HIPAA Privacy 2017 - What Should My
Organization Be Doing?
Presented by:
Melissa M. Zambri
80 State Street
Albany, New York 12207
(518) 429-4229 (Phone)
(518) 427-3463 (Fax)
Agenda
• Introductions
• HIPAA Investigations – OCR Audits
• 2016 OCR Audit Tools
• Audit Issues to Consider
• Penalties
• Malware/Ransomware
• Questions
HIPAA Investigations
• OCR enforces the HIPAA Privacy and Security Rules
• OCR investigates complaints and conducts compliance reviews.
– If OCR investigates a complaint, OCR will notify the person who filed the complaint and the covered entity named in the complaint.
– If the complaint includes facts that could violate the criminal provision of HIPAA, OCR may refer the case to the DOJ.
– OCR will try to resolve the case through:
• Voluntary compliance;
• Corrective action; and/or
• Resolution agreement.
– OCR may also impose civil money penalties if the covered entity does not resolve the matter in a satisfactory manner.
HIPAA Investigation Flowchart
Government Audits: Who Does OCR Interview
• President, CEO or Director
• HIPAA Privacy Compliance Officer
• IT Director
• Security Officer
• Computer Hardware Specialist
• Person in Charge of Data Back-Up
• Person in Charge of Physical Security
• Human Resources Representative
• Director of Training
• Incident Response Team Leader
OCR HIPAA Audits: Phase 1 & Phase 2
• Phase 1: (2011-2012): OCR implemented a pilot audit program and assessed 115 covered entities’ HIPAA compliance.
• Phase 2: Building on Phase 1 with enhanced protocols and adding business associates to the audit program.
– OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
– Between 200-250 audits in total.
OCR Audits Cont.
• When did Phase 2 start?
– Covered entities received notification letters on July 11, 2016;
– Business associate audits starting now.
• Who can be audited?
– Every covered entity and business associate may be audited.
• How will providers be selected?
– Covered entities and business associates were sent a request for contact information.
– Covered entities and business associates got a pre-audit questionnaire to assist OCR in creating a potential audit subject pool.
• Ignoring requests for this information is a bad idea.
– Auditees selected through a random sampling process from the developed audit pool and notified of their participation.
OCR Audits Cont.
• How does the audit program work?
– Common audit techniques employed
• Selected entities will be sent an email notification and will be asked to provide documents electronically.
• Auditors will review documentation and share draft findings with the entity.
– After receiving the draft report, auditees have 10 business days to send comments.
– Final audits will be completed 30 business days after the auditee’s response.
– Most of the audits will be desk audits.
• Covered entities and business associates
• These audits were expected to be completed by December 2016.
– A third set of audits may occur onsite, where a broader scope of HIPAA requirements
will be examined.
• After the audit
– In the event of serious compliance issues, OCR may investigate further with a
compliance review.
– OCR will not post a listing of audited entities or the findings in a way that identifies the
audited entity, but OCR may be required to release certain material under the Freedom
of Information Act (e.g., notification letters).
What Covered Entities Should Do
• Consider internal audits.
― Security risk audit tool released March 2014.
• Document internal audit results and efforts
towards compliance.
• Coordinate privacy and security staff, policies
and procedures.
Remember: If OCR audits or investigates a
covered entity, they will ask what steps were
taken. Covered entities should do the easy stuff
and document each step.
OCR 2016 HIPAA Desk Audit Guidance on
Selected Protocol Elements
Overview
• Selected Protocol Elements
– Privacy
– Security
– Breach Notification
HIPAA Desk Audit Guidance: Privacy
• Notice of Privacy Practices Content Requirements
– Does the CE:
• Have a notice of privacy practices?
• Include in its notice a description of permitted uses and disclosures?
• Notify individuals of its legal duties with respect to their PHI?
• Provision of Notice – Electronic Notice
– Does a CE that maintains a website prominently post its notice?
– Does the CE implement a P&P, if any, to provide the notice electronically, consistent with the standard?
• Right to Access
– How does the CE enable the access rights of an individual?
HIPAA Desk Audit Guidance: Security
• Security Management Process:
– Risk Analysis
• Does the entity (CE or BA) have a P&P in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains or transmits?
• Has the entity (CE or BA) conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
– Risk Management
• Does the entity (CE or BA) have P&Ps in place regarding a risk management process sufficient to reduce risk and vulnerabilities to a reasonable and appropriate level?
• Has the entity (CE or BA) implemented security measures sufficient to reduce risk and vulnerabilities to a reasonable and appropriate level?
HIPAA Desk Audit Guidance:
Breach Notification
• Timeliness of Notification
– Were individuals notified of breaches within the required time period?
• Content of Notification
– Inquire of management whether the CE has used a standard template or form letter for notification to individuals for all breaches or for specific types of breaches.
• Does it include the required elements?
– Obtain and review a list of breaches.
Privacy OCR Audit Protocols
• Privacy
– Confidential communications:
• How does the entity provide for and accommodate requests
by individuals for confidential communications?
– Disclosures by whistleblowers:
• Are whistleblower policies and procedures consistent with the
requirements of this performance criterion?
– Business associate contracts:
• Does the covered entity enter into business associate
contracts as required?
• Do these contracts contain all required elements?
Privacy OCR Audit Protocols Cont.
• Prohibited uses and disclosures
• Permitted uses and disclosures
• Personal representatives
• Requirements for group health plans
• Authorizations for uses and disclosures required
• Uses and Disclosures . . .
– E.g., the individual present, disaster relief purposes, required by law
Security OCR Audit Protocols
• Security
– Facility Access Controls:
• Does the entity have policies and procedures in place regarding access to and use of facilities and equipment that house ePHI?
– Workstation Use:
• Obtain and review an inventory of the locations and types of workstations;
• Obtain and review documentation demonstrating workstation use policies and procedures implemented.
– Device and Media Controls -- Data Backup and Storage Procedures:
• Does the entity create a retrievable, exact copy of ePHI when needed, before movement of equipment?
Security OCR Audit Protocols Cont.
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements
• Workstation Security
Breach Notification OCR Audit Protocols
• Breach Notification
– Notice to Individuals:
• Does the covered entity have policies and procedures for notifying individuals of a breach of their protected health information?
– Methods of Notification:
• Does the covered entity have policies and procedures for notifying an individual, an individual's next of kin, or a personal representative of a breach?
• More Areas
– Administrative Requirements
– Training
– Complaints
– Sanctions
– Refraining from Retaliatory Acts
– Policies and Procedures
– Notice to Individuals
HIPAA Desk Audit Guidance: Recommendations
• Review the document request list and question/answer for each protocol.
• Entities must only provide the specified documents, not compendiums of all P&Ps.
• Workforce members include employees, on-site contractors, students, and volunteers.
• If documents of implementation are not available, the entity must provide instances from equivalent previous time periods to complete the sample.
• Use the most up-to-date documents.
– Document requests refer to versions in use as of the date of the audit notification and document request, unless otherwise specified.
Audit Issues to Consider
What I do when I conduct a HIPAA audit.
Audit Issues To Consider – Security Management
• Risk Analysis (most recent)
– Formal or informal, documentation, criteria, periodic, know where information is?
– Inventory of all information systems to include network diagrams
listing hardware and software used to store, transmit or maintain
EPHI
– List of all Primary Domain Controllers (PDC) and servers
– Inventory log recording the owner and movement of media and
devices that contain EPHI
• Risk Management Plan (addressing risks identified in the Risk Analysis)
– Consideration of security when purchasing software and equipment
• Audit Logs, Access Reports, Security Incident Tracking – formal or
informal process, implementation, periodic updates
• Security Officer Job Description
Audit Issues To Consider – Workforce
Security
• Formal levels of access policy based on criteria, approval
and communication, coordinated with job descriptions.
• Supervision of personnel – will ask for organizational chart.
• Do staff have knowledge, skills, training necessary?
Background checks and confidentiality agreements.
• Is there a policy on how access is granted?
• Termination of access – voluntary and involuntary; recover
devices, deactivate access, timely done.
• Does IT system have capacity to set access controls? Are
they utilized and if not why?
• List of individuals and contractors with access to EPHI
including copies of pertinent business associate
agreements.
Audit Issues To Consider – Security
Awareness and Training
• Is training provided – what is included?
• OCR will ask for materials.
• Is staff trained on the vulnerabilities of
malicious software?
• Can you show all staff received training?
• Is training updated periodically to coordinate
with changes in technology?
Audit Issues To Consider – Security Incident
Procedures
• Policies on security incidents?
• Communicated to staff?
• Documentation and maintenance of records of
security incidents?
• Could you show the documentation and
records?
Audit Issues To Consider – Contingency,
Data Back-Up, Disaster Recovery Plans
• Formal contingency plan exist?
• Disaster recovery plan exist?
• Data back-up plan exist?
• Could operations continue in the event of an
emergency?
• Periodic testing and revision of plans?
• Preventive measures identified and addressed?
• Restore data?
• Back-up copies exist?
Audit Issues To Consider – Evaluation
• Internal or external evaluation of your security
systems?
• If external consultants, qualifications?
• Remediation options and recommendations
considered?
• Decisions documented?
• Reevaluated when systems/security changes?
Audit Issues To Consider – Facility Access
Control
• Formal controls on use of facility and equipment
• Prevention measures to safeguard against
unauthorized physical access, tampering and theft
• How do you control access by staff, contractors,
visitors and probationary employees?
• Is access addressed in Disaster Recovery Plan?
Emergency Operations Plan?
• Are repairs and modifications to physical components
of facility documented?
Audit Issues To Consider – Workstation Use
• Are all workstations identified?
• Secure workstations - onsite, laptop, and home system usage
• Are allowable activities known?
• Unauthorized access prevented?
– Unattended workstations
– Limit view
– Dispose of information
• Inventory list exists, process for updating?
• Workstations in secure areas?
• Locked doors, cameras, security?
• System timeouts?
• Passwords?
Audit Issues To Consider – Device and
Media Controls
• How is hardware and software disposed?
• How is EPHI disposed? Media? Equipment? Do you
know where all the information is?
• Could you prove disposal policies are being carried
out?
• How is the movement of hardware and media tracked?
• How is it stored onsite?
• Offsite?
• Protection from elements?
• Removal of EPHI before reuse of media?
Audit Issues To Consider – Access Controls
• Encryption – type, keys protected, ability to modify or create keys
restricted, management of keys.
• Access needs of users considered (read only, modify, full access).
• How are IDs established and assigned?
• They will look at new hires to see what process they went through to get
an access ID.
• Do you have generic or system IDs – how are these maintained and
protected?
• Who has the ability to add, delete or modify user access?
• Systems reviewed on a periodic basis?
• Emergency policy?
• Automatic logoff?
• They will look at list of terminated employees and job transfers to see how
access was handled.
Audit Issues To Consider – Audit Controls
• Audit controls in place?
• Upgrades needed?
• Communicated to workforce?
• Which systems and applications are
audited?
Audit Issues To Consider – Integrity/Person or Entity Authentication/Transmission Security
• Policies exist to ensure access controls prevent improper alteration and destruction.
• Could you show that information was not altered improperly?
• How do your systems authenticate a user (password, smart card, biometric, combination)? Used appropriately? Tested and upgraded? Other methods considered?
• Formal policies?
• List of software used to manage and control access to the Internet
• Mechanisms to ensure integrity of data during transmission, including transmission on portable media (e.g., laptops, cell phones, thumb drives)
Audit Issues To Consider – Breach
• Formal policy – will review carefully
• Procedure to notify individuals
• Can request letters
• Will ask if there have been breaches where
notification of media was required
• Will check notices to HHS OCR
• Will ask if a BA has ever informed you of a breach
• Will ask how one assesses whether information
was compromised
Audit Issues To Consider – Privacy
• Will ask how deceased individual information is
handled
• Will ask about personal representatives
• Will review notice of privacy practices and inquire
as to whether it was followed
• Will ask for whistleblower policies
• Will ask about process and policies for confidential
communications
• Will review business associate agreement and ask
about whether signed agreements exist
Audit Issues To Consider – Privacy
• Will ask about consent and authorization policies
• Will ask for sample consents/authorizations used
• Will ask about policies regarding requests for
information by friends and family and others involved in
care when person is present and not
• Will ask about responding to court orders and other
litigation matters – may ask for samples
• Will ask about disclosures for public health activities –
may ask for samples
• Will ask about disclosures related to child abuse
Audit Issues To Consider – Privacy
• Will ask about disclosures to health oversight agencies
– may ask for samples
• Will ask about disclosures to law enforcement – may
ask for samples
• Will ask about disclosures regarding decedents – may
ask for samples
• Will ask about disclosures for specialized government
functions (correctional institutions, etc.) – may ask for
samples
• May ask how workers’ compensation requests are
handled
Audit Issues To Consider – Privacy
• Will ask about minimum necessary and workforce
access – will compare access to job functions
• Will ask about minimum necessary and disclosures of
information
• Will look at any policies and procedures related to use
of information in fundraising and whether policies are
followed – will look at a disclosure of a list to the
fundraising unit
• Will look at verification procedures and will ask about
recent requests and how verification was performed
• Will ask for data use agreements if used
Audit Issues To Consider – Privacy
• Will look at de-identification policies and
practices
• Will look at Notice of Privacy Practices
• Will look at recent acknowledgements to see if
dates correspond to first date of service
• Will look at how one can receive a Notice
• Will review website to see if Notice is posted
• Will look to see if records maintained for six
years
Audit Issues To Consider – Privacy
• Will review policies on receiving communications by
alternative means or at alternative locations – will ask
for examples of requests made and accommodated
• Will review policies on requesting restrictions – will ask
for examples of requests made and whether
accommodated
• Will ask about access to individuals served
– Will ask about policies, forms
– Will ask for examples
– Will look at any fee charged
– Will look at timeliness
– Will look at any denials of access
Audit Issues To Consider – Privacy
• Will look for policies on amendment
– Will look at requests
– Will look at timeliness of response
– Will look at denials
• Will look for policies on accounting
– Will look at procedures for requests
– Timeliness
– Documentation
Audit Issues To Consider – Privacy
• Will look for training
– For everyone
– For new staff
• Will look for complaint policy
– Receipt, processing, documented
– Will review complaints made over period of time and
ask for documentation
– Will ask for resolution and proof of sanctions,
including analysis of reasonableness
• Will look for written policies and procedures
Audit Issues To Consider – Privacy
• Will look for reasonable safeguards
– Electronic, written, oral
• Is all PHI stored in locked file cabinets, desk drawers, or
rooms to which only appropriate individuals have physical
and administrative access?
• Are all files locked when employees leave the office
premises?
• Do employees clear their desks of PHI when leaving their
desks?
• How is mail handled?
• What are the procedures regarding the shredding of
records?
• How are fax and copy machines secured to ensure that
PHI is only viewable and retrievable by appropriate
employees?
Audit Issues To Consider – Privacy
– Are employees allowed to remove paper or electronic files containing
PHI from the premises, laptops, etc.? Is a sign out log used? Are
there policies and procedures related thereto? Training on
safeguarding?
– What steps have been taken to ensure that oral communications
involving PHI cannot be inappropriately overheard?
– How are voice mail boxes secured from inappropriate access?
– Are offices locked during non-business hours? Are forms or
documents containing PHI left after business hours placed in a locked
box outside of the office or in a secure mail slot?
– Do individuals use portable devices to transmit or store protected
health information? Are there policies regarding employee use of
their own technology in this regard (home computer, phone)?
– Were the policies and procedures distributed to relevant staff? How
are they available?
Audit Issues To Consider – Privacy
• Will look for mitigation
techniques
• Will look for non-intimidation and
non-retaliation policies
Audit Issues To Consider – EHR
Fraud Vulnerabilities
• Copying and Pasting
–Checking for accuracy?
–Policies and training?
–Audit logs?
• False/Irrelevant Documentation
Audit Issues To Consider – EHR Fraud Vulnerabilities
• Original documents should be maintained and modifications tracked as amendments.
• Auditors should have read only rights.
• Do you know who prints or e-mails
documents?
• Do you know who disables the audit log?
• What data is recorded? Date, time, user
identification, access type (creating, editing,
viewing data).
• Do you delete audit logs?
Tiered Increase in Monetary Penalties
• Did Not Know & Would Not Have Known with Reasonable Diligence:
– As low as $100 for each violation, up to $25,000 in a calendar year.
• Reasonable Cause & No Willful Neglect:
– As low as $1,000 for each violation, up to $100,000 in a calendar year.
• Willful Neglect (corrected within 30 days):
– $10,000 for each violation, up to $250,000 in a calendar year.
• Willful Neglect, Not Corrected:
– As high as $50,000 for each violation, up to $1,500,000 in a calendar year.
Social Media: It is Everywhere
Improper Social Media Posting
• Posting a medical record displaying a patient name
• Photo of a patient
• Posting identifiable patient information
• Comments about patients
– E.g., “Robert De Niro is here for a physical!”
Security Rule: Secure electronic protected health information (“e-PHI”)
• Email NOT expressly prohibited for sending e-PHI
• Must implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access of e-PHI sent and received
• Encryption is addressable, but hard to argue it is not best practice
• The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected
E-Mail Tips
• Musts:
– Double check email addresses
– Be careful of autofilled addresses
– Minimal amount of information necessary
• Other clients included
– Be careful of cc’s
– No PHI to personal email
– Use of personal phones
– Danger of pictures
– Encryption only as good as use.
E-Mail Tips
• Must you reply all? Beware of groups.
• Before forwarding, CHECK WHAT IS AT THE BOTTOM OF THE CHAIN!
• Write for publication. Should that be in writing?
• Don’t forward privileged communication too far.
HIPAA Developments
Affinity Health Plan—Photocopier Memory
• HIPAA Violation: Affinity Health Plan returned multiple photocopiers to
leasing company without erasing confidential medical information
contained on copier hard drives. CBS then purchased a photocopier
previously leased by Affinity. CBS informed Affinity that the copier that
Affinity had used contained confidential medical information on the hard
drive.
– Affinity estimated breach affected up to 344,579 individuals.
– Affinity filed a breach report with OCR.
• OCR Investigation Indicated Affinity:
– Impermissibly disclosed individuals’ PHI by failing to implement proper
policies and procedures when returning the leased photocopiers.
– Failed to incorporate the electronic protected health information (ePHI)
stored on photocopier hard drives in its risks and vulnerabilities
analysis required by the Security Rule.
• Penalty: Settled potential HIPAA violations for $1,215,780.
HIPAA Developments
WellPoint—Internet Accessible ePHI
• HIPAA Violation: WellPoint on-line application database left individuals’ electronic
protected health information (ePHI) accessible to unauthorized users.
– WellPoint reported breach affected 612,402 individuals
• OCR Investigation Indicated WellPoint Did Not:
– Implement required Security Rule administrative and technical safeguards.
– Implement adequate policies and procedures for authorizing access to the on-line
application database.
– Perform appropriate technical evaluations when upgrading information systems’
software.
– Have technical safeguards maintained in its application database necessary to
verify the person or entity seeking access to ePHI.
• Penalty: Paid HHS $1.7 million.
Note: HIPAA-covered entities should take caution when implementing changes to
information systems, especially when changes involve updating Web-based applications
or portals used to provide consumer access to electronic health data.
HIPAA Developments
APDerm, P.C.—Stolen Thumb Drive
• HIPAA Violation: Adult & Pediatric Dermatology, P.C., of Concord, MA,
reported to OCR after an unencrypted thumb drive containing
electronic protected health information (ePHI) was stolen from an
APDerm staff member’s vehicle.
– Stolen thumb drive contained the ePHI of approximately 2,200
individuals.
– The thumb drive was never recovered.
• OCR Investigation Indicated APDerm Did Not:
– Conduct an accurate or thorough analysis of potential risks and
vulnerabilities to the confidentiality of ePHI as part of its security
management process.
– Comply with requirements of the Breach Notification Rule requiring
written policies and procedures and training workforce members.
• Penalty: Settled potential HIPAA violations with OCR for $150,000.
HIPAA Developments
Skagit County, Washington—Public Website
• HIPAA Violation: Skagit County inadvertently moved electronic
protected health information (ePHI), containing infectious
disease testing and treatment records for 1581 individuals to a
County maintained publicly accessible server.
• OCR Investigation Indicated:
– General and widespread non-compliance.
– Skagit County violated:
• HIPAA Privacy Rules
• Security Rules
• Breach Notification Rules
• Penalty: Settled potential HIPAA violations for $215,000.
– Settlement included Skagit County commitment to work
closely with HHS to correct HIPAA compliance deficiencies.
HIPAA Developments
Concentra Health Services—Stolen Laptop
• HIPAA Violation: Compliance review of Concentra Health Services (Concentra)
after OCR received breach report that an unencrypted laptop was stolen from one
of its facilities.
• OCR Investigation Indicated Concentra:
– Completed multiple risk analyses that revealed failing to encrypt laptops,
desktop computers, medical equipment, tablets and other devices containing
electronic protected health information (ePHI) created a critical risk.
– Began steps to implement proper encryption, but efforts remained incomplete
and inconsistent leaving patient ePHI vulnerable throughout the organization.
– Maintained insufficient security management processes to safeguard patient
information.
• Penalty: Settled potential HIPAA violations with OCR for $1,725,220.
– Settlement included Concentra agreement to adopt a corrective action plan to
remedy non-compliance.
HIPAA Developments
More Stolen Laptops
• HIPAA Violation: The University of Mississippi Medical Center (UMMC) notified OCR of a breach after a password-protected laptop went missing. It was later concluded that the laptop was stolen by a visitor. The investigation revealed that an active directory containing 67,000 files was accessible after entering a generic username and password.
• OCR Investigation Indicated UMMC Failed to:
– Implement proper physical safeguards at work stations.
– Assign unique user names.
– Notify the appropriate individuals after the breach.
– Manage risks and vulnerabilities to its systems.
– Implement policies and procedures to prevent, detect, contain and correct security violations.
• Penalty: Settled alleged HIPAA violations with OCR for $2,750,000.
– Required to adopt a corrective action plan to help ensure future HIPAA compliance.
HIPAA Developments
Stolen Laptop—Corrected Too Late
• HIPAA Violation: Unencrypted laptop computer was stolen from a workforce member’s car.
– Laptop contained the ePHI of 148 individuals.
– Following discovery of this breach, Provider encrypted all devices.
• OCR Investigation Indicated:
– Provider violated Security Rule despite immediate correction.
• Penalty: Settled potential HIPAA violations for $250,000.
– Settlement required Provider to:
• Provide HHS with an updated risk analysis and corresponding risk management plan including specific security measures to reduce the risks to and vulnerabilities of ePHI.
• Retrain workforce and document ongoing compliance efforts.
HIPAA Developments
NY Presbyterian Hosp. & Columbia Univ.—Shared Network . . .
• NYP & CU: New York Presbyterian Hospital (NYP) and Columbia University (CU)
operate a shared data network and shared network firewall administered by
employees of both entities.
– The shared network links to NYP patient information systems containing ePHI.
• HIPAA Violation: NYP and CU filed a joint breach report following the disclosure of
ePHI including NYP patients’ status, vital signs, medications, and laboratory
results.
– Breach made publicly accessible the ePHI of 6,800 NYP patients.
– Breach occurred when a CU physician who developed applications for both
NYP and CU attempted to deactivate a personally-owned computer server on
the network containing NYP patient ePHI.
– Because of a lack of technical safeguards, deactivation of the server resulted in
ePHI being accessible on internet search engines.
– NYP & CU learned of the breach after receiving a complaint when the surviving
partner of a former NYP patient found his or her deceased partner’s ePHI on
the internet.
. . . NY Presbyterian Hosp. & Columbia Univ.
• OCR Investigation Indicated:
– NYP & CU impermissibly disclosed NYP patients’ ePHI on the internet.
– Neither NYP nor CU made efforts prior to the breach to assure the server
security or confirm the server contained appropriate software protections.
– Neither entity conducted accurate or thorough risk analyses identifying all
the systems that access NYP patients’ ePHI.
– Neither entity developed adequate risk management plans addressing the
potential threats and hazards to the security of ePHI.
– NYP failed to implement appropriate policies and procedures for
authorizing access to its databases and failed to comply with its own
policies on information access management.
• Penalty: NYP settled potential HIPAA violations with OCR for $3,300,000.
CU settled potential HIPAA violations with OCR for $1,500,000.
– Both entities agreed to a substantive corrective action plan, including
undertaking a risk analysis, developing a risk management plan, revising
policies and procedures, training staff, and providing progress reports.
HIPAA Developments
Parkview Health System
• OCR Investigation Indicated:
– Parkview is a nonprofit health care system that provides community-based health
care services to individuals in northeast Indiana and northwest Ohio.
– OCR received complaint from a retiring physician.
– Parkview took custody of medical records pertaining to approximately 5,000 to
8,000 patients while assisting the retiring physician to transition her patients to
new providers, and while considering the possibility of purchasing some of the
physician’s practice.
– Parkview employees, with notice that the physician was not at home, left 71
cardboard boxes of these medical records unattended and accessible to
unauthorized persons on the driveway of the physician’s home, within 20 feet of
the public road and a short distance away from a heavily trafficked public
shopping venue.
– Parkview cooperated with OCR throughout its investigation.
• Penalty: $800,000.
– Corrective action plan to revise policies and procedures, train staff, and provide
an implementation report to OCR.
HIPAA Developments
Employee Access to ePHI
• HIPAA Violation: Memorial Healthcare System (MHS) reported to OCR that employees impermissibly accessed and disclosed to affiliated physician office staff the PHI of 115,143 individuals. It was discovered that the login information of a former employee of an affiliated physician's office was used from April 2011 to April 2012, without detection. This affected 80,000 individuals, despite the existence of workforce access policies and procedures.
• OCR Investigation Indicated MHS Failed To:
– Implement procedures for reviewing, modifying and/or terminating user’s right of access.
– Review records of information system activity by workforce users and users at affiliated physician practices even though previous risk analyses showed risk in these areas.
• Penalty: Settled potential HIPAA violations for $5.5 Million.
– Agreed to implement a corrective action plan.
– Agreed to complete a risk analysis and risk management plan.
– Agreed to revise policies and procedures.
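The two failures OCR cited above, not terminating access and not reviewing system activity, are exactly what a routine access review catches. The following is an added example, not code from the presentation: it cross-references a constructed HR termination export against constructed EHR access-log lines (both formats are hypothetical) and reports every account used on or after its termination date, along with how long the use went on.

```python
"""Access review: flag use of a terminated user's credentials.

Added example for the Memorial Healthcare System discussion above; it is
not code from the presentation. The HR export and the access-log format
are hypothetical and the sample data below is constructed.
"""
import csv
import io
from datetime import date

# Constructed HR export (hypothetical format). An empty terminated_on
# means the account belongs to an active user. The feed must also cover
# staff of affiliated practices who hold accounts, not only direct employees.
HR_EXPORT = """user,terminated_on
jdoe,2011-03-31
msmith,
rlee,2012-01-15
"""

# Constructed access-log lines (hypothetical format):
# timestamp,user,patient_id,action
ACCESS_LOG = """2011-04-02T09:14:00,jdoe,P1001,VIEW
2011-04-02T09:15:30,msmith,P1002,VIEW
2011-06-18T22:41:07,jdoe,P2210,EXPORT
2012-01-14T08:00:00,rlee,P3300,VIEW
2012-01-20T08:00:00,rlee,P3301,VIEW
"""


def load_terminations(text):
    """Return {user: termination date} for every terminated account."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["terminated_on"]:
            out[row["user"]] = date.fromisoformat(row["terminated_on"])
    return out


def parse_access_log(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        yield {"ts": ts, "date": date.fromisoformat(ts[:10]),
               "user": user, "patient": patient, "action": action}


def find_post_termination_access(terminations, events):
    """Events where an account was used on or after its termination date.

    Access should be disabled on the termination date itself, so same-day
    use is flagged for review as well (a policy assumption in this example).
    """
    findings = []
    for ev in events:
        term = terminations.get(ev["user"])
        if term is not None and ev["date"] >= term:
            findings.append({**ev, "days_after": (ev["date"] - term).days})
    return findings


def summarize(findings):
    """Per-user summary: event count, distinct patients, first and last use,
    and how long the account kept being used without anyone noticing."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["user"], {"events": 0, "patients": set(),
                                            "first": f["date"], "last": f["date"]})
        s["events"] += 1
        s["patients"].add(f["patient"])
        s["first"] = min(s["first"], f["date"])
        s["last"] = max(s["last"], f["date"])
    for s in summary.values():
        s["patients"] = len(s["patients"])
        s["undetected_days"] = (s["last"] - s["first"]).days
    return summary


def run_review(hr_export=HR_EXPORT, access_log=ACCESS_LOG):
    """Run the whole review and return the per-user summary."""
    terminations = load_terminations(hr_export)
    findings = find_post_termination_access(terminations, parse_access_log(access_log))
    return summarize(findings)


if __name__ == "__main__":
    for user, s in run_review().items():
        print(f"{user}: {s['events']} events, {s['patients']} patients, "
              f"{s['first']}..{s['last']} ({s['undetected_days']} days)")
```

On the constructed data the review flags jdoe (two events over 77 days after termination, one of them an EXPORT) and rlee (used five days after termination), and ignores the active account msmith. The MHS case turned on an account belonging to an affiliated practice's former employee, so the termination feed has to include those accounts too, and the review has to run on a schedule rather than once: a yearly run is how a twelve-month window goes unnoticed.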
HIPAA Developments
Report breaches in a timely fashion
• HIPAA Violation: Presence Health, one of the largest health care networks serving Illinois, failed to report a breach within the time limits of the HIPAA Breach Notification Rule. After discovering missing paper-based documentation, Presence Health failed to notify each of the 836 individuals affected by the breach within 60 days, as required by law.
• OCR Investigation Indicated:
– The breach occurred on October 22, 2013 and Presence sent a breach notification to OCR on January 31, 2014.
– Presence Health failed to notify affected individuals, prominent media outlets, and OCR without unreasonable delay.
• Penalty: Presence Health agreed to settle potential HIPAA violations by paying $475,000.
– Presence Health was also required to implement a corrective action plan.
– This is the first HIPAA enforcement action for lack of timely breach notification.
Other HIPAA Developments
• CVS and Rite Aid— Pay Millions for Failure to Dispose of Information Properly
• Cignet Health—Civil Monetary Penalty of $4.3 Million for Failure to Provide
Access to Patient Records and Failure to Cooperate with Investigation
• Mass. General—Pays $1,000,000 for PHI Left on Subway
• Alaska Medicaid– $1,700,000 to Settle Possible Violations of Security Rule
• Massachusetts Eye and Ear Infirmary & Associates Inc.–$1.5 Million to Settle
Potential Violations of Security Rule
• The Hospice of North Idaho–$50,000 to Settle Potential Violations of the
Security Rule.
― Involved an unencrypted laptop computer containing the ePHI of 441
patients.
― Laptops containing ePHI were regularly used by the organization as
part of their field work.
• Home care provider – settled a matter related to an employee bringing
information home, where it was viewed inappropriately.
Malware: OCR and HHS Guidance
Beware of Malware: OCR Investigation
• HIPAA Violation: The University of Massachusetts Amherst (UMass) reported a
breach to the OCR when a workstation in its Center for Language, Speech, and
Hearing (“Center”) was infected with a malware program. The malware caused
the disclosure of 1,670 individuals’ ePHI.
• OCR Investigation Indicated UMass Failed to:
– Designate the Center as a health care component.
– Implement Policies and Procedures at the Center to ensure HIPAA
compliance.
– Provide technical security measures at the Center, such as a firewall.
• Penalty: UMass agreed to settle potential HIPAA violations by paying $650,000.
– UMass was also required to implement a corrective action plan.
– The corrective action plan required a comprehensive and thorough risk
analysis, as well as a review of Policies and Procedures.
Malware – Ransomware: Overview
• What is it?
– Ransomware is a type of malicious software that attempts to deny access to a user’s data until a
ransom is paid.
• How to prevent it?
– Backups
– Risk analysis
– Staff training
– Incident response
– Penetration testing
• Hacking into your own system to test security
• How to respond?
– Implement a security incident response.
– Have a business continuity plan.
– Contact law enforcement immediately:
• Local FBI field office
• Secret Service, Electronic Crimes Task Force
– Paying the ransom is NOT encouraged.
• Paying does not guarantee an organization will regain access to its data.
• Victims can be targeted again or asked to pay more money.
• Paying can inadvertently encourage the use of ransomware.
Malware – Ransomware: Prevention
Be Prepared: Follow the HIPAA Security Rule
• Implement security measures
– Security management process
» Conduct risk analyses
• Identify threats and vulnerabilities
» Implement procedures to guard against and detect malicious software
» Train users on detecting and reporting malicious software
» Use access controls to limit access to ePHI
• Have contingency plans
– Maintain frequent backups
» Consider offline backups
– Be able to recover data from backups
– Disaster and emergency plans
• Security incident procedures should include a plan for ransomware attacks
– E.g., isolate infected computer systems
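The contingency items above (frequent backups, offline copies, and being able to recover from them) are only worth anything if the backup is tested before it is needed and is out of reach of the same ransomware. The following is an added example, not code from the presentation: it backs up a set of constructed sample records, writes a hash manifest to a separate location standing in for offline media, then performs a restore drill that verifies every file against the manifest. A second run lets a simulated ransomware pass overwrite the online backup, and the drill reports the damage instead of silently restoring encrypted junk. File names and the manifest format are assumptions.

```python
"""Backup recoverability drill with an out-of-band hash manifest.

Added example for the ransomware prevention list above; it is not code
from the presentation. Paths, file names and the manifest format are
assumptions, and the sample records are constructed placeholders.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map relative path -> sha256 for every file under src_dir."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    return manifest


def make_backup(src_dir, backup_dir, manifest_path):
    """Copy src_dir to backup_dir and write the manifest to manifest_path.

    The manifest deliberately lives somewhere other than the backup
    (offline media in practice), so malware that rewrites the backup
    cannot rewrite the record of what the backup should contain.
    """
    shutil.copytree(src_dir, backup_dir)
    manifest = build_manifest(src_dir)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(backup_dir, restore_dir, manifest_path):
    """Restore backup_dir into restore_dir and check it against the manifest.

    Returns (ok, problems); problems lists missing, altered and unexpected
    files, any of which means the backup cannot be trusted for recovery.
    """
    shutil.copytree(backup_dir, restore_dir)
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = build_manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"altered: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in expected)
    return (not problems, problems)


def simulate_ransomware(target_dir):
    """Overwrite every file with random bytes and rename it, which is what
    ransomware does to any backup it can reach over the network."""
    for root, _, files in os.walk(target_dir):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "wb") as f:
                f.write(os.urandom(64))
            os.rename(full, full + ".locked")


def restore_drill(tamper=False):
    """End-to-end drill on constructed records; returns (ok, problems)."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "ehr")
        os.makedirs(src)
        for i in range(3):  # constructed placeholder records, not real PHI
            with open(os.path.join(src, f"record{i}.txt"), "w") as f:
                f.write(f"placeholder record {i}\n")
        backup = os.path.join(work, "online_backup")
        manifest = os.path.join(work, "offline_manifest.json")  # stands in for offline media
        make_backup(src, backup, manifest)
        if tamper:
            simulate_ransomware(backup)
        return verify_restore(backup, os.path.join(work, "restore"), manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print("clean drill:", restore_drill())
    print("after ransomware reached the backup:", restore_drill(tamper=True))
```

The clean drill returns `(True, [])`; after the simulated ransomware pass it returns six problems, three originals reported missing and three `.locked` files reported unexpected. The point of keeping the manifest off the backup host is that a verification which only compares the backup with itself proves nothing; a restore drill like this should be scheduled, and its result kept as documentation of the contingency plan being exercised.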
Malware – Ransomware: Response
Responding to a ransomware attack -
make a fact-specific determination.
• Is it a security incident?
• Was there a breach of PHI?
Malware – Ransomware: Response Cont.
• What if the ePHI encrypted by the ransomware was already
encrypted to comply with HIPAA? Is this a reportable
breach?
– Again, this requires a fact-specific determination.
• A breach notification may not be required if the ePHI
was encrypted in a manner consistent with HHS
guidance.
• This may require an additional analysis to ensure that
the entity’s own encryption actually rendered the affected
PHI unreadable, unusable and indecipherable to
unauthorized persons, for example, that the ransomware did not
run with access to the decryption key or on a system where the
data was already decrypted for use.
Most Common Calls
• Lost laptop, etc.
• Items stolen from car.
• Employee or ex-employee divulging
information to those outside provider.
• Curiosity looks.
• Misfired e-mail or wrong mail.
• No shredding or incinerating.
• Encryption debate.
What To Do Now
• Go over your notes from today.
• Consider an internal audit with relevant staff.
• Perform an unannounced walkthrough of the
Agency’s sites.
• Document it and your efforts.
• Make small changes.
• If OCR comes, remember, they will ask what
you did.
Thank you for your time.
Questions?