Posts Tagged: HIPAA

EHR Patient Data Found for Sale Online, Browser Extensions Found to Be Source of Leak


The Washington Post recently posted an alarming story relating to EHR patient data being sold online. The culprit? Web browser extensions. The Post reports that as many as four million people have browser extensions that sell their every click.

The investigation prompted a notification to Google and Mozilla, which reported that they had closed these leaks immediately. However, many more could be out there.

Plug-Ins Make Life Easier

The beauty of integrating plug-ins into your web browser is that they should make your life online easier. Many of you probably use them to store passwords with a platform like 1Password.

The problem is that most users install these add-ons believing that because Chrome or Internet Explorer offers them, they must be legitimate. While many are, some extensions are doing extra duty.

The Data Economy

Once these plug-ins have a window into your browsing, they can pass on information about where you spend your time. So much activity occurs in your browser. If you’re in the healthcare field, you are probably using your EHR within your browser, which means data brokers could be viewing protected information.

That’s exactly what the Washington Post reporter found. In his article, he shared that he found the names of patients, doctors, and even medications. With this data available and for sale on data broker sites, it’s clear that a data breach has occurred. And not one that many would have expected.

How Many Extensions Are Leaking Private and Sensitive Data?


While the Washington Post only found a handful of extensions with nefarious dealings, a North Carolina State University study of the 180,000 Chrome extensions found that there were 3,800 problematic add-ons. Not all of these extensions are doing something illegal. Many of them make it known to users that they are collecting data based on their search history. But of those 3,800 add-ons, the study found that at least 382 were in the data sales business. However, there is no regulation that prevents them from doing this.

What You Can Do to Protect Your Sensitive Data

EHR patient data is private and protected. Should it fall into the wrong hands, you could be liable and be found to be noncompliant with HIPAA. To prevent extension-related leaks, your organization should have security guidelines in place about what extensions a user can add. Your IT team may decide to whitelist some, like password savers.

But this due diligence should extend to your vendors as well, especially if you are expected to initiate a data conversion in the future. In a data conversion, a data management company pulls data from an old EHR system and then formats and prepares it for loading into your new system. You should ask about their policy on browser extensions for added peace of mind.

Data leaks happen, but there are many things you can do to keep your EHR patient data safe. One of them is limiting browser extension integrations. Be sure to update your policy immediately to protect your data.
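One way an IT team could check a workstation against such an extension whitelist, as an added example that is not part of the original post. It assumes Chrome's on-disk layout of `Extensions/<extension id>/<version>/manifest.json`; the extension IDs, extension names and function names are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read every page, including a browser-based EHR.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_access(manifest):
    """Broad host patterns requested via MV2 permissions, MV3 host_permissions or content scripts."""
    requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    return sorted({p for p in requested if isinstance(p, str) and p in BROAD_HOSTS})

def audit_extensions(extensions_dir, allowlist):
    """Report every installed extension whose ID is not on the organization's allowlist."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        if ext_id in allowlist:
            continue
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            manifest = {}  # unreadable manifest: still report the unapproved ID
        findings.append({"id": ext_id, "name": manifest.get("name", "unknown"),
                         "broad_hosts": broad_access(manifest)})
    return findings

def build_sample_profile(root):
    """Write three constructed extensions (IDs and names are made up) and return the directory."""
    samples = {
        "a" * 32: {"name": "Approved Password Manager", "manifest_version": 3,
                   "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "Coupon Helper", "manifest_version": 2,
                   "permissions": ["tabs", "history", "*://*/*"]},
        "c" * 32: {"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(build_sample_profile(tmp), allowlist={"a" * 32}):
            print(finding)
```

An unapproved extension with a non-empty `broad_hosts` list can read every page the user opens, so those findings are the ones to remove first.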

Data Security Protocols and HIPAA Compliance


As a healthcare data management company, we understand the robust data security protocols that must be in place. Additionally, since we’re handling protected health information (PHI), everything we do meets or exceeds HIPAA guidelines. 

How We Maintain Strong Security Protocols

We maintain the highest security and data protection with annual risk management assessments. We also always encrypt PHI data in transit or at rest. Further, we employ two-factor authentication for access to data. 

We have a rigorous culture of security and compliance. Our IT team ensures that all employees are well-versed in security protocols. Employees also receive yearly HIPAA compliance training. 

Our Business Associates Agreement (BAA) is also an integral part of our security process. The BAA outlines the obligations of all parties, identifying how we will adhere to HIPAA and Health Information Technology for Economic and Clinical Health (HITECH).

We are dedicated to ensuring the security, privacy, and accessibility of your data. In our over two decades in business, we’ve never had a PHI breach.

HIPAA requires that we put into place administrative, physical, and technical safeguards. Our policies address all these areas. 

Trusted Data Center

We partner with Flexential to house all our servers. They are a top-tier, national colocation provider that delivers reliable bandwidth and 99.9999% uptime along with 24-hour security. By partnering with Flexential, we have a solid plan in place regarding disaster recovery and business continuity.

Flexential has over 20 years of experience and maintains 40 data centers, covering 3.1 million square feet. Their certifications include: 

  • HIPAA compliance
  • SOC 1, 2 & 3 Type 2
  • ISO 27001
  • NIST 800-53
  • EU-U.S. privacy shield framework
  • ITAR

Our commitment to security protocols and HIPAA compliance goes beyond just checking the box. There is no room for error in an atmosphere of data breaches, which hit healthcare more often than any other industry. 

If you have any questions about how we handle data security, we’re happy to help. Contact us today to learn more. 

What Is a HIPAA Business Associate Agreement?

As healthcare data continues to grow and needs to be portable and accessible, many organizations seek out third parties to assist with these processes. These partnerships are formalized in a HIPAA business associate agreement (BAA). If your organization works with partners, a BAA must be in place.

What Is a BAA?

According to the U.S. Department of Health and Human Services (HHS), any individual or entity that accesses protected health information (PHI) on your behalf is considered a business associate. When working with InfoWerks for data management solutions, we require BAAs with all our customers. What this BAA ensures is that we will handle the PHI compliantly.

BAA Exceptions

A BAA is not always necessary. HHS does define some exceptions. Some of these exceptions include:

  • Disclosures by a covered entity to a healthcare provider for treatment of the individual
  • PHI collection and sharing by a health plan that is a public benefits program, such as Medicare
  • Disclosures to a health plan sponsor, by a group health plan, the health insurance issuer, or HMO that provides health insurance benefits or coverage for the group health plan
  • With individuals or organizations that are a conduit for PHI, like the U.S. Postal Service

PHI Security

HIPAA, of course, changed how healthcare organizations and their partners treat PHI. As a healthcare organization, you must ensure that your partner will safeguard PHI. Business associates can be liable under HIPAA if there is a PHI breach.

The BAA specifically covers each party’s obligations when it comes to PHI. The contract describes the permitted and required PHI uses for the business associate. It also states that the business associate will not disclose PHI per HIPAA rules.

Cloud Services as Business Associates

When HIPAA was first enacted, the world of ePHI wasn’t a concept. Now, most healthcare entities and their partners hold ePHI in the cloud. HHS released additional context around cloud computing in 2016.

This update defines that ePHI must be handled in the same manner as PHI. Any third parties facilitating ePHI transmission must follow the business associate rules. Further, HHS notes that organizations that only store ePHI are also HIPAA business associates. Any type of ePHI stored or maintained must be encrypted.

BAA Violation Consequences

If you don’t have a BAA with your partners, you can be heavily fined. One of the largest fines related to not having a BAA was levied against North Memorial Health Care. They did not disclose or have a BAA with a partner. The partner was the cause of a breach due to the theft of an employee’s laptop. This breach exposed the ePHI of nearly 10,000 individuals. The health care system agreed to a $1.55M settlement for this violation.

Stay Compliant, Always Have a Business Associate Agreement with Partners

When you enter into a partnership that includes PHI, always insist on a BAA before sharing any data with them. Also, ensure that your business partners require HIPAA training of their employees. Safer, more secure data should be top of mind for all your business relationships.