Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Size: px

Start display at page:

Download "Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016"

Godwin Anthony
6 years ago
Views:

1 Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016

2 Updates Policy Development Breaches Enforcement Audit 2

3 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS, BUSINESS ASSOCIATES AND AVAILABILITY OF PHI, RANSOMWARE IN PROGRESS: CLOUD, SOCIAL MEDIA, TEXTING & MORE! 3

4 Access Guidance HIPAA Right of Access Guidance Issued in three phases in 2016 Comprehensive Fact Sheet Series of FAQs Scope Form and Format and Manner of Access Timeliness Fees Directing Copy to a Third Party, and Certain Other Topics Consumer video and infographic 4

5 Access Guidance Access Right to Direct PHI to 3 rd Party Individual has right to have entity transmit PHI to 3 rd party of individual s choice Same requirements for providing access directly to the individual apply 5

6 Availability of PHI Maintained by a Business Associate BA may not block or terminate access by the covered entity to the PHI maintained by the BA for or on behalf of the covered entity BA that denies a covered entity s access to the ephi it holds on behalf of the covered entity, is violating the Security Rule. BA may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if the covered entity needs the PHI to provide access to individuals. 6

7 Platform for users to influence guidance HIT Developer Portal OCR launched platform for mobile health developers in October 2015 Purpose is to understand concerns of developers new to health care industry and HIPAA standards Guidance issued in February 2016 about how HIPAA might apply to a range of health app use scenarios FTC/ONC/OCR/FDA Mobile Health Apps Interactive Tool on Which Laws Apply issued in April

8 October 2015 Platform for users to influence guidance

9 Ransomware Guidance

10 Ransomware Prevention Security awareness and training Risk analysis Risk management Access controls Business Associate Agreements Ransomware Recovery Security incident response Contingency plans 10

11 Ransomware and Breaches A breach under the HIPAA Rules is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI. When ephi is encrypted as the result of a ransomware attack, a breach has occurred because the ephi encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule. 11

12 BREACH HIGHLIGHTS AND RECENT ENFORCEMENT ACTIVITY 12

13 Notification Requirements Covered entity must notify affected individuals, HHS, and in some cases, the media, of breach Business associate must notify covered entity of breach Notification to be provided without unreasonable delay (but no later than 60 calendar days) after discovery of breach

14 What is a Breach? Covered entities and business associates must provide notification of breaches of unsecured protected health information (PHI) HHS Breach Notification (safe harbor) Guidance: PHI is unsecured if it is NOT Encrypted Destroyed

15 Breach Risk Assessment Impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless covered entity/business associate can demonstrate low probability that PHI has been compromised based on risk assessment of at least: Nature & extent of PHI involved Who received/accessed the information Potential that PHI was actually acquired or viewed Extent to which risk to the data has been mitigated

16 HIPAA Breach Highlights September 2009 through August 31, 2016 Approximately 1,652 reports involving a breach of PHI affecting 500 or more individuals Approximately 236,944 reports of breaches of PHI affecting fewer than 500 individuals 16

17 HIPAA Breach Highlights 500+ Breaches by Type of Breach as of August 31, 2016 Improper Disposal 3% Other 6% Unknown 1% Hacking/IT 12% Unauthorized Access/Disclosure 24% Theft 45% Loss 9% 17

18 HIPAA Breach Highlights 500+ Breaches by Location of Breach as of August 31, 2016 EMR 5% Other 10% 8% Paper Records 22% Network Server 14% Desktop Computer 11% Laptop 19% Portable Electronic Device 10% 18

19 What Happens When HHS/OCR Receives a Breach Report OCR posts breaches affecting 500+ individuals on OCR website (after verification of report) Public can search and sort posted breaches OCR opens investigations into breaches affecting 500+ individuals, and into number of smaller breaches Investigations involve looking at: Underlying cause of the breach Actions taken to respond to the breach and prevent future incidents Entity s compliance prior to breach 19

20 General Enforcement Highlights Over 139,864 complaints received to date Approximately 1,098 compliance reviews initiated Over 24,424 cases resolved with corrective action and/or technical assistance Expect to receive ~17,000 complaints this year As of 8/31/

21 General Enforcement Highlights In most cases, entities able to demonstrate satisfactory compliance through voluntary cooperation and corrective action In some cases though, nature or scope of indicated noncompliance warrants additional enforcement action Resolution Agreements/Corrective Action Plans 37 settlement agreements that include detailed corrective action plans and monetary settlement amounts 2 civil money penalties As of 9/30/

22 Recurring Compliance Issues Recurring Compliance Issues Business Associate Agreements Risk Analysis Failure to Manage Identified Risk, e.g. Encrypt Lack of Transmission Security Lack of Appropriate Auditing No Patching of Software Insider Threat Improper Disposal Insufficient Data Backup and Contingency Planning 22

23 Corrective Action Corrective Actions May Include: Updating risk analysis and risk management plans Updating policies and procedures Training of workforce Implementing specific technical or other safeguards Mitigation CAPs may include monitoring 23

24 Good Practices Some Good Practices: Review all vendor and contractor relationships to ensure BAAs are in place as appropriate and address breach/security incident obligations Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned Dispose of PHI on media and paper that has been identified for disposal in a timely manner Incorporate lessons learned from incidents into the overall security management process Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members critical role in protecting privacy and security 24

25 Audit Program AUDIT 25

26 Audit Program HITECH Audit Program Purpose: Identify best practices; uncover risks and vulnerabilities; encourage consistent attention to compliance Intended to be non-punitive, but OCR can open up compliance review Also hope to learn from this next phase in structuring permanent audit program 26

27 Audit Program Audit Program to Date Phase I completed On-site pilot audits of covered entities; comprehensive assessment of compliance with the Rules Formal evaluation findings helped shape Phase 2 Phase 2 launched in March 2016 Desk and onsite audits of covered entities and business associates Testing how desk audits work Also will be evaluated 27

28 Audit Program Desk Audits Underway For Covered Entities: Security Rule: risk analysis and risk management Breach Notification Rule: content and timeliness of notifications Privacy Rule: NPP and individual access right For Business Associates: Security Rule: risk analysis and risk management Breach Notification Rule: reporting to covered entity Next: On-site audits in

29 More Information Join us on 29

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Marissa Gordon-Nguyen Office for Civil Rights (OCR) U.S. Department of Health and Human Services June