PHI Breaches and Breach Reporting

What is a breach of Protected Health Information (PHI)?  A breach means the impermissible acquisition, access, use, or disclosure of PHI as defined under the Health Information Portability and Accountability Act (HIPAA) Privacy Rule that compromises the security or privacy of PHI.

Whenever a breach of PHI occurs, the residents impacted must be notified, along with the Secretary of the United States Department of Health and Human Services (HHS). Residents must be notified as soon as possible but no later than 60 days from discovery of the breach. The deadline for notifying the Secretary of HHS depends on the number of residents impacted. If fewer than 500 residents are impacted, the deadline for notification to the Secretary is 60 days after the end of the calendar year in which the breach occurred. If 500 or more residents are impacted, the deadline for notification to the Secretary is no later than 60 days from the discovery of the breach.
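The two deadline rules above, worked through as an added example (not a Reliant tool or an HHS calculator): the 60-day window and the 500-individual threshold are the page's figures, the dates in the sample run are constructed, and the small-breach branch shows that an incident occurring late in one year and discovered early the next can have an HHS deadline that falls before the resident deadline.

```python
from datetime import date, timedelta

# Figures stated on the page: a 60-day window and the 500-individual threshold.
NOTIFY_WINDOW = timedelta(days=60)
LARGE_BREACH_THRESHOLD = 500


def _parse(iso_day: str) -> date:
    """Dates are passed as ISO strings (YYYY-MM-DD) so results are easy to compare."""
    return date.fromisoformat(iso_day)


def resident_deadline(discovered: str) -> str:
    """Impacted residents: no later than 60 days from discovery of the breach."""
    return (_parse(discovered) + NOTIFY_WINDOW).isoformat()


def hhs_deadline(discovered: str, occurred: str, affected: int) -> str:
    """Secretary of HHS: 60 days from discovery when 500 or more individuals are
    impacted; otherwise 60 days after the end of the calendar year in which the
    breach occurred."""
    if affected >= LARGE_BREACH_THRESHOLD:
        return (_parse(discovered) + NOTIFY_WINDOW).isoformat()
    year_end = date(_parse(occurred).year, 12, 31)
    return (year_end + NOTIFY_WINDOW).isoformat()


def breach_schedule(discovered: str, occurred: str, affected: int) -> dict:
    """Both deadlines for one incident, plus the earlier of the two so the
    breach response plan can be keyed to a single date."""
    if affected < 1:
        raise ValueError("a breach must affect at least one individual")
    if _parse(discovered) < _parse(occurred):
        raise ValueError("discovery date cannot precede the date the breach occurred")
    residents = resident_deadline(discovered)
    hhs = hhs_deadline(discovered, occurred, affected)
    return {
        "residents_by": residents,
        "hhs_by": hhs,
        # 500 or more individuals also means the breach is posted on the public portal.
        "hhs_posted_publicly": affected >= LARGE_BREACH_THRESHOLD,
        "earliest": min(residents, hhs),  # ISO strings sort chronologically
    }


def days_until(deadline: str, today: str) -> int:
    """Days left before a deadline; negative means the notification is overdue."""
    return (_parse(deadline) - _parse(today)).days


if __name__ == "__main__":
    # Constructed sample incident, not a real report: occurred 15 Dec 2019,
    # discovered 10 Jan 2020, 200 residents impacted.
    schedule = breach_schedule("2020-01-10", "2019-12-15", 200)
    for key, value in schedule.items():
        print(f"{key}: {value}")
```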

Covered entities are required to report breaches through the Office of Civil Rights breach reporting portal. The United States Department of Health and Human Services, in accordance with section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health Act (HITECH), posts online a list of breaches impacting 500 or more individuals. This breach portal is unofficially labeled the “Wall of Shame”. The portal is at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

OCR Alert – Phishing Scam Targeting Compliance Officers

The Office of Civil Rights (OCR) issued an alert on August 6, 2020 reporting that postcards impersonating OCR are being sent to coerce compliance officers into visiting a website regarding HIPAA risk assessments. This is a marketing ploy to trick the victim into engaging services under the guise of a directive from OCR. A risk assessment is a requirement of HIPAA as defined in §164.308(a)(1); however, the rule does not specify how often a risk assessment is needed or how it is to be done. Best practice is to conduct risk assessments annually or when significant changes or threats occur within or to the environment.

OCR recommends that all covered entities alert their workforce about this misleading communication. For more information and an example of the postcard, CLICK HERE.

Fax Phishing

Alexander Bain invented the “Electric Printing Telegraph” in 1843, which became the world’s first faxing device. One hundred seventy-seven years later, we still use fax, and so do hackers. Faxing is so commonly used in our industry that we sometimes forget to be cautious. Hackers take advantage of this by sending phishing emails that entice users to click on links that download malicious code. In some instances, you are asked to enter your credentials, giving the hacker the opportunity to steal them.

To avoid becoming a victim of fax phishing, see the example email below with tips to stay safe.

A Picture is Worth a Thousand Words: Photos, Videos, & HIPAA

It has been said “a picture is worth a thousand words.”  That quote is so true in this COVID-19 era where friends and family must keep their distance from loved ones in nursing homes. The compassion and care that nursing home staff provide includes, now more than ever, the social wellbeing of residents and patients.  Sharing photographs and videos is a wonderful way to keep connected.  However, don’t forget Health Insurance Portability and Accountability Act (HIPAA) compliance still is required.

Photos or videos containing any portion of a resident’s or patient’s face are considered Protected Health Information (PHI). That doesn’t mean you cannot take and share photos or videos.  HIPAA allows use and disclosure of photos or videos when proper authorization is provided by the resident, patient, or responsible party.

To be HIPAA compliant, authorization documentation must include the following:

  • The purpose for using and disclosing photos or videos; for example, “to share with her daughter/son” 
  • The timeframe the authorization applies; for example, “to send to daughter/son while the facility is on lockdown”
  • Explanation that the resident, patient, or responsible party has the right to revoke the authorization at any time
  • Explanation that the health care provider will not condition treatment, payment, or enrollment or eligibility for benefits on the resident, patient, or responsible party signing the authorization
  • Signature of the resident, patient or responsible party

Thanks to all for keeping residents and patients safe and connected while remaining HIPAA compliant.

Connection Through Video Chat

As the country continues to take a proactive, preventative approach to reduce the spread of COVID-19, social distancing and visitor restrictions in long-term care challenge us to use alternative means for connecting patients, family members/responsible parties, and long-term care staff.  On March 13, 2020, the Centers for Medicare & Medicaid Services (CMS) issued Guidance for Infection Control and Prevention of Coronavirus Disease 2019 (COVID-19) in Nursing Homes (Revised) stating:

“In lieu of visits, facilities should consider offering alternative means of communication for people who would otherwise visit, such as virtual communications (phone, video-communication, etc.)”1

When choosing to use video communication, the US Department of Health and Human Services provides guidance regarding which video communication platforms are safe to use and which are not. For example, FaceTime and Skype* are classified as non-public facing remote communication products while TikTok, Facebook Live, and Twitch are public-facing products.  Public-facing products are not acceptable to use. 

When video chatting, be mindful of the following:

  • Obtain proper authorization for use or disclosure from the resident/patient/responsible party.
  • Make reasonable efforts to ensure others, not authorized to participate in the video chat, cannot hear the discussions.
  • Ensure other patients are not in the background of the video chat to prevent unauthorized use or disclosure of that individual.
  • Confirm the party answering the video chat is the appropriate party before proceeding with discussions.
  • Be sure when ending video chat that it successfully ends so that other conversations or videos are not accidentally seen or overheard.

*FaceTime and Skype as means of communication are not supported by HIPAA regulations outside of the current healthcare emergency. The Office of Civil Rights states:

“Health care providers may use popular applications that allow for video chats, such as FaceTime and Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” 

1 https://www.cms.gov/files/document/qso-20-14-nh-revised.pdf

2 https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

Coronavirus Scams

There are increasing reports of scams and phishing attempts referencing COVID-19. These attacks often appear as innocent emails asking for assistance or providing information regarding the COVID-19 crisis. Bad actors are taking advantage of this crisis to profit or do damage. Their criminal actions are becoming more and more sophisticated and look very official, as though coming from government agencies and health organizations.

It is critical to remain vigilant with all email correspondence and websites, but particularly those referencing COVID-19 updates, maps, donations, notifications etc.

To avoid becoming a victim, follow the guidelines below:

  • Never click on links or open attachments within unexpected emails.
  • If you receive a suspicious email appearing to come from a legitimate organization such as CDC, WHO, FEMA etc., confirm its legitimacy.  Make sure links direct you to the official site by hovering over the link.  Report suspicious email to your company’s Information Security Department.
  • If you visit a website or receive a pop-up window directing you to a phone number for support desk assistance, DO NOT call the number, instead contact your company’s Information Security Department.
  • Never share your password with anyone.

Trends noted to date include:

  • Malicious Websites – sites referencing coronavirus or COVID-19 in the URL. Thousands of new websites have recently been registered to distribute malware when the user accesses the site.
  • Spam – emails trying to grab your attention to sell information or goods now in high demand such as masks, hand sanitizers, COVID-19 drugs, etc.
  • Phishing – emails posing as coming from legitimate organizations such as the Centers for Disease Control (CDC), the World Health Organization (WHO), the Federal Emergency Management Agency (FEMA), etc. These emails contain malicious links, and some are collecting personal information.
  • Fake Charities – emails and websites asking for donations for studies, healthcare professionals, victims, or other activities related to COVID-19
  • Fake internal HR or IT communications such as coronavirus surveys pretending to be from your company’s HR or IT department – these sites are attempting to obtain your User ID and password or other personal information.
  • Fake notification of infection – beware of emails reporting you have been exposed to an infected individual, particularly ones asking for personal information to proceed.

Always Think Before You Click.

HIPAA Privacy & COVID-19

In this unprecedented time with worldwide infection of COVID-19, there are provisions within the HIPAA Privacy Rule to address use and disclosure of patient information in a public health emergency to aid in prevention and control of the spread of disease. While this provision addresses use and disclosure to authorized public health authorities, Covered Entities and Business Associates must continue to safeguard patient information from impermissible uses and disclosures.

Refer to the bulletin released by the Office of Civil Rights (OCR) in February 2020 at this link OCR HIPAA Privacy and COVID-19 for more information regarding HIPAA Privacy Rule relating to infectious disease control.

HIPAA Privacy Rule Refresher

Refresh your memory with some of the Privacy Rule points below:

  • HIPAA’s Privacy Rule goal is to protect the confidentiality of patient/resident healthcare information.
  • Protected Health Information (PHI) is individually identifiable health information collected from an individual and created or received by a health care provider, health plan, or health care clearing house relating to past, present, or future physical or mental health conditions of an individual.
  • Information is “individually identifiable” when any of the 18 types of identifiers can be used to identify an individual (e.g. name, address, dates such as birth date, account number etc.).
  • The HIPAA Privacy Rule applies to healthcare organizations, healthcare plans, healthcare clearinghouses, and business associates with access to PHI.
  • PHI can be in paper or electronic form, as well as in verbal communications. 
  • Photos and videos of patients/residents are PHI and require documented authorization to take and use.
  • Access to PHI must be restricted to the minimum access needed to accomplish the intended objective.
  • PHI cannot be used or disclosed without documented patient authorization unless it is for any of the following purposes or situations:
    • Use or disclosure to the patient
    • Use or disclosure for treatment, payment, or general healthcare operations
    • Use or disclosure if the individual can agree or object to a disclosure such as a patient bringing a family with them when discussing care with a physician
  • Covered Entities (CE) are required to provide residents/patients with a Notice of Privacy Practices (NPP) to tell how the CE may use and share their health information.
  • Disposal of documents containing PHI must be rendered unreadable.  Shredding is the most common method of disposal.  Before disposal, be sure to follow your organization’s data retention policies.

For more information regarding HIPAA Privacy, visit www.hhs.gov.

Email and Protected Health Information

Business Email Compromise (BEC) is a type of attack on company email systems where the hacker’s goal is to gain access to an email system and search for data that can be used to commit fraud.

In the healthcare industry, fraudsters are committing BEC to steal protected health information (PHI). Why? Because PHI has many use cases, unlike credit card and account data, which is only useful until the victim cancels the cards and accounts. PHI such as a “Face Sheet” typically contains a treasure trove of information that can be used to commit medical services theft, Medicare/Medicaid fraud, fraudulent insurance billing, and income tax fraud, to name a few.

Healthcare companies and their employees are required by HIPAA to protect PHI. You can do your part to protect PHI from BEC by taking the following actions:
  • deleting emails containing PHI as soon as they are no longer necessary to retain,
  • never sharing your password with anyone,
  • changing your password regularly using strong passwords, and
  • before clicking any link – STOP. LOOK. THINK.

Ten Simple HIPAA Tips

  1. Ensure discussion of PHI (protected health information) is where you cannot be easily overheard. 
  2. ePHI should not be saved on unencrypted devices such as laptops, desktops, servers, USB drives, etc.
  3. When leaving your workstation unattended, logoff or manually lock your workstation.
  4. Computer equipment should not be left unsecured such as in an unattended vehicle or hotel room.
  5. PHI should not be left on a copier or scanner unattended.
  6. Paper PHI should be disposed of properly by shredding.
  7. Keep passwords safe. Do not write down or share your password.
  8. Double check fax numbers and email addresses to ensure you have the correct information before faxing or emailing PHI.
  9. Patient photos or stories require a signed authorization prior to taking or using. Authorization forms can be obtained on the Reliant portal.
  10. Report suspected HIPAA violations to your supervisor or the company privacy officer.  Reliant employees may contact their Privacy and Information Security Officer at privacy@reliant-rehab.com.

HIPAA Happenings: Holiday Phishing

Cyber criminals take advantage of the holidays to disguise their phishing campaigns and malware as seasonally accepted email. Requests for donations to fraudulent organizations, bogus holiday advertisements, and posing as package delivery services are common this time of year.
Click here to view a real example of a phishing email impersonating Federal Express.

What to Do If You Suspect You Are a Victim of Phishing:

  • Change your password immediately.
  • Contact your IT Department.
  • For Reliant employees contact support@reliant-rehab.com or call 225-767-7670.

Common HIPAA Violations Employees May Not Realize

Have you ever emailed, or do you routinely email, Protected Health Information (PHI) to your personal email account so you can catch up on work outside of the facility? With the many demands of the job to get the work done, it can be tempting. This commonly results in a HIPAA violation, as the information is not properly protected and is more easily breached! Although your intentions may be good, this is not an appropriate practice. Your company may have a policy directly relating to PHI. Reliant employees should refer to Policy 8.3 – Use of E-Mail and Text Messaging for full policy information.

The same caution applies to taking paper patient information outside of the facility. Removing protected health information from a healthcare facility places that information at risk of exposure. Without appropriate measures in place to safeguard this information in transport and outside of the facility, doing so is a violation of HIPAA Rules. Reliant employees should refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls for full policy information.

Indictment of Anthem Breach Hackers

Do you remember hearing about the Anthem breach in 2015? Hackers infiltrated Anthem’s network and breached the personal health information of 78.8 million patients. This was one of the worst data breaches in US history if not the worst. There is some good news being reported. The Department of Justice has indicted two China-based hackers for the Anthem hack and breach.

How did the hackers do it?

The hackers allegedly gained entry using spear-phishing emails sent to employees with embedded links. After an employee clicked on the link, malware was installed to infect and compromise the system. Once inside the system, the hackers installed what is called a “backdoor”, which in this case went undetected by the infected organization. This “backdoor” allowed the hackers to come and go as they pleased. Although the hack was discovered in 2015, it began in 2014, with the hackers coming through the back door and conducting reconnaissance to identify information of interest.

What is the Lesson Learned?

Be on the lookout for “phishy” emails. Here are a few tips to assist in identifying phishing emails.

  1. Does the email invoke a sense of urgency, fear, or curiosity?
  2. Does it ask you to click a link, open an attachment, or provide your user ID/password or other sensitive information?
  3. Do you know the person that sent the message and were you expecting it? Hackers can “spoof” messages meaning they make it look like it is coming from a known sender when it is not. If you know the sender but were not expecting it, contact the sender by a means other than email to confirm.

What to do when you suspect a phishing email?

For Reliant employees who use Reliant’s email, a “Phish Alert Button” was recently implemented within the email system. This button is easily accessible within the user’s email and allows the suspicious email to be reported at the click of a button. After clicking this button, it alerts the Reliant support team and allows security measures to be quickly added to prevent others from clicking on similar malicious e-mails.

Customers who don’t have a similar “Phish Alert Button” in place should report suspicious emails to their support team through established reporting processes.

March 2019 Healthcare Data Breaches

The Health and Human Services Office of Civil Rights (OCR) is responsible for enforcing civil rights laws. Covered Entities such as Skilled Nursing Facilities and Business Associates must comply with HIPAA regulations, which include reporting breaches of Protected Health Information (PHI). Breaches affecting 500 or more individuals are posted by OCR on a public website. Breaches affecting fewer than 500 individuals are also required to be reported but are not posted for public viewing.

To give you an idea of the information available on the public site using March 2019 data, there were 32 breaches reported with 500 or more individuals involving 951,252 individuals. Of these 32 breaches, there were 22 Healthcare Providers, 4 Health Plans, and 6 Business Associates involved.

The types of breaches consisted of:

  • 20 – Hacking/IT Incidents
  • 8 – Unauthorized Access/Disclosure
  • 4 – Thefts

Breaches involving email and network servers accounted for 893,502 of the impacted individuals (see chart below). This is why security awareness training, good password management practices, and virus protection are so important.

For a list of the names of companies impacted and other information, visit the OCR portal at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
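How figures like the ones above are derived from the portal's CSV export, as an added example (not OCR's or Reliant's code): the column names are assumed from that export, the rows are constructed and much smaller than the real March 2019 data, and the location check handles reports that list several locations in one field (for example "Network Server, Email").

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows in the shape of the OCR breach portal CSV export.
# Column names are assumed from that export; entity names and counts are invented.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Provider A,TX,Healthcare Provider,5000,03/05/2019,Hacking/IT Incident,Email
Example Plan B,CA,Health Plan,1200,03/12/2019,Unauthorized Access/Disclosure,Paper/Films
Example Associate C,NY,Business Associate,7300,03/20/2019,Hacking/IT Incident,"Network Server, Email"
Example Provider D,FL,Healthcare Provider,800,03/28/2019,Theft,Laptop
Example Provider E,OH,Healthcare Provider,2500,02/14/2019,Hacking/IT Incident,Email
"""

# Locations the page groups together when it reports 893,502 impacted individuals.
EMAIL_OR_SERVER = {"Email", "Network Server"}


def load_breaches(csv_text: str) -> list:
    """Parse the export, converting the count and date fields and splitting
    the comma-separated location field into a set."""
    breaches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Individuals Affected"] = int(row["Individuals Affected"])
        row["Breach Submission Date"] = datetime.strptime(
            row["Breach Submission Date"], "%m/%d/%Y").date()
        row["Locations"] = {
            loc.strip() for loc in row["Location of Breached Information"].split(",")}
        breaches.append(row)
    return breaches


def summarize_month(breaches: list, year: int, month: int, minimum: int = 500) -> dict:
    """Totals for one submission month, restricted to breaches at or above the
    public-posting threshold (the feed only carries those, but filter anyway)."""
    selected = [
        b for b in breaches
        if b["Breach Submission Date"].year == year
        and b["Breach Submission Date"].month == month
        and b["Individuals Affected"] >= minimum
    ]
    return {
        "breaches": len(selected),
        "individuals": sum(b["Individuals Affected"] for b in selected),
        "by_entity_type": dict(Counter(b["Covered Entity Type"] for b in selected)),
        "by_breach_type": dict(Counter(b["Type of Breach"] for b in selected)),
        # Count a report once if any of its locations is email or a network server.
        "email_or_network_server_individuals": sum(
            b["Individuals Affected"] for b in selected if b["Locations"] & EMAIL_OR_SERVER
        ),
    }


if __name__ == "__main__":
    summary = summarize_month(load_breaches(SAMPLE_CSV), 2019, 3)
    for key, value in summary.items():
        print(f"{key}: {value}")
```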

Guide to Personally Identifiable Information (PII)

Whether at work, at home, or on the go, data that is often the top target of cybercriminals is all around us. Protecting that data isn’t a highly technical process, but rather one that requires common sense and a strong commitment to privacy in every aspect of our lives!


What is PII?

PII, or personally identifiable information, is sensitive data that could be used to identify, contact, or locate an individual.

What are some examples of PII?

PII includes (but is not limited to) home addresses, personal email addresses, national ID numbers, credit card numbers, and personal phone numbers.

What are some examples of non-PII?

Info such as business phone numbers and email addresses, race, religion, gender, workplace, and job titles are typically not considered PII. But they should still be treated as sensitive, linkable info because they could identify an individual when combined with other data.

Why is PII so important?

On a personal level, our PII is necessary to acquire some goods and services, such as medical care and utilities. But in the wrong hands, PII leads to identity theft and other forms of fraud. On a professional level, you may store PII of customers, clients, vendors, contractors, employees, and partners. If left unprotected, your organization could face steep fines and your reputation could be severely damaged.

How do you protect PII at work?

Protecting PII begins and ends with following your organization’s security policies, which were created to ensure that the data remains private. Treat all requests for sensitive info with a high degree of scrutiny, stay alert, think before you click, and if you have any questions, ask them!

How do you protect PII at home?

Develop a home security policy similar to those at work, which calls for common sense practices, such as not clicking on random links and attachments, guarding personal info online and in real life, destroying sensitive documents beyond recognition, and setting social media profiles to fully private.

“Protect” Protected Health Information (PHI)

Phishing attacks are non-stop year-round, and attackers take advantage of holidays and other seasonal events, like tax time, to trick you into clicking links to provide User IDs and passwords. When a phishing attempt is successful, the “Bad Actor” obtains your email login information, and can use your email account to obtain data. Do you have resident information such as face sheets in your emails? If so, there is a wealth of PHI that criminals can use to commit fraud and identity theft. Stay vigilant with these tips.

HIPAA Privacy Rule Refresher

Refresh your memory with some of the Privacy Rule points below.

  • HIPAA’s Privacy Rule goal is to protect the confidentiality of patient/resident healthcare information.
  • Protected Health Information (PHI) is individually identifiable health information collected from an individual and created or received by a health care provider, health plan, or health care clearing house relating to past, present, or future physical or mental health conditions of an individual.
  • Information is “individually identifiable” when any one or more of 18 types of identifiers can be used to identify an individual (e.g. name, address, dates such as birth date, account number etc.).
  • The HIPAA Privacy Rule applies to healthcare organizations, healthcare plans, healthcare clearinghouses, and Business Associates with access to Protected Health Information (PHI).
  • PHI can be in paper form or electronic form, as well as in verbal communications.
  • Photos and videos of patients/residents are PHI and require documented authorization to take and use.
  • Access to PHI must be restricted to the minimum access needed to accomplish the intended objective.
  • PHI cannot be used or disclosed without documented patient authorization unless it is for any of the following purposes or situations:
    • Use or disclosure to the patient
    • Use or disclosure for treatment, payment, or general healthcare operations
    • Use or disclosure if the individual has the opportunity to agree or object to a disclosure such as a patient bringing a family with them when discussing care with a physician
  • Covered Entities (CE) are required to provide residents/patients with a Notice of Privacy Practices (NPP) to tell how the CE may use and share their health information.
  • Disposal of documents containing PHI must be rendered unreadable. Shredding is the most common method of disposal. Before disposal, be sure to follow your organization’s data retention policies.

For more information regarding HIPAA Privacy, visit www.hhs.gov.

Keep Information Safe with Good Password Practices

These days we’re all overloaded with the number of accounts that require credentials and remembering them is impossible. Using the same password for different accounts is tempting—like having one handy key that opens every lock you use. But reusing passwords is not the solution.

Compromised passwords are one of the leading causes of data breaches, and reusing passwords can increase the damage done by what would otherwise be a relatively small incident. Cybercriminals know that people reuse credentials and often test compromised passwords on commonly used sites in order to expand the number of accounts they can access.

For instance, if you use the same password for your work email as for Amazon or your gym membership, a breach at one of those companies puts your work emails at risk. Reusing credentials is like giving away copies of the key that opens all your locks. Before reusing a password for different accounts, especially across work and personal ones, think of all the data that someone could get into if they got that credential.

Here are some tips to help you avoid falling in this trap:

• Use completely separate passwords for work and personal accounts.

• Avoid words that can easily be guessed by attackers, like “password” or “September2017,” or predictable keyboard combinations like “1234567,” “qwerty,” or “1q2w3e4r5t.”

• Add some complexity with capitalization or special characters if required. “Fido!sAnAwesomeDog” is a stronger password than your pet’s name.

• Just adding numbers or special characters at the end of a word doesn’t increase security much, because they’re easy for software to guess.

• Avoid words like your kids’ names that could easily be guessed by coworkers or revealed by a few minutes of online research.

• Answers to security questions are often easily found (your mother’s maiden name is public record), so pick another word for whenever that question comes up.