Is HIPAA Applicable to Schools?

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and the business associates of those covered entities, but does HIPAA also apply to schools? This post explores how HIPAA applies to schools and how it intersects with the Family Educational Rights and Privacy Act (FERPA).

Is HIPAA Applicable to Schools?

In general, HIPAA does not apply to schools because they are not HIPAA covered entities. In particular cases a school can become a covered entity when it provides healthcare services to students, but even then HIPAA may still not apply: any student health information it collects is typically held in the students' education records, and education records are excluded from the HIPAA Privacy Rule's definition of protected health information. Those records are covered by FERPA instead.

Increasing numbers of schools provide healthcare services to their students. Some employ medical professionals, some operate on-site health clinics, and many dispense medications and administer vaccinations. Providing those services means health information is collected, stored, maintained, and transmitted. Even so, a school that employs nurses, physicians, or psychologists is not generally a covered entity, because it does not conduct electronic healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards. Most schools fall into this category, so HIPAA does not apply to them.

Some schools do employ a healthcare provider that conducts electronic transactions for which HHS has adopted standards. In that case the school is a HIPAA covered entity and must follow the HIPAA Transactions and Code Sets and Identifier Rules for those transactions. It still need not comply with the HIPAA Privacy Rule for health information held in education records, because FERPA covers those records. Health information maintained in education records is not protected health information (PHI) and therefore falls outside the Privacy Rule, although the school must comply with FERPA's privacy requirements.

One circumstance in which the HIPAA Privacy Rule does apply is when a healthcare provider who is not employed by the school delivers medical services, such as vaccinations, on school premises. That provider must comply with HIPAA, the information is PHI while the provider holds it, and the provider needs authorization before disclosing it to the school. Once the information is added to the student's education record, FERPA applies instead of HIPAA.

FERPA, HIPAA, and Private Schools

FERPA covers all educational institutions that receive funds under any program administered by the U.S. Department of Education, so it covers public schools. Private schools are usually not covered by FERPA because they receive no such federal funding. A private school that is not covered by FERPA may or may not be covered by HIPAA, depending on whether it conducts electronic transactions for which HHS has adopted standards. If it does, it must comply with HIPAA; if not, neither HIPAA nor FERPA applies.

Additional Information

To clarify questions about health information disclosures under FERPA and HIPAA, the U.S. Department of Education and the HHS Office for Civil Rights updated their joint guidance in December 2019. The revised guidance is available from both agencies.

DHS Warns of Retaliatory Cyberattacks After U.S. Drone Strike

The U.S. Department of Homeland Security (DHS) has issued an alert about possible retaliatory cyberattacks following the U.S. military strike in Iraq that killed Major General Qasem Soleimani, a senior Iranian commander.

The U.S. Department of Defense said General Soleimani had been actively planning attacks on American diplomats and service members in Iraq and across the region. President Trump said in a tweet after the strike that the action had been taken to stop a war, not to start one.

Iran condemned the strike, and its supreme leader, Ayatollah Ali Khamenei, vowed "forceful revenge" on the United States. The U.S. State Department urged all Americans in Iraq to leave the country for their own safety, and on Sunday Iraq's parliament voted to expel all U.S. troops from the country.

There is legitimate concern that Iranian retaliation will play out in cyberspace as well as on the ground, with U.S. companies, government agencies, and critical infrastructure as likely targets. Iran's conventional military reach may be limited, but it is highly capable of conducting damaging cyberattacks.

Threat actors linked to the Iranian government have long conducted cyberattacks against U.S. targets, but the nature of those attacks may now change. Iran has developed a range of offensive cyber capabilities and has carried out destructive attacks before: in 2012, Iran-linked actors used the Shamoon wiper malware against the Saudi Arabian oil giant Saudi Aramco. They are believed to have developed further wiper variants that could be used against targets in the United States. Iranian nationals have also been charged over the SamSam ransomware attacks, including the attack on the City of Atlanta.

Acting DHS Secretary Chad Wolf said that no specific, credible threats against the United States had been identified so far. DHS will continue to monitor the situation and work with federal, state, and local partners to ensure the safety of all Americans.

It is unknown whether or when attacks will come, but federal, state, and local leaders have been urged to put appropriate safeguards in place. Chris Krebs, Director of the DHS Cybersecurity and Infrastructure Security Agency (CISA), said it was time to brush up on Iranian TTPs (tactics, techniques, and procedures), to pay close attention to critical systems, particularly industrial control systems (ICS), and to make sure third-party access is being watched as well.

Krebs also pointed to an earlier alert he issued in June, in which CISA said it was aware of a recent rise in malicious cyber activity directed at U.S. industries and government agencies by Iranian regime actors and proxies. The intelligence community and cybersecurity partners are tracking Iranian cyber activity, sharing information, and taking steps to keep the United States and its allies safe.

Ransomware Attack on Hackensack Meridian Health

A recent cyberattack on New Jersey's largest health network, Hackensack Meridian Health, deployed ransomware on its systems and encrypted files, forcing a two-day network shutdown.

With staff unable to access computer systems and medical records, Hackensack Meridian Health had to postpone non-emergency procedures. Doctors and nurses reverted to pen and paper to keep providing patient care.

Hackensack Meridian Health identified the attack quickly and notified law enforcement and regulators. It brought in cybersecurity experts to determine the best course of action. The health network initially described the outage as external technical issues so as not to interfere with the investigation; it later confirmed that a ransomware attack had taken place.

Recovering the encrypted files from backups would have taken many weeks. To avoid prolonged disruption to patient care, the provider decided to pay the ransom. A Hackensack Meridian Health spokesperson said it is the network's responsibility to protect its communities' access to healthcare.

Hackensack Meridian Health did not disclose the amount paid, but it confirmed that its cybersecurity insurance would cover part of the cost, including the ransom and remediation work.

Hackensack Meridian Health has announced that its primary clinical systems have been restored. Other parts of the network were expected to take a few more days to bring back online.

Several other healthcare organizations and business associates have also reported ransomware attacks in the past few weeks. The Cancer Center of Hawaii said an attack delayed radiation treatments for patients, and a Colorado business associate reported that a ransomware attack affected more than 100 dental practices.

The HHS Office for Civil Rights recently emphasized the role of HIPAA compliance in helping to prevent ransomware attacks and in enabling rapid recovery when attackers do breach a provider's defenses.

Department of Education and OCR Issue Updated Guidance on Sharing Student Health Records Under FERPA and HIPAA

The U.S. Department of Education and the Department of Health and Human Services' Office for Civil Rights (OCR) have updated their guidance on sharing student health records under the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

The original guidance document was published in November 2008 to help school administrators and healthcare professionals understand how FERPA and HIPAA apply to students' education and health records. It takes the form of a series of questions and answers covering both laws. The update adds further Q&As to clear up likely areas of confusion, including when student information may be shared under FERPA and the HIPAA Privacy Rule without first obtaining written consent.

HIPAA covers healthcare providers, healthcare clearinghouses, health plans, and the business associates of those covered entities. It does not generally apply to schools, because health information collected by an educational institution is usually part of the student's education record under FERPA, and the HIPAA Privacy Rule excludes education records from its definition of protected health information (PHI). There are nevertheless situations in which HIPAA and FERPA intersect.

The HIPAA Privacy Rule generally requires authorization before health information is shared for purposes other than treatment, payment, or healthcare operations, subject to specific exceptions. The guidance points out that in emergencies, and when a person's health is in danger, schools and healthcare providers may share a student's health records with anyone able to prevent or lessen the harm, including family members, friends, caregivers, and law enforcement.

The guidance states that healthcare providers may disclose PHI to anyone as necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual, another person, or the public, consistent with applicable law (such as state statutes, regulations, or case law) and the provider's standards of ethical conduct. Psychotherapy notes and information about mental health and substance use disorders may also be shared in specific circumstances, and the update spells out when those disclosures are permitted.

OCR Director Roger Severino said the revised resource empowers school officials, healthcare providers, and mental health professionals by dispelling the misconception that HIPAA prohibits the sharing of health information in emergencies.

The update also explains when PHI or personally identifiable information may be shared without endangering a student or others, and now covers disclosures of health information to law enforcement and to the National Instant Criminal Background Check System.

U.S. Secretary of Education Betsy DeVos said that confusion over when information can be shared must not stand in the way of protecting students while they are at school, and that the update provides needed clarity to help ensure students get the support they need and school officials have the information they need to protect them.

Korunda Medical to Pay $85,000 Penalty for HIPAA Right of Access Failures

The Department of Health and Human Services' Office for Civil Rights (OCR) has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential HIPAA Right of Access violations, adopt a corrective action plan, and bring its policies and procedures into line with the HIPAA Privacy Rule.

In March 2019, a patient complained to OCR that, despite repeated requests, Korunda Medical had not provided a copy of her medical records in the electronic format she asked for. Korunda Medical allegedly refused to send an electronic copy of her records to a third party and charged more for copies of records than HIPAA permits. Under HIPAA, covered entities may charge only a reasonable, cost-based fee for providing patients with access to their protected health information (PHI).

The first complaint was filed with OCR on March 6, 2019. OCR provided Korunda Medical with technical assistance on the HIPAA Right of Access on March 18, 2019 and closed the matter. Four days later, OCR received a second complaint indicating that Korunda Medical was still not complying. OCR notified Korunda Medical on May 8, 2019 that it had opened a compliance investigation. As a result of OCR's intervention, the patient received a copy of her records free of charge. Because of the continued noncompliance with the HIPAA Right of Access, Korunda Medical was issued an $85,000 financial penalty.

For years, healthcare organizations have been slow to give patients their health records, often through simple bureaucratic inertia. As OCR moves to corrective action plans and settlements under the Right of Access Initiative, the hope is that healthcare organizations will finally meet the obligations the law places on them.

The HIPAA Right of Access Initiative is an OCR enforcement drive to ensure that HIPAA-covered entities give patients copies of their medical records promptly, in the format they request, and without overcharging. The first enforcement action under the initiative was announced in September 2019 against Bayfront Health St. Petersburg, which paid $85,000 to settle its Right of Access failures.

This is the ninth HIPAA enforcement action of the year. In 2019 OCR has settled eight HIPAA violation cases and announced one civil monetary penalty, with financial penalties ranging from $10,000 to $3 million. To date, OCR has collected $12,209,000 this year to resolve HIPAA violations.

Audiology Hear For You, LLC Receives HIPAA Seal of Compliance Award

Compliancy Group has announced that Audiology Hear For You, LLC has demonstrated compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules after completing Compliancy Group's 6-Stage HIPAA implementation program.

Audiology Hear For You provides hearing testing and hearing aid services from Johns Creek, Georgia. In providing those services it creates and maintains protected health information (PHI), and the HIPAA Rules require it to implement appropriate safeguards, policies, and procedures to protect that data against unauthorized access.

To protect patient privacy and reduce risks to the confidentiality, integrity, and availability of PHI, Audiology Hear For You partnered with Compliancy Group. Its patients can obtain hearing services with the assurance that the company is HIPAA compliant and that their personal data is protected.

Ahead of its official launch on February 1, 2020, Audiology Hear For You used Compliancy Group's proprietary software, The Guard, to track and monitor its progress toward HIPAA compliance. Compliancy Group's HIPAA specialists guided the company through Compliancy Group's HIPAA risk analysis and remediation process, after which it was confirmed to have met the requirements of the HIPAA Security, Privacy, Breach Notification, and Omnibus Rules. Compliancy Group has awarded the company its HIPAA Seal of Compliance.

The HIPAA Seal of Compliance provides proof that the company has validated its HIPAA compliance and has an effective compliance program in place to protect the security and privacy of patient healthcare data.

Companies often choose Compliancy Group for their HIPAA compliance work because of its simplified checklist of the essential steps to achieve compliance. Its specialists guided Audiology Hear For You through the steps required to reach HIPAA compliance.

Malwarebytes Report Revealed Healthcare Threat Detections Increased by 45% in Q3 of 2019

A recently published Malwarebytes report shows that cyberattacks on healthcare organizations increased in both frequency and severity over the past year.

The report, Cybercrime Tactics and Techniques: The 2019 State of Healthcare, details the main threats that affected the healthcare sector over the year and how cybercriminals get past healthcare organizations' defenses to reach sensitive healthcare data.

The consequences of a cyberattack on a healthcare organization can be severe. Several attacks this year have seriously disrupted day-to-day operations at hospitals, often delaying care, and in two cases attacks led to the permanent closure of the organization. A recent study has also linked cyberattacks on hospitals to higher heart attack mortality rates.

Malwarebytes' data show that healthcare was the seventh most targeted industry between October 2018 and September 2019. If current trends continue, the sector is likely to rank even higher next year.

Cybercriminals target healthcare organizations because they hold large volumes of valuable data in electronic health records (EHRs) that often lack mature security controls. Healthcare organizations also have a large attack surface to defend, including insecurely networked medical devices. Given these comparatively weak defenses and the high value of healthcare data on the black market, it is no surprise that the industry is heavily targeted.

Threat detections on healthcare endpoints rose from about 14,000 in Q2 2019 to about 20,000 in Q3, an increase of roughly 45%. Detections in the first three quarters of 2019 were also up 60% compared with 2018.

Many of the 2019 detections were Trojans, chiefly Emotet early in the year and TrickBot in Q3. TrickBot is now the leading malware threat to the healthcare sector. Overall, Trojan detections rose 82% from Q2 to Q3 2019. Attackers use these Trojans to gain access, steal sensitive information, and install secondary payloads such as Ryuk ransomware; the ransomware is typically deployed once the data has been stolen.

Trojan campaigns tend to focus on sectors with large numbers of endpoints and less mature security, such as education, healthcare, and government. Trojans spread mainly through phishing and other social engineering, exploitation of vulnerabilities on unpatched systems, and misconfigurations. Trojans were by far the biggest threat, but detections of browser hijackers also rose 98% in Q3, riskware 85%, adware 34%, and ransomware 15%.

According to Malwarebytes, the three main attack vectors used in attacks on the healthcare sector over the past year were phishing, vulnerabilities introduced by third-party suppliers, and negligence.

Because healthcare organizations, physicians, and staff exchange so much email, email is a major attack vector and a common target for phishing. Email accounts also hold large amounts of sensitive information that becomes accessible once a user responds to a phishing message. These attacks are simple and require no exploit code or hacking skill, and stopping them remains one of the biggest challenges healthcare organizations face.

The widespread use of legacy systems, which are often unsupported, also makes attacks far too easy. Upgrading those systems is complicated and costly, and some equipment and devices cannot be upgraded at all. The problem is likely to worsen when support for Windows 7 ends in January 2020. Malwarebytes continues to detect WannaCry ransomware infections because patching in the healthcare sector is so slow: many organizations have still not applied the patch for the SMB vulnerability WannaCry exploits, even though it has been available since March 2017.
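A check a practitioner would want after reading the above: the following PowerShell audit is an added example, not code from the Malwarebytes report or the original article. It assumes a Windows host running Windows 7 / Server 2008 R2 or later and an elevated PowerShell session; the $Remediate switch, the registry fallback for older systems, and the March 14, 2017 cut-off date (the MS17-010 release date) are the example's own choices.

```powershell
# Added example (not from the Malwarebytes report or the original article):
# audit a Windows host for the SMBv1 exposure that WannaCry's EternalBlue
# exploit (patched by MS17-010, March 2017) depends on, and optionally remediate.
# Run from an elevated PowerShell session.
#
# Assumptions: Windows 7 / Server 2008 R2 or later. Set $Remediate to $true only
# after confirming no legacy device (old printers, NAS boxes, medical equipment)
# still needs SMBv1 to talk to this host; that is exactly the legacy-system
# problem the report describes.

$Remediate = $false
$findings  = @()

# 1. SMB1 server protocol state.
#    Windows 8.1 / Server 2012 R2 and later expose it through the SMB cmdlets;
#    older systems use a registry value (an absent value means enabled by default).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $reg = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
}
$findings += "SMB1 server protocol enabled: $smb1Enabled"

# 2. On Windows 10 / Server 2016 and later the SMB1 component can be removed entirely.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { $findings += "SMB1Protocol optional feature: $($feature.State)" }

# 3. Coarse patch-level check. The MS17-010 KB number differs per OS build, so
#    look at the newest installed security update rather than one KB, and treat
#    anything older than March 2017 as a red flag rather than as proof either way.
$latest = Get-HotFix |
    Where-Object { $_.Description -like '*Security*' -and $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $findings += "Newest security update: $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
    if ($latest.InstalledOn -lt [datetime]'2017-03-14') {
        $findings += "WARNING: no security update installed since before MS17-010 was released"
    }
} else {
    $findings += "WARNING: Get-HotFix returned no security updates"
}

$findings | ForEach-Object { Write-Output $_ }

# 4. Remediation (opt-in): disable the SMB1 server and remove the feature where present.
if ($Remediate) {
    if ($smb1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
        }
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}
```

The patch-level step is deliberately a coarse heuristic: a host with a recent security update may still be missing MS17-010 if updates were applied selectively, so a vulnerability scanner or an authenticated check of the exact KB for the OS build should back it up. Disabling SMBv1 on a device that still has clients depending on it will break those clients, which is why the remediation step is off by default.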

Negligence is also a serious problem, usually stemming from a failure to prioritize cybersecurity at every level of the organization and to provide staff with adequate security awareness training. Malwarebytes notes that investment in cybersecurity has increased, but it often does not extend to hiring new IT staff or funding security awareness training.

Cyberattacks will continue and the healthcare sector will suffer more data breaches if:

  • unsupported legacy systems stay unpatched
  • IT departments do not have the proper resources to deal with vulnerabilities
  • end users do not receive cybersecurity training

The situation may get worse before it gets better. Malwarebytes warns that developments such as cloud-based biometrics, advances in prosthetics, genetic research, and growing use of IoT devices to collect healthcare data will expand the attack surface further, making it even harder for healthcare organizations to stop attacks. Security must be built into the design and implementation of these new technologies, or their vulnerabilities will be found and exploited.

Salem Health Hospitals & Clinics Patients and Delta Dental of Arizona Plan Members Affected by Phishing Attacks

On July 31, 2019, Salem Health Hospitals & Clinics in Oregon experienced a phishing attack in which an unauthorized individual gained access to several employees' email accounts. Salem Health discovered the breach the same day and promptly secured the compromised accounts.

Patients were sent notification letters on September 27 and informed that the affected accounts were being reviewed. Salem Health believes the patient information in the compromised accounts was limited to names, dates of birth, and information about the healthcare services patients received. The investigation was still in progress when the notices were issued.

On November 7, 2019, Salem Health spokesman Elijah Penner said the review had found no sign that patient data had been misused, and no evidence that the attacker had accessed patient information in the emails or attachments.

Salem Health advised affected patients to stay alert and to monitor their account statements and explanation of benefits statements for fraudulent activity. It is strengthening email security and plans to give employees additional training on recognizing and avoiding malicious emails.

The incident has not yet been posted on the HHS Office for Civil Rights breach portal, so the number of affected patients is not yet known.

Delta Dental of Arizona’s July Phishing Attack

Delta Dental of Arizona has suffered an email security breach that exposed plan members' data. The breach was discovered on July 8, 2019, when suspicious activity was detected in an employee's email account.

The attacker had used the employee's credentials to access the account. In a substitute breach notice on its website, Delta Dental described the lengthy and labor-intensive process of determining which members' information was affected.

Delta Dental of Arizona reported on November 8, 2019 that it had found no evidence that the data was accessed, although it could not rule that out, and breach notifications were therefore sent to affected members as a precaution.

The information potentially compromised included names, dates of birth, addresses, member ID numbers, Social Security numbers, driver's license numbers, passport numbers, financial information, credit/debit card numbers, digital signatures, usernames and passwords, and dental insurance information.

The HHS Office for Civil Rights breach portal has not yet listed the incident, so it is not yet known how many members were affected.

Partnership Gives Google Legitimate Access to the Health Records of Ascension Patients

Google has confirmed that it is working with one of the largest healthcare systems in the United States, a partnership that gives it access to a vast quantity of patient information.

Google has partnered with Ascension, the largest Catholic health system in the world and the second largest non-profit health system in the U.S. Ascension operates more than 2,600 healthcare sites in 21 states, including more than 150 hospitals and over 50 senior living facilities.

Through the partnership, Google can access patient health information including names, dates of birth, lab results, diagnoses, treatment information, dates of service, and other personal and clinical data.

The project, code-named Project Nightingale, was not publicly known until the Wall Street Journal reported that around 150 Google employees had access to patient information under it. That access was granted without patients or physicians being informed. Google and Ascension announced Project Nightingale only after the WSJ story was published.

In a November 11 press release, Ascension said it is partnering with Google to improve the health and wellness of people in its communities and to deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients, and clinical providers.

Google said in its statement that it had already discussed the venture in its second-quarter earnings call in July 2019, where it noted that Google Cloud's AI and ML solutions are helping healthcare providers improve the healthcare experience and outcomes.

Google said in its November 11 blog post that its work with Ascension centers on:

  • Moving Ascension's infrastructure to the Google Cloud Platform;
  • Helping Ascension adopt G Suite productivity tools; and
  • Providing physicians and nurses with tools to improve care.

Google also said that some of the tools it is working on are not yet in clinical use and remain at an early testing stage, hence the Project Nightingale code name.

Another goal of the partnership is to apply Google's considerable computing capabilities to patient data and build software that uses its AI and machine learning technology to deliver more targeted patient care.

Ascension said it will explore artificial intelligence and machine learning applications that can improve patient safety, clinical quality and effectiveness, and support for vulnerable populations, as well as consumer and provider satisfaction.

As Ascension's business associate, Google has stated that its access to patient information is legitimate and fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) Rules. Google and Ascension have a signed business associate agreement (BAA), and the safeguards required to protect patient information are in place, satisfying HIPAA's requirements.

Ascension added that the partnership is underpinned by strong data security and adherence to Ascension's strict data handling requirements.

TennCare and Florida Blue Members Impacted by Phishing Attack on Magellan Health NIA

More healthcare organizations have confirmed that they were affected by the Magellan Health National Imaging Associates (NIA) data breach. A number of HIPAA-covered entities use Magellan Health NIA as a business associate for managed radiology and pharmacy benefits services.

Geisinger Health Plan of Danville, PA announced last month that the breach affected 5,848 of its members. In the past few days, two more organizations, the health insurer Florida Blue and TennCare, Tennessee's Medicaid program, have made similar announcements.

Presbyterian Health Plan of Albuquerque, NM has also confirmed that 56,226 of its members were affected.

The phishing attack on Magellan Health NIA took place on May 28, 2019, but the company did not become aware of the breach until July 5, 2019, after the attacker used the compromised account to send large volumes of spam. Magellan Health NIA has since secured the affected account.

The internal investigation found that an individual located outside the United States accessed the mailbox on several occasions. The apparent motive was simply to send spam from the account. No evidence was found that PHI was accessed or stolen, but the possibility cannot be ruled out.

TennCare received breach notification on September 11, one day after Magellan Health NIA determined it was affected. Magellan Health NIA notified Geisinger Health Plan on September 24 and Florida Blue on September 25.

Florida Blue has not yet said how many members were affected, but said the PHI of less than 1% of its 5 million members was exposed. Only limited information was compromised: names, dates of birth, member ID numbers, health plan name, provider name, drug name, the names of imaging procedures performed, benefit authorization outcome, and authorization number. Florida Blue is offering affected members free credit monitoring services.

TennCare confirmed that the breach affected 43,847 of its members. The data potentially compromised included names, health plan information, member ID numbers, provider names, prescribed drugs, and Social Security numbers. TennCare is offering affected members free credit monitoring services to guard against data misuse.