Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Size: px

Start display at page:

Download "Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D."

Lee Stokes
5 years ago
Views:

1 Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

2 HIPAA GENERAL RULE PHI may not be disclosed without patient authorization unless the disclosure is otherwise permitted under HIPAA or required by law. Failure to comply = breach Breach notification if unsecured PHI 2

3 TOP HIPAA ISSUES Business Associates BAs now directly liable under HIPAA for violations of the Security Rule and for impermissible uses and disclosures of PHI under the Privacy Rule Significant compliance obligations BAs subject to: HIPAA audits Civil monetary penalties Criminal sanctions 3

4 BUSINESS ASSOCIATES Business Associate Agreements no longer boilerplate most contain fee shifting provisions (costs related to breach, indemnification and cyber insurance requirements) May become an issue with Reps and Warranties if not compliant and company is being sold BAs were included in the recent Phase II HIPAA Audits Due to the enforcement and liability risks, BAs should take immediate steps to become HIPAA compliant 4

5 ALPHABET SOUP: FEDERAL AGENCIES NEW ENFORCERS OF CYBERSECURITY 5

6 FEDERAL INITIATIVES AND RESPONSE FTC is taking an active role with more than 50 enforcement actions to date FTC authority upheld by Third Circuit in August 2015 in Wyndham case; but authority challenged by LabMD SEC mandates disclosures about data protection measures and preparedness Data breaches of health information may be a violation of Health Insurance Portability and Accountability Act (HIPAA) Others: FDA, DHS, NSA, FBI, CIA 6

STATE ATTORNEYS GENERAL ENFORCEMENT State Attorneys General are exercising their authority granted by HITECH to bring civil actions on behalf of state

7 STATE ATTORNEYS GENERAL ENFORCEMENT State Attorneys General are exercising their authority granted by HITECH to bring civil actions on behalf of state residents for violations of HIPAA. State AGs are also bringing mini FTC investigations for privacy and security violations. Multi state coordination of investigations 7

8 OCR ENFORCEMENT OF HIPAA OCR enforcement has changed dramatically since 2011 as evidenced by some recent high profile and high penalty enforcement actions taken by OCR In 2016 OCR entered into 12 resolution agreements totaling approximately $24 million in penalties for alleged HIPAA violations In 2017 OCR entered into 10 resolution agreements totaling approximately $20 million dollars in fines. For 2018 OCR has announced 2 resolution agreements totaling $3.6 million dollars in fines ($3.5M for one facility) 8

9 FRESENIUS MEDICAL CARE HOLDINGS On February 4, 2018, OCR entered into a $3.5 million settlement agreement with Fresenius to resolve alleged HIPAA violations that occurred in five separate Fresenius facilities in five different states. Each breach involved stolen or missing equipment, the total amount of breaches across all five facilities impacted approximately 521 patients. Two stolen laptops containing the ephi of 200 patients A stolen, unencrypted USB drive containing the ephi of 245 patients A missing hard drive containing the ephi of 35 patients An unencrypted laptop stolen from a car containing the ephi of 10 patients A stolen desk top computer containing the EPHI of 31 patients 9

10 FRESENIUS MEDICAL CARE HOLDINGS OCR alleged that Fresenius failed to conduct an accurate and thorough Security Risk Analysis. The remainder of the allegations also related to Security Rule violations such as failing to implement appropriate policies and procedures to protect PHI. Takeaways: Make sure to conduct a thorough Security Risk Analysis on an annual basis and when you have made significant changes to your IT systems. Also OCR does read and review reports of breaches impacting less than 500 individuals. 10

11 PRESENCE HEALTH On January 9, 2017, notified OCR that, due to miscommunications between its workforce members, there was a delay in its provision of breach notifications. OCR s investigation into the October 22, 2013 breach indicated that (i) Presence Health did not notify affected individuals until 104 days after discovery of the breach, (ii) did not notify HHS until 101 days after the breach and (iii) did not notify the media until 106 days after discovery of the breach all beyond the 60 day time limit under the Breach Notification Rule. Settled at $475,000 Takeaways: Make sure that breach notifications are done without unreasonable delay and definitely no later than 60 days after discovery of the breach. 11

12 MEMORIAL HEALTHCARE SYSTEM On February 16, 2017, OCR entered into a $5.5 million settlement with MHS for alleged violations of the HIPAA Privacy and Security Rules and agreed to implement a robust corrective action plan. MHS reported to OCR that the PHI of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information included the affected individuals names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician s office had been used to access the ephi maintained by MHS on a daily basis without detection from April 2011 to April

13 MEMORIAL HEALTHCARE SYSTEM According to OCR, Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to Takeaways: Organizations must implement audit controls and review audit logs regularly. In addition, it is important to address problem areas identified in a risk analysis and assessment as well as immediately terminating the system access to former employees/contractors 13

14 THE CENTER FOR CHILDREN S DIGESTIVE HEALTH ( CCDH ): On April 20, 2017, OCR announced that CCDH paid $31,000 to settle claims that it violated the HIPAA Privacy Rule and entered into a CAP. OCR alleged that CCDH impermissibly disclosed the PHI of at least 10,728 individuals to FileFax, a third party vendor storing paper records, without obtaining a business associate agreement from FileFax. Of note is that numerous files containing medical records were allegedly discovered in a dumpster outside FileFax s office, resulting in a lawsuit by the Illinois Attorney General. 14

15 THE CENTER FOR CHILDREN S DIGESTIVE HEALTH ( CCDH ): Takeaways: Make sure that business associates agreements are in place with all vendors that handle PHI on behalf of your organization here the lack of a BAA cost the covered entity $31,000! Further, this case highlights that incidents involving business associates can have enforcement consequences for the covered entity. Also Don t forget about paper records!!!! 15

16 LESSONS LEARNED Security Risk Analysis. HIPAA covered entities and business associates must regularly conduct enterprise wide information security risk analyses in accordance with the Security Rule to assess risk and vulnerabilities. Develop a Risk Management Plan. While conducting a risk analysis is critical, a risk management plan can assure that reasonable safeguards are adopted as a result of the risks or vulnerabilities identified through the risk analysis BAAs: Have Business Associate Agreements with vendors that will have access to your PHI Encryption, Encryption, Encryption!!!! 16

17 HIPAA PHASE 2 AUDITS Completed in 2017 included 166 covered entities and 41 business associates Covered Privacy, Security and Breach Notification Rules OCR s Goals for the Phase 2 Audits [P]rimarily a compliance improvement activity to help OCR Better understand compliance efforts with particular aspects of the HIPAA Rules Determine what types of technical assistance OCR should develop Develop tools and guidance to assist the industry in compliance, self evaluations and in preventing breaches Significant non compliance could result in an OCR investigation or compliance review Back door reinforcement tool? 17

18 HIPAA PHASE 2 AUDITS Timeline March 21, 2016 OCR begins to send out verifications (again in May) April 4, 2016 OCR sends out pre screening questionnaires July 11, 2016 OCR sent out audit documentation requests to 167 covered entities Business Associate audits followed No on site audits YET as had been planned 18

19 HIPAA PHASE 2 AUDITS Security Rule Risk Analysis Current and most recent prior risk analysis Documentation from previous year showing that the risk analysis was available to those persons responsible for implementing Risk analysis policies going back 6 years Risk Management Documentation demonstrating security measures implemented as a result of risk analysis this year and prior Related policies going back 6 years 19

20 HIPAA PHASE 2 AUDITS Privacy Rule Notice of Privacy Practices ( NPP ) Copies of NPP Policies and procedures for electronic notice Patient Right of Access Documents related to first five access requests granted in previous year Policies and Procedures for individuals to request and access their PHI 20

21 HIPAA PHASE 2 AUDITS Breach Notification Rule Provide documentation of five breach incidents for the previous year affecting less than 500 individuals (including when breach discovered and when individuals notified) and same for breaches affecting more than 500 individuals looking at content and timing of breach notices Provide any breach notification templates 21

22 HIPAA PHASE 2 AUDITS Phase 2 Desk Audit Process The covered entity will either be audited on the Security Rule topics or on the Privacy Rule/Breach Notification Rule topics. Once document request are sent out, covered entities had 10 business days to submit their responses no credit for late documentation submissions. OCR sent a draft audit report to the covered entity Covered entity had 10 business days to respond Final OCR report issued within 30 days of receiving response 22

23 PREPARING FOR AN AUDIT Preparing for an Audit (at a minimum) Review online audit protocol (approximately 419 pages) Make sure that hhs.gov s (OSOCRAudit@hhs.gov) are not blocked by spam filters Make sure HIPAA policies and procedures are in place, including breach notification, and have retained policies for 6 years Have a current Notice of Privacy Practices Have conducted regular system wide risk analyses and have documentation on actions taken on results of the analyses Compile a centralized list of all business associates and make sure appropriate Business Associate Agreements are in place. Have designated Privacy and Security officers 23

24 Contact Information Gregory M. Fliszar, J.D. Ph.D. (Greg ) Cozen O Connor One Liberty Place 1650 Market Street, Suite 2800 Philadelphia, PA gfliszar@cozen.com 24

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,