Recently, we’ve had a couple of things come up that involved tricky places where HIPAA applied that most people might not think of. So, we thought we’d throw them out there and have a little bit of fun discussing them.
In this episode:
3 Tricky Places HIPAA Applied – Ep 353
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5 day In Person Event
Sep 12, 13, 14 and 15
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
405(d) Tip of the Week
[08:29] 10 Best Practices: #2 Endpoint Protections
What are endpoints? Every device that can connect to your network or your data: workstations, laptops, phones, tablets, servers, medical devices and the like.
405d: Endpoint Protection Systems poster
For Small Organizations:
- Remove administrative accounts as most users in an organization do not need to be authorized as system administrators with expanded system access and capabilities. Removing this access can mitigate the potential damage caused by an attacker who compromises that endpoint.
- Patching (i.e., regularly updating) systems removes known vulnerabilities that attackers can exploit. Each patch closes a specific flaw in a software application, leaving attackers fewer ways in.
- Implement Basic Endpoint Protection Controls such as antivirus software, full disk encryption and patching. Each endpoint in your organization should be equipped with these controls and configured to update automatically.
For Medium/Large Organizations:
- Automate the provisioning of endpoints. When using value-added resellers (VARs), ensure they preconfigure endpoints before delivering them to your enterprise.
- Use Mobile Device Management (MDM) technologies. MDM technologies manage the configuration of devices connected to the MDM system.
- Implement Endpoint Detection and Response technologies. These technologies allow cybersecurity departments to query large fleets of endpoints for suspicious activity.
HIPAA Say What!?!
[16:47] The rest of today’s podcast is HIPAA Say What!?! We thought it would be fun to discuss 3 tricky places where HIPAA has applied.
1 – Protected Health Information is not just what is included in the medical records.
Many people believe that the only place PHI (or ePHI) exists on their network is in the EHR. This is simply not true. We haven’t come across one client who can prove that the PHI entrusted to them is ONLY in their EHR system. PHI can be found on servers, individual staff computers, copiers and scanners, backup devices, USB drives, medical devices, trash cans, shred bins, inside staff members’ desks and many, many more places within an organization.
Here is a story from a client who is having trouble getting the VOIP phone service provider to understand they have PHI in the form of recorded phone calls and voicemails from patients and others. This practice vets their vendors before they sign a contract with them.
From a client: Please review the answers and let us know what you think. This is a response from a VOIP vendor.
- Does your company understand you are eligible for a HIPAA audit as a Business Associate (BA) and are subject to HIPAA civil and criminal penalties in the event an investigation is initiated that finds serious compliance issues in the same manner as a Covered Entity (CE)? Partial
- Have you assigned a HIPAA Privacy / Security Officer? No
- Do you have a written Breach/Incident Response Plan? Yes
- When was the most recent complete SRA performed? Not applicable
- Have you developed an associated mitigation plan for your last Risk Analysis? Yes
- When did you last complete an audit of your written HIPAA policies and procedures? Never
- Do you have a formal HIPAA training plan for your entire workforce including new hires? No
- Why has your entire workforce not had training? As a communications service provider, none of our clients’ data (or that of their patients) touches our network and we don’t touch their network to the extent that patient data could be accessed. Call recordings that contain PHI would be stored on our network, as they are stored on the PBXs.
- Does your organization store any of our ePHI on your devices at any time or in any format? Partial
- Do you have a Business Associate Agreement (BAA) in place with any vendors that store or maintain devices where our PHI will be stored? Not applicable
- Do you understand that your Business Associate Agreement (BAA) with us requires time limits for reporting security incidents and breaches of PHI? Not applicable
These are just a few examples of the answers. Clearly, there are issues here. If you will be storing PHI in any way, you fall under HIPAA. We said, ummmm, you’re gonna need to try this again.
Their response:
The questions are “being reviewed by an Executive committee, and they are taking a long term view to this issue to see what policy and procedures changes we should or might consider.”
Takeaway: This is another situation where assumptions have been in place that seemed to work for a long time. VOIP vendors that host voicemails from patients to their providers should double check how those recordings are handled. If you use a VOIP solution that stores PHI, check that too. And keep in mind that even when the recordings live on your on-premises PBX, your VOIP company may have admin access to that device to provide support whenever they need it. If they can reach the PHI, they are a business associate and need a BAA.
Do not assume your vendors have it covered. Some don’t even realize they fall under HIPAA or the implications of what that really means even if they think they need to sign a BAA. It is your responsibility and your reputation at risk for every vendor that you have in your “downstream”.
[29:05] 2 – When committing healthcare fraud, someone is usually violating HIPAA. If you find one, expect to search for the other.
Two FL residents, Nathan & Talia, sold Medicare patients’ personal and medical records to another man named Juan. Juan used that information to file $109 million in false claims and paid those two over $1.6 million in kickbacks.
They got the patient information by working with foreign call centers to call Medicare patients offering them some durable medical equipment (DME) gadget for their knees or back, etc. “at little to no cost.” Of course, that meant they needed all the demographic information and insurance policy details to file with Medicare.
So, where did HIPAA come into play? Interesting how committed they were to making sure their claims were paid. Nathan and Juan brought in Stefanie Hirsch, 51, of Los Angeles, CA to help them out with checking eligibility.
They checked Medicare patients’ insurance eligibility with a patient eligibility tool that Hirsch had access to through her business. Hirsch owned EI Medical, Inc., a Medicare-enrolled wheelchair and scooter repair company, which qualified for access to a clearinghouse to do these kinds of checks. Stefanie gave Nathan and Juan her clearinghouse login and charged them $0.25 per patient eligibility check. Nathan accessed the data of more than 350,000 patients using her login and Juan added another 150,000. NOW THAT IS HIPAA RELATED.
Stefanie pleaded guilty to HIPAA violations. She was sentenced to 3 years probation and a $2,500 fine. At a quarter a pop, she still made out better. Oh, but wait, she has definitely gone through those funds on lawyers and much more. I doubt the business is doing well, if she even still owns it.
Takeaway: Durable medical equipment is often used for Medicare fraud. If your staff has access to these kinds of tools, think about what they could be offered to participate in a similar scam. This is why it is crucial that access logs from every system your users can reach are actually reviewed, so that bulk lookups like this, shared logins, and any other inappropriate access or use can be found.
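Reviewing logs only helps if someone is looking for the right patterns. The script below is an added example (not from the podcast, the 405(d) program, or any clearinghouse product) of the kind of check that would have surfaced the Hirsch case: it reads a constructed audit log of eligibility checks and flags a login that looks up far more patients per day than its business justifies, is used from more than one source IP on the same day (a shared credential), or runs checks after hours. The log format, the login names, the IP addresses and the thresholds are all assumptions for illustration; adapt the parser to whatever your clearinghouse or practice management system actually exports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real clearinghouse output). Fields:
# timestamp  login  source_ip  action  patient_id
SAMPLE_LOG = """\
2023-03-01T09:02:11 repair_tech 198.51.100.7 ELIG_CHECK P1001
2023-03-01T09:15:40 repair_tech 198.51.100.7 ELIG_CHECK P1002
2023-03-01T10:41:03 repair_tech 198.51.100.7 ELIG_CHECK P1003
2023-03-01T22:13:05 repair_tech 203.0.113.45 ELIG_CHECK P2001
2023-03-01T22:13:06 repair_tech 203.0.113.45 ELIG_CHECK P2002
2023-03-01T22:13:06 repair_tech 203.0.113.45 ELIG_CHECK P2003
2023-03-01T22:13:07 repair_tech 203.0.113.45 ELIG_CHECK P2004
2023-03-01T22:13:07 repair_tech 203.0.113.45 ELIG_CHECK P2005
2023-03-01T22:13:08 repair_tech 203.0.113.45 ELIG_CHECK P2006
2023-03-02T08:30:00 front_desk 198.51.100.9 ELIG_CHECK P1004
2023-03-02T08:45:12 front_desk 198.51.100.9 LOGIN -
2023-03-02T08:45:12 front_desk 198.51.100.9 ELIG_CHECK P1005
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, login, ip, action, patient = parts
        events.append({"ts": datetime.fromisoformat(ts), "login": login,
                       "ip": ip, "action": action, "patient": patient})
    return events


def analyze(text, max_per_day=5, business_hours=(7, 19)):
    """Return findings about eligibility-check activity, grouped per login per calendar day.

    max_per_day: distinct patients one login may reasonably check in a day (assumed baseline).
    business_hours: (start_hour, end_hour); checks outside this window are counted as after-hours.
    """
    patients = defaultdict(set)    # (login, day) -> distinct patient ids looked up
    source_ips = defaultdict(set)  # (login, day) -> source IPs the login was used from
    after_hours = defaultdict(int)  # (login, day) -> number of checks outside business hours
    start, end = business_hours

    for e in parse_log(text):
        if e["action"] != "ELIG_CHECK":
            continue
        key = (e["login"], e["ts"].date().isoformat())
        patients[key].add(e["patient"])
        source_ips[key].add(e["ip"])
        if not start <= e["ts"].hour < end:
            after_hours[key] += 1

    findings = []
    for login, day in sorted(patients):
        key = (login, day)
        if len(patients[key]) > max_per_day:
            findings.append({"rule": "bulk_lookup", "login": login, "day": day,
                             "count": len(patients[key])})
        if len(source_ips[key]) > 1:
            findings.append({"rule": "multiple_source_ips", "login": login, "day": day,
                             "count": len(source_ips[key])})
        if after_hours[key]:
            findings.append({"rule": "after_hours", "login": login, "day": day,
                             "count": after_hours[key]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['day']} {f['login']}: {f['rule']} (count={f['count']})")
```

On the sample data the `repair_tech` login trips all three rules on 2023-03-01 (nine patients, two source IPs, six after-hours checks) while `front_desk` produces nothing. The baseline is the important knob: a wheelchair repair shop has no business reason to run hundreds of thousands of eligibility checks, so set `max_per_day` from what the role actually needs and investigate anything above it rather than tuning the threshold until the alerts go quiet.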
[38:20] 3 – Your website matters. Remember when we covered the importance of website security (Why Does Website Security Matter? – Ep 342) and thinking about PHI being there? Well, how about website cookies getting you caught up in HIPAA violations?
Partners Healthcare System Data Privacy $18.4M Class Action Settlement
Here is a case where a massive class action settlement included “all Massachusetts residents and U.S. residents who received medical care at Partners Healthcare System — now Mass General Brigham — in MA who visited the following websites between May 23, 2016, and July 31, 2021: massgeneralbrigham.org, massgeneral.org, brighamandwomens.org, and dana-farber.org.”
It is all about their use of cookies, pixels, website analytics tools, and “associated technologies” on several websites without first obtaining the consent of website visitors.
The healthcare system insists they didn’t do anything wrong and that no PHI was exposed. This case will likely bounce around for a while and many others will get this same debate.
There was a case in the past where a group sued because a website was sending PHI to Facebook. When you visited that site’s pages about cancer, you started seeing cancer ads on Facebook.
Takeaway: This is what can happen when you get marketing people involved who don’t understand what it is that a business does or how what they do could involve PHI and HIPAA. They just track pixels and use cookie tracking and Google Analytics on your site to help get your practice’s name out there and at the top of search lists, etc. Again, don’t just assume a marketing company doesn’t fall under HIPAA or that they have HIPAA covered. Understand what they are doing and if it could be a violation of HIPAA rules. Just because they can do it, it doesn’t mean they should.
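The practical check here is to look at your own pages the way a browser does: every script, image, iframe or stylesheet pulled from someone else’s host is a request that carries the page URL (and whatever cookie that host set) to a third party, and on a condition-specific page that URL is the leak. The script below is an added example, not something from the podcast or from any of the health systems named above: it parses constructed sample HTML, lists every resource served from a host other than the page’s own, matches those hosts against a short list of well-known tracker domains, and records the page path that each tracker request would carry. The sample page, the `clinic.example` host and the tracker list are assumptions; extend the list with whatever your marketing team has actually deployed and run it against your real condition, appointment and patient-portal pages.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of well-known tracker hosts; extend for your environment.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE_URL = "https://clinic.example/conditions/cancer/treatment-options"
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-fonts.net/style.css">
</head><body>
<img src="/img/logo.png">
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0000&ev=PageView&noscript=1"></noscript>
<iframe src="https://player.example-video.com/embed/123"></iframe>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect the URLs a browser would fetch while rendering the page."""

    # Tag -> attribute that names the fetched resource.
    LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attr = self.LOAD_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def third_party_loads(page_url, html):
    """Return every resource on the page served from a host other than the page's own."""
    own_host = urlparse(page_url).netloc.lower()
    parser = ResourceCollector()
    parser.feed(html)
    loads = []
    for tag, url in parser.resources:
        host = urlparse(url).netloc.lower()
        if host and host != own_host:  # relative URLs have no netloc and are first-party
            loads.append({"tag": tag, "host": host, "url": url,
                          "tracker": TRACKER_HOSTS.get(host)})
    return loads


def tracker_findings(page_url, html):
    """Third-party loads that match a known tracker, with the page path each request would carry."""
    page_path = urlparse(page_url).path
    return [dict(load, leaked_page_path=page_path)
            for load in third_party_loads(page_url, html) if load["tracker"]]


if __name__ == "__main__":
    for hit in tracker_findings(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{hit['tracker']} via <{hit['tag']}> {hit['host']} "
              f"sees page path {hit['leaked_page_path']}")
```

Note that the pixel inside `<noscript>` is caught too: an image beacon fires even with JavaScript disabled, so a scan that only looks at `<script>` tags understates the exposure. Parsing static HTML misses trackers that a tag manager injects at runtime, so treat a clean result from this script as a starting point and confirm it by watching the browser’s network traffic on a logged-in portal page.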
Vet your vendors, folks… preferably before you sign a contract with them. And any time one tells you “we’ve got the privacy and HIPAA thing covered, so we don’t worry about it,” assume they don’t until they can prove to you they do! And don’t stop there. The supply chain is becoming a bigger and bigger problem. Make sure your vendors are vetting their own downstream vendors, especially those using third-party tools or services that touch your business.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.