Feds Issue HIPAA Guidance on Employee Sanctions, Telehealth
HHS OCR Guides Spotlight Sanctions for Insiders; Telehealth Privacy, Security Risks
Healthcare organizations have long realized that insider threats pose risks to patient privacy, either through employees carelessly handling HIPAA-regulated information or selling the information to cybercriminals.
To combat these threats, healthcare firms need strong policies in place to sanction insiders for bad behavior and make sure the entire workplace knows the consequences for violating HIPAA rules, according to a new guidance document released by the Department of Health and Human Services' Office for Civil Rights. HHS also recently released two new resources for healthcare providers and patients on telehealth privacy and security risks.
The new guidance on sanction policies for employees who violate HIPAA follows another HHS unit - the Health Sector Cybersecurity Coordination Center - issuing an advisory last year warning about threats involving hackers gaining access to sensitive health information through social engineering schemes.
HHS OCR said sanction policies can be an important tool to increase accountability and improve data protection. "Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident," the agency said.
Both the HIPAA Privacy Rule and the Security Rule require that covered entities and business associates have sanction policies for workforce members that violate the rules, but the regulations do not prescribe any specific penalty for individual offenses or particular sanction methodology.
"Imposing consequences on workforce members who violate a regulated entity's policies or the HIPAA Rules can be effective in creating a culture of HIPAA compliance and improved cybersecurity because the knowledge that there is a negative consequence to noncompliance enhances the likelihood of compliance," HHS OCR said.
Additionally, training workforce members on the entity’s sanction policy "can also promote compliance and greater cybersecurity vigilance" by informing workforce members in advance which actions are prohibited and punishable, the agency said.
HHS OCR reminded entities that the agency has previously issued HIPAA enforcement actions in at least two breach cases involving organizations that potentially violated HIPAA by failing to sanction workforce members who impermissibly disclosed patients' protected health information.
Those cases led to a $2.4 million settlement in 2017 with Houston, Texas-based Memorial Hermann Health System and a $125,000 settlement in 2018 with Allergy Associates of Hartford.
"HIPAA is one of very many areas where companies need to make sure that employees know to follow the rules and know that there will be consequences if they do not follow the rules," said privacy attorney Kirk Nahra of the law firm WilmerHale.
"Most companies - quite appropriately in my mind - have simply referenced their broader HR sanctions policies, which apply across the board to all kinds of sanctions for failing to follow rules," Nahra added. But he suggested that HHS OCR should have focused its guidance on the importance of enhanced training rather than sanctions policies.
"Employees either make mistakes - where training and better security policies can help - or are bad actors, where the training isn’t the point and maybe they need to know there will be consequences," he said. "I’m not sure how expanding sanctions policies will make much of a difference here."
Telehealth Guidance
HHS OCR's two new telehealth guidance documents come after President Joe Biden in May lifted a three-year-long national public health emergency related to COVID, which also ended a limited waiver policy under which HHS OCR said it would exercise enforcement discretion for certain HIPAA violations during the pandemic. That enforcement discretion applied to certain potential violations involving telehealth.
But since those waivers have ended, the new HHS OCR telehealth guidance documents remind healthcare providers about the privacy and security risks around the use of telehealth and offer suggestions for how the entities can better educate their patients about the risks.
The new document, "Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth," provides suggestions to help healthcare providers discuss telehealth privacy and security risks with patients.
While HIPAA does not require covered entities to educate patients about how to reduce telehealth privacy and security risks to PHI, providing such information "can help promote more effective communication between the provider and patient, which is important for quality care," HHS OCR writes.
"Tell your patients that using video conferencing apps and other remote communication technologies for telehealth can come with risks to the privacy and security of their health information and how these risks can be mitigated," the document says. HHS OCR recommended several prevention and mitigation steps for patients who use telehealth applications and other remote communication with their healthcare providers, including applying anti-malware software and installing software patches and updates.
The second new telehealth guidance, "Telehealth Privacy and Security Tips for Patients," provides more in-depth details about how patients can avoid privacy and security risks involving their health information when using a telehealth service, mobile app or patient portal. The recommendations include using multifactor authentication and encryption and avoiding the use of public Wi-Fi and USB ports as public charging stations.
"Healthcare providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private," said HHS OCR Director Melanie Fontes Rainer in a statement.
HHS OCR did not immediately respond to Information Security Media Group's request for additional comment on the guidance documents, including whether the materials reflect an uptick in HIPAA breach reports or complaints involving telehealth or workforce incidents and if the guidance foreshadows pending enforcement actions by the agency in such cases.
Telehealth continues to create a great deal of confusion around HIPAA, Nahra said. "It’s a core question of balancing convenience to patients with appropriate security practices," he said.
"I hope that OCR will not take enforcement action in any remotely close calls. They should only be looking at really egregious situations," he said. "We are seeing some tendencies for OCR to be diving far down into the weeds of some programs that are generally well done. I hope they focus their attention on areas of real concern where the covered entities are not at all acting reasonably."