ED Coding and Reimbursement Alert

With the rise of telehealth and new technologies that help gastroenterologists provide digital healthcare comes more ways your systems and your patient’s protected health information (PHI) could be compromised.

Whether you’re a data security novice or have always prioritized cyber hygiene, the Department of Health and Human Services (HHS) created the Health Sector Cybersecurity Coordination Center (HC3) for you.

Keep reading for a terminology refresher, information about new digital threats, and how HC3 can help your practice stay cyber-safe.

What Is Cybersecurity?

Cybersecurity is a term used to describe the practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from digital attacks, damage, or unauthorized access. It involves implementing measures to prevent and mitigate cyber threats, which can range from phishing and malware to more sophisticated attacks like ransomware.

What Is PHI?

PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” reminded the HHS Office for Civil Rights (OCR) in its HIPAA Privacy Rule guidance.

The HIPAA Privacy Rule identifies 18 items as “individually identifiable health information” that are considered PHI:

1. Name

2. Address

3. Birth date and other corresponding dates of admission, discharge, death, etc.

4. Landline and cellphone numbers

5. Fax numbers

6. Email addresses

7. Social Security number

8. Medical record number

9. Health plan beneficiary number (i.e. Medicare Beneficiary Identifier)

10. Account number

11. State identification or license number

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. URLs

15. IP addresses

16. Biometric identifiers like finger or voice prints

17. Photo or image of patient, specifically the face

18. Any other unique code, characteristic, image, or number that identifies the individual

The HIPAA Security Rule also protects certain information covered by the Privacy Rule, which includes “all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form according to the U.S. Department of Health and Human Services (HHS) website.

Additionally, the Security Rule instructs covered entities (CEs), such as healthcare providers, health plans, or healthcare clearinghouses, to take the appropriate measures to protect ePHI through administrative, technical, and physical safeguards. You must never disclose PHI or ePHI to unauthorized persons, or you’ll be in violation of HIPAA’s Privacy and Security Rules.

Watch for New Threats to Patient Privacy

Offering digital healthcare comes with its advantages, but keeping PHI safe can be difficult when new types of threats continue to arise. For example, some apps are using tracking technology, which presents both a privacy and a security risk. Each person’s medical and financial data is incredibly valuable to hackers, which is “why healthcare organizations and devices are high-value targets for cyber criminals,” says Peter Newton, senior director of product and solutions at Fortinet in Sunnyvale, California.

Details: On July 20, 2023, the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued a joint letter to CEs, business associates, and third-party vendors warning them about using Meta/Facebook pixel and Google Analytics, which can track an individual’s online activities. “These tracking technologies gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users,” the joint letter said.

OCR further warned CEs about these dangers with an updated bulletin. In the bulletin, OCR “significantly expanded its interpretation of the definition of PHI to include, in some instances, identifiable information gathered by tracking technologies where a user visits a website and does not interact with the entity in any other way,” noted attorneys Kathryn F. Edgerton, Lara D. Compton, and Kate F. Stewart with law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. in online legal analysis.

The letter also acts as a follow-up to a September 2021 announcement reminding entities about enforcement under the FTC Breach Notification Rule.

Bottom line: CEs and their vendors should be on the same page with privacy, strengthen their IT controls, and ensure patients’ protected health information (PHI) is safe and secure.

See How HC3 Can Help

It can seem impossible to keep up with new threats and ways to combat them. That’s where HC3 comes in.

HHS created HC3 to better implement provisions outlined in the Cybersecurity Information Sharing Act of 2015. HC3 addresses threats in the healthcare sector, with significant focus on cybersecurity and data sharing. HHS regularly updates the HC3 webpage with new products, initiatives, and alerts that can help you manage these things in your practice.

HC3 is broken down into three areas. Here is an overview with the definition for each category:

Threat briefs: In this section, HHS “highlights relevant cybersecurity topics and raises the [healthcare and public health] HPH sector’s situational awareness of current cyber threats, threat actors, best practices, and mitigation tactics.”

Sector alerts: Here, the agency gives “high-level” updates on threats with the information targeted specifically for a technical audience. The resources provide defensive advice to combat current large-scale threats and vulnerabilities.

Other products: HHS offers concise analysis and education on hot cybersecurity topics with alerts and white papers in this section. Recent deep dives include a white paper on artificial intelligence and phishing; analysis and fixes for issues with SolarWinds software; and a white paper on the intersection of QR codes and phishing.

Learn more by going to the HC3 site: www.hhs.gov/about/agencies/asa/ocio/hc3/index.html.