HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance

Size: px

Start display at page:

Download "HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance"

Vincent Leonard
6 years ago
Views:

1 2017 Annual Conference HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance Renee H. Martin, JD, RN, MSN Dilworth Paxson, LLP 1500 Market Street, Suite 3500 Philadelphia, PA Tel: (215) Fax: (215)

2 2016-A very good year for data breaches The Identity Theft Resource Center survey showed across the USA, a record high of 1,093 data breaches occurred with 377 in the health care industry. For the 8 th consecutive year, hacking, skimming, phishing attacks were the leading causes of data breaches more than 50% in health care With increased breaches-new record amount of fines paid by CEs and BAs for breach of unsecured PHI OCR entered into 13 settlements with CEs and BAsmore than 2xs number of settlements in

3 Details of breaches not often published HIPAA Complaint Investigations-- OCR determines if CE or BA has violated privacy or security rule, if there findings that CE or BA committed significant violation, a large number of individuals were affected, or OCR wants to send a message to other CEs or BAs. OCR will issue a press release and OCR closes the investigation and puts closure letter on OCR website. ProPublica created an app on its HIPAA Helper Tool-allows determination of repeat offenders. Largest offenders Dept. of Veteran Affairs and CVS Health. Offenses keep occurring despite technical assistance being provided by OCR. Top 5 complaints in 2014: impermissible uses and disclosures of PHI; lack of safeguards of PHI; lack of patient access to their PHI; use or disclosure of more than the minimum necessary PHI; lack of administrative safeguards of electronic protected health information. 3

4 Complaints Received and Cases Resolved Over 150,507 complaints received to date Over 24,879 cases resolved with corrective action and/or technical assistance Expect to receive 17,000 complaints this year 4

The OCR Enforcement Process Right to file a compliant. A person who believes a covered entity or business associate is not complying may file a complaint with Secretary.

5 The OCR Enforcement Process Right to file a compliant. A person who believes a covered entity or business associate is not complying may file a complaint with Secretary. - Disgruntled Employees - Patients Investigation. The Secretary will investigate any complaint filed when a preliminary review indicates possible violation due to willful neglect. Compliance Reviews. The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying when a preliminary review of the facts indicates a possible violation due to willful neglect or in any other circumstance. Audit Program (discuss later) Today s breach report could lead to tomorrow s OCR Compliance Review 5

6 Complaint Process 6

7 Enforcement Guidance: How OCR Closes Cases enforcement/data/index.html Cases that OCR closes fall into five categories: Resolved after intake & review (no investigation) Technical Assistance (no investigation) No Violation (investigated) Corrective Action Obtained (investigated; includes Resolution Agreements) OCR may decide not to investigate a case further if : The case is referred to the Department of Justice for prosecution, The case involved a natural disaster. The case was pursued, prosecuted, and resolved by state authorities. The covered entity or business associate has taken steps to comply with the HIPAA Rules and OCR determines enforcement resources are better/more effectively deployed in other cases. 7

8 Enforcement Process (continued) If the evidence indicates that the Covered Entity was not in compliance, OCR will attempt to resolve the case by obtaining: - Voluntary compliance; - Corrective action; and/or - Resolution Agreement. Civil Money Penalties are also possible always accompany a Resolution Agreement Possible referrals to the Department of Justice of criminal violations. Pennsylvania enforcement results for compliance reviews as of December 31, 2016: - 12% (No Violation) - 67% (Resolved after Intake and Review) - 21% (Corrective Action) 8

9 Enforcement by State Attorneys General OCR developed HIPAA enforcement training in 2011 to help State Attorneys General use their new authority under the HITECH Act to enforce the HIPAA Privacy and Security Rules. Videos and slides are available on the OCR website. - 8 modules, including Module 6: "Investigating and Prosecuting HIPAA Violations." - Includes examples of how OCR could impose civil money penalties to a given fact pattern State AGs have not made extensive use of their new enforcement power to date. No Pennsylvania AG enforcement actions to date. 9

10 OCR Audit Program Audit Purpose: Support Improved Compliance Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance - Intended to be non-punitive, but OCR can open up compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond) Learn from this next phase in structuring permanent audit program Develop tools and guidance for industry self-evaluation and breach prevention 10

11 Audit Program Status Second Audit Phase Underway Desk audits 166 Covered Entities 43 Business Associates Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs On-site audits of both CEs and BAs in 2017, after completion of the desk audit process, to evaluate against a comprehensive selection of controls in protocols A desk audit subject may be subject to on-site audit OCR beginning distribution of draft findings to audited CEs & BAs 11

12 Desk Audit Reporting: Process After review of submitted documentation: Draft findings shared with the entity Entity may respond in writing Final audit reports will: Describe how the audit was conducted Present any findings, and Contain any written entity responses to the draft OCR Website: 12

13 Investigative Perspectives of the Parties 13

14 OCR s Investigative Perspective Still conducting complaint investigations Can widen complaint investigation at any time if complaint investigation signals a potential larger compliance issue Red Flag for CE or BA-when OCR wants to move from paper review to employee interviews OCR looks at multiple "small breaches" which evidence a systematic problem, as well as large breaches put on wall of shame. Guaranteed OCR investigation with 500 or more individuals affected If the breach involves a security breach or successful incident, involving a laptop, or another device, OCR will send laptop to Washington for forensic team analysis to determine vulnerabilities of device and recommendations made encryption, log-on and off, remote swiping, etc. 14

15 OCR s Investigative Perspective OCR has been given significant leeway in fine negotiation and resolution actions OCR central works with local office to move case to Resolution Agreement-generally OCR wants Resolution Agreement entered into within one month. If not Resolution Agreement- CE or BA can move to Administrative Hearing-only one case to date, and was affirmed by ALJ. 15

16 OCR s Investigative Perspective What does OCR expect from CE or BA during process? Cooperation, Cooperation, Cooperation Keep your litigation attorney out of it! Timely responses to requests for information Evidence from CE or BA that it is willing to faithfully and seriously change systems, employee behavior, policies and procedures Don't wait until the end of the investigation 16

17 CE or BA Conduct Perspective Determine who has requisite information to respond to the OCR investigation or complaint Write all responses clearly, honestly If you do not believe there is a valid basis for the complaint, say so and give rationale If you are wrong and you need to conduct corrective action, start action right away and inform OCR as soon as possible of your corrective action 17

18 CE or BA Conduct Perspective Keep leadership informed-board of Directors doesn't like surprises Which begs the question of existence informational governance within your organization's compliance plan 18

19 What is at Stake? 19

20 Resolution Agreements What is a Resolution Agreement? A contract between HHS and a CE in which the CE agrees to perform certain obligations (such as staff training) and make reports to HHS, generally for a 3 year period. During this period, HHS monitors the CE s compliance with its obligations. Typically includes payment of a resolution amount. A resolution agreement is used to settle investigations with more serious outcomes. 20

21 Civil Monetary Penalties The four categories For CMPs used for the penalty structure are as follows: Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules) Category 3: A violation suffered as a direct result of "willful neglect of HIPAA Rules, in cases where an attempt has been made to correct the violation Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation 21

22 Civil Monetary Penalties Category 1: Minimum fine of $100 per violation up to $50,000 Category 2: Minimum fine of $1,000 per violation up to $50,000 Category 3: Minimum fine of $10,000 per violation up to $50,000 Category 4: Minimum fine of $50,000 per violation 22

23 Recent Enforcement Actions 2/16/2017: HIPAA settlement shines light on the importance of audit controls Memorial Healthcare System pays $5.5 million MHS third largest public health care system in U.S. 2/1/2017: Lack of timely action risks security and costs money- Blackberry lost, unencrypted & not password protected. Had consultant perform Risk Assessment found security gaps in system CE did not address. CMP $3,217,000 1/18/2017: HIPAA settlement demonstrates importance of implementing safeguards for ephi MAPFRE Life Insurance Company in Puerto Rico (also underwrites group and individual health insurance plans) reported lost USB device to ORC. No risk assessment, no risk plan. CMP - $2.2 million 23

24 Continuing Enforcement Issue: Affirmative Disclosures Not Permitted The HIPAA Privacy Rule provides that Covered Entities or Business Associates may not use or disclose PHI except as permitted or required. See 45 C.F.R (a). Examples of Potential Violations: Covered Entity permits news media to film individuals in its facility prior to obtaining their authorization. Covered Entity publishes PHI on its website or on social media without an authorization from the individual(s). Covered Entity confirms that an individual is a patient and provides other PHI to reporter(s) without authorization from the individual. Covered Entity faxes PHI to an individual's employer without authorization from the individual. 24

25 Continuing Enforcement Issue: Lack of Business Associate Agreements HIPAA generally requires that CEs and BAs enter into agreements with their BAs to ensure that the Bas will appropriately safeguard protected health information. See 45 C.F.R (b). Examples of Potential Business Associates: A collections agency providing debt collection services to a health care provider which involves access to protected health information. An independent medical transcriptionist that provides transcription services to a physician. A subcontractor providing remote backup services of PHI data for an IT contractor-business associate of a health care provider. 25

26 Continuing Enforcement Issue: Incomplete or Inaccurate Risk Analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. See 45 C.F.R (a)(1)(ii)(A). Organizations frequently underestimate the proliferation of ephi within their environments. When conducting a risk analysis, an organization must identify all of the ephi created, maintained, received or transmitted by the organization. Examples: Applications like EHR, billing systems; documents and spreadsheets; database systems and web servers, fax servers, backup servers; etc.); Cloud based servers, Medical Devices, Messaging Apps ( , texting, ftp); other media 26

27 Risk Analysis Guidance strative/securi tyrule/rarinalguidance.html

28 Continuing Enforcement Issue: Failure to Manage Identified Risk The Risk Management Standard requires the "[implementation of] security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]." See 45 C.F.R (a)(1)(ii)(B). Investigations conducted by OCR regarding several instances of breaches uncovered that risks attributable to a reported breach had been previously identified as part of a risk analysis, but that the breaching organization failed to act on its risk analysis and implement appropriate security measures. In some instances, encryption was included as part of a remediation plan; however, activities to implement encryption were not carried out or were not implemented within a reasonable timeframe as established in a remediation plan. 28

29 Mobile Device Security 29

30 Continuing Enforcement Issue: Lack of Transmission Security When electronically transmitting ephi, a mechanism to encrypt the ephi must be implemented whenever deemed appropriate. See 45 C.F.R (e)(2)(ii). Applications for which encryption should be considered when transmitting ephi may include: o o Texting o Application sessions o File transmissions (e.g., ftp) o Remote backups o Remote access and support sessions (e.g., VPN) 30

31 Continuing Enforcement Issue: Lack of Appropriate Auditing The HIPAA Rules require the "[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." See 45 C.F.R (b). Once audit mechanisms are put into place on appropriate information systems, procedures must be implemented to "regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." See 45 C.F.R (a)(1)(ii)(D). Activities which could warrant additional investigation: o Access to PHI during non-business hours or during time off o Access to an abnormally high number of records containing PHI o Access to PHI of persons for which media interest exists o Access to PHI of employees 31

32 Continuing Enforcement Issue: Patching of Software The use of unpatched or unsupported software on systems which access ephi could introduce additional risk into an environment. Continued use of such systems must be included within an organization's risk analysis and appropriate mitigation strategies implemented to reduce risk to a reasonable and appropriate level. In addition to operating systems, EMR/PM systems, and office productivity software, software which should be monitored for patches and vendor end-of-life for support include: o Router and firewall firmware o o Anti-virus and anti-malware software Multimedia and runtime environments (e.g., Adobe Flash, Java, etc.) 32

33 Continuing Enforcement Issue: Insider Threat Organizations must "[i]mplement policies and procedures to ensure that all members of its workforce have appropriate access to ephi... and to prevent those workforce members who do not have access... from obtaining access to ephi," as part of its Workforce Security plan. See 45 C.F.R (a)(3). Appropriate workforce screening procedures should be included as part of an organization's Workforce Clearance process (e.g., background and OIG LEIE checks). See 45 C.F.R (a)(3)(ii)(B). Termination Procedures should be in place to ensure that access to PHI is revoked as part of an organization's workforce exit or separation process. See 45 C.F.R (a)(3)(ii)(c). 33

34 Continuing Enforcement Issue: Disposal of PHI When an organization disposes of electronic media which may contain ephi, it must implement policies and procedures to ensure that proper and secure disposal processes are used. See 45 C.F.R (d)(2)(i). The implemented disposal procedures must ensure that le]lectronic media have been cleared, purged, or destroyed consistent with NIST Special Publication : Guidelines for Media Sanitization, such that the PHI cannot be retrieved. Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal. Organizations must ensure that all electronic devices and media containing PHI are disposed of securely; including non-computer devices such as copier systems and medical devices. 34

35 Continuing Enforcement Issue: Insufficient Backup and Contingency Planning Organizations must ensure that adequate contingency plans (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R (a)(7). Leveraging the resources of cloud vendors may aid an organization with its contingency planning regarding certain applications or computer systems, but may not encompass all that is required for an effective contingency plan. As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies. See (a)(7)(ii)(d). 35

36 What s Next? 36

37 Long-term Regulatory Agenda HITECH provision re: providing individuals harmed by violations of the HIPAA regulations with a percentage of any civil monetary penalties or settlements collected. HITECH provisions re: changes to HIPAA Accounting of Disclosure provisions. 37

38 Upcoming Guidance/FAQs Privacy and Security for "All of Us" (PMI) research program Text messaging Social Media Use of CEHRT & compliance with HIPAA Security Rule (w/onc) RA/CMP Process Update of existing FAQs to account for Omnibus and other recent developments Minimum necessary 38

39 Recent Guidance: Ransomware and Cloud Computing Ransomware: Cloud Computing: 39

40 Monthly Guidance: Cybersecurity Newsletters February 2016 Ransomware, "Tech Support" Scam, New BBB Scam Tracker June 2016 What's in Your Third-Party Application Software March 2016 Keeping PHI safe, Malware and Medical Devices April 2016 New Cyber Threats and Attacks on the Healthcare Sector May 2016 Is Your Business Associate Prepared for a Security Incident September 2016 Cyber Threat Information Sharing October 2016 Mining More than Gold (FTP) November 2016 December 2016 January 2017 February 2017 What Type of Authentication is Right for you? Understanding DoS and DDoS Attacks Audit Controls Reporting and Monitoring Cyber Threats 40

41 Don t let your program get Stale-presuming you have one. 41

42 What should a Privacy or Security officer be doing now? Keep up with (watch and listen): Current regulations ongoing check across the enterprise Watch/listen for pending changes or challenges in potential regulation NCVHS and HIT Privacy Workgroup Breach notices and stories NIST releases and sample security measures OCR audit information and other notices Monitor work force actions and activates Monitor contracts and business associate agreements 42

43 What should a Privacy or Security officer be doing now? Keep up with: Active participation in enterprise information governance Ongoing security auditing and risk analysis - all technology Planning: Breach strategic planning and workgroup - There will be a breach! Monitoring team Response team who will do what, when, and how? Back-ups for team Business Associate breach Workforce training 43

44 What should a Privacy or Security officer be doing now? Keep up with training and education: Workforce orientation New hire / volunteer orientation On-going reminders and annual retraining Security related training Specialty training and awareness Patient training related to: Patient portal access and use Other technology Consents and authorizations 44

45 What should a Privacy or Security officer be doing now? Keep up with new technology and exchange: Home-based technologies Entity based technologies Enterprise patient portal or sponsored PHR HIE within and external to the enterprise Keeping up with change: Physical plant Patient areas Data and information sites 45

46 Office of Civil Rights (OCR-HHS) Resources Office of the National Coordinator for Health Information Technology (ONC) Substance Abuse and Mental Health Services Administration Nation Institute for Standards and Technology - Healthcare Federal Register 46

47 Resources American Health Information Management Association American Records Management Association Health Care Compliance Association Health Information Management and Systems Society (HIMSS) 47

48 Resources OCR Security Resources OCR NIST Cross Walk urity%20rule%20cross walk% %20finatpdf OCR - Right to Access ONC - Treatment Exchange: treatment.pdf 48

49 Resources e-publications: EHR Intelligence Government Security Enews Healthcare Law Today (Foley & Lardner LLP Health HIT Smart Brief Health IT News 49

50 Resources e-publications (continued): Health Information Security HealthlT Security Information Management 50

51 Resources OCR Audit: Audit Protocol Audit Pre-Screening Questionnaire BA Pre-Screening Questionnaire: 51

52 Questions? 52

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017 Session 9, February 20, 2017 Deven McGraw, Deputy Director, Health Information Privacy HHS Office for Civil Rights 1 Speaker Introduction