This past December, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. These proposed modifications to the rule would help support patient engagement and remove barriers to coordinated care as well as reduce regulatory burdens on the health care industry.

This news from HHS set the stage for a timely webinar co-sponsored by eFax Corporate and the Electronic Healthcare Network Accreditation Commission (EHNAC) titled HIPAA in 2021: HHS Proposed Changes to Modify Privacy Rule and its Impact on Covered Entities.

Hosted by ANSWERS Media, the virtual discussion was led by two leading privacy and security experts in the healthcare sphere – Brad Spannbauer, Consensus’s VP of software implementation, and professional services and Lee Barrett, executive director and CEO of EHNAC. Both participants each brought diverse knowledge and opinions on the proposed changes to the HIPAA Privacy Rule, the potential effects it might have on providers and the patients they care for, along with any provisions that may need to be implemented once the rule is finalized.

Experts discuss overview and ramifications of key provisions outlined in the rule

The current timeline of the Proposed Rule and the release of Final Rule. The Proposed Rule was officially issued on December 10, 2020 and was published by NPRM in the Federal Register on January 22, 2021. Comments are open until March 22, 2021, and Spannbauer encouraged listeners to take part and leave their thoughts. He went on to inform attendees that it takes approximately 90 days after comments close for a rule to catch, and covered entities will have 180 days to implement the results.

The impact of COVID-19. According to Barrett, some of what has happened with the Privacy Rule goes back to the beginning of the pandemic. The Office for Civil Rights established bulletins and guidance in February of 2020, the focus is trying to minimize the impact on fines and penalties that could be levied throughout by the OCR. Overall, Barrett believes the objective was to increase information sharing amongst a variety of entities while also focusing on good faith efforts of covered entities and business associates regarding how patient information would be shared.  

Telehealth. We saw an astounding rise in telehealth practice during the pandemic. Telehealth was a key component in healthcare because patients were not making appointments or visiting their primary care physicians. Smartphone applications became a link between various organizations, trying to make it easy for both patients and providers no matter the diagnosis or treatment plan. The OCR will not be imposing HIPAA penalties against healthcare providers for noncompliance in connection with the good faith provision of telehealth using these remote communication technologies. It has been outlined that covered providers can utilize apps such as FaceTime or Skype, but are unable to use Facebook Live, TikTok, or Twitch when providing telehealth.

Guidance on disclosures to law enforcement, first responders, public health authorities. This will identify existing HIPAA Privacy Rule permissions and provide examples for when a covered entity may disclose PHI about individuals without their HIPAA authorization. If an individual was in an emergency situation where treatment was needed, a first responder was potentially at risk for infection, or any information would prevent or lessen a serious threat then the absolute minimum bit of information would be necessary to disclose.

Modifications to the rules. These modifications protect covered entities from being subject to the minimum necessary requirement for uses by, disclosures to, or requests by a health plan or covered healthcare provider for care coordination and case management activities. Covered entities can disclose PHI to social services agencies, community-based organizations, or home and service providers. The modifications were proposed to encourage covered entities to use and disclose PHI more broadly in a variety of circumstances, which allows for the broad sharing of information in the midst of emergencies.

A new administration brings change

Each administration brings about new changes, and the Biden Administration will be no different. Barrett discussed the vast background in healthcare technology that the newly designated head of ONC Micky Tripathi, will bring to his post – including serving on The Sequoia Board of Directors and furthering FHIR initiatives in support of interoperability. He went on to note how there will also be changes to the CMS administration as many candidates are currently going through the nomination process. A select few industry experts are also going through the nomination process for the position of HHS Secretary. As leaders are selected and continue to drive efforts in the right direction, Barrett expressed how it has been stated that interoperability initiatives started under the Obama Administration will continue under the Biden Administration.

HIPAA Safe Harbor Law

The webinar also touched on the Safe Harbor Law, which amends the HIPAA HITECH Act and requires HHS to focus on incentivizing organizations to promulgate best practice security. According to Barrett, the goal of this law is to “not penalize those organizations that may have been impacted by a cyberattack, ransomware or other.” He went on to say how choosing not to seek third-party accreditation leaves the impacted organizations subject to an audit by OCR as well as certain fines and penalties due to their lack of proper cyber hygiene.

Now you know, but what should you do to prepare for the Final Rule?

Barrett first advised that all covered entities take time to review their current policies and procedures to determine what revisions need to be made ahead of the Final Rule approval. Covered entities shouldn’t wait to start making provisions on what those revisions might be. Second, all covered entities should begin to look at their organizations’ training processes. Should the Final Rule be approved, where do training tactics need to be amended to meet the new changes? For example, front office staff members should be aware of all forms that patients might have completed and submitted previously as patients could come in and ask to review their PHI on the spot. They might even ask for their records to be sent to another entity. If this Rule is implemented, the timing of these events will go from 30 to 15 days.

Spannbauer concluded the webinar by telling attendees how a majority of these changes will eliminate burdens for covered entities and should be embraced as they will not only make life a little easier for those they impact but, most importantly, because they support patient care.

Watch the complete webinar: HIPAA in 2021: HHS Proposed Changes to Modify Privacy Rule and its Impact on Covered Entities

Despite attempts to eliminate the fax machine in healthcare, it continues to be relied upon by many providers. Not only is faxing commonplace in many healthcare organizations throughout the country, but the use of traditional fax for data exchange continues to rise, according to the Office of the National Coordinator for Health Information Technology’s (ONC) State of Interoperability among U.S. Non-federal Acute Care Hospitals in 2018 Report, released in March 2020.

In a recent article published in Healthcare IT Today, Consensus’s John Nebergall discusses how, although many healthcare organizations still rely on fax machines as their primary way to send patient information to other providers external to their network, cloud fax technology is also on the rise:

According to the ONC, from 2017 to 2018, the use of eFax to send and receive care records increased 3% and 7%, respectively.

“eFax, or cloud faxing as it’s more commonly called, is one of the best protocols for rapid, reliable and scalable data transfer,” stated John Nebergall, Senior Vice President and General Manager of Cloud Faxing at Consensus. “Cloud faxing means having a fully electronic workflow. There is no paper, no physical fax machine, yet it uses tried-and-true fax protocols.”

With a traditional fax machine, patient information would need to be printed from the EHR, walked over to the fax machine and sent through, page by agonizing page. Once confirmation the fax was received properly, the paper record would need to be shredded in order to protect patient privacy. Babysitting this entire process is a tremendous waste of precious healthcare resources.

Cloud faxing eliminates all of this. With the click of a button, information from an EHR (and most other hospital systems) can be turned into a fax transmission and sent to the recipient via the Internet. “It’s quick, convenient and secure” said Nebergall.Read the full article in Healthcare IT Today.

In the last few years, HIPAA’s regulators and auditors have become more aggressive in finding and penalizing instances in which Covered Entities and their Business Associates fail to protect the electronic protected health information (ePHI) in their care. And chances are, you’ve gotten the message: It is your healthcare organization’s legal responsibility to safeguard at all times the private patient data under your charge.

But even if you have already taken many of the necessary steps to build a HIPAA compliant IT infrastructure, there are almost certainly several vulnerabilities in your organization’s ePHI-security processes, typical digital stops that your ePHI makes along its journey to recipients or to your long-term secure archiving and storage. Most IT teams forget to secure or scrub their ePHI from these hiding places.

Here are 8 of the top ePHI vulnerable spots where even at this very moment your data might be hiding — leaving you open to noncompliance with HIPAA, exposed to cyber criminals, in jeopardy of a reputation-damaging breach, and creating many other ongoing risks to your healthcare practice or organization.

ePHI Data Leakage, and 8 Places You’ve Forgotten to Secure

1.  USB Drives

Even for a disciplined and security-conscious healthcare IT team, it’s easy to forget the USB drive and other portable media-storage and transfer devices.

But your staff might be using them for faster and more convenient exchanging of ePHI documents between colleagues or to transfer them more easily from a device in the office to, say, a device at home. For your doctors or administrative staff, this might be completely innocent — just an easier way to work. But as far as HIPAA regulators are concerned, and for the cyber thief who steals the device and all of the data on it, these innocent intentions won’t protect your patients or your organization.

The preferred approach is to not allow files to be transferred to removable media, and systems can be implemented to automatically block such attempts to copy files.  But if your staff is going to use USB drives to share and transfer ePHI, you’ll need to either insist on only company-issued drives — which you’ll equip with encryption software — and require that your employees who do use them delete all of the contents after each use.

2.  Your Staff’s Texts

Because it’s such a convenient and immediate method of communication, doctors, nurses and other health professionals often use text messaging to communicate with colleagues and patients — and this often means transmitting ePHI in an unsecure way.

There are two problems here. First, under most circumstances texting ePHI is a HIPAA violation.  In fact, according to a 2016 Healthcare IT article, HIPAA’s auditors can fine your organization up to $50,000 for each text containing ePHI.

Second, and equally important, texting ePHI can leave the data exposed to hackers, in several ways. If your staff is texting ePHI over an unsecure network — such as a WiFi hotspot in a public place — hackers can grab the data digitally. Also, what if the doctor texting ePHI with her cell phone loses that phone or has it stolen? Finally, even if your doctor remains extremely careful about how and where she texts, the ePHI data she is sending and receiving over the cellular network still remains in storage on the cellular provider’s own cloud — and there is no way of knowing either that the data is secured on the carrier’s own servers or who at the carrier’s company will be able to see it.

3.  Your Staff’s Email Accounts

Your IT department has probably developed a secure email  system that satisfies HIPAA’s requirements — using secure transmission encryption protocols and other security measures to protect data on your network’s servers, etc.

But remember that your staff probably also sends and receives work-related email, including ePHI, on their personal email accounts— such as web accounts like Gmail and Yahoo! Mail.

Often your doctors or administrative staff will do this for convenience; perhaps they’re in a location where they can’t access their corporate email. Other times they might simply forget which email program they’re using when they send a new message from their smartphone.

Whatever the reason, you should assume your employees are using their personal email accounts, often outside of your network firewall, to send and receive messages containing ePHI. So your IT team’s job here — and it’s a difficult one — will be to implement policies and provide training to steer your staff away from emailing outside the corporate system you’ve developed for work-related messages, particularly messages with ePHI.

And even secure email is only as secure as the system of the person receiving the email.  If the recipient is on a non-secure personal email system, employees should be cautioned not to send email that contains protected information.

4.  The Hard Drives of Your Copiers, Scanners and Fax Machines

When your employees scan, copy or fax physical documents containing ePHI, digital copies of those documents are saved to the hard drives of the copiers, scanners and fax machines. This is an often overlooked security vulnerability because people, even seasoned IT professionals, forget that these standard pieces of office equipment even have hard drives.

But as the healthcare educational company 4MedApproved points out, one health insurance provider was forced to pay a $1.2 million HIPAA fine for returning leased office equipment that still had stored patient records and other ePHI on the devices’ hard drives.

5.  Your Voice Files

Let’s say a patient leaves a voicemail on your organization’s phone service, or on the smartphone issued to one of your doctors (or even to that doctor’s personal mobile phone). If the patient identifies herself and gives any personal information in that voicemail — almost a certainty in a message left for a medical office or doctor — that is considered ePHI.

Furthermore, let’s say your doctors use handheld dictation systems to record patient details during or immediately after patient appointments. And further imagine that the routine for many of your doctors is simply to keep the tapes of these recordings in an unlocked cabinet or even on an open shelf in their offices. Again, these voice recordings would qualify as ePHI — and need to be protected just as any fax server or network transmission containing patient records.

Your IT team’s task here — again, a difficult one — will be to train all staff on treating these voice recordings as the HIPAA-enforced protected data they are, and to implement processes to secure this ePHI at all times, whether digitally (in the case of patient voicemails) or physically (in the case of your doctors’ own patient recordings on dictation devices).

And it goes without saying that outside medical transcription services must be HIPAA compliant and willing to sign a BAA if they will be transcribing doctors notes that contain personally identifiable information.

6.  Your Previous Electronic Medical Records System

Here’s a very common scenario in healthcare organizations today — particularly as the Affordable Care Act rules force many medical and dental practices to reconsider the records systems they are using. A doctor’s office decides to switch its Electronic Medical Records (EMR) system from, say, to NexGen.

After training its staff on the NextGen system and migrating its records over the new platform, the company will then often maintain a computer server that contains copies of all of its old records originally generated on its Cerner system. But very few of these companies will also provide adequate security for that old EMR data — even though it is still ePHI, subject to the exact same HIPAA regulations as new patient records.

Here your IT team’s responsibility will be to treat this archived data and the hardware storing it with the same level of care and security as your office’s current ePHI. That means you’ll need to maintain current usernames and passwords for authorized personnel, equip the server (and any transmissions of the data to or from that server) with encryption and other security protocols, and maintain usage logs for any access to the ePHI contained on this old server.

It’s easy to forget this data is even there. But if HIPAA auditors come knocking, you’re just as much at risk of a noncompliance fine from the ePHI stored here as you are from any other type of  violation.

7.  Your Medical Equipment’s Hard Drives

This is often another innocent oversight, but one that still leaves the healthcare organization at risk from both a data breach from cyber attackers and from landing on the wrong side of a HIPAA investigation. The CT scanner, MRI machine, dental x-ray device and other medical equipment in your office also have hard drives — and virtually all of the images and data stored on these hard drives is, by definition, ePHI.

You need to implement a process for encrypting these storage drives and regularly offloading the data to a secure server — whether that’s a cloud storage plan or an on-premises secure server that your IT team manages.

8.  Your ePHI Held by Third-Party Vendors

To function as a healthcare organization today, you almost certainly need to work with third parties, such as an after-hours answering service and a cloud provider to back up and provide disaster recovery services for your data. But these are yet more examples of places where your ePHI is residing, and where they also need protecting at all times.

Any vendor that handles your ePHI should be able to demonstrate that they understand HIPAA’s requirements and their role in securing your ePHI, and that they have developed HIPAA compliant processes to secure your data at all times.

Make Your ePHI Faxes Secure and HIPAA Compliant

As we noted in ePHI vulnerability #4 above, your data is probably residing unsecured on the hard drives of your office’s copiers and fax machines. This is yet one more reason to upgrade your infrastructure from standard desktop fax machines or fax servers to a cloud fax model built specifically for businesses that need to transmit highly sensitive material by fax.

A pioneer in cloud faxing 20 years, eFax Corporate® is the world’s leading cloud fax partner for enterprises, and the most trusted provider of digital faxing services to the most heavily regulated industries — including healthcare.

Our HIPAA compliant fax solution employs the most advanced security and encryption protocols available for faxes in transit over the Internet. Additionally, we use the most sophisticated security protocols for a business’s faxes at rest — in storage online after they have been either sent or received. That is why eFax Corporate is the cloud faxing solution preferred by the majority of Fortune 500 corporations.

One reason the healthcare industry remains far from its goal of achieving ubiquitous interoperability is that many health organizations still find at least some of the technologies involved too costly or difficult to implement. If they haven’t already done so, a rural hospital or small physicians’ practice might view implementing an EHR as a time-consuming and resource-draining initiative. For larger providers, setting up APIs or moving to data-standardization protocols like FHIR 4 might also seem too disruptive to undertake. These organizations’ IT teams are busy dealing with today’s emergencies, after all.

But there is one technology that represents a significant step toward digital interoperability—and any healthcare organization can implement it almost immediately. In fact, it’s simply a modernized version of a data transmission protocol that health providers have been using for decades. It’s digital advantage of cloud faxing.

Here’s how cloud fax can provide a health organization with all of the benefits of faxing—including increased interoperability—while avoiding the many downsides of a traditional fax infrastructure.

3 ways cloud fax boosts interoperability… without the baggage of legacy faxing

1. It leverages the fact that everyone already has fax technology.

Even in 2020, faxing remains one of the most widely used methods of exchanging patient records and related documents. Nearly every practice, clinic, hospital, pharmacy, lab, payer, and other entity in the healthcare ecosystem has a fax machine and a dedicated fax number—and everyone is familiar with the technology. That’s why faxing still accounts for 75% of all patient data exchange.

The widespread use of faxing in healthcare should qualify it as a check mark on a provider’s digital interoperability to-do list. But the goal of interoperability is to make exchanging patient data faster and easier for any healthcare entity. And as anyone learns when they’re forced to use the traditional method—printing out documents, feeding them into a fax machine, dialing a phone number, waiting for all pages to feed through the machine, filing the pages and transmission receipt—paper faxing is one of the slowest and least efficient means of sending and receiving documents.

Cloud fax combines the fax’s interoperability with the efficiency of an online solution. With cloud faxing, by contrast, an organization uses a virtual fax number to send or receive patient documents digitally—via a highly secure email interface or website. There is no need for printing, scanning, dialing, waiting, filing, or taking any of the other manual steps required to complete an analog fax transmission. Even retrieving these documents later is far more efficient with cloud fax solution, which archives all fax data and lets users search for it anytime by date, name, tags, etc.

In other words, cloud fax leverages the ubiquity of faxing—the fact that every healthcare provider already has a fax number and uses faxing in its daily operations—while making the entire process faster, more secure, and more efficient.

2. It fills in the data-exchange gaps for organizations without an EHR.

Although most healthcare organizations have adopted EHR systems, many—particularly those in smaller, rural, and medically underserved communities—have not. This is partly due to the fact that many of these smaller providers fell through the cracks of the government’s Meaningful Use incentive programs to encourage electronic-records adoption. Additionally, these smaller entities simply have less of a budget to upgrade to newer technologies. But all of these budget-strapped healthcare organizations are familiar with faxing and likely use the protocol every day to send and receive patient documents.

Cloud fax helps fill this interoperability gap. With a cloud fax solution, these underrepresented healthcare entities can have the means to efficiently and affordably transmit a high volume of patient records and documents via fax. And unlike the purchase, implementation, and staff training of an entirely new technology like an EHR, rolling out a digital fax solution takes very little time or effort on the part of the company’s IT staff—and almost no time for the medical and administrative staff to learn to use.

3. It encourages data exchange by making the process more compliant with HIPAA.

Traditional faxing leaves a healthcare covered entity vulnerable to many compliance risks. Faxes sent to the wrong number, patient records left sitting on an office fax machine, failure to securely file ePHI faxes after receiving or sending the hardcopies—these can all constitute regulatory violations.

Cloud fax significantly increases a covered entity’s ability to meet HIPAA standards. With a cloud fax solution, a healthcare organization won’t face any of the HIPAA risks common in a legacy fax environment. In this way, cloud faxing encourages patient data exchange by making it safer for covered entities to engage in high-volume faxing of patient data without the concerns or additional precautions needed to safeguard the organization from regulatory violations.

An organization can implement cloud fax immediately

For a healthcare organization trying to move toward digital interoperability, one final advantage of cloud faxing is that it can be rolled out right away.

When the industry talks about digital maturity roadmaps, data standardization, and new interoperability applications, many healthcare providers envision costly projects that divert important resources and disrupt the organization’s normal operations. With cloud fax, though, there are no such expensive or disruptive implementations—just an easy rollout of an intuitive cloud technology that everyone in the organization will grasp almost immediately.