HIPAA Privacy, Security & Breach No5ﬁcaon Rule Compliance · 23/09/2016 · agreement with Care New England, its corporate parent, post HIPAA Omnibus Final Rule which including

HIPAAComplianceAuditsPhase2

LindaSanchesSeniorAdvisorDivisionofHealthInforma5onPrivacy

HIPAAEnforcementProgram

SusanRhodesRegionalManagerNewEnglandRegion

HIPAAPrivacy,Security&BreachNo5fica5onRuleCompliance

Privacy & Security Forum HIMSS 1

December 7, 2016

Topics


q  Phase II HIPAA Audit Program q  Status q  Random Selection Processes q  Desk Audits &. On-site Audits

q  Desk Audit Mechanics

q  What to Expect q  Document Request – Receipt and Response q  Final Reports

q  Standards Selected

q  Compliance Issues

q  Enforcement

q  Available Guidance

HIPAACOMPLIANCEAUDITSPHASE2

Update


•  Iden5fybestprac5ces;uncoverrisks&vulnerabili5es;detectareasfortechnicalassistance;encourageconsistentaMen5ontocompliance–  Intendedtobenon-puni5ve,butOCRcanopenupcompliancereview(forexample,ifsignificantconcernsareraisedduringanauditoranen5tyfailstorespond)

•  Learnfromthisnextphaseinstructuringpermanentauditprogram

•  Developtoolsandguidanceforindustryself-evalua5onandbreachpreven5on

Audit Program Purpose

Purpose—SupportImprovedCompliance


HITECHlegislaDon:HHS(OCR)shallprovideforperiodicauditstoensurethatcovereden55esandbusinessassociatescomplywithHIPAAregula5ons.(Sec5on13411)

Pilotphase(2011-2012)–

comprehensive,on-siteauditsof115covered

en55es.

2013–issuanceofformalevaluaDon

report

2016–Phase2(ongoing)–between

200-250“desk”auditsofcovered

en55esandbusinessassociates

Background

AuditProgramHistory


Audit Program Status

6

v Desk audits underway. Total 214

v  166 Covered Entities

v  48 Business Associates—documents due 12/13

v Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs

v On-site audits of both CEs and BAs in 2017 to evaluate against comprehensive selection of controls in protocols

v A desk audit subject may be subject to on-site audit

Privacy & Security Forum HIMSS

CE Selection Process


Selectedauditeescheckedforconflictofinterestswiththecontractor,aswellassubjectsofongoinginves5ga5ons.

Conflic5ngauditeeswerereplacedinkind

Ranarandomizedselec5onalgorithmthatdrewfromeachofthecategories,resul5ngin166CEs.

Iden5fiedpoolsofwiderangeofCEsSamplingcriteriaincludedsize,affilia5ons,loca5on,publicor

private,etc.

Healthplansweredividedintogroupplansandissuers

Providerscategorizedbytype• Hospital,prac55oner,eldercare/SNF,healthsystem,pharmacy

Types of Business Associates


Non-ClinicalG&S

Claims&Billing Professional Clinical EHR&IT Insuranc

e Other

Admin Claims Legal Providers EHRsystem Salesbroker Accredita5on

Collec5ons Billing Consultant Labservice ITsolu5ons Agency Educa5on

DMESales TPA Accoun5ng Pharmacy ITsupport Provider Registry

Staffing Sogware Benefits Research

Answerservice Staffing

Document Requests & Responses


DocumentrequestssenttoselectedCE&BAauditeesviaemail

Forspecificpolicies,procedures,otherevidenceofimplementa5onItemsmustbesubmiMedusingsecureonlineportallinkinno5fica5onemail

CEsonlywereaskedtosubmit,viaemail,listofalltheCE’sBAs• Over20,000submiMed

Desk Expectations


En55eshave10businessdaystoprovideresponses

• Responsesshouldcontainthespecifieddocumenta5on--applicablepolicies,procedures,evidenceofimplementa5on

• Providecompleteandrelevantmaterials• Refrainfromsubmikngsuperfluousdocumenta5on!10MBfilesizelimita5on

Desk Audit Reporting: Process


AgerreviewofsubmiMeddocumenta5on• dragfindingssharedwiththeen5ty,• En5tymayrespondinwri5ng

Finalauditreportswill• describehowtheauditwasconducted,

• presentanyfindings,and• containanywriMenen5tyresponsestothedrag

UnderOCR’sseparate,broadauthoritytoopencompliance

reviews,OCRcoulddecidetoopenaseparatecompliancereviewinacircumstancewheresignificant

threatstotheprivacyandsecurityofPHIarerevealedthroughtheaudit

Covered Entity Desk Audit Controls


Privacy Rule Controls

Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]

Provision of Notice – Electronic Notice [§164.520(c)(3)]

Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule Controls

Timeliness of Notification [§164.404(b)]

Content of Notification [§164.404(c)(1)]

Security Rule Controls

Security Management Process -- Risk Analysis [§164.308(a)(1)(ii)(A)]

Security Management Process -- Risk Management [§164.308(a)(1)(ii)(B)]

Business Associate Desk Audit Controls


Breach Notification Rule Controls

Notification by a Business Associate [§164.410, with reference to Content of Notification §164.404(c)(1)]

Security Rule Controls

Security Management Process -- Risk Analysis [§164.308(a)(1)(ii)(A)]

Security Management Process -- Risk Management [§164.308(a)(1)(ii)(B)]

COMPLIANCEISSUESANDENFORCEMENT


Regional Operations

NEWENGLAND(BOSTON)

EASTERNANDCARIBBEAN(NEWYORK)

MID-ATLANTIC(PHILADELPHIA)

SOUTHEAST(ATLANTA)

MIDWEST(CHICAGOANDKANSASCITY)

SOUTHWEST(DALLAS)

ROCKYMOUNTAIN(DENVER)

PACIFIC(SANFRANCISCO,

LOSANGELESANDSEATTLE)

MISSION of 8 REGIONAL OFFICES:

ENFORCEMENT, TECHNICAL ASSISTANCE, OUTREACH

•  BusinessAssociateAgreements

•  RiskAnalysis•  FailuretoManageIden5fiedRisk,e.g.Encrypt

•  LackofTransmissionSecurity

•  LackofAppropriateAudi5ng

•  NoPatchingofSogware•  InsiderThreat•  ImproperDisposal

•  InsufficientDataBackupandCon5ngencyPlanning

Recurring Compliance Issues

RecurringComplianceIssues

16Privacy & Security Forum HIMSS

Corrective Action

CorrecDveAcDonsMayInclude:

•  Upda5ngriskanalysisandriskmanagementplans

•  Upda5ngpoliciesandprocedures•  Trainingofworkforce•  Implemen5ngspecifictechnicalorothersafeguards

•  Mi5ga5on

•  CAPsmayincludemonitoring


Good Practices

SomeGoodPracDces:•  Reviewallvendorandcontractorrela5onshipstoensureBAAs

areinplaceasappropriateandaddressbreach/securityincidentobliga5ons

•  Riskanalysisandriskmanagementshouldbeintegratedintobusinessprocesses;conductedregularlyandwhennewtechnologiesandbusinessopera5onsareplanned

•  DisposeofPHIonmediaandpaperthathasbeeniden5fiedfordisposalina5melymanner

•  Incorporatelessonslearnedfromincidentsintotheoverallsecuritymanagementprocess

•  Providetrainingspecifictoorganiza5onandjobresponsibili5esandonregularbasis;reinforceworkforcemembers’cri5calroleinprotec5ngprivacyandsecurity


•  Worksta5onsassociatedwithmedicaldevicesLaheyHospitalandMedicalCenter(Lahey)agreedtopay$850,000andwilladoptarobustcorrec5veac5onplantocorrectdeficienciesinitsHIPAAcomplianceprogram.Lahey(MA)isanonprofitteachinghospitalaffiliatedwithTugsMedicalSchool,providingprimaryandspecialtycare.Itsriskanalysisfailedtoiden5fywhereallePHIwasheld,resul5nginimpermissibledisclosureswhenalaptopassociatedwithamedicaldevicewasstolen.

•  EnterpriseRiskAnalysisSt.JosephHealth(SJH)(largesystemonTXandNM)agreedpayaresolu5onamountof$2,140,500andadoptacomprehensivecorrec5veac5onplan.SJHfailedtoconductanenterprise-wideriskanalysissystemwideandriskmanagementplanresul5nginpublicaccessto31,800individuals’ePHI

Risk Analysis

SecurityRule:riskanalysisandriskmanagement


•  CatholicHealthCareServicesoftheArchdioceseofPhiladelphia(CHCS)hasagreedtoaresolu5onpaymentof$650,000andacorrec5veac5onplanagerthethegofaCHCSmobiledevicecompromisedtheprotectedhealthinforma5on(PHI)ofhundredsofnursinghomeresidents.CHCSprovidedmanagementandinforma5ontechnologyservicesasabusinessassociatetosixskillednursingfacili5es.Thetotalnumberofindividualsaffectedbythecombinedbreacheswas412.

RA & RM

SecurityRule:riskanalysisandriskmanagement


•  RelatedtoOCR’sseMlementagainstCareNewEnglandwhereWomenandInfantsHospital,anaffiliatedcovereden5ty,failedtoupdateitsbusinessassociateagreementwiththeparentcompany(resolu5onamountof$4OOkandacomprehensivecorrec5veac5onplan),theMAAMorneyGeneral’sOfficeseMledonotherissuesincluding“failingtoprovide5melyno5ceofthelossofPHIinviola5onof45C.F.R.§164.404and45C.F.R.§164.408.”TheMAAMorneyGeneralseMledtheircasefor$150kandacorrec5veac5onplan.

Breach Notification

BreachNoDficaDonRule:content&Dmeliness


•  Througharegionalinves5ga5onandtechnicalassistance,OCRrequiredacovereden5tytoceaseusingapa5entagreementthatcondi5onedtheen5ty’scompliancewiththePrivacyRule.Addi5onally,OCRrequiredthecovereden5tytoreviseitsNo5ceofPrivacyPrac5ces.Priortotheresolu5on,thecovereden5tyrequestedthatpa5entssignanagreementen5tled“ConsentandMutualAgreementtoMaintainPrivacy.”Theagreementprohibitedthepa5entfromdirectlyorindirectlypublishingorairingcommentaryaboutthephysician,hisexper5se,and/ortreatmentinexchangeforthephysician’scompliancewiththePrivacyRule.Apa5ent’srightsunderthePrivacyRulearenotcon5ngentonthepa5ent’sagreementwithacovereden5ty.Acovereden5ty’sobliga5ontocomplywithallrequirementsofthePrivacyRulecannotbecondi5onedonthepa5ent’ssilence.

NPP and Access

PrivacyRule:NPPandindividualaccessright


•  CareNewEnglandresolu5onagreementwith$400kresolu5onamountandcomprehensivecorrec5veac5onplan.HIPAAseMlementillustratestheimportanceofreviewingandupda5ng,asnecessary,businessassociateagreements–September23,2016Covereden5tyWomenandInfantsfailedtoupdateitsbusinessassociateagreementwithCareNewEngland,itscorporateparent,postHIPAAOmnibusFinalRulewhichincludingupdatestobusinessassociaterepor5ngrequirement.“Thiscaseillustratesthevitalimportanceofreviewingandupda5ng,asnecessary,businessassociateagreements,especiallyinlightofrequiredrevisionsundertheOmnibusFinalRule,saidOCRDirectorJocelynSamuels

BAA & Breach Reporting

BreachNoDficaDonRule:reporDngtocoveredenDty


•  $650,000UMassseMlespoten5alHIPAAviola5onsfollowingmalwareinfec5on–November22,2016

•  $2.14millionHIPAAseMlementunderscoresimportanceofmanagingsecurityrisk–October17,2016HIPAAseMlementillustratestheimportanceofreviewingandupda5ng,asnecessary,businessassociateagreements–September23,2016

•  AdvocateHealthCareSeMlesPoten5alHIPAAPenal5esfor$5.55Million-August4,2016

•  Mul5pleallegedHIPAAviola5onsresultin$2.75millionseMlementwithUniversityofMississippiMedicalCenter(UMMC)-July21,2016

•  WidespreadHIPAAvulnerabili5esresultin$2.7millionseMlementwithOregonHealth&ScienceUniversity-July18,2016

•  BusinessAssociate’sFailuretoSafeguardNursingHomeResidents’PHILeadsto$650,000HIPAASeMlement–June29,2016

2016 Enforcement Actions (1)


2016 Enforcement Actions (2)

•  UnauthorizedFilmingfor“NYMed”Resultsin$2.2MillionSeMlementwithNewYorkPresbyterianHospital-April21,2016

•  $750,000seMlementhighlightstheneedforHIPAAbusinessassociateagreements

•  Improperdisclosureofresearchpar5cipants’protectedhealthinforma5onresultsin$3.9millionHIPAAseMlement-March17,2016

•  $1.55millionseMlement

underscorestheimportanceofexecu5ngHIPAAbusinessassociateagreements-March16,2016

•  PhysicaltherapyproviderseMlesviola5onsthatitimpermissiblydisclosedpa5entinforma5on-February16,2016

•  Administra5veLawJudgerulesinfavorofOCRenforcement,requiringLincare,Inc.topay$239,800-February3,2016


SelectedprotocolelementswithassociateddocumentsubmissionrequestsandrelatedQ&As

Slidesfromauditeden5tywebinarheldJuly13,2016

Comprehensiveques5onandanswerlis5ng

Audit Guidance

PostedGuidancefor2016DeskAudits


OCR Website: http://www.hhs.gov/hipaa/for-professionals/compliance-

enforcement/audit/index.html

Protocol Guidance


Protocol Guidance


•  OCRreleasedguidanceclarifyingthataCSPisabusinessassociate–andthereforerequiredtocomplywithapplicableHIPAAregula5ons–whentheCSPcreates,receives,maintainsortransmitsiden5fiablehealthinforma5on(referredtoinHIPAAaselectronicprotectedhealthinforma5onorePHI)onbehalfofacovereden5tyorbusinessassociate.

•  WhenaCSPstoresand/orprocessesePHIforacovereden5tyorbusinessassociate,thatCSPisabusinessassociateunderHIPAA,eveniftheCSPstorestheePHIinencryptedformanddoesnothavethekey.

•  CSPsarenotlikelytobeconsidered“conduits,”becausetheirservicestypicallyinvolvestorageofePHIonmorethanatemporarybasis.

–  hMp://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-compu5ng/index.html–  hMp://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-en5ty-block-or-

terminate-access/index.html

Cloud

CloudCompuDngGuidance


New BA Access FAQ

MayabusinessassociateofaHIPAAcovereden5tyblockorterminateaccessbythecovereden5tytotheprotectedhealthinforma5on(PHI)maintainedbythebusinessassociatefororonbehalfofthecovereden5ty?

No

FAQaddresses

PrivacyRulerequirementsforpermissibleusesanddisclosuresofPHI

SecurityRuleconsidera5onsforensuringePHIconfiden5ality,integrity,&availability

FulfillingPRindividualaccessright

Specialservices&CEresponsibili5es


Cybersecurity Newsletters

•  February2,2016(Ransomware,“TechSupport”Scam,NewBBBScamTracker)

•  March3,2016(TipsforkeepingPHIsafe,NSA’slessonslearned,MalwareandMedicalDevices)

•  March30,2016(NewCyberThreatsandAMacksontheHealthcareSector)

•  May3,2016(IsYourBusinessAssociatePreparedforaSecurityIncident)

•  June2016(What’sinYourThird-PartyApplica5onSogware)

•  September2016(CyberThreatInforma5onSharing)

•  October2016(MiningMorethanGold(FTP))hMp://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html


•  OCRprovidedguidanceonindividuals’accesstotheirprotectedhealthinforma5onunderthePrivacyRule:hMp://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

•  Scope•  FormandFormatandMannerofAccess•  Timeliness•  Fees•  Direc5ngCopytoaThirdParty,andCertainOtherTopics

Access Guidance

PrivacyRuleAccessGuidance


•  OCRlaunchedplayormformobilehealthdevelopersinOctober2015;purposeistounderstandconcernsofdevelopersnewtohealthcareindustryandHIPAAstandards

•  Userscansubmitques5ons,commentonothersubmissions,voteonrelevancyoftopic

•  OCRwillconsidercommentsaswedevelopourpriori5esforaddi5onalguidanceandtechnicalassistance–  GuidanceissuedinFebruary2016abouthowHIPAAmightapplytoarange

ofhealthappusescenarios–  FTC/ONC/OCR/FDAMobileHealthAppsInterac5veToolonWhichLaws

ApplyissuedinApril2016

HITDeveloperPortalhSp://hipaaQsportal.hhs.gov

33

Platform for users to influence guidance /

Privacy & Security Forum HIMSS

•  OCRreleasedguidanceclarifyingthataCSPisabusinessassociate–andthereforerequiredtocomplywithapplicableHIPAAregula5ons–whentheCSPcreates,receives,maintainsortransmitsiden5fiablehealthinforma5on(referredtoinHIPAAaselectronicprotectedhealthinforma5onorePHI)onbehalfofacovereden5tyorbusinessassociate.

•  WhenaCSPstoresand/orprocessesePHIforacovereden5tyorbusinessassociate,thatCSPisabusinessassociateunderHIPAA,eveniftheCSPstorestheePHIinencryptedformanddoesnothavethekey.

•  CSPsarenotlikelytobeconsidered“conduits,”becausetheirservicestypicallyinvolvestorageofePHIonmorethanatemporarybasis.–  hMp://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-compu5ng/

index.html–  hMp://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-

of-a-hipaa-covered-en5ty-block-or-terminate-access/index.html

Cloud Guidance

CloudCompuDngGuidance


•  http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html

•  http://scap.nist.gov/hipaa/

•  http://www.healthit.gov/providers-professionals/security-risk-assessment

Risk Analysis Guidance


Documents

HIPAA Privacy, Security & Breach No5ﬁcaon Rule Compliance · 23/09/2016 · agreement with Care New England, its corporate parent, post HIPAA Omnibus Final Rule which including