Health Law Institute
Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More
Brooke Bennett Aziere
October 18, 2017

Agenda
- Enforcement Trends
- Phase 2 HIPAA Audits
- Upcoming Initiatives
Enforcement
2016: record year for resolution agreements and civil monetary penalties
- 13 actions
- Nearly $25M in penalties
So far in 2017
- 8 actions
- Over $17M in penalties

Enforcement Trends: Timely Notification of Breach
Presence Health Network (January 9, 2017)
- Paper surgery scheduling sheets
- Loss occurred in 2013
- 836 patients
- 45 days late in notifying patients
- $475,000 settlement
- Corrective Action Plan
Enforcement Trends: Loss of Portable Devices
Children's Medical Center of Dallas (February 1, 2017)
- A series of lost BlackBerries and laptops, from before the Breach Notification Rule through April 2013
- $3.2M civil monetary penalty (no voluntary settlement)
- Aware of the risks: Security Gap Analysis (2006/2007); PricewaterhouseCoopers (2008)
- But took no action and continued to issue unencrypted portable devices to staff

Enforcement Trends: OCR requires CEs to act on identified risks
- Children's Medical Center of Dallas
- University of Mississippi Medical Center (discussed at 2016 Health Law Institute)
- Oregon Health and Science University (discussed at 2016 Health Law Institute)
Enforcement Trends: Loss of Portable Devices
CardioNet (April 24, 2017)
- First case involving a wireless healthcare provider
- Stolen laptop
- $2.5M settlement
- Corrective Action Plan

Enforcement Trends: Lack of Security Risk Analysis
Metro Community Provider Network (April 12, 2017)
- Federally-qualified health center (FQHC)
- Hacker and phishing emails
- 3,200 individuals
- No risk analysis completed until after the incident
- $400,000 settlement
- Corrective Action Plan
Enforcement Trends: Access and Audit Controls
Memorial Healthcare System (February 16, 2017)
- Former employee's access not terminated
- Credentials used daily for a year without detection
- 80,000 patients impacted
- $5.5M settlement
- Corrective Action Plan

Enforcement Trends: Impermissible Disclosures
Memorial Hermann Health System (May 10, 2017)
- Patient presented an allegedly fraudulent identification card to staff
- Reported to law enforcement: PERMITTED
- Issued a press release about the patient: the impermissible disclosure
- $2.5M settlement
- Corrective Action Plan
Enforcement Trends: Impermissible Disclosures
St. Luke's-Roosevelt Hospital (May 23, 2017)
- Sensitive information faxed to the patient's employer: HIV status, sexually transmitted diseases, sexual orientation, mental health
- $387,000 settlement
- Corrective Action Plan

Enforcement Trends: Business Associate Agreements
- Continuing enforcement issue
- Raleigh Orthopedic Clinic (discussed at 2016 Health Law Institute)
- Care New England Health System (discussed at 2016 Health Law Institute)
- OCR's message: have them.
Centers for Children's Digestive Health (April 20, 2017)
- Lack of a BAA
- The BA stored patient records
- $31,000 settlement
- Corrective Action Plan

Additional Trends*: Lack of Transmission Security
When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate. See 45 C.F.R. 164.312(e)(2)(ii).
Applications for which encryption should be considered:
- Email
- Texting
- File transmission (e.g., FTP)
- Remote backups
- Remote access and support sessions (e.g., VPN)

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)
Additional Trends*: Lack of Auditing
The HIPAA Rules require the implementation of "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." See 45 C.F.R. 164.312(b).
Regular review of information system activity is required. Activities that could require additional investigation:
- Access to ePHI during non-business hours or while the user is on PTO
- Access to an abnormally high number of records containing ePHI
- Access to the ePHI of high-profile individuals
- Access to the PHI of employees

Additional Trends*: Insufficient Backup/Contingency Planning
Organizations must ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency. See 45 C.F.R. 164.308(a)(7).
- Periodic testing
- Revisions to address deficiencies
Important note from OCR on the use of cloud vendors: they may aid with contingency planning, but may not encompass all that is required for an effective contingency plan.
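The auditing requirement above is only satisfied if someone (or something) actually examines the recorded activity. The following is an added example, not code from the presentation or from OCR: it applies the four review triggers OCR lists, plus the "terminated account still in use" pattern from the Memorial Healthcare System case, to a handful of constructed ePHI access-log lines. The log format, the 07:00-19:00 business window, the daily record threshold, and the PTO, high-profile, employee and termination rosters are all assumptions for the illustration; a real deployment would pull them from HR and the EHR.

```python
"""Flag ePHI access events that warrant follow-up review.

Added example (not from the presentation and not OCR's tooling): it applies
the four review triggers OCR lists, plus the "terminated account still
active" scenario from the Memorial Healthcare System case, to constructed
access-log lines. The log format, business hours, volume threshold and the
reference rosters are assumptions for the illustration.
"""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample log lines: ISO timestamp, user, patient record id, action.
SAMPLE_LOG = "\n".join([
    "2017-06-05T09:12:00,jdoe,P1001,view",     # ordinary weekday access
    "2017-06-05T23:15:00,jdoe,P1002,view",     # late at night
    "2017-06-07T11:00:00,asmith,P2001,view",   # asmith is on PTO that day
    "2017-06-08T10:05:00,asmith,P9001,view",   # P9001 is a high-profile patient
    "2017-06-08T10:06:00,asmith,P3001,print",  # P3001 is a staff member's own record
    "2017-06-09T14:00:00,bformer,P1003,view",  # account terminated 2017-01-31
] + [f"2017-06-06T08:{i:02d}:00,rbulk,P5{i:03d},view" for i in range(8)])  # 8 records in a day

# Reference data an organization would maintain elsewhere (constructed here).
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumption: Mon-Fri 07:00-19:00
DAILY_RECORD_THRESHOLD = 5                   # assumption: real baselines are per role
PTO_DAYS = {"asmith": {date(2017, 6, 7)}}
HIGH_PROFILE_PATIENTS = {"P9001"}
EMPLOYEE_PATIENT_IDS = {"P3001"}
TERMINATED_ON = {"bformer": date(2017, 1, 31)}


def parse_log(text):
    """Parse comma-separated log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def is_off_hours(ts):
    """Weekend, or outside the assumed business window on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def review_access(events):
    """Return (user, date, reason) tuples for events that need investigation."""
    findings = []
    records_per_user_day = defaultdict(set)   # distinct patient records per user per day
    for e in events:
        user, day, patient = e["user"], e["ts"].date(), e["patient"]
        records_per_user_day[(user, day)].add(patient)
        if is_off_hours(e["ts"]):
            findings.append((user, day, "access outside business hours"))
        if day in PTO_DAYS.get(user, ()):
            findings.append((user, day, "access while on PTO"))
        if patient in HIGH_PROFILE_PATIENTS:
            findings.append((user, day, "access to high-profile patient record"))
        if patient in EMPLOYEE_PATIENT_IDS:
            findings.append((user, day, "access to PHI of an employee"))
        if user in TERMINATED_ON and day > TERMINATED_ON[user]:
            findings.append((user, day, "activity on a terminated account"))
    # Volume check runs after the pass so the whole day is counted.
    for (user, day), records in records_per_user_day.items():
        if len(records) > DAILY_RECORD_THRESHOLD:
            findings.append((user, day, f"{len(records)} distinct records in one day"))
    return findings


def reasons_for(findings, user):
    """Set of reasons raised for one user, for summary reporting."""
    return {reason for u, _, reason in findings if u == user}


if __name__ == "__main__":
    for user, day, reason in sorted(review_access(parse_log(SAMPLE_LOG))):
        print(f"{day} {user:8s} {reason}")
```

The point of the terminated-account check is that it needs a feed from HR, not just from the EHR: in the Memorial Healthcare System case the logs existed, but nothing compared them against who should still have access. The volume threshold is deliberately tiny here so the sample triggers it; in practice it should be a per-role baseline, and every finding is a prompt for human review, not a verdict.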
Phase 2 HIPAA Audit Program
- Selected covered entities received notification by email in July 2016
- Desk audits complete
- Identification of business associates: selection pool drawn from over 20,000 entities identified by covered entities
- Desk audits of business associates underway
- On-site audits of both covered entities and business associates after completion of desk audits, evaluating against a comprehensive selection of controls in the protocols

Phase 2 HIPAA Audit Program
Covered Entity Audits (166 total)
- By type: Providers 90%; Health Plans 8.7%; Health Care Clearinghouses 1%
- By region, Midwest (includes Kansas and Missouri): Covered Entities (38); Business Associates (15)
- By subject: Privacy and Breach (103); Security (63)
Business Associate Audits (41 total)
- Breach and Security
Phase 2 HIPAA Audit Program
Three-step process:
- Draft findings
- Issuance of final audit reports
- Compliance reviews, BUT OCR has represented that the Audit Program is not intended to be a "gotcha" or punitive program

Phase 2 HIPAA Audit Program
OCR's Linda Sanchez, at the recent OCR/NIST conference Safeguarding Health Information: Building Assurance through HIPAA Security 2017, described the program's purposes:
- Support improved compliance
- Identify best practices
- Uncover risks and vulnerabilities
- Detect areas for technical assistance
- Encourage consistent attention to compliance
Phase 2 HIPAA Audit Program
So what did OCR review? Covered Entity Desk Audit Controls
Source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, presenter Linda Sanchez, on Audits of Entity Compliance with the HIPAA Rules

Phase 2 HIPAA Audit Program: Privacy Rule Controls
Notice of Privacy Practices
- Copies of all NPPs
- URL of NPP posted on website
- Electronic notice policies and procedures
Right to Access
- Access requests
- Extensions
- Access forms
- Access policies and procedures
Phase 2 HIPAA Audit Program: Breach Notification Rule Controls
- Timeliness of notifications
- Content of notifications
- Form letters

Phase 2 HIPAA Audit Program: Security Rule Controls
Risk Analysis
- Current and prior RAs
- Documentation for the previous year demonstrating implementation of the RA process
- Availability to individuals responsible for the process
- Periodic review and updating
- Policies/procedures going back 6 years related to implementation of the RA
Phase 2 HIPAA Audit Program: Security Rule Controls
Risk Management
- Documentation supporting implementation of security measures to reduce the risks identified in the RA
- Documentation for the previous year showing efforts to manage risks
- Policies/procedures going back 6 years related to implementation of risk management
- Documentation that current and ongoing risks are reviewed and updated
- Documentation for the previous year demonstrating implementation of the risk management process
- Availability to individuals responsible for the process
- Periodic review and updating
Phase 2 HIPAA Audit Program: Takeaways, Breach
Timeliness of notification
- Most notifications were timely: 65% of covered entities received a 1 rating
- 11% did not; a common problem was no date on the letter
Content
- Only 14% received a 1 rating
- 67% received a 3, 4, or 5 rating
- Not adequately describing the specific types of PHI breached, or the mitigation
Phase 2 HIPAA Audit Program: Takeaways, Privacy
Access: HUGE PROBLEM
- Only 11 of 103 covered entities received a 1 or 2 rating
- Over half had a 4 or 5 rating
- Communicating access rights to individuals
- Using authorization forms versus access forms
Content
- 48% received a 1 or 2 rating
- Notification of the right to direct information to a third party
eNotice
- 57% received a 1 rating
- 21% received a 4 or 5 rating
- Difficult to find

Phase 2 HIPAA Audit Program: Takeaways, Security
Risk Analysis
- NO 1 ratings; lots of room for improvement
- Not conducting an RA
- Not documenting the RA
- Not clear it was conducted regularly
- Listing of risks but no ratings
- Incomplete forms
- Not identifying all information systems where ePHI is located
Risk Management
- Majority received a 4 or 5 rating; lots of room for growth here
- No documentation of action on the results of the RA
- No documentation that risk management is addressed regularly
Phase 2 HIPAA Audit Program: Preliminary Findings
- Notice of Privacy Practices
- Right to Access

OCR Audit Protocol
180 HIPAA requirements and questions:
- 89 privacy requirements
- 72 security requirements
- 19 breach notification requirements
Audit Protocol, April 2016, HHS, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Upcoming Initiatives
Accounting of Disclosures
- 2011 Notice of Proposed Rulemaking (NPRM) implementing the accounting of disclosures provisions in the 2009 HITECH Act
- Access reports
- In July 2017, OCR Deputy Director for Health Information Privacy Deven McGraw announced that OCR is starting over from scratch
Texting
- Guidance in the works
- For now, OCR refers providers to the Access Guidance

Upcoming Initiatives: More on Cybersecurity
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
- Cybersecurity checklists
- Newsletters