Latest news with #patientdata


Medical News Today
3 days ago
- Business
- Medical News Today
HIPAA rights: What they are, who they apply to, and more
The Health Insurance Portability and Accountability Act (HIPAA) protects patient health information and provides individuals with rights to control the use and disclosure of their health information. The United States enacted HIPAA in 1996. HIPAA applies to organizations, healthcare professionals, and insurers who handle patient data. This article looks at HIPAA rights, who must follow HIPAA regulations, and which information HIPAA protects.

What are they?

HIPAA rights are federal laws that protect a person's privacy and security in relation to their health information.

The Right to Access allows people to access their protected health information (PHI). Healthcare professionals must provide individuals access to their PHI within 30 days of requesting it. People can also request an electronic or hard copy of the information. The Right to Access includes all health-related information, except information that a healthcare professional collects for legal purposes or psychotherapy notes.

An individual can request a change to their PHI if they believe their health information is incomplete or inaccurate. The covered entity must respond to the request for amendment within 60 days of receiving the request. A covered entity refers to a healthcare professional or organization that handles patient data and is required to follow HIPAA regulations.

An individual has the Right to Request Restrictions on the use and disclosure of their PHI. This includes:
- disclosure to people involved in an individual's healthcare or billing
- disclosure to notify others, such as family members, of a person's condition, location, or death

If covered entities agree to the request, they must follow the restrictions, except when treating someone in a medical emergency. Covered entities have no obligation to agree to restriction requests.

Individuals also have a right to request an alternative method of communication to the one that the covered entity may typically use. People can also request a certain address for receiving communication.

Accounting of Disclosures is a record detailing why and when a covered entity disclosed a person's PHI, which people have a right to access. Covered entities do not need to account for disclosures for healthcare operations, treatment, or payment. Covered entities must keep accounting of disclosure records for six years.

A covered entity must receive written authorization from the individual to use or disclose any PHI that is not for healthcare operations, treatment, or payment purposes. An individual has the right to revoke their authorization of the use or disclosure of their PHI at any time. People must make the request in writing, which becomes effective once the covered entity receives it.

The HIPAA Privacy Rule requires covered entities to provide a Notice of Privacy Practices (NPP) and abide by its terms. These terms include:
- how the covered entity may use or disclose a person's PHI
- the duties of the covered entity to protect the privacy of the individual, and a description of their rights
- stating the right a person has to complain to the covered entity and the U.S. Department of Health and Human Services (HHS) if they believe there has been a violation of their privacy rights
- providing a point of contact for making complaints or requesting further information

Who must follow them?

The following covered entities must follow HIPAA regulations:
- Health plans: This includes health insurance companies, company health plans, and government healthcare programs such as Medicare and Medicaid.
- Healthcare providers: This describes providers who carry out electronic transactions, such as sending a health bill electronically. This includes most providers such as hospitals, clinics, healthcare professionals, pharmacies, and nursing homes.
- Healthcare clearinghouses: A healthcare clearinghouse is a third-party organization that processes data between entities, such as between healthcare providers and insurance companies.
- Business associates: Business associates of covered entities must also follow HIPAA regulations. Business associates are people or companies outside of the covered entity who may need to access PHI, such as lawyers, IT specialists, or billing companies.

Who does not?

In many cases, the following organizations do not have to follow HIPAA regulations:
- employers
- schools and school districts
- law enforcement agencies
- state agencies, such as child protective services
- municipal offices
- life insurers
- workers compensation carriers

FAQ

The following information is protected under HIPAA regulations:
- information in a person's medical record from healthcare professionals
- conversations between healthcare professionals about a person's healthcare and treatment, such as between a doctor and a nurse
- personal information stored in a health insurer's computer system
- a person's billing information at a clinic
- most health information that a covered entity holds about an individual

Under HIPAA regulations, health information is protected in the following ways:
- safeguards that covered entities and business associates must put in place to protect PHI and prevent improper use or disclosure of PHI
- covered entities must only use, disclose, or request the 'minimum necessary' information to meet the intended purpose
- procedures that covered entities must put in place to limit who is able to access health information
- covered entities must carry out training programs for employees on protecting health information

Under HIPAA regulations, health information can be looked at and received for the following reasons:
- coordinating a person's treatment and care
- healthcare payments
- other people involved in a person's healthcare or billing, unless the person objects
- ensuring cleanliness, safety, and proper care in healthcare facilities
- public health protection, such as reporting local flu outbreaks
- necessary police reports, such as gunshot wounds

However, an individual's health information cannot be used or shared without their written permission unless this law allows it. For example, without authorization from the individual, a provider generally cannot:
- give an individual's information to their employer
- use or share their information for marketing or advertising purposes
- sell their information

Summary

HIPAA rights help protect the privacy and use of an individual's health information. Examples of HIPAA rights include the Right to Access, the Right to Request Amendments, and the Right to Request Restrictions. Certain covered entities must comply with HIPAA rights, such as health plans, providers, and clearinghouses. People may want to contact a healthcare professional or the HHS for more information about HIPAA rights.


Sky News
3 days ago
- Health
- Sky News
NHS trusts' data 'stolen' in cyberattack
NHS trusts had information stolen in the latest cyberattack on the UK health service, experts have told Sky News, with concerns raised that patient data might be vulnerable in such incidents.

University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been named as those exposed via a recently discovered exploit.

NHS England told Sky News it is monitoring the situation - with the UK's top cybersecurity defence team at the National Cyber Security Centre (NCSC).

Cody Barrow is the chief executive of EclecticIQ and previously worked at the Pentagon, US Cyber Command and the NSA. The firm analyses cyberattacks and uncovered the extent of this incident. He told Sky News such attacks raise the "potential for unauthorised access to highly sensitive patient records".

Analysts at EclecticIQ have identified victims of the hack spanning agencies and businesses across Scandinavia, the UK, US, Germany, Ireland, South Korea and Japan. Sky News has been shown evidence of the trusts in the UK being accessed maliciously.

Rather than a ransomware attack, data was taken clandestinely after hackers exploited holes in software. In this case, the vulnerability was in a piece of software called Ivanti Endpoint Manager Mobile (EPMM) - a programme that helps businesses manage employee phones.

The hole in Ivanti's software was first discovered on 15 May, and it has since been fixed - although there are warnings that systems previously exploited could still be vulnerable.

The vulnerability in Ivanti's software allowed hackers to access, explore and run programmes on their target's systems. According to the experts at EclecticIQ, the kind of data accessed included staff phone numbers, IMEI numbers, and then technical data like authentication tokens.

Such attacks can leave hackers able to access other data like patient records and further parts of the network via a process called remote code execution (RCE) - running programmes on compromised systems.

The analysts said they have identified the hackers exploiting the Ivanti backdoor as having used an IP address based in China. Alongside this, the way the hackers operate is similar to how previous China-based actors behaved.

Such attacks can occur when hackers use an automated scan of the internet to find examples of vulnerable software, rather than being targeted.

Mr Barrow told Sky News: "This situation represents another urgent wake-up call for the NHS. With threat actors actively exploiting these vulnerabilities, we're not looking at a distant or theoretical risk. The targeting is happening now, and the consequences could be felt across the healthcare system.

"The potential compromise scope goes well beyond data theft. We're looking at the potential for unauthorised access to highly sensitive patient records, the disruption of crucial appointment systems, and even interference with critical medical devices that are vital for daily patient care."

"This strikes at the heart of patient safety and care delivery," Mr Barrow added. "The impact wouldn't be isolated, it could cause cascading effects: cancelled surgeries, delays in urgent treatments, and medical devices failing when needed most. We've seen this before.

"Past cyberattacks have shown the chaos that ensues, directly threatening patient outcomes, putting lives at risk and forcing frontline staff to work under extreme pressure.

"Beyond immediate operational chaos, these vulnerabilities also profoundly erode public trust in the NHS's capacity to safeguard both their data and their health.

"The immediate directive for NHS trusts to engage their cybersecurity teams underscores the severity. The response to this kind of cyber threat needs to be treated with the same urgency as a medical emergency."

A spokesperson for NHS England told Sky News: "We are currently investigating this potential incident with cybersecurity partners, including the National Cyber Security Centre, and the trusts mentioned.

"NHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritise the most critical vulnerabilities and remediate them as soon as possible."

A spokesperson for Ivanti said they had released a fix for the vulnerability in their software.

An NCSC spokesperson said: "We are working to fully understand UK impact following reports that critical vulnerabilities in Ivanti Endpoint Manager Mobile are being actively exploited.

"The NCSC strongly encourages organisations to follow vendor best practice to mitigate vulnerabilities and potential malicious activity.

"Vulnerabilities are a common aspect of cyber security, and all organisations must consider how to most effectively manage potential security issues."

"We remain committed to collaboration and transparency with our stakeholders and the broader security ecosystem," it added. "At the time of disclosure, we are aware of a very limited number of on-premise EPMM customers whose solution has been exploited."


CBC
09-05-2025
- Health
- CBC
Millions of Canadians' health data available for sale to pharmaceutical industry, study shows
Going to the doctor can involve sharing your most personal information, including details about your health, medical history and prescriptions. It all ends up in your medical record — but a new study by researchers at Women's College Hospital in Toronto found that in some cases, private companies are accessing parts of that data and selling it to pharmaceutical companies.

"This is really an area where we need transparency," said the study's lead author, Dr. Sheryl Spithoff.

The study, published in JAMA Network Open, examined how the medical record industry works in Canada and how patient data flows between different private entities. Through a series of 19 interviews, the researchers concluded "chains of for-profit primary care clinics, physicians, commercial data brokers and pharmaceutical companies ... work together to convert patient medical records into commercial assets." Those assets, the study said, are then used to "further the interests of the pharmaceutical companies."

Spithoff and her colleagues identified two different models. In one, a private clinic sells data to an outside company, with personal information like names and birth dates removed. The company then offers to sell or analyze that de-identified information for its clients in the pharmaceutical industry. In the other model, the clinic is a subsidiary of the company collecting the data, giving that company even more direct access to patient information.

The study said patients were not included in decisions about how their data was used. "We need oversight," Spithoff said in an interview. "What we know from other surveys and interviews with patients is that this is not how they want their data handled."

Experts call for updated privacy laws

The study's findings suggest these practices could give the pharmaceutical industry more influence over patient care in Canada.

Matthew Herder, director of the Health Justice Institute at Dalhousie University in Halifax, said while there may be potential for this kind of data-sharing to help patients, there is also a risk these models will push patient care in a direction that benefits pharmaceutical companies and drives up costs for health-care systems. "All of these things are happening without any degree of transparency," Herder said. "That's why this paper is such an important paper. It's starting to bring to light what's really going on."

The Office of the Privacy Commissioner of Canada declined to comment on the study itself, but said organizations subject to privacy laws must follow certain rules around safeguarding personal information.

While most provinces and territories have privacy laws specifically related to health records, Lorian Hardcastle, an assistant law professor at the University of Calgary, said they are outdated and need strengthening. As the health-care system moves toward more electronic health records, often managed by private companies, Hardcastle said updates are needed to better protect patient information. "Data being managed not on paper but by third-party entities really demands that policymakers rethink this legislation that was created decades ago when it was still paper records sitting in a doctor's office."

Some of the current laws do little to protect patient data from changing hands if personal identifiers have been removed, Hardcastle said. "If the data has been de-identified and it's not reasonable that re-identification would be possible, the law offers quite little protection," she said. "Unfortunately, though, what we thought 10 years ago was de-identified data, now we're realizing with big data with AI can be re-identified."

In a statement, the office of the Ontario privacy commissioner said health information custodians have to take reasonable steps to ensure data is protected and secure, and acknowledged health data has become an increasingly valuable commodity. "There needs to be greater accountability around the use and sale of de-identified health data, and what happens to that data after it is sold," it said. The office is advocating for changes to Ontario's privacy legislation to add further guardrails like risk assessments when personal health information is involved.

What you can do

For patients wondering what might be happening with their health data, Hardcastle said start by asking your clinic for its privacy policy. Beyond that, she said any issues can be reported to a privacy commissioner and concerned patients can push legislators to update privacy laws. "If they're hearing from many members of the public that this is something they're concerned about, that may motivate them to look into this further," she said.

Family doctor Dr. Danyaal Raza in Toronto said the study's "stark and dramatic" findings should encourage patients at private, for-profit clinics to ask some hard questions so they can be as informed as possible. As past chair of Canadian Doctors for Medicare, Raza sees this as another risk that comes with private companies delivering health care. Legislative changes are part of the solution, along with further attention paid to primary care, he said.