HIPAA changes 2020

There is so much going on right now it is hard to keep up. I know there is a lot of activity when we can’t keep an eye on everything! There are several stories that I think we should all be aware of, but the big headline one is about HIPAA changes coming in 2020. However, it isn’t the only change that you should be aware of.




In this episode:

HIPAA changes coming? – Ep 272

Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Another awareness month we almost missed

[12:27] We missed another big monthly celebration. At least I don’t feel bad when OCR just sent it out this week too. Apparently, September is National Insider Threat Awareness Month, according to CISA. I also did not know we had a National Insider Threat Task Force, or NITTF. It is only the second annual one, so we can give ourselves a pass. It has taken years for us to have podcasts planned in time for NCSAM. This may be the 5th year before we get it down. They do have some interesting resources. Check them out. Maybe there is something you can use.

Speaking of NCSAM, we will start next week doing our part to promote cybersecurity awareness. Each week we are going to cover the discussions you should be having with your team the following week. Listen in on Friday and use the information we give you to teach someone – anyone.

Vishing attacks are surging

[15:14] The FBI and CISA warn that hackers are increasingly using voice phishing, or vishing, to target employees who are working from home.

“Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks,” according to the alert. “The monetizing method varied depending on the company but was highly aggressive, with a tight timeline between the initial breach and the disruptive cash out scheme.”

They set up a fake domain and make a page that looks like the company VPN login page. They use public information and social media to create a “dossier” of all the employees. They get it from social media platforms, recruiter and marketing tools and even use background check services to gather information about employees such as the victim’s name, home address, telephone number, position at company and length of employment.

Once they have a list of targets they start spoofing numbers and even include company numbers or mobile numbers of other employees.

They call up their targets and tell them they are working with IT and will be sending them a new link to log into the VPN. They are very nice and even politely talk them through the process to make sure they have no problems. YEAH, RIGHT. By the time the target logs in on the fake page, the caller has built enough trust to ask for the 2FA code as well, so the attackers capture the whole login. Once they do that they are into the network. We just heard from Gary how quickly they take off then!

All the training about grammar issues and typos goes out the door when someone is on the phone. If they speak English well enough to be understood, most people start to fall for it pretty quickly. I think now IT will have to resort to using the military challenge word and password for phone calls. You will hear techs everywhere whispering their codes. Paradise – toilet, or something like that, to make sure it is the right person on the phone.

HIPAA changes coming? – Ep 272

[21:18] Last week the folks over at Information Security Media Group published this article:

“Proposal for HIPAA Modifications Coming by Year’s End” (subtitled “Interview: HHS OCR’s Timothy Noonan on Potential HIPAA Changes, Other Agency Initiatives”), with a great video interview you can check out. I encourage you to watch it because there is no way we can cover everything they touched on there. The big thing is that headline everyone noticed. What does it really mean? Well, we can share our understanding of what it means. I realized when I was watching it that a lot of the terms and points may not make sense to someone who doesn’t have a daily diet of HIPAA privacy and security.

At the end of 2019, OCR had an open comment period looking for input on various topics they had been evaluating. The comment period for that closed shortly before COVID drove all our plans off the cliff. The intention by OCR at the time was to compile the information from the comments and issue a notice of proposed rule-making (NPRM for those in the know). These notices get published in the Federal Register announcing that this is what they intend to do, and they allow the public to respond with questions and comments before the “final rule” is announced. Yes, just like they did with the Omnibus Final Rule relating to the HITECH changes.

According to Noonan, they expect to release that NPRM before the end of the year. Sometimes, when these things are announced they are received fairly well and the process will go pretty smoothly, but I just don’t see that happening this year at all! One point he made clear is they do not intend to divert attention from actual life and death situations surrounding the pandemic. That is a much more important part of our mission as healthcare professionals. Clearly, that could derail the release of the NPRM. Even if it comes out there is a required comment period, and that may need to be extended due to the pandemic’s drain on the system.

No matter what happens with this announcement there will likely be changes made to HIPAA based on the input from the end of 2019. At that time, important points included getting rid of the requirement for patients to confirm receipt of the NPP (Notice of Privacy Practices). One less piece of paperwork for everyone to worry about. But, that means you will definitely need to have the rest of your NPP ducks in a row. Many do not. Trust me when I say that.

[29:12] An area I am very interested in seeing how it will be addressed relates to the accounting of disclosures requirements under HITECH. Honestly, I am not sure how all our systems could handle and reasonably report on every single access to a patient record, including all access for TPO (treatment, payment, and healthcare operations). That is definitely one I see as a burden our systems and databases just do not need to handle. We can now get most of the information from the logs of certified EHRs, and as more people start to monitor those records with tools like SPHER we will see the desired results.

The request for information (RFI) may have opened the floodgates by asking for comments about “any provisions of the HIPAA rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information and/or patients’ ability to exercise their rights with respect to their PHI.”

There were other items in the RFI relating to information sharing which was poised to be the big focus of 2020 between ONC and OCR with the release of the official ONC interoperability rules. Unfortunately, that was released in January or February. You know a decade ago.

Other notes from the Noonan interview

I made a few notes as I was listening to the interview that caught my attention. Things like:

He said several things that made me write down and draw a big circle around these words “audit your patient access”. We keep mentioning this because it is time for folks to get on board with this concept. Noonan reiterated it in his comments.

They are really looking into how well providers are doing when it comes to sharing information about patients. Some do it no questions asked while others do not necessarily make it easy. The pandemic has made that stand out apparently. If you are one of those groups who aren’t making information sharing a priority, get it on your list to review what you are doing, what you should be doing, and how you can improve.

[36:27] If you did a word cloud including all the HIPAA terms they discuss the one big huge one in the middle would be Risk Analysis. More messaging about the fact that you better stop playing check the box with these things.

They are evaluating the response to the telehealth enforcement discretion to see if there is anything they can learn from it. Unless they ditch the Security Rule altogether, I don’t know how they can keep things this lax. That may be why he gave such a convoluted answer when asked what they planned to do with it.

He stressed the importance of training. I am as shocked as you are about this one!  LOL. One of the primary breach issues they continue to see is email compromises related to phishing. He specifically said we should be training and testing employees about phishing. Another email related problem that he mentioned was a lot of reported breaches when PHI is emailed to the wrong person. I am just not a fan of PHI in email for so many reasons.

In case you were wondering, he specifically stated that their commitment to enforcement had not changed. The enforcement initiatives they started last year will continue until they start to see change in the industry. That reference is to the patient access to medical records initiative launched in 2019. We are already seeing they are not backing down on this stuff.

[43:49] Enforcement case selection was pretty interesting how he put it. He pointed out that in 2019 alone they received over 500 major breach notifications PLUS around 28,000 complaints. That is just in 2019. That doesn’t count the backlog they already had! As he put it, they “have no shortage of cases to choose from” when it comes to enforcement. Oh and he did add that they do “pay attention to the news” which usually adds some interesting messes to the list I am sure.

The cases they choose to single out involve either egregious violations of privacy or systemic noncompliance failures that let them know that leadership is not taking their obligations seriously. I think that pretty much makes the point, doesn’t it? They want you to show you take it seriously. That is it.

Our privacy and security programs focus on doing more than just HIPAA compliance. But, we never forget that HIPAA must be a huge part of our programs. Learning what is expected of you directly from OCR is the best way to make sure you are doing everything you can be doing to meet your legal obligations to protect patient privacy.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.