© Foulston Siefkin 2017
Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More
Brooke Bennett Aziere, October 18, 2017
Health Law Institute
Agenda
  - Enforcement Trends
  - Phase 2 HIPAA Audits Update
  - Upcoming Initiatives
Enforcement
  - 2016: record year for Resolution Agreements and Civil Monetary Penalties
      - 13 actions
      - Nearly $25M in penalties
  - So far in 2017
      - 8 actions
      - Over $17M in penalties
Enforcement Trends: Timely Notification of Breach
  - Presence Health Network (January 9, 2017)
      - Paper surgery scheduling sheets
      - Loss occurred in 2013
      - 836 patients
      - 45 days late in notifying patients
      - $475,000 settlement
      - Corrective Action Plan
Enforcement Trends: Loss of Portable Devices
  - Children's Medical Center of Dallas (February 1, 2017)
      - A series of lost BlackBerry devices and laptops, dating from before the Breach Notification Rule through April 2013
      - $3.2M penalty (no voluntary settlement)
      - Aware of the risks: Security Gap Analysis (2006/2007), PricewaterhouseCoopers (2008)
      - But took no action and issued unencrypted portable devices to staff
Enforcement Trends: OCR requires CEs to act on identified risks
  - Children's Medical Center of Dallas
  - University of Mississippi Medical Center (discussed at 2016 Health Law Institute)
  - Oregon Health and Science University (discussed at 2016 Health Law Institute)
Enforcement Trends: Loss of Portable Devices
  - CardioNet (April 24, 2017)
      - First case involving a wireless healthcare provider
      - Stolen laptop
      - $2.5M settlement
      - Corrective Action Plan
Enforcement Trends: Lack of Security Risk Analysis
  - Metro Community Provider Network (April 12, 2017)
      - Federally-qualified health center (FQHC)
      - Hacker and phishing emails
      - 3,200 individuals
      - No risk analysis completed until after the incident
      - $400,000 settlement
      - Corrective Action Plan
Enforcement Trends: Access and Audit Controls
  - Memorial Healthcare System (February 16, 2017)
      - Former employee's access not terminated
      - Accessed daily without detection for 1 year
      - 80,000 patients impacted
      - $5.5M settlement
      - Corrective Action Plan
Enforcement Trends: Impermissible Disclosures
  - Memorial Hermann Health System (May 10, 2017)
      - Patient presented allegedly fraudulent identification card to staff
      - Reported to law enforcement -- PERMITTED
      - Issued press release
      - $2.5M settlement
      - Corrective Action Plan
Enforcement Trends: Impermissible Disclosures
  - St. Luke's-Roosevelt Hospital (May 23, 2017)
      - Sensitive information faxed to employer: HIV status, sexually transmitted diseases, sexual orientation, mental health
      - $387,000 settlement
      - Corrective Action Plan
Enforcement Trends: Business Associate Agreements
  - Continuing enforcement issue
      - Raleigh Orthopedic Clinic (discussed at 2016 Health Law Institute)
      - Care New England Health System (discussed at 2016 Health Law Institute)
  - OCR's message: have them, update them
Enforcement Trends: Business Associate Agreements
  - Centers for Children's Digestive Health (April 20, 2017)
      - Lack of BAA; BA stored patient records
      - $31,000 settlement
      - Corrective Action Plan
Additional Trends*: Lack of Transmission Security
  - "When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate. See 45 C.F.R. §164.312(e)(2)(ii)."
  - Applications for which encryption should be considered:
      - Email
      - Texting
      - File transmission (e.g., ftp)
      - Remote backups
      - Remote access and support sessions (e.g., VPN)

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)
Additional Trends*: Lack of Auditing
  - "The HIPAA Rules require the '[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.' See 45 C.F.R. §164.312(b)."
  - Regular review of information systems activity is required
  - Activities which could require additional investigation:
      - Access to ePHI during non-business hours or during PTO
      - Access to an abnormally high number of records containing ePHI
      - Access to ePHI of high-profile individuals
      - Access to PHI of employees

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)
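The activity review OCR describes above can be automated as a first pass over access-log records. The following is an added example (not part of the presentation or any OCR tooling) that flags three of the listed indicators (off-hours access, abnormally high daily record counts, access to employees' PHI) plus access by users whose employment has ended, the gap behind the Memorial Healthcare System case described earlier. The log format, thresholds, user names and patient identifiers are all constructed for illustration; PTO and high-profile checks would follow the same lookup pattern as the employee-record check.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real data): (timestamp, user, patient_id).
# Each tuple records one access to a record containing ePHI.
SAMPLE_EVENTS = [
    ("2017-03-01 09:15", "jdoe", "P100"),
    ("2017-03-01 02:40", "jdoe", "P101"),    # outside business hours
    ("2017-03-01 10:00", "asmith", "P200"),
    ("2017-03-01 10:01", "asmith", "P201"),
    ("2017-03-01 10:02", "asmith", "P202"),
    ("2017-03-01 10:03", "asmith", "P203"),
    ("2017-03-01 10:04", "asmith", "P204"),  # 5 records in one day: over threshold
    ("2017-03-01 11:30", "bjones", "P300"),  # bjones is on the terminated list
    ("2017-03-01 14:00", "cwong", "P400"),   # P400 is a current employee's record
]

# Hypothetical reference data; in practice pulled from HR and the patient index.
TERMINATED_USERS = {"bjones"}
EMPLOYEE_PATIENT_IDS = {"P400"}


def review_access_log(events, business_hours=(7, 19), daily_volume_threshold=4,
                      terminated=TERMINATED_USERS, employee_ids=EMPLOYEE_PATIENT_IDS):
    """Return a sorted list of (reason, user, detail) findings for follow-up.

    business_hours is a half-open [start, end) range of hours; any access whose
    hour falls outside it is flagged. Volume is counted per user per calendar day.
    """
    findings = set()
    per_user_day = Counter()
    for ts, user, patient in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        per_user_day[(user, when.date())] += 1
        if not (business_hours[0] <= when.hour < business_hours[1]):
            findings.add(("off_hours_access", user, patient))
        if user in terminated:
            findings.add(("terminated_user_access", user, patient))
        if patient in employee_ids:
            findings.add(("employee_phi_access", user, patient))
    for (user, day), count in per_user_day.items():
        if count > daily_volume_threshold:
            findings.add(("high_volume_access", user, f"{count} records on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for reason, user, detail in review_access_log(SAMPLE_EVENTS):
        print(f"{reason:24} {user:8} {detail}")
```

Each finding is a lead for a documented review, not a conclusion; the thresholds should be set from the organisation's own baseline and recorded alongside the review so the examination of activity can be shown to an auditor.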
Additional Trends*: Insufficient Backup/Contingency Planning
  - "Organizations must ensure that adequate contingency planning (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R. § 164.308(a)(7)."
      - Periodic testing
      - Revisions to address deficiencies
  - Important note from OCR on use of cloud vendors: they may aid with contingency planning, "but may not encompass all that is required for an effective contingency plan"

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)
Phase 2 HIPAA Audit Program Update
  - Selected covered entities received notification in July 2016 by email
      - Desk audits complete
  - Identification of business associates
      - Selection pool drawn from over 20,000 entities identified by covered entities
      - Desk audits underway
  - On-site audits of both covered entities and business associates after completion of desk audits
      - Evaluate against a comprehensive selection of controls in protocols
Phase 2 HIPAA Audit Program Update
  - Covered Entity Audits (166 total)
      - By type: Providers 90%; Health Plans 8.7%; Health Care Clearinghouses 1%
      - By region, Midwest (includes Kansas and Missouri): Covered Entities (38), Business Associates (15)
      - By rule: Privacy and Breach (103); Security (63)
  - Business Associate Audits (41 total): Breach and Security
Phase 2 HIPAA Audit Program Update
  - Three-step process:
      - Draft findings
      - Issuance of final audit reports
      - Compliance reviews, BUT OCR has represented that the Audit Program is not intended to be a "gotcha program" or "punitive program"
Phase 2 HIPAA Audit Program Update
  - OCR's Linda Sanchez represented at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, that the program's goals are to:
      - "Support Improved Compliance"
      - "Identify best practices"
      - "Uncover risks & vulnerabilities"
      - "Detect areas for technical assistance"
      - "Encourage consistent attention to compliance"
Phase 2 HIPAA Audit Program Update
  - So what did OCR review?
      - Covered Entity Desk Audit Controls

Source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, Presenter Linda Sanchez, Updates on Audits of Entity Compliance with the HIPAA Rules
Phase 2 HIPAA Audit Program Update: Privacy Rule Controls
  - Notice of Privacy Practices
      - Copies of all NPPs
      - URL of NPP posted on website
      - Electronic notice policy and procedures
  - Right to Access
      - Access requests
      - Extensions
      - Access forms
      - Access policies and procedures
Phase 2 HIPAA Audit Program Update: Breach Notification Rule Controls
  - Timeliness of notifications
  - Content of notifications
      - Form letters
Phase 2 HIPAA Audit Program Update: Security Rule Controls
  - Risk Analysis
      - Current and prior RAs
      - Documentation for previous year demonstrating implementation of RA process
      - Availability to individuals responsible for process
      - Periodic review and updating
      - Policies/procedures going back 6 years related to implementation of RA
Phase 2 HIPAA Audit Program Update: Security Rule Controls
  - Risk Management
      - Documentation supporting implementation of security measures to reduce risks identified in RA
      - Documentation for previous year showing efforts to manage risks
      - Policies/procedures going back 6 years related to implementation of risk management
      - Documentation that current and ongoing risks are reviewed and updated
      - Documentation for previous year demonstrating implementation of risk management process
      - Availability to individuals responsible for process
      - Periodic review and updating
Phase 2 HIPAA Audit Program Update

Source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, Presenter Linda Sanchez, Updates on Audits of Entity Compliance with the HIPAA Rules
Phase 2 HIPAA Audit Program Update

Source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, Presenter Linda Sanchez, Updates on Audits of Entity Compliance with the HIPAA Rules
Phase 2 HIPAA Audit Program Update: Takeaways
  - Breach
      - Timeliness of notification: most notifications were timely
          - 65% of covered entities received a 1 rating
          - 11% did not (no date on letter)
      - Content
          - Only 14% received a 1 rating
          - 67% received a 3, 4, or 5 rating
          - Not adequately describing: specific types of PHI breached; mitigation
Phase 2 HIPAA Audit Program Update: Takeaways
  - Privacy
      - Access: "HUGE PROBLEM"
          - Only 11/103 covered entities received a 1 or 2 rating
          - Over half had a 4 or 5 rating
          - Communicating access rights to individuals
          - Using authorization forms versus access forms
      - Content
          - 48% received a 1 or 2 rating
          - Notification of right to direct information to third party
      - eNotice
          - 57% received a 1 rating
          - 21% received a 4 or 5 rating
          - Difficult to find
Phase 2 HIPAA Audit Program Update: Takeaways
  - Security
      - Risk Analysis: NO 1 ratings; "Lot of room for improvement"
          - Not conducting RA
          - Not documenting RA
          - Not clear RA conducted regularly
          - Listing of risks but no ratings
          - Incomplete forms
          - Not identifying all information systems where ePHI is located
      - Risk Management: majority received a 4 or 5 rating; "Lot of room for growth here"
          - No documentation of action on results of RA
          - No documentation that risk management is addressed regularly
Phase 2 HIPAA Audit Program Update: Preliminary Findings
  - Notice of Privacy Practices
  - Right to Access

OCR Audit Protocol: 180 HIPAA Requirements & Questions
  - 89 privacy requirements
  - 72 security requirements
  - 19 breach notification requirements

Audit Protocol - Updated April 2016, HHS, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Upcoming Initiatives: Accounting of Disclosures
  - 2011 Notice of Proposed Rulemaking (NPRM) implementing accounting of disclosures provisions in the 2009 HITECH Act
      - Access reports
  - In July 2017, OCR Deputy Director for Health Information Privacy Deven McGraw announced OCR is starting over from scratch

Upcoming Initiatives: Texting
  - Guidance in the works
  - For now, OCR refers providers to the Access Guidance
Upcoming Initiatives: More on Cybersecurity
  - https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
      - Cybersecurity checklists
      - Newsletters