Protected Health Information: HIPAA PHI Compliance

HIPAA Learning Objectives  (Estimated Read Time – 8 mins)

There are countless HIPAA settlements each year, and well over half of them involve digital and network compliance.

By the end of this article you will know:

  1. A brief overview of HIPAA and its fines.
  2. What PHI and ePHI are.
  3. What the biggest overlooked gap in HIPAA compliance is.
  4. Example cases.
  5. WHY you should care.
  6. How to close those gaps.

HIPAA Overview

Who falls under HIPAA?

Covered Entities (CEs) are medical providers, mental health providers, and medical insurance providers, and yes, that includes medical insurance brokers and agents. Pretty much anyone who accepts insurance as a form of payment, handles Protected Health Information (PHI) or electronic PHI (ePHI), or could potentially come into contact with it falls under some level of HIPAA. This includes third parties that have entered into a Business Associate Agreement (BAA) (and only those that have signed a BAA).

“A Covered Entity is any entity that receives federal financial assistance from the Department of Health and Human Services or is covered under Title II of the Americans with Disabilities Act as a program, service, or regulatory activity relating to the provision of health care or social services.” HHS

Who doesn’t fall under HIPAA?

Any company that doesn’t handle PHI and has no potential to see or interact with it. That includes the contractor who is building your IT network or repairing your office, if they don’t have a BAA. (See the problem if you don’t do an effective risk analysis for PHI?)

If I don’t accept insurance and only accept cash do I have to worry about HIPAA?

It depends.

First, we recommend talking to a lawyer who specializes in HIPAA about your situation. A good rule of thumb: if you have ever fallen under the CE rule, because you accepted insurance in the past, accept it currently, or may potentially accept it in the future, you still have to protect all of that data. (Some lawyers have even mentioned that if you include HIPAA releases on your intake forms, you fall under it.) HIPAA covers past, current, and future clients’ PHI.

HOWEVER, even if you are not under HIPAA, you are still subject to the governing laws of your state and your professional license. While HIPAA has a lot to say about how best to protect data, failing to protect your data can also expose you to the new consumer protection laws that states are adopting, which can still hit you with big fines.

HIPAA Violations and Fines

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) publishes a list of the largest fines and breaches. HHS lists all HIPAA breaches involving 500 or more individuals on the OCR portal; as of 2019 there are over 500 such large breaches over a 24-month period. The largest fines and select breaches are listed on the HIPAA Resolution Agreements website.

Large breaches are only a small fraction of the fines assessed every year.

If you have a breach, you risk not only a very public description of your incident but also a financial penalty based on the size and severity of the breach and the practice’s culpability, not to mention the loss of patient trust and the news coverage.

In addition to fines, you may face criminal charges if the violation merits it.

Important to note: You do not need to have a breach to face HIPAA penalties.

What is the penalty for a HIPAA Violation?

There are five tiers, based on the violation and the level of responsibility (and negligence) with which the entity acted at the time of the violation.

  • Tier 1: Minimum fine of $100 per violation, up to $50,000, with a per-year maximum of $25,000 for each year the issue persisted.
  • Tier 2: Minimum fine of $1,000 per violation, up to $50,000, with a per-year maximum of $100,000.
  • Tier 3: Minimum fine of $10,000 per violation, up to $50,000, with a per-year maximum of $250,000.
  • Tier 4: Minimum fine of $50,000 per violation, with a per-year maximum of $1,500,000.

As of April 2019, fines were adjusted to reflect the maximum amount per tier, but the figures could change, as they are still pending additional rule-making (Federalregister.gov).

It is important to remember that each State Attorney General can also impose HIPAA fines, of which the state keeps a percentage. As you can see, a multi-state data breach can get quite costly very quickly, and a state AG has an incentive to push a case.

Each tier has maximum criminal penalties as well.

  • Tier 1: Maximum of up to 1 year in jail
  • Tier 2: Maximum of up to 5 years in jail
  • Tier 3: Maximum of up to 10 years in jail

Plus up to 2 years for PHI theft and potential payment of restitution.

What Is PHI and ePHI?

What is PHI?

HIPAA protected health information (PHI) is any information about an individual created in the provision of medical care. This includes past, current, and future care.

Examples of PHI include:
  • Name
  • Any part of the address, even the general subdivision the person is located in
  • Telephone and fax numbers
  • Email
  • Social Security Number
  • Any dates (other than the year) related to an individual: admission or discharge, birth, date of death, or the exact age if older than 89
  • Any account numbers (bank, health record, health plan beneficiary number, etc.)
  • Credentials such as certificate/license numbers
  • Device serial numbers, models, etc.
  • Vehicle identifiers, serial numbers, or license plate numbers
  • Web URLs
  • IP address
  • Biometric identifiers (fingerprints or voiceprints)
  • Full-face photos
  • Identifying diagnosis and treatment notes
  • Any other unique identifying numbers, characteristics such as tattoos or body marks, or codes
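As an added example (not from the original article), the script below scans constructed web-server log and lead-export lines for the pattern-shaped identifiers in the list above (IP addresses, emails, phone numbers, SSNs, full dates, and ages over 89) and redacts them; it is the kind of check to run on any export before it goes to a vendor that has not signed a BAA. The regexes, the `redact_phi`/`scan_export` names and the sample lines are all constructed for this illustration.

```python
import re
# Regexes for the pattern-shaped identifiers in the list above (constructed for this
# example). Names, diagnoses and account numbers have no fixed shape: use a lookup.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
}
DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")  # ISO dates; only the year may stay
AGE = re.compile(r"\b(age[:= ]\s*)(\d{1,3})\b", re.IGNORECASE)

def redact_phi(text):
    """Return (redacted_text, sorted list of identifier kinds found)."""
    found = set()
    for kind, pat in PATTERNS.items():
        text, hits = pat.subn(f"[{kind.upper()}]", text)
        if hits:
            found.add(kind)

    def keep_year(m):  # HIPAA allows the year on its own
        found.add("date")
        return m.group(1)

    def cap_age(m):  # exact ages over 89 must be reported as 90+
        if int(m.group(2)) > 89:
            found.add("age>89")
            return m.group(1) + "90+"
        return m.group(0)

    text = DATE.sub(keep_year, text)
    text = AGE.sub(cap_age, text)
    return text, sorted(found)

def scan_export(lines):
    """Redact every line; a non-empty kinds list means the export holds ePHI."""
    redacted, kinds = [], set()
    for line in lines:
        out, found = redact_phi(line)
        redacted.append(out)
        kinds.update(found)
    return redacted, sorted(kinds)

# Constructed sample: a form post in an access log, a lead export, a bare visitor IP.
SAMPLE_LINES = [
    '203.0.113.7 - - [2019-04-12] "POST /contact HTTP/1.1" 200 '
    "email=jane@example.com phone=555-123-4567",
    "lead export: dob 1927-06-30, age 92, ssn 123-45-6789",
    '198.51.100.22 - - "GET /index.html" 200',
]
```

Note that the third line holds nothing but a visitor IP address and still comes back flagged, which is exactly the point about IP data being harvested from a site with no contact form at all.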

What is ePHI?

ePHI is simply PHI that is created, stored, or transmitted electronically, on any device: a computer, thumb drive, the internet, a cellphone, or any recording device.

HIPAA treats any company that stores or transmits PHI as a Business Associate (BA) of the Covered Entity (CE) and requires a Business Associate Agreement (BAA). If the CE does not get a signed BAA, the CE is the one that incurs the HIPAA violations, even if the BA is at fault. Technically, a BA does not even have to view the PHI to fall under the BAA requirement. A BAA safeguards both the CE and the BA by setting out clear responsibilities for handling PHI and liability in the event of a breach. It also lowers the risk of a breach, since both parties understand and follow HIPAA best practices, and having a good BAA and documented procedures can reduce the fines associated with a breach or violation.

That means if a vendor creates, transmits, passes through, stores, or could potentially see ePHI on your behalf, they need a signed BAA. But more on that later.

What Is the Most Overlooked HIPAA Compliance Risk?

Digital marketing and websites.

How?

PHI pertains to past, current, and, most commonly overlooked, future clients. Remember our list of PHI data? IP addresses, contact information, etc. Yes, you may have invested thousands in protecting your physical location, staff training, and internal network, but you may have left the back door wide open.

Your Website

If your site is not hosted on a HIPAA-compliant server or does not have end-to-end encryption, and it has any of the following: a contact form, chat, server-hosted email, or any of a whole host of other potential website security gaps, then you are potentially exposed. We have seen some big providers of “medical websites” build non-compliant sites.

Why is that important?

Your website is the portal of first contact, so if it is susceptible to hackers or malware, your patient data may be intercepted.

Did you know?
  • IP data can be harvested from a website even if you do not have a contact form.
  • A hacker can install fake forms, add content, or access the server if the site is vulnerable.
  • If your internal network connects to your website, then even more data can be mined.
  • Even if you do not connect your website to your network, a compromised site can expose your internal computers to malware, or your employees’ logins to hacking attempts.
  • If you do not have an SSL certificate (the padlock on your site’s URL) installed, any information entered on your site (by visitors or by employees logging in) can be intercepted in plain text.

Example: Look at all of these glowing reviews and comment cards

Your web designer may post testimonials on your website without a signed release.

This office was on the hook for $25,000 for posting testimonials and photos on their website.

Digital Marketing

While a non-compliant website can cause a huge issue when you start to market online, the company you hire can be an even bigger risk.

More often than not, you may hire a marketing company that does not handle data (such as lead information) with HIPAA in mind and inadvertently causes a breach. If you don’t have a BAA with them, then you are fully on the hook for their mistakes (not to mention the violation for not having a BAA), and it could put you and your practice at risk.

But how could that happen?

Search Engine Optimization (SEO)

Example: You hire an SEO consultant or company to help your site reach the top of the search results. If they know what they are doing, they will ask for FTP access to your site, as well as higher-level access than your average user.

You could be on the hook for $300,000, like this Tennessee medical imaging company that gave a contractor FTP access and did no due diligence.

Or they may install call tracking software to show you proof of their results, logging every call to your business along with the caller’s name and traffic source.

Social Media Marketing and Lead generation

Example: Posting a picture of a patient without signed consent can get you in trouble (even if they are inadvertently in the background).

OR

Your lead generation company may be selling or buying your leads on the open market, or using your patient list to create lookalike audiences on Facebook. We don’t need to get into the data breaches that Facebook has had…

Real posts from one large Facebook marketing group looking to buy or sell lead data.

Or your marketing company can leave its server open, exposing your new clients.

It doesn’t take much searching to find examples of potential HIPAA violations. There are literally thousands of examples of how your practice can be exposed by third-party vendors.

Why Should You Care?

If you are still in doubt as to why HIPAA compliance or proper vendor due diligence is something to care about, then please re-read or look up fluffy cat videos on YouTube.

How To Close HIPAA Digital Compliance Gaps

  • Review your digital vendor list and the access each vendor has.
  • Complete a digital audit of third-party vendors who come into contact with PHI/ePHI and check whether they are compliant. Don’t forget about apps, CRMs, plugins, etc.
  • Identify any red flags. Did your marketing or web design company ask you for a BAA, or even mention it? Do your BAs have third-party vendors they outsource your work to? Did they disclose it, and are those vendors also compliant?
  • Get a BAA or terminate the vendor.
  • Write up procedures to mitigate future risk according to HIPAA guidelines.
  • Self-report potential breaches or violations (consult a HIPAA security expert and a HIPAA lawyer first to assess severity and the appropriate response).

Take our HIPAA compliance quiz to see where you may be at risk and/or contact us to schedule a digital risk assessment.

Want even more examples of Digital HIPAA Violations?

  • $100,000 HIPAA breach due to a compromised username and password
  • Open server database indexed by search engines
  • Mental health non-profit pays $150,000 fine for unpatched and noncompliant software
  • $500,000 for sharing HIPAA data with a third-party vendor without a BAA
  • Allowing sales representatives access to PHI to identify patients to market to; jail time avoided in a plea agreement and settlement
  • Office closed over $6,500 ransomware incident
  • 80,000 exposed in marketing breach
