New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or their business associate—for the following activities:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; or
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

The covered entity or business associate must reasonably determine the reproductive health care is lawful under the law of the state in which such health care is provided or otherwise protected by federal law. In certain circumstances, covered entities and business associates may presume that the care provided was lawful.

Covered entities and business associates must obtain a valid attestation before processing a request for PHI potentially related to reproductive health care that will be used for health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. This attestation must be written in plain language and contain, among other things, the name of the person requesting the information, a statement that the use or disclosure is not for a prohibited purpose, and a statement putting the requestor on notice that they may be subject to criminal penalties under 42 U.S.C. 1320d-6 if they knowingly and in violation of HIPAA obtain or disclose individually identifiable health information. Fortunately, OCR intends to publish model attestation language before the compliance date, which will aid covered entities in adopting the new form.

In a Fact Sheet accompanying the Final Rule, HHS reminds covered entities (and business associates) that HIPAA permits, but does not require, certain disclosures to law enforcement and then only when all conditions are met. Referring to previous OCR guidance, HHS explains that covered entities (and business associates) are “only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care (lawful or otherwise) if the covered entity or business associate is required by law to do so and all applicable conditions are met.” Under this Final Rule, HHS cautions that a disclosure to law enforcement is only permitted where all three of the following conditions are met:

  • The disclosure is not subject to the prohibition,
  • The disclosure is required (not simply permitted) by law, and
  • The disclosure meets all applicable conditions of the HIPAA exception for permission to use or disclose PHI as required by law set forth in 45 CFR 164.512(a).

In light of these changes in the Final Rule, covered entities and business associates will need to adopt an Attestation form, revise policies and procedures relating to the disclosure of PHI to address these new restrictions on disclosures of PHI containing information about reproductive health care, and consider appropriate revisions to their Business Associate Agreements. Affected members of the workforce will also need to be trained in these new procedures.

The Notice of Privacy Practices (NPP) will need to be amended

Covered entities will also need to revise their NPPs pursuant to the Final Rule’s modification of 45 C.F.R. 164.520. This modification will require covered entities to amend their NPPs not only as to reproductive health care privacy but also to address the confidentiality of substance use disorder (SUD) patient records, as required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020.

Reproductive Health Care Records. Per the Final Rule, covered entities must provide individuals with additional information about how their PHI may or may not be disclosed for purposes related to reproductive health care. Specifically, covered entities must modify their NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under the Final Rule, including at least one example of the types of uses and disclosures prohibited under new 45 CFR 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition. The NPP must also contain a description, including at least one example of the types of uses and disclosures for which an attestation is required under new 45 CFR 164.509.

The NPP must include a statement to place the individual on adequate notice of the potential for information disclosed pursuant to HIPAA to be subject to redisclosure by the recipient and no longer protected by HIPAA. This change will afford transparency and assist covered entities in explaining the limitations of HIPAA to individuals.

Part 2 Substance Use Disorder Records. The Final Rule also includes changes to align the NPP requirements for HIPAA covered entities with the similar requirements for programs that provide SUD treatment under 42 U.S.C. 290dd-2 (Part 2). Currently, Part 2 programs must provide patients with a written confidentiality notice (the Patient Notice), while covered entities must provide individuals with an NPP. HHS has now revised both sets of requirements to allow a combined Patient Notice and NPP. On February 16, 2024, HHS released a final rule entitled Confidentiality of Substance Use Disorder (SUD) Patient Records (the “2024 Part 2 Rule”), which finalized the confidentiality requirements for SUD patient records under Part 2 consistent with the CARES Act and aligned the Patient Notice requirements as closely as possible with the NPP requirements. This Final Rule now amends the NPP requirements in the same way, allowing covered entities to combine the Patient Notice and NPP. Covered entities may continue to provide separate documents if desired.

The Final Rule requires covered entities that create or maintain PHI that is also a record of SUD treatment provided by a Part 2 program, i.e., covered entities that are Part 2 programs and covered entities that receive Part 2 records from a Part 2 program, to provide notice to individuals of the ways in which those covered entities may use and disclose such records, and of the individual’s rights and the covered entities’ responsibilities with respect to such records. A covered entity that receives or maintains records subject to Part 2 must supply an NPP written in plain language and containing the elements required.

Consistent with the CARES Act, the NPP’s descriptions of uses or disclosures that are permitted for treatment, payment, and health care operations (TPO) or without an authorization must reflect any “other applicable law” that is more stringent than HIPAA, and the Final Rule specifically includes Part 2 in that “other applicable law.” Those descriptions must be sufficient to place an individual on notice of the uses and disclosures that are permitted or required by HIPAA and other applicable law, including Part 2.

Covered entities must provide notice to individuals that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order, consistent with the requirements of 42 CFR Part 2.

Covered entities must provide individuals with a clear and conspicuous opportunity to elect not to receive any fundraising communications before using Part 2 records for fundraising purposes for the benefit of the covered entity.

OCR clarifies that although separate covered entities that participate in an organized health care arrangement (OHCA) may issue a joint NPP for the OHCA, Part 2 requirements continue to apply to the Part 2 records maintained by covered entities that are part of OHCAs and individuals who are the subjects of such records maintain all rights under Part 2.

While making these required changes, it is also a good time for a covered entity to review its NPP in its entirety to see if other changes are necessary and to ensure that it remains current and adequately describes how the covered entity uses and discloses PHI as well as how individuals may access their records.

Effective Dates and Compliance Dates

Looking for assistance with your organization’s privacy policies? We work with clients in the preparation and updating of privacy policies and procedures to comply with the HIPAA Privacy Rule and more.  Such policies are essential to meet patients’ expectations surrounding the protection of their privacy as well as the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights. If you are looking for assistance in this area, or to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, please contact: Margaret Young Levi, mlevi@wyattfirm.com, at 859.288.7469

CMS Issues Updated Guidance on Texting Patient Orders

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors.  This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information. 

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended.  CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below. 

To comply with HIPAA regulations, in its 2024 Memo CMS recommends that providers utilize and maintain systems/platforms that are “secure and encrypted and must ensure the integrity of author identification as well as minimize the risks to patient privacy and confidentiality.”  CMS continues, “Providers should implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.”

The hospital and CAH CoPs at 42 C.F.R. 482.24 and 485.638, respectively, require among other things that inpatient and outpatient medical records be “accurately written, promptly completed, properly filed and retained, and accessible.” They also require that the hospital use “a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries.” In addition, the CoPs require that medical records be retained in their original or legally reproduced form for a period of at least 5 years. The CoPs also require that all orders, including verbal orders, be dated, timed, and authenticated promptly by the ordering practitioner and be included in the medical record. Any secure texting platform must therefore not only protect the privacy and security of the information contained in the order but also allow the order to be securely transmitted into the hospital’s electronic medical record in order to comply with these CoPs.

TJC previously prohibited texting orders and is now reconsidering its stance on the topic.  TJC’s website currently states, “The practice of texting patient orders is currently under review,” and TJC has promised to publish updates in the Perspectives Newsletters. TJC accredited facilities may want to wait for TJC guidance on this topic before implementing secure texting of orders.

In summary, we recommend that hospitals implement texting of patient orders with caution and only after addressing these concerns.  Hospitals should assess any secure texting platform to ensure it protects the privacy and security of any PHI as well as allows the hospital to meet the Medicare CoPs and, if applicable, TJC standards.  Hospitals should also re-assess texting platforms routinely to ensure they continue to meet these standards.

Contact a member of Wyatt’s data privacy and cyber security practice if you have questions or require assistance. To learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit any person, whether an individual, a business, or a HIPAA covered entity, from asking individuals (including customers, clients, patients, or visitors) whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA applies only to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

Healthcare Privacy Practices Notice Must Include Nondiscrimination Notice

By Margaret Young Levi and Kathie McDonald-McClure

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the agency vested with responsibility for implementing and enforcing Section 1557. On May 16, 2016, OCR issued a Final Rule that requires entities covered by the ACA to notify beneficiaries, enrollees, applicants, or members of the public of Section 1557’s nondiscrimination prohibitions. This notice must be included in the entity’s “significant” publications and communications.

You might ask, “Why am I reading about this on a legal blog about privacy and security?”  This is because OCR determined that the Notice of Privacy Practices, which healthcare providers and health plans issue to patients and plan members, is a “significant” publication or communication. As a result, health care providers and health plans that are subject to both Section 1557 and the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must add the Section 1557 nondiscrimination notices and taglines to their Notice of Privacy Practices. Health plans should add such notices and taglines to their Summary of Benefits and Coverage as well.
