privacy and Security Regulations within HIPAA apply to medical professionals, health insurance providers, health insurance clearing houses (including fund administrators and managers), and any subcontractor who has access to protected health information (regardless of whether it is stored electronically or not).

What are the risk issues associated with texting PHI?

Due to changing work practices and technological advances, the majority of healthcare professionals now access PHI or communicate patient data via their mobile devices. Text messages may remain on mobile devices for an indefinite amount of time, and without proper precautions, may be exposed to unauthorized access. According to HHS.gov, 74% of data breaches in the health industry were due to external threats related to a lack of HIPAA compliant encryption. Hacking is now the greatest threat to the privacy and security of PHI in the healthcare sector.

What are the fines for unsecured text messaging of PHI?

Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules. Minimum fine of $100 per violation, up to $50,000.
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, but falls short of willful neglect of HIPAA Rules). Minimum fine of $1,000 per violation, up to $50,000.
Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation, up to $50,000.
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days. Minimum fine of $50,000 per violation.

For more information on HIPAA breach fines, please visit: HIPAAJournal.com

What are some other consequences of a HIPAA breach?

The U.S. Department of Health and Human Services Office for Civil Rights lists the breach on its “Cases Currently Under Investigation” and gives a general description of the violation. (Find the full list here.) The OCR also conducts HIPAA audits.

When does a HIPAA Breach need to be reported?

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media, of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. For more information, please visit the U.S. Department of Health and Human Services website.

Why is SMS Texting not HIPAA Complaint?

In order for an SMS to be HIPAA compliant, both the sender and the recipient should be authorized users of a secure messaging system that enables them to access and transmit ePHI as required. With a secure messaging platform, all messages are encrypted and do not have the security risks associated with standard messaging systems, aka SMS. The secure messaging system must be capable of removing users and remotely deleting messages sent within the application, in case a personal mobile device is lost, replaced, or stolen. The application must also provide system administrators with the ability to gather audit logs to adhere to best practices policy for HIPAA compliance and SMS.

Do both the sender and receiver need to be on a secure platform?

Yes, both the sender and recipient should be authorized users of the secure messaging system. Also, in addition to employers, health insurance providers, health insurance clearinghouses, and medical professionals, the rules for text messages and HIPAA compliance now apply to associates, subcontractors, or any third-party service provider who has access to PHI. This means that if an insurance provider wants details of the treatment a patient has received in the hospital, it must also be an authorized user on a secure messaging system to retrieve that information.

The changes to the HIPAA regulations for SMS messaging extended to who must comply with the mandated best practices. In addition to medical professionals, health insurance providers (including employers), health insurance clearing houses (including fund managers), and any subcontractor, “associate,” or third-service provider who has access to PHI is now also subject to the HIPAA regulations for texting.

Does Centers for Medicare & Medicaid Services (CMS) allow texting?

CMS has issued a clarification on texting by medical providers regarding patient care. In unequivocal terms, CMS has declared that providers:

MAY NOT text patient orders. Texting of orders would be considered out of compliance with requirements of a medical record.
MAY communicate other patient information using a secure text messaging platform on their smart devices. (SMS text messaging is not considered secure.)
Should continue to utilize computerized physician order entry (CPOE) or written orders.

For more information on the CMS texting clarification, please read the CMS memo here.

Support for Conventus Members

As always, Conventus members can also call the Practice Resource Department at (877) 444-0484, ext. 7466 to speak with a member of our team for assistance with understanding or questions regarding your requirements under these regulations.

HIPAA Breach Part I: Business Associate Agreement

May 4, 2018 by Conventus

NJ Physician Group Fined $417,000 for HIPAA Security Breach Part I: Business Associates

Physician practices are considered “Covered Entities” (CE) under the Health Insurance Portability and Accountability Act (HIPAA) Law and Regulation, which requires a formal, written Business Associate Agreement (BAA) with 3^rd party vendors. But, now the NJ Division of Consumer Affairs has indicated that medical practices must also have stricter vendor oversight by ‘fully vetting’ the HIPAA compliance of their business associates or risk hefty fines. Virtua Medical Group (VMG), a network of greater than 50 physicians in South Jersey, agreed to pay $417, 816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet due to a server misconfiguration by a private vendor. The Office of the Attorney General and the NJ Division of Consumer Affairs issued a news release and statement about it on April 4, 2018. Sharon M. Joyce, the Division’s Acting Director, said, “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough…You must fully vet your vendors for their security as well.” So, what happened? And, what does this mean to you and how can you protect your practice?

What Happened

Best Medical Transcription, a Georgia-based vendor hired to transcribe dictation, updated software on a password-protected File Transfer Protocol website (“FTP site”) used to transfer and store files containing ePHI to and from VMG. The vendor unintentionally misconfigured the web server during the update, allowing the FTP Site to be accessed without a password. After the FTP site became unsecured, anyone who searched Google using terms contained within the dictated information could access and download the documents on the FTP site. Best Medical Transcription restored the password protection, but Google retained the cached indexes of files, which remained publicly accessible on the internet. Unfortunately, VMG was not notified of the breach by the 3^rd party vendor and only became aware of it when a patient’s mother contacted them that she found portions of her daughter’s medical record online. VMG investigated to see where the breach occurred, notified law enforcement 2 weeks later, and individually removed each patient’s information from Google’s cache.

The Violations

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions make Bas directly liable for most HIPAA requirements. However, the Privacy Rule requires that a covered entity obtain reasonable and satisfactory assurances in writing (i.e. “Business Associate Agreement”) from its BAs that they will appropriately safeguard PHI (Protected Health Information) received on behalf of the covered entity. In this case, the Attorney General alleged that both HIPAA and the NJ Consumer Fraud Act were violated, which constitutes ‘separate and additional unconscionable commercial practices.’ At the federal level, the Office of Civil Rights (OCR) may also be expecting a greater level of vendor due diligence under HIPAA. And, Sharon Joyce of the NJ Division of Consumer Affairs indicated that “although it was a third -party vendor that caused the data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it. The Division cited VMG for the following violations:

Failure to implement a security awareness and training program for all members of its workforce, including management.
Delay in identifying and responding to the security incident; mitigating its harmful effects; and documenting the incident and its outcome.
Failure to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP site.
Improper disclosure of protected health information (PHI) of its patients.
Failure to maintain a written or electronic log of the number of times the FTP site was accessed. The HIPAA Regulation requires that an audit log/trail of when/who accessed which files.

There are several major implications for physician practices based on these findings. “HIPAA Security Breach Part I” will focus on Business Associates.

Who is a Business Associate?

A Business Associate (BA) is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity (CE). A member of the CE’s workforce is not a business Associate. BA functions and activities include: claims processing or administration; billing; data analysis; quality assurance; utilization review; benefits management; practice management; and repricing. BA services include: consulting, data aggregation; management; administrative; accreditation; and financial. Independent medical transcription services and billing companies would also be considered BAs. See the full definition of “business associate” at CFR 160.103.

What are the Responsibilities of a Business Associate and the Covered Entity?

BAs are obligated to comply with the HIPAA Security Rule under the HITECH Act. The BA can be held directly liable for any unauthorized disclosures or breaches, including its subcontractors, which can subject it to civil and criminal penalties. BAs are obligated to comply with the HIPAA Security Rule even if no HIPAA Business Associate Agreement (BAA) exists. However, it is the CE’s responsibility to obtain “satisfactory assurance” that a BA is HIPAA compliant. If the CE fails to do so and a breach occurs, the CE may be held liable for the BA’s and/or subcontractor’s breach. HIPAA violation fines can be very hefty, and violator names are posted on the HIPAA Wall of Shame, resulting in further negative publicity. Therefore, it is imperative that CEs perform their due diligence obligations to obtain “satisfactory assurance” for all BAs, not just those that are perceived to be “higher risk.”

How Should A Covered Entity Monitor a Business Associate?

Although a CE has not been required to monitor the BA or its subcontractors for HIPAA compliance, it can still be held responsible for the BA’s breaches. Therefore, it’s the CE’s responsibility to ensure compliance with the Rules, which require administrative (i.e., policies/procedures), physical (i.e., physical access and data storage controls), and technical safeguards (i.e., protection of PHI electronically over networks). To accomplish this, it is recommended that a CE do the following:

Obtain an updated Business Associate Agreement (BAA), which specifies who has access to the CE’s data.
Request and review the BA’s:
1. Security Risk Analysis and Risk Assessments for the last 3 years, as well as corresponding Management Plans
2. Policies and procedures for the HIPAA Privacy and Security Rule, breach notification, notice of privacy practices, and employee training
3. Security audits and incident logs
Engage a HIPAA expert to review BA materials to better assure relevant safeguards are in place. Conventus members have access to HIPAA experts at discounted rates through strategic partner alliances. For more information, contact the Practice Resources Department at 877-444-0484, x7466.
Require the BA to notify the CE when system updates and configuration changes will occur with their software/product.
Test the upgraded software/product to identify and address any security issues.
For FTP sites:
1. Maintain a written or electronic log of the number of times the FTP site has been accessed.
2. Establish and implement procedures to create and/or maintain exact copies of the e-PHI maintained on the FTP site or ensure that the BA is sending you regular back-ups of stored data in a standard format.

Business Associate Agreements: What should be in a Business Associate Agreement?

A HIPAA Business Associate Agreement (BAA) is a contract between a CE and a BA, or between a BA and a sub-contractor, indicating how PHI can be used. It sets out the terms of permissible use based on the relationship between the parties and the activities or services provided by the BA and/or sub-contractor. The HIPAA rules require that a CE and a BA enter into a BAA. Click here for full information on required BAA provisions, as well as a sample agreement. It is a prudent practice to regularly review your vendors, and ensure BAAs are in place that comply with the law. In addition to the required items, it is recommended that BAAs also include the following:

Require that the BA notifies the CE within 3 – 5 days of a breach as defined in HIPAA, so that the CE can report “without unreasonable delay.”
If feasible, require the BA to indemnify the CE from all liabilities arising from lost, stolen, destroyed, or breached data.
Guarantee availability of data in a standard format once it is transferred to and controlled by the vendor.
Provision for a termination clause if the CE experiences any issues, such as a breach.
Specify that the BA does not own the CE’s data, but has a limited license to use the data for the purposes prescribed in the contract. The license should expire when the agreement terminates.
The BA must abide by HIPAA Privacy and Security Rule requirements. If the BA carries out any of the CE’s obligations under the Privacy Rule, the BAA must require that the BA agree to abide by the Privacy Rule.
Conventus members can contact the Practice Resources Department at 877-444-0484, x7466, for additional resources and questions about HIPAA and BAs. An expert member of the Department would be happy to speak with you.

Protect Your Practice Cyber Security: Disaster Planning

November 16, 2016 by Conventus

91% of all healthcare organizations reported at least one data breach over the last two years. With medical practices a main target, it’s critical for your practice to have IT security measures and a disaster plan in place. Join our live webinar as Nelson Gomes, President & CEO of PriorityOne Group, details how to correct common security mistakes and actionable tips for preventing and recovering from damaging cyber attacks.

WHAT YOU WILL LEARN

Top patient privacy and security concerns
Common compliance and security mistakes medical groups make
Proper IT security and compliance
Simple security measures your practice can implement now
Strategies for preventing and recovering from a cyber attack
Key disaster planning takeaways

Presenter:

Nelson Gomes
President & CEO, PriorityOne Group

Nelson Gomes is the President and CEO of PriorityOne Group. As the founder of PriorityOne Group, Mr. Gomes is a seasoned veteran with over 20 years of experience in IT. For the last 15 years he has specifically focused on healthcare IT. He attributes his proven proficiency in healthcare IT to a solid foundation built during his years of service with the Valley Hospital and Baptist Health. Nelson’s extent of experience and proven results continue to help healthcare organizations of all sizes. The key to his success is his unique method of leveraging technology in order to allow physicians to deliver better and smarter healthcare, driven by a single mission of enabling healthcare organizations to make the most of their technology.

Nelson is a frequently called upon for his expertise by professional groups and associations. He is a graduate of DeVry University and is a certified project manager associate. He is also a member of NJMGMA, NJAASC, PMI and HIMSS.

About Us

Solutions

Knowledge Center