HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance
2017 Annual Conference
Renee H. Martin, JD, RN, MSN
Dilworth Paxson, LLP
1500 Market Street, Suite 3500, Philadelphia, PA 19102
Tel: (215) 575-7313  Fax: (215) 575-7200  E-mail: [email protected]
2016: A very good year for data breaches
• The Identity Theft Resource Center survey showed a record high of 1,093 data breaches across the USA, 377 of them in the health care industry.
• For the 8th consecutive year, hacking, skimming and phishing attacks were the leading causes of data breaches: more than 50% in health care.
• With increased breaches came a new record amount of fines paid by CEs and BAs for breaches of unsecured PHI.
• OCR entered into 13 settlements with CEs and BAs, more than twice the number of settlements in 2015.
Details of breaches not often published
• HIPAA complaint investigations: OCR determines whether a CE or BA has violated the Privacy or Security Rule. If OCR finds that the CE or BA committed a significant violation, that a large number of individuals were affected, or OCR wants to send a message to other CEs or BAs, OCR will issue a press release; OCR then closes the investigation and posts the closure letter on the OCR website.
• ProPublica created an "app" on its HIPAA Helper Tool that allows determination of repeat offenders.
• Largest offenders: Dept. of Veterans Affairs and CVS Health. Offenses keep occurring despite technical assistance being provided by OCR.
• Top 5 complaints in 2014: impermissible uses and disclosures of PHI; lack of safeguards of PHI; lack of patient access to their PHI; use or disclosure of more than the minimum necessary PHI; lack of administrative safeguards of electronic protected health information.
Complaints Received and Cases Resolved
• Over 150,507 complaints received to date
• Over 24,879 cases resolved with corrective action and/or technical assistance
• Expect to receive 17,000 complaints this year
The OCR Enforcement Process
• Right to file a complaint. A person who believes a covered entity or business associate is not complying may file a complaint with the Secretary.
- Disgruntled employees
- Patients
• Investigation. The Secretary will investigate any complaint filed when a preliminary review indicates a possible violation due to willful neglect.
• Compliance reviews. The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying when a preliminary review of the facts indicates a possible violation due to willful neglect, or in any other circumstance.
• Audit program (discussed later)
• Today's breach report could lead to tomorrow's OCR compliance review
Complaint Process
https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
Enforcement Guidance: How OCR Closes Cases
• https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
• Cases that OCR closes fall into five categories:
- Resolved after intake and review (no investigation)
- Technical assistance (no investigation)
- No violation (investigated)
- Corrective action obtained (investigated; includes Resolution Agreements)
• OCR may decide not to investigate a case further if:
- The case is referred to the Department of Justice for prosecution,
- The case involved a natural disaster,
- The case was pursued, prosecuted, and resolved by state authorities, or
- The covered entity or business associate has taken steps to comply with the HIPAA Rules and OCR determines enforcement resources are better/more effectively deployed in other cases.
Enforcement Process (continued)
• If the evidence indicates that the Covered Entity was not in compliance, OCR will attempt to resolve the case by obtaining:
- Voluntary compliance;
- Corrective action; and/or
- Resolution Agreement.
• Civil Money Penalties are also possible; they always accompany a Resolution Agreement.
• Possible referrals to the Department of Justice for criminal violations.
• Pennsylvania enforcement results for compliance reviews as of December 31, 2016:
- 12% (No Violation)
- 67% (Resolved after Intake and Review)
- 21% (Corrective Action)
Enforcement by State Attorneys General
• OCR developed HIPAA enforcement training in 2011 to help State Attorneys General use their new authority under the HITECH Act to enforce the HIPAA Privacy and Security Rules. Videos and slides are available on the OCR website.
- 8 modules, including Module 6: "Investigating and Prosecuting HIPAA Violations."
- Includes examples of how OCR could impose civil money penalties to a given fact pattern
• State AGs have not made extensive use of their new enforcement power to date.
• No Pennsylvania AG enforcement actions to date.
OCR Audit Program
Audit Purpose: Support Improved Compliance
• Identify best practices; uncover risks and vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance.
- Intended to be non-punitive, but OCR can open a compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond).
• Learn from this next phase in structuring a permanent audit program.
• Develop tools and guidance for industry self-evaluation and breach prevention.
Audit Program Status
Second Audit Phase Underway
• Desk audits: 166 Covered Entities, 43 Business Associates
• Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs
• On-site audits of both CEs and BAs in 2017, after completion of the desk audit process, to evaluate against a comprehensive selection of controls in the protocols
• A desk audit subject may also be subject to an on-site audit
• OCR is beginning distribution of draft findings to audited CEs and BAs
Desk Audit Reporting: Process
After review of submitted documentation:
• Draft findings shared with the entity
• Entity may respond in writing
Final audit reports will:
• Describe how the audit was conducted
• Present any findings, and
• Contain any written entity responses to the draft
OCR website: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html
Investigative Perspectives of the Parties
OCR's Investigative Perspective
• Still conducting complaint investigations
• Can widen a complaint investigation at any time if the complaint investigation signals a potentially larger compliance issue. Red flag for a CE or BA: when OCR wants to move from paper review to employee interviews.
• OCR looks at multiple "small breaches" that evidence a systemic problem, as well as large breaches posted on the "wall of shame."
• An OCR investigation is guaranteed when 500 or more individuals are affected.
• If the breach involves a security breach or successful incident involving a laptop or another device, OCR will send the device to Washington for forensic team analysis to determine the device's vulnerabilities, and recommendations will be made (encryption, log-on and log-off, remote wiping, etc.).
OCR's Investigative Perspective
• OCR has been given significant leeway in fine negotiation and resolution actions.
• OCR central works with the local office to move a case to a Resolution Agreement; generally OCR wants the Resolution Agreement entered into within one month.
• If no Resolution Agreement is reached, the CE or BA can move to an administrative hearing; only one case to date, and it was affirmed by the ALJ.
OCR's Investigative Perspective
• What does OCR expect from a CE or BA during the process?
- Cooperation, cooperation, cooperation
- Keep your litigation attorney out of it!
- Timely responses to requests for information
- Evidence from the CE or BA that it is willing to faithfully and seriously change systems, employee behavior, policies and procedures
- Don't wait until the end of the investigation
CE or BA Conduct Perspective
• Determine who has requisite information to respond to the OCR investigation or complaint
• Write all responses clearly, honestly
• If you do not believe there is a valid basis for the complaint, say so and give rationale
• If you are wrong and you need to conduct corrective action, start action right away and inform OCR as soon as possible of your corrective action
CE or BA Conduct Perspective
• Keep leadership informed; the Board of Directors doesn't like surprises.
• This raises the question of whether information governance exists within your organization's compliance plan.
What is at Stake?
Resolution Agreements
What is a Resolution Agreement?
A contract between HHS and a CE in which the CE agrees to perform certain obligations (such as staff training) and make reports to HHS, generally for a 3 year period. During this period, HHS monitors the CE’s compliance with its obligations.
Typically includes payment of a resolution amount. A resolution agreement is used to settle investigations with more serious outcomes.
Civil Monetary Penalties
• The four categories of CMPs used for the penalty structure are as follows:
- Category 1: A violation that the CE was unaware of and could not realistically have avoided, even if a reasonable amount of care had been taken to abide by the HIPAA Rules
- Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of the HIPAA Rules)
- Category 3: A violation suffered as a direct result of "willful neglect" of the HIPAA Rules, in cases where an attempt has been made to correct the violation
- Category 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
Civil Monetary Penalties
• Category 1: Minimum fine of $100 per violation up to $50,000
• Category 2: Minimum fine of $1,000 per violation up to $50,000
• Category 3: Minimum fine of $10,000 per violation up to $50,000
• Category 4: Minimum fine of $50,000 per violation
Recent Enforcement Actions
• 2/16/2017: HIPAA settlement shines light on the importance of audit controls. Memorial Healthcare System pays $5.5 million; MHS is the third largest public health care system in the U.S.
• 2/1/2017: Lack of timely action risks security and costs money. A Blackberry was lost, unencrypted and not password protected. A consultant had performed a risk assessment and found security gaps in the system that the CE did not address. CMP: $3,217,000
• 1/18/2017: HIPAA settlement demonstrates the importance of implementing safeguards for ePHI. MAPFRE Life Insurance Company in Puerto Rico (which also underwrites group and individual health insurance plans) reported a lost USB device to OCR. No risk assessment, no risk plan. CMP: $2.2 million
Continuing Enforcement Issue: Affirmative Disclosures Not Permitted
The HIPAA Privacy Rule provides that Covered Entities or Business Associates may not use or disclose PHI except as permitted or required. See 45 C.F.R. § 164.502(a).
Examples of potential violations:
• Covered Entity permits news media to film individuals in its facility prior to obtaining their authorization.
• Covered Entity publishes PHI on its website or on social media without an authorization from the individual(s).
• Covered Entity confirms that an individual is a patient and provides other PHI to reporter(s) without authorization from the individual.
• Covered Entity faxes PHI to an individual's employer without authorization from the individual.
Continuing Enforcement Issue: Lack of Business Associate Agreements
HIPAA generally requires that CEs and BAs enter into agreements with their BAs to ensure that the BAs will appropriately safeguard protected health information. See 45 C.F.R. § 164.308(b).
Examples of potential Business Associates:
• A collections agency providing debt collection services to a health care provider, which involves access to protected health information.
• An independent medical transcriptionist that provides transcription services to a physician.
• A subcontractor providing remote backup services of PHI data for an IT contractor that is a business associate of a health care provider.
Continuing Enforcement Issue: Incomplete or Inaccurate Risk Analysis
• Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
• Organizations frequently underestimate the proliferation of ePHI within their environments. When conducting a risk analysis, an organization must identify all of the ePHI created, maintained, received or transmitted by the organization.
• Examples: applications such as EHR and billing systems; documents and spreadsheets; database systems and web servers, fax servers, backup servers, etc.; cloud-based servers; medical devices; messaging apps (email, texting, FTP); other media.
Risk Analysis Guidance
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
• http://scap.nist.gov/hipaa/
• http://www.healthit.gov/providers-professionals/security-risk-assessment
Continuing Enforcement Issue: Failure to Manage Identified Risk
• The Risk Management Standard requires the "[implementation of] security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]." See 45 C.F.R. § 164.308(a)(1)(ii)(B).
• Investigations conducted by OCR regarding several instances of breaches uncovered that risks attributable to a reported breach had been previously identified as part of a risk analysis, but that the breaching organization failed to act on its risk analysis and implement appropriate security measures.
• In some instances, encryption was included as part of a remediation plan; however, activities to implement encryption were not carried out or were not implemented within a reasonable timeframe as established in a remediation plan.
Mobile Device Security
http://www.healthit.gov/mobiledevices
Continuing Enforcement Issue: Lack of Transmission Security
• When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate. See 45 C.F.R. § 164.312(e)(2)(ii).
• Applications for which encryption should be considered when transmitting ePHI may include:
- Email
- Texting
- Application sessions
- File transmissions (e.g., FTP)
- Remote backups
- Remote access and support sessions (e.g., VPN)
Continuing Enforcement Issue: Lack of Appropriate Auditing
• The HIPAA Rules require the "[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." See 45 C.F.R. § 164.312(b).
• Once audit mechanisms are put into place on appropriate information systems, procedures must be implemented to "regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." See 45 C.F.R. § 164.308(a)(1)(ii)(D).
• Activities which could warrant additional investigation:
- Access to PHI during non-business hours or during time off
- Access to an abnormally high number of records containing PHI
- Access to PHI of persons for whom media interest exists
- Access to PHI of employees
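One way to turn the four review heuristics above into a repeatable check over an EHR access-audit log, added here as an example (it is not code from the presentation or from OCR). The log format, business-hours window, volume threshold and every identifier are constructed assumptions; a real review would pull the leave, media-interest and employee-record lists from HR and the EHR.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Reference data a real review would pull from HR and the EHR; every value
# below is constructed for this example (hypothetical identifiers).
BUSINESS_HOURS = (time(7, 0), time(19, 0))
VOLUME_THRESHOLD = 20                          # distinct records per user per day
ON_LEAVE = {"u-ortho-nurse-4"}                 # workforce members on approved time off
HIGH_PROFILE = {"p-9001"}                      # patients with known media interest
EMPLOYEE_PATIENTS = {"p-0042": "u-billing-2"}  # patient record -> workforce id of that employee

# Constructed sample audit log: ISO timestamp, workforce id, patient record id.
SAMPLE_LOG = [
    "# ts,user,patient  (constructed sample)",
    "2017-03-06T09:15:00,u-nurse-1,p-0100",        # routine access
    "2017-03-06T23:40:00,u-nurse-1,p-0101",        # after hours
    "2017-03-06T10:05:00,u-ortho-nurse-4,p-0102",  # user is on leave
    "2017-03-06T11:00:00,u-reg-7,p-9001",          # high-profile patient
    "2017-03-06T11:30:00,u-reg-7,p-0042",          # another employee's record
] + [f"2017-03-07T{9 + i % 8:02d}:00:00,u-reg-7,p-{200 + i:04d}" for i in range(25)]


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str


def parse_log(lines):
    """Parse CSV audit lines into events, skipping comments and blank lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient))
    return events


def flag_events(events):
    """Return (rule, user, detail) findings for the four review heuristics."""
    findings = []
    records_per_user_day = defaultdict(set)
    for e in events:
        if not BUSINESS_HOURS[0] <= e.ts.time() <= BUSINESS_HOURS[1]:
            findings.append(("after_hours", e.user, f"{e.patient} at {e.ts.isoformat()}"))
        if e.user in ON_LEAVE:
            findings.append(("on_leave", e.user, e.patient))
        if e.patient in HIGH_PROFILE:
            findings.append(("high_profile", e.user, e.patient))
        owner = EMPLOYEE_PATIENTS.get(e.patient)
        if owner is not None and owner != e.user:   # an employee viewing own record is fine
            findings.append(("employee_record", e.user, e.patient))
        records_per_user_day[(e.user, e.ts.date())].add(e.patient)
    # Volume is judged per user per calendar day on distinct patient records.
    for (user, day), patients in records_per_user_day.items():
        if len(patients) > VOLUME_THRESHOLD:
            findings.append(("high_volume", user, f"{len(patients)} records on {day}"))
    return findings


def review(lines=SAMPLE_LOG):
    """Run the review and return findings grouped by rule, ready for the reviewer."""
    grouped = defaultdict(list)
    for rule, user, detail in flag_events(parse_log(lines)):
        grouped[rule].append((user, detail))
    return dict(grouped)


if __name__ == "__main__":
    for rule, hits in sorted(review().items()):
        print(f"{rule}: {hits}")
```

Each finding is a lead for a human reviewer, not a conclusion; the point is that the review happens regularly and leaves a record, which is what § 164.308(a)(1)(ii)(D) asks for.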
Continuing Enforcement Issue: Patching of Software
• The use of unpatched or unsupported software on systems which access ePHI could introduce additional risk into an environment.
• Continued use of such systems must be included within an organization's risk analysis and appropriate mitigation strategies implemented to reduce risk to a reasonable and appropriate level.
• In addition to operating systems, EMR/PM systems, and office productivity software, software which should be monitored for patches and vendor end-of-life for support includes:
- Router and firewall firmware
- Anti-virus and anti-malware software
- Multimedia and runtime environments (e.g., Adobe Flash, Java, etc.)
Continuing Enforcement Issue: Insider Threat
• Organizations must "[i]mplement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI... and to prevent those workforce members who do not have access ... from obtaining access to ePHI," as part of its Workforce Security plan. See 45 C.F.R. § 164.308(a)(3).
• Appropriate workforce screening procedures should be included as part of an organization's Workforce Clearance process (e.g., background and OIG LEIE checks). See 45 C.F.R. § 164.308(a)(3)(ii)(B).
• Termination procedures should be in place to ensure that access to PHI is revoked as part of an organization's workforce exit or separation process. See 45 C.F.R. § 164.308(a)(3)(ii)(C).
Continuing Enforcement Issue: Disposal of PHI
• When an organization disposes of electronic media which may contain ePHI, it must implement policies and procedures to ensure that proper and secure disposal processes are used. See 45 C.F.R. § 164.310(d)(2)(i).
• The implemented disposal procedures must ensure that "[e]lectronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization, such that the PHI cannot be retrieved."
• Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal.
• Organizations must ensure that all electronic devices and media containing PHI are disposed of securely, including non-computer devices such as copier systems and medical devices.
Continuing Enforcement Issue: Insufficient Backup and Contingency Planning
• Organizations must ensure that adequate contingency plans (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R. § 164.308(a)(7).
• Leveraging the resources of cloud vendors may aid an organization with its contingency planning regarding certain applications or computer systems, but may not encompass all that is required for an effective contingency plan.
• As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies. See § 164.308(a)(7)(ii)(D).
What’s Next?
Long-term Regulatory Agenda
• HITECH provision re: providing individuals harmed by violations of the HIPAA regulations with a percentage of any civil monetary penalties or settlements collected.
• HITECH provisions re: changes to the HIPAA Accounting of Disclosures provisions.
Upcoming Guidance/FAQs
• Privacy and Security for the "All of Us" (PMI) research program
• Text messaging
• Social media
• Use of CEHRT and compliance with the HIPAA Security Rule (with ONC)
• RA/CMP process
• Update of existing FAQs to account for Omnibus and other recent developments
• Minimum necessary
Recent Guidance: Ransomware and Cloud Computing
• Ransomware: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
• Cloud Computing: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
Monthly Guidance: Cybersecurity Newsletters
http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- February 2016: Ransomware, "Tech Support" Scam, New BBB Scam Tracker
- March 2016: Keeping PHI Safe, Malware and Medical Devices
- April 2016: New Cyber Threats and Attacks on the Healthcare Sector
- May 2016: Is Your Business Associate Prepared for a Security Incident
- June 2016: What's in Your Third-Party Application Software
- September 2016: Cyber Threat Information Sharing
- October 2016: Mining More than Gold (FTP)
- November 2016: What Type of Authentication is Right for You?
- December 2016: Understanding DoS and DDoS Attacks
- January 2017: Audit Controls
- February 2017: Reporting and Monitoring Cyber Threats
Don't let your program get stale, presuming you have one.
What should a Privacy or Security officer be doing now?
Keep up with (watch and listen):
• Current regulations: ongoing check across the enterprise
• Watch/listen for pending changes or challenges in potential regulation
• NCVHS and the HIT Privacy Workgroup
• Breach notices and stories
• NIST releases and sample security measures
• OCR audit information and other notices
• Monitor workforce actions and activities
• Monitor contracts and business associate agreements
What should a Privacy or Security officer be doing now?
Keep up with:
• Active participation in enterprise information governance
• Ongoing security auditing and risk analysis: all technology
• Planning:
- Breach strategic planning and workgroup: there will be a breach!
- Monitoring team
- Response team: who will do what, when, and how?
- Back-ups for the team
- Business Associate breach
- Workforce training
What should a Privacy or Security officer be doing now?
Keep up with training and education:
• Workforce orientation
- New hire / volunteer orientation
- Ongoing reminders and annual retraining
- Security-related training
- Specialty training and awareness
• Patient training related to:
- Patient portal access and use
- Other technology
- Consents and authorizations
What should a Privacy or Security officer be doing now?
Keep up with new technology and exchange:
• Home-based technologies
• Entity-based technologies
• Enterprise patient portal or sponsored PHR
• HIE within and external to the enterprise
Keeping up with change:
• Physical plant
• Patient areas
• Data and information sites
Resources
Office of Civil Rights (OCR-HHS): www.hhs.gov/ocr/privacy
Office of the National Coordinator for Health Information Technology (ONC): www.healthit.gov
Substance Abuse and Mental Health Services Administration: www.samhsa.gov/
National Institute of Standards and Technology - Healthcare: www.healthcare.nist.gov
Federal Register: www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR
Resources
American Health Information Management Association: www.ahima.org
American Records Management Association: www.arma.org
Health Care Compliance Association: www.hcca-info.org
Health Information Management and Systems Society (HIMSS): www.himss.org
Resources
OCR Security Resources: www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
OCR - NIST Crosswalk: www.hhs.gov/sites/default/files/NIST%20CSF%20to%20HIPAA%20Security%20Rule%20Crosswalk%2002-22-2016%20Final.pdf
OCR - Right to Access: www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
ONC - Treatment Exchange: www.hhs.gov/sites/default/files/exchange_treatment.pdf
Resources
e-Publications:
EHR Intelligence: www.ehrintelligence.com
Government Security Enews: www.govinfosecurity.com
Healthcare Law Today (Foley & Lardner LLP): www.healthcarelawtoday.com
Health HIT Smart Brief: www.smartbrief.com
Health IT News: www.digital.halldata.com
Resources
e-Publications (continued):
Health Information Security: www.healthcareinfosecurity.com
HealthIT Security: www.healthitsecurity.com
Information Management: www.information-management.com
Resources
OCR Audit:
Audit Protocol: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html
Audit Pre-Screening Questionnaire: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html
BA Pre-Screening Questionnaire: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html
Questions?