HIPAA Enforcement. Avoiding Others Mistakes and Preparing for Audits JULY 13, 2017

Size: px

Start display at page:

Download "HIPAA Enforcement. Avoiding Others Mistakes and Preparing for Audits JULY 13, 2017"

Bathsheba Moore
5 years ago
Views:

1 HIPAA Enforcement Avoiding Others Mistakes and Preparing for Audits JULY 13, 2017 Elizabeth Johnson Partner, Head Privacy Data Security PracMce (919)

2 HIPAA Enforcement Avenues Enforcement body = U.S. Department of Health and Human Services Office for Civil Rights (aka OCR ) Two major enforcement paths 1. Audits Required for OCR to conduct per HITECH Act Random selecnon 2. Compliance Reviews Two typical triggers: individual complaint or self-reported data breach AutomaNc when repornng a breach > 500

3 ResoluMon No further acnon Best Voluntary compliance Directed correcnve acnon ResoluNon agreement ResoluNon Payment CorrecNve AcNon Plan Civil Monetary Penalty Worst

4 Audits Phase 1 conducted primarily in 2012 Phase 2 started last year Desk audits complete Focus areas: Ø NoNce of Privacy PracNces content and delivery Ø Right to access PHI Ø Risk analysis and risk management Ø Breach nonce Nmeliness and content On-site audits expected, unclear if they have started Business associate audits also expected imminently

5 ELIZABETH JOHNSON * WYRICK ROBBINS * * EJOHNSON@WYRICK.COM

7 Audit Protocol hhps:// audit/protocol/index.html Revealing of auditors line of inquiry Many items beyond mere policies, such as: Evidence of reviews and updates Log of complaints Training logs SancNons log List of all breach risk assessments Samples of disclosures made in response to legal requests, including the subpoena, order, etc.

8 Compliance Reviews Format/process Leher outlining issue and jurisdicnon Data request, typically 5-10 pages and quesnons Typical day deadline to reply All documentanon Possible follow-up AddiNonal data requests Discussion

11 Compliance Review QuesMons Common requests ExplanaNon of incident Steps taken to address it (minganon / correcnve acnon) Risk analysis somenmes mulnple Security evaluanon Evidence of training Compliance policies BAAs Assess exposure IMMEDIATELY ajer any incident Re-train employees immediately ajer breach, complaint, etc. PotenNally update risk analysis Address policy gaps Update/execute BAA if needed

12 Most Common Problems in Significant Enforcement AcMons Cause of breach/incident Lost/stolen electronic media (36%) Inappropriate use (17%) Improper/inadequate disposal (12%) Data available via Internet search (12%) Underlying compliance issues Lack of / inadequate risk analysis (40%) Lack of encrypnon = (36% or more?)

13 Risk Analyses Do Conduct a comprehensive analysis at least once per year (documented) Follow OCR guidance Make a threat list Apply controls Apply vulnerabilines (known and suspected) Consider environment Score / rank each threat based on likelihood and impact Include your past mistakes and other s in your threat list Consider past results improving or no progress? Understand that risk may increase even with minganon

14 Do Risk Analyses Don t Rely solely on a third party to produce it Rate the risk of gaps, instead of the risk of threats Ø Gap: Lack of encrypnon = High Risk Consider your Ø Threat 1 = Thej of laptop environment Relevant? No, if PHI not stored on laptops If yes, are laptops encrypted? Apply vulnerability If no, then thej of laptop is a HIGH RISK Ø Threat 2 = Thej of server Not encrypted Apply vulnerability But physical security makes physical thej unlikely Thej of server is a MEDIUM RISK Beneficial control

15 Emerging Issues Malware OperaNonalizing risk analysis results Refining organizanonal approach VicNmhood is no defense Repeat offenses Business Associates

16 Malware Emerging root cause for enforcement (2-3 year enforcement delay) Ransomware a parncular interest Ransomware = breach; data integrity = harm? DILBERT 2005 Scoh Adams. Used By permission of ANDREWS MCMEEL SYNDICATION. All rights reserved.

17 Emerging Issues OperaNonalizing Risk Analysis Children s Medical Center Dallas - $3.2M Univ Mississippi Medical Center - $2.75M Refining OrganizaNonal Approach Failure to update BAAs: Woman & Infant Hospital of RI - $400,000 Incomplete hybrid ennty designanon: Univ Mass Amherst - $650,000 VicNmhood Is No / Not Much Defense Memorial Health (FL): Employees steal data and commit fraud; failure to audit access exacerbates access - $5.5M Memorial Hermann Health System: PaNent ahempts fraud; health system subsequently IDs panent in press releases, posts info on website, and holds meenng with gov t reps and advocacy group - $2.4M

18 Emerging Issues Repeat Offenders Triple-S - $3.5M - Seven reported breaches, including employees taking data to a compentor, vendor twice prinnng PHI on outside of mailers, twice misdirected mailings including PHI, former employee downloaded PHI Advocate Health - $5.5M - Thej of unencrypted desktops, business associate was hacked, thej of unencrypted laptop BAAs Triple-S (among other issues) - $3.5M Oregon Health & Science University - $2.7M Raleigh Orthopaedic - $750,000 Center for Children s DigesNve Health - $31,000

19 PenalMes Viola(on category Each viola(on Viola(ons of iden(cal provision in calendar year Did not know of violanon $100-50,000 $1,500,000 Reasonable cause for violanon $1,000-50,000 $1,500,000 Willful neglect, but corrected $10,000-50,000 $1,500,000 Willful neglect, but not corrected $50,000 $1,500,000 Ability to pay drives sehlement Number of people affected does not

$6,000,000.00 Recent Resolu(on Payments Rela(ve to Number of People Affected by Incident $5,000,000.00 80,000 $4,000,000.00 13,000 $3,000,000.

20 $6,000, Recent Resolu(on Payments Rela(ve to Number of People Affected by Incident $5,000, ,000 $4,000, ,000 $3,000, ,800 10,000 4, , ,391 2,209 $2,000, $1,000, $0.00 1,670 17,300 14, ,200 Data: OCR s announced HIPAA sehlements: 1/1/2016-6/30/2017 (4 acnons excluded) 836

21 OCR Math Lack of security implementanon (Children s Medical Center Dallas) Lack of safeguard number of days = individual violanons Lack of policy number of days = individual violanons Impermissible disclosure Number of people affected = individual violanons Breach nonficanon failure (Presence Health Network) Each individual nonce leher every day late = individual violanons Media nonce every day late = individual violanons HHS nonce every day late = individual violanon AggravaNng factors (Children s Medical Center Dallas) Failure to address idennfied risks (repeatedly?) History of non-compliance (mulnple reported breaches)

22 Tips for Success Keeping your house in order GREATLY decreases LOE Take correcnve acnon immediately Re-train all employees involved, or ennre department, and log it Document correcnve measures and follow through If longer-term, mark progress over Nme and FOLLOW UP (e.g., encrypnon, logging, other tech solunons) Include past incidents in next comprehensive risk analysis Demonstrate that you are learning from your mistakes and then demonstrate that you undertook minganon Consider a full assessment But be mindful of non-privileged, third-party-authored reports

23 Tips for Success Answer the quesnons Avoid defensiveness / over-explaining Don t hide issues if quesnons are on the nose be transparent OCR wants reasonableness, good faith Be responsive (e.g., ask proacnvely for more Nme if needed, but not more than once; ask if response was received successfully) Produce as many solid, responsive documents as possible Invoke FOIA as applicable Ask about method of receipt Last-minute glitches Security

24 QuesMons?

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement