HIPAA regulations for selling pharmaceuticals to physicians

From the Hippocratic Oath of ancient Greece to modern Washington’s Health Insurance Portability and Accountability Act (HIPAA), patient privacy has been a foundation of medicine and is etched into the AMA Code of Medical Ethics.

“Protecting information gathered in association with the care of the patient is a core value in health care,” states opinion 3.1.1 of the Code. “However, respecting patient privacy in other forms is also fundamental, as an expression of respect for patient autonomy and a prerequisite for trust.”

The AMA describes HIPAA as establishing “guardrails for the sharing and use of patient health information” between health care providers. The AMA notes that HIPAA regulations are mainly “permissive” in that they allow, but don’t require, the sharing of health information. And, generally, physicians and hospitals may share patient information without explicit patient consent for treatment, payment, and business operations reasons.

Crossing the lines established by HIPAA can result in civil penalties ranging from $100 for an “unknowing” violation to $1.5 million for “willful neglect.” The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is responsible for enforcing compliance with HIPAA privacy rules.

For more than 15 years, the OCR has tracked the most-often alleged compliance issues included in HIPAA complaints.

According to the OCR, they are:

  • Impermissible uses and disclosures of protected health information.
  • Lack of safeguards of protected health information.
  • Lack of patient access to their protected health information.
  • Lack of administrative safeguards of electronic protected health information.
  • Use or disclosure of more than the minimum necessary protected health information.

Physicians and private practices are alleged to be the second-most common violator of HIPAA privacy regulations, coming in behind hospitals and ahead of outpatient facilities, pharmacies and health plans, the OCR says.

Last year, the OCR launched its HIPAA Right of Access Initiative promising to “vigorously enforce the rights of patients to get access to their medical records promptly without being overcharged, and in the readily producible format of their choice.”

So far, the initiative has settled 15 investigations.

The AMA has released a patient access playbook to help physicians better understand their obligations under HIPAA to provide patients with access to their information.

Feds seek voluntary compliance

The OCR typically tries to resolve cases by obtaining voluntary compliance, through a corrective action, or with a resolution agreement.

The HHS website describes a case in which a patient's HIV status was disclosed after an employee at a doctor's office mistakenly faxed medical records to the patient's workplace instead of to the patient's new health care provider.

“The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient,” the website states. “To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient.”

No fine is mentioned in that case. Civil penalties for violations have totaled almost $112 million since 2003. The OCR has referred 824 criminal violations to the Department of Justice to investigate.

Entities that knowingly obtain or disclose individually identifiable health information in ways not permitted by HIPAA may face a fine of up to $50,000, as well as imprisonment up to one year, according to AMA HIPAA resources.

Offenses committed under false pretenses allow penalties to be raised to a $100,000 fine, with up to five years in prison. Intending to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm can result in fines of $250,000 and imprisonment up to 10 years.

Cyber thieves see data as commodity

Patients’ digital medical records are 50 times more valuable than financial information, according to cybersecurity experts. And the AMA believes that keeping the patient at the center of care requires steadfast adherence to their rights to privacy.

“Without appropriate safeguards, patients’ data could become a commodity,” the AMA health data privacy framework states. “Health data can provide a wealth of information for marketers or be sold and exchanged by data brokers—impacting insurance coverage, access to care, or resulting in employment discrimination.”

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

HIPAA is a federal law signed by President Bill Clinton in 1996 that required the creation of national standards to protect sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge.

So, what is HIPAA and why is it important? In 2020, data breaches affected 26.4 million records in the U.S. alone which cost the healthcare industry over $13 billion.

When you consider the amount of personal information stolen by cybercriminals, the purpose of HIPAA is easy to understand: it mandates safeguards against such attacks.

HIPAA provides data privacy and security in healthcare in order to protect patients’ medical information. This is especially important for healthcare providers or organizations that use electronic means such as EHR which stands for Electronic Health Record.

An EHR stores digital records of patient health information such as diagnoses, medications, radiology images, and billing data.

It is commonly used in hospitals and other healthcare facilities and must adhere to the highest level of HIPAA standards.

As defined by HIPAA rules, covered entities (CEs) include healthcare providers, healthcare clearinghouses (public or private entities that process, or facilitate the processing of, nonstandard data elements of health information into standard data elements), and health plans.

These entities are responsible for transactions that involve payment and/or billing, and insurance.

Other covered entities include:

  • Physicians
  • Nurses
  • Hospitals
  • Dentists 
  • Chiropractors 
  • Nursing Homes
  • Pharmacies

HIPAA, administered by the Department of Health and Human Services (HHS), requires that every covered entity designate a privacy official who is responsible for developing and implementing privacy policies and procedures.

A privacy official is a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Business associates are defined as entities or persons that perform or assist in an activity involving PII, such as claims processing, quality assurance reviews, data analysis, or any other function regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule.

Pharmaceutical suppliers are considered business associates and must follow strict HIPAA regulations when selling pharmaceuticals to physicians.

Other examples of business associates include:

  • Accountants
  • Consultants 
  • Suppliers (medical devices)
  • Legal 
  • Data Aggregation
  • Administrative/Management
  • Financial Services

The HIPAA Omnibus Rule, finalized by the OCR (Office for Civil Rights), states who is required to protect ePHI.

The Omnibus Rule governs business associates under HHS OCR HIPAA compliance standards. It requires healthcare providers to update their Business Associate Agreements, and it protects an individual’s PHI for 50 years after their death.

A covered entity (CE) must have an established complaint process to meet the HHS privacy rule. That is the HIPAA privacy rule summary for covered entities.

Protected health information (PHI), as defined in the 2003 Privacy Rule, encompasses all information that can be used to identify a patient. PHI comprises eighteen specific identifiers, which include:

  • Name
  • Address
  • Telephone
  • Social Security 
  • Email 
  • Medical Records
  • Fax Numbers
  • IP Addresses
  • URLs
  • Biometric identifiers such as fingerprints 
  • Account Numbers 
  • Photos
  • Vehicle License Plates

Only authorized individuals may process the information listed above; the HIPAA Security Rule requires safeguards against unauthorized access.

ePHI is defined as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. ePHI stands for Electronic Protected Health Information and is governed by the HIPAA Security Rule. 

ePHI HIPAA best practices and safeguards include:

  • Strong passwords and the use of Multi-Factor Authentication (2FA)
  • Unique accounts for each user
  • Providing each user the minimum ePHI access required to work
  • Record all changes to ePHI (change of patient address, telephone, email, etc.) 

How Does HIPAA Address Employees’ Access to ePHI?

Healthcare providers must have access to ePHI on a “need to know” limited basis. ePHI must be protected by providers regardless of where they are.

One method of protecting patient information is end-to-end encryption: the data can only be read with the decryption key; otherwise it appears scrambled and unreadable.

Medical records, for instance, must have this added layer of security to defend against malicious hackers.  

Other ePHI examples include: 

  • Emailed lab results or blood test reports 
  • E-prescriptions, stored X-rays, MRIs, or other digital photos of a patient
  • Patient notes stored in a mobile device
  • Appointments and procedures stored on an e-calendar

HIPAA compliance for PHI, the protected health information of patients, is mandatory for the majority of healthcare facilities in the United States.

HIPAA does permit sending PHI by email; however, all such emails must be fully encrypted and have a high level of PHI security. The HIPAA Security Rule establishes national standards for protecting PHI.

PHI Policies and Procedures

PHI policies are the job of a privacy official under the HIPAA Act. Privacy officials are responsible for mitigating risks and handling business-related complaints.

PHI procedures place strict emphasis on access to confidential information, which should be granted only to authorized personnel.

Healthcare data security standards protect patient confidentiality and must comply with HIPAA regulations.

It is also crucial to update HIPAA medical software routinely to close vulnerabilities that cybercriminals can easily exploit.

Such exploits open a door for malicious actors, who can quickly steal patient information and sell it for as little as $5.40 on the black market.

HIPAA compliant medical software protects against some of the most common risk factors:

  • Outdated legacy systems (which should be replaced with a HIPAA compliant VPN)
  • Unsecured networks
  • Malicious emails such as Phishing scams
  • Weak passwords (e.g. 12346, Qwerty, and even, astonishingly, the word “password” itself)
  • Lack of training among employees and other third-party providers

Healthcare professionals must abide by stringent medical HIPAA laws, in addition to an ethical code and moral obligations. All healthcare facilities are required to appoint a privacy officer to ensure that HIPAA rules and regulations are being enforced.

Physicians should follow strict HIPAA regulations for medical records storage and remain in HIPAA ICD-10 compliance for all transactions as covered by the Health Insurance Portability and Accountability Act of 1996.

  1. Train Your Staff on HIPAA Policies and Procedures – Employees should be very familiar with the HIPAA Policies & Procedures Desk Reference, which can be purchased online via Amazon. Although there are regular updates, this book acts as a starting point and is highly recommended.
  2. Set Up a HIPAA Policy for the Medical Office – Develop a manual with written policies and step-by-step procedures for everyone to follow. Don’t be afraid to quiz staff every once in a while to make sure everyone is up to date.
  3. Maintain Privacy – Never disclose any patient information or leave patient files unattended where patient names could be seen. Always knock before entering any room and avoid noisy places when speaking with patients.
  4. Keep HIPAA Compliance Software Up to Date – This not only includes installing the latest security updates but also staying current with new HIPAA regulations on electronic medical records and HIPAA medical record storage requirements.

  1. Right to Obtain a Copy of Your Health Data – Every patient has the right to either view or obtain a copy of their health data. A copy of your medical records will be provided within 30 days. A small fee might be applied. 
  2. Right to Find Out Who Has Received Your Health Data – Covered entities must provide information on a patient’s health data over the past six years.  
  3. Right to Restrict Sharing of Your Health Data – Patients can choose who to share their PHI with. HIPAA covered entities are not permitted to sell health data or use it for marketing, advertising, or research, without first obtaining written authorization.
  4. Right to File a Complaint for a Privacy Violation – A patient may file a complaint if they feel that any PHI has been accessed by unauthorized individuals. 
  5. Right to Correct Errors in Your Health Records – HIPAA provides patients with the right to make any needed changes to their health information to correct mistakes. Requests must be submitted in writing. 
  6. Notification of Privacy Practices – All HIPAA covered entities are required by law to notify you about how your medical data will be used. 

One popular question physicians research is “are sign-in sheets required by law?” The answer is that, yes, covered entities may use sign-in sheets as long as the information disclosed is limited, according to the Department of Health and Human Services.

A compliance breach is a result of not complying with HIPAA breach notification rules, guidelines, and policies. Breaches can also occur due to human error, but proper investigations into the incident will help determine the cause and whether or not it is a HIPAA violation.

Breaches must be reported to a privacy or security officer within 60 days of discovery, a standard known as “reasonable diligence”.

Failure to report the incident within 60 days may result in a massive penalty from the OCR or a lawsuit. This process should be part of an OCR HIPAA audit checklist. All breaches should be reported, regardless of scope.

What’s a HIPAA violation? A HIPAA violation is the failure to comply with any HIPAA aspect or provision. The penalties for these violations range from $25,000 per violation category, issued by state attorneys general, up to $1.5 million from the Office for Civil Rights.

HIPAA violation penalties are divided into 4 tiers.

Some of the most common HIPAA security rule violations are:

  • Medical Identity Theft – This is when another person steals and utilizes your personal information to obtain money through fraudulent claims or purchase prescription drugs. What’s even more shocking is that 30% of victims were not even aware when the identity theft occurred. One way to prevent identity theft is to thoroughly read your EOB (explanation of benefits) and get a copy of your medical records just in case. 
  • Malicious Attacks on Networks – One of the most common attacks on healthcare institutions is Ransomware. In fact, just a couple of years ago in 2017, the infamous Ryuk Ransomware attack on Universal Health Services (UHS), which had over 400 locations, took place. The attack disrupted over 80 medical facilities and cost approximately $67 million in lost revenue. Having a secure Business VPN can help alleviate this type of headache.
  • Downloading PHI Onto Unauthorized Devices – Employees must be trained properly when it comes to the handling and transmitting of PHI. Specific permissions and least privilege access must be granted by IT in order to prevent any PHI from leaking out. 
  • Employees Snooping on Medical Records – Snooping on healthcare records is one of the most common HIPAA violations committed by employees. Once again, proper training should be provided to all new employees and an annual review for existing employees just to be on the safe side. 

HIPAA violations are mainly discovered by HIPAA covered entities through internal audits. Employees involved in such violations can face severe penalties and even prison time if caught and convicted. 

HIPAA laws are designed to protect the privacy and security of patients’ health information. HHS also enforces federal civil rights laws that protect individuals and entities from unlawful discrimination on the basis of race, color, national origin, disability, age, or sex in health and human services.

The HIPAA law can be broken down into five titles. Each title or section provides different rules and provisions. 

  • Title I – HIPAA Health Insurance Reform
  • Title II – HIPAA Administrative Simplification 
  • Title III – HIPAA Tax Related Health Provisions
  • Title IV – Application and Enforcement of Group Health Plan Requirements
  • Title V – Revenue Offsets

Under HIPAA Title II, organizations must implement secure electronic access to PHI, as overseen by the United States Department of Health and Human Services (HHS).

The HIPAA privacy law states that covered entities may disclose the protected health information of an individual who has been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders, and public health authorities without consent from the individual.

The other exceptions of HIPAA laws and COVID include:

  • When first responders may be at risk of infection
  • When disclosure is needed to provide treatment
  • When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public
  • When such notification is required by law

  1. The Privacy Rule – establishes national standards to protect PHI and applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.
  2. The Security Rule – requires physicians to protect patients’ ePHI by using appropriate administrative, physical and technical safeguards.
  3. The Breach Notification Rule – requires covered entities to notify patients when their unsecured PHI is impermissibly used or breached in a way that compromises the privacy and security of the PHI.

The 90/10 Rule establishes good security standards which state that: 

  • 10% of security safeguards are technical 
  • 90% of security safeguards rely on the computer user to adhere to good computing practices

HIPAA is a federal law enforced by the HHS’ Office for Civil Rights. Enforcement began in 2003 under the HIPAA Privacy Rule, which sets limits on who can view and receive your health information, and the Security Rule, which requires safeguards for health information in electronic form.

EHR stands for Electronic Health Records and it is a digital version of a patient’s paper chart, containing medical history, diagnoses, lab and test results, treatment plans, and medications. The Security Rule was established to protect patients’ security of electronic health information under HIPAA. Healthcare practices should also implement an effective EHR Audit Checklist as required by HIPAA Federal laws and regulations.

Many healthcare practitioners ask how HIPAA requirements affect working from home; the answer is that all covered entities must abide by HIPAA rules regardless of whether they are working from home or at the office.

Although there are great advantages such as reduced costs and time saved traveling, there are also drawbacks if proper security measures are not in place. 

One way to address this concern is through a HIPAA Compliant VPN, which protects against outside threats and malicious actors and encrypts all sensitive PHI data.

  • AWS HIPAA compliance allows customers to build HIPAA compliant apps that process, transmit and store PHI.
  • Azure HIPAA compliance allows organizations to store, analyze and interact with regulated health data while maintaining security, privacy and compliance in the cloud.
  • Salesforce HIPAA compliance allows HIPAA compliant emails to be sent.
  • Google Workspace allows for HIPAA compliance on the Google Cloud platform. PHI is protected in accordance with HIPAA guidelines.

HIPAA scanning requirements are put in place as the HIPAA Security Rule requires that covered entities perform security risk analyses. Vulnerability scans may take place to find known vulnerabilities in apps, networks, as well as firewalls. Vulnerability scans identify weaknesses and flaws in IT systems. 

Some of the most common flaws revealed are:

Flaws in hardware: Outdated legacy hardware systems present major problems. Two such vulnerabilities are Meltdown and Spectre, which affect hardware systems and create opportunities for attackers.

Flaws in software: These take the form of bugs that have not been addressed properly, and of Cross-site scripting (XSS), which is commonly found in applications.

Additional vulnerabilities exist on operating systems such as old versions of Windows or via browsers such as Google Chrome or Mozilla.

The first step towards Security Rule compliance is the assignment of security responsibility to a HIPAA Security Officer.

HIPAA rules and regulations give guidance for the correct uses and disclosures of PHI, how to secure PHI, and the measures that need to be taken should there be a PHI breach.

There are also HIPAA firewall rules: outbound connections from networks that contain PHI must be explicitly authorized.

When it comes to the application of the HIPAA privacy rules to religious organizations, it’s important to know that many religious entities, such as ministries, are not subject to the HIPAA privacy rule. 

HIPAA documentation requirements are a lengthy process but absolutely essential, as a HIPAA document organizes all levels of security efforts taking place covering all HIPAA requirements and compliance rules.

The privacy and security rules require workforce training that every new member must undergo as part of their HIPAA training.

There are rules and procedures which all healthcare organizations must follow. Implementing a HIPAA compliance checklist for reference is crucial to thwart cybercriminals from exposing sensitive information. 

The most common HIPAA guidelines include:

  • Ensuring proper HIPAA training for all members of staff 
  • Appointing a HIPAA compliance Privacy or Security officer 
  • Reviewing all third-party BAA (Business Associate Agreements) to make sure they meet HIPAA compliance standards
  • Regularly reviewing policies and procedures with staff to make sure everyone remains up-to-date

The HIPAA technology checklist consists of:

  • Access Control – where centrally controlled individual credentials for every single user are implemented.
  • Integrity Controls – where policies and procedures are put in place to ensure that ePHI stays unaltered and safe from harm.
  • Network Security – where all devices must be able to encrypt messages sent beyond internal firewalled servers and be able to decrypt them once received.
  • Audit Controls – where access to ePHI must be recorded and examined in information systems.
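The ePHI safeguards listed earlier (unique accounts, minimum necessary access, recording every change) and the access, integrity and audit controls in the checklist above, as an added example in working code; this is not code from the original page or from Perimeter 81, and the patient records, roles and accounts are constructed sample data. The store enforces field-level minimum-necessary access per role and logs every attempt, and a review routine over that log flags access to patients outside a user's assigned panel, the kind of internal audit that detects record snooping.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json
# Minimum-necessary policy: the record fields each role may read or change.
ROLE_FIELDS = {
    "physician": {"name", "phone", "address", "diagnoses", "medications", "lab_results"},
    "nurse": {"name", "medications", "lab_results"},
    "billing": {"name", "address", "account_number"},
    "scheduler": {"name", "phone"},
}

@dataclass(frozen=True)
class User:
    user_id: str       # one unique account per person; no shared logins
    role: str
    panel: frozenset   # patient ids this user is assigned to care for

@dataclass(frozen=True)
class AuditEntry:
    ts: str
    user_id: str
    patient_id: str
    action: str        # "read", "update" or "denied"
    fields: tuple
    detail: str = ""

class EphiStore:
    def __init__(self, records):
        self._records = {pid: dict(r) for pid, r in records.items()}
        self.audit_log = []   # append-only trail of every access attempt

    def _log(self, user, patient_id, action, fields, detail=""):
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         user.user_id, patient_id, action, tuple(fields), detail))

    def read(self, user, patient_id, fields):
        """Return only the requested fields, and only if the role may see all of them."""
        not_allowed = set(fields) - ROLE_FIELDS.get(user.role, set())
        if not_allowed:
            self._log(user, patient_id, "denied", fields, f"{user.role} may not read {sorted(not_allowed)}")
            raise PermissionError(f"{user.user_id} may not read {sorted(not_allowed)}")
        record = self._records[patient_id]
        self._log(user, patient_id, "read", fields)
        return {f: record[f] for f in fields}

    def update(self, user, patient_id, field_name, new_value):
        """Change one field; the old and new values go into the audit trail."""
        if field_name not in ROLE_FIELDS.get(user.role, set()):
            self._log(user, patient_id, "denied", (field_name,), "update not permitted for role")
            raise PermissionError(f"{user.user_id} may not update {field_name}")
        record = self._records[patient_id]
        old, record[field_name] = record[field_name], new_value
        self._log(user, patient_id, "update", (field_name,), f"{old!r} -> {new_value!r}")

    def record_digest(self, patient_id):
        """SHA-256 of the canonical record, for integrity checks between audits."""
        canonical = json.dumps(self._records[patient_id], sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

def find_out_of_panel_access(audit_log, users):
    """Audit review: successful reads or updates of patients outside the user's panel."""
    by_id = {u.user_id: u for u in users}
    return [e for e in audit_log
            if e.action != "denied" and e.patient_id not in by_id[e.user_id].panel]

# Constructed sample records and accounts (not real patients or staff).
SAMPLE_RECORDS = {
    "P001": {"name": "Pat Example", "phone": "555-0100", "address": "1 Main St",
             "diagnoses": ["J45.909"], "medications": ["albuterol"],
             "lab_results": ["HbA1c 5.6"], "account_number": "ACCT-1"},
    "P002": {"name": "Sam Sample", "phone": "555-0101", "address": "2 Main St",
             "diagnoses": ["E11.9"], "medications": ["metformin"],
             "lab_results": ["HbA1c 7.8"], "account_number": "ACCT-2"},
}
DR_LEE = User("dlee", "physician", frozenset({"P001"}))
CLERK = User("jdoe", "scheduler", frozenset({"P001", "P002"}))
USERS = [DR_LEE, CLERK]

def demo():
    store = EphiStore(SAMPLE_RECORDS)
    store.read(DR_LEE, "P001", ["diagnoses", "medications"])  # in panel, permitted
    store.read(DR_LEE, "P002", ["diagnoses"])                  # role allows it, but off-panel
    try:
        store.read(CLERK, "P001", ["diagnoses"])               # scheduler may not see diagnoses
    except PermissionError:
        pass                                                   # denied attempt is still logged
    store.update(CLERK, "P002", "phone", "555-0199")
    return store, find_out_of_panel_access(store.audit_log, USERS)
```

The store deliberately allows a physician to read any patient's chart (treatment may require it) and leaves the panel check to the audit review, so the off-panel read by `dlee` shows up as a finding rather than a hard block.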

There are certain HIPAA compliant web conferencing tools such as Zoom and GoToMeeting. These HIPAA compliant video tools are especially important during COVID-19, where most health meetings must take place online.

Sensitive information can easily leak into the wrong hands with a click of a button, causing a major breach and costing healthcare organizations a lot of money, over $13.2 billion in 2020 alone.

Zoom is, in fact, HIPAA compliant. The Zoom business associate agreement protects personal health information (PHI) in accordance with HIPAA guidelines.

Zoom privacy features allow you to control session attendee admittance for either individuals or groups. HIPAA compliant secure video conferencing takes place on this platform, which is trusted by millions of healthcare professionals worldwide.

Yes, GoToMeeting is HIPAA compliant. The GoToMeeting Business Associate Agreement (BAA) is a legal contract that mandates GoToMeeting maintain the essential safeguards to secure all PHI transmitted through its platform.

The BAA also mentions that every signing party has its own responsibility with regards to maintaining its own compliance.

There are many great and reliable websites that can guide you on how to get HIPAA certified. A HIPAA certification on a resume demonstrates that a covered entity or business associate, such as a medical device company or pharma sales rep, fully complies with all HIPAA rules and regulations.

A HIPAA compliant certification should be updated as often as possible in order to avoid hefty fines and provide your employees with proper training. 

If you are working with any sort of data related to a patient through your website, such as a PHI email, your organization must follow stringent HIPAA website laws.

There are no official rules that govern HIPAA cloud storage with regards to PHI. Cloud storage providers such as Dropbox, do not have any HIPAA or HITECH certifications.

That means that you are responsible for taking appropriate security measures with protected healthcare information.

Regardless of your organization’s size, it is absolutely crucial to have a VPN for HIPAA compliance in place. A HIPAA compliant VPN will help encrypt all ePHI and minimize the chance of a breach by granting limited privilege access to employees and third-party providers. And that is HIPAA in a nutshell.

Perimeter 81 offers the most secure HIPAA compliant VPN for healthcare professionals which meets the highest HIPAA encryption compliance requirements and HIPAA security software standards.

Curious to see if your organization meets our HIPAA Compliance Checklist? Find out how Perimeter 81 secures healthcare organizations and maintains the highest levels of HIPAA compliance for remote employees with Zero Trust.

Encrypt Transmitted Data: Perimeter 81 helps encrypt all sensitive information such as Electronic protected health information or ePHI, making the data unreadable and indecipherable.

Secure Remote Access: Perimeter 81 leverages always-on encryption and 2FA of all traffic, as well as traffic firewalling, and device posture checks to ensure that stored and transmitted data remains private.

Centralized Cloud Platform: Grant employee and business associates limited access via least access privilege. Ensure that PHI remains confidential by establishing user roles, significantly minimizing the potential of a data breach.

What does it mean to be in compliance with HIPAA?

Being HIPAA Compliant means that your organization must follow all HIPAA rules and regulations.

What are the three rules of HIPAA?

1. The Privacy Rule
2. The Security Rule
3. The Breach Notification Rule

What are the guidelines for HIPAA compliance?

-Ensure that patients’ Protected Health Information (PHI) remains secure and confidential
-Limit access of patient information on a need to know basis
-Inform patients of their rights
-Ensure full compliance in the workforce with policies and procedures in place
-Train your staff accordingly 

What is the HIPAA compliance checklist?

-Implement written policies, procedures, and standards of conduct
-Conduct the required annual audits and office assessments 
-Designate a HIPAA Compliance Officer to conduct annual HIPAA training for all members of staff
-Review policies and procedures with employees and staff to report breaches
-Enforce HIPAA standards through policies and guidelines

What are common HIPAA violations?

-Malware incidents
-Lost or stolen devices (laptop, USB, smartphone)
-Social media posts 
-EHR breach
-Mishandling of medical records 
-Misuse of PHI (discussing confidential information outside the office, sending it to the wrong patient, selling it to outside providers, etc.) 
-Lack of employee training 

What are the 5 most common violations of the HIPAA Privacy Rule?

-Impermissible uses and disclosures of protected health information
-Lack of safeguards of protected health information
-Lack of patient access to their protected health information
-Lack of administrative safeguards of electronic protected health information
-Use or disclosure of more than the minimum necessary protected health information

What is the most common HIPAA violation among healthcare workers?

Failing to Secure and Encrypt Data. Perhaps the most common of all HIPAA violations is the failure to properly secure and encrypt data. In part, this is because there are so many different ways for this to happen.

Are pharmaceutical companies covered entities?

HIPAA does not generally regulate pharmaceutical companies because they are neither covered entities nor business associates. Pharmaceutical manufacturers do not qualify as health plans, healthcare clearinghouses, or healthcare providers, and therefore are not covered entities.

Does HIPAA allow marketing?

With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her protected health information can be made for marketing.