Page 1

© Foulston Siefkin 2017

Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More

Brooke Bennett Aziere
October 18, 2017

Health Law Institute

Agenda
- Enforcement Trends
- Phase 2 HIPAA Audits Update
- Upcoming Initiatives

Page 2

Enforcement
- 2016: record year for Resolution Agreements and Civil Monetary Penalties
  - 13 actions
  - Nearly $25M in penalties
- So far in 2017
  - 8 actions
  - Over $17M in penalties

Enforcement Trends: Timely Notification of Breach
- Presence Health Network (January 9, 2017)
  - Paper surgery scheduling sheets
  - Loss occurred in 2013
  - 836 patients
  - 45 days late in notifying patients
  - $475,000 settlement
  - Corrective Action Plan

Page 3

Enforcement Trends: Loss of Portable Devices
- Children’s Medical Center of Dallas (February 1, 2017)
  - A series of lost BlackBerry devices and laptops, from before the Breach Notification Rule through April 2013
  - $3.2M penalty (no voluntary settlement)
  - Aware of the risks:
    - Security Gap Analysis (2006/2007)
    - PricewaterhouseCoopers (2008)
  - But took no action and issued unencrypted portable devices to staff

Enforcement Trends: OCR requires CEs to act on identified risks
- Children’s Medical Center of Dallas
- University of Mississippi Medical Center (discussed at 2016 Health Law Institute)
- Oregon Health and Science University (discussed at 2016 Health Law Institute)

Page 4

Enforcement Trends: Loss of Portable Devices
- CardioNet (April 24, 2017)
  - First case involving a wireless healthcare provider
  - Stolen laptop
  - $2.5M settlement
  - Corrective Action Plan

Enforcement Trends: Lack of Security Risk Analysis
- Metro Community Provider Network (April 12, 2017)
  - Federally-qualified health center (FQHC)
  - Hacker and phishing emails
  - 3,200 individuals
  - No risk analysis completed until after the incident
  - $400,000 settlement
  - Corrective Action Plan

Page 5

Enforcement Trends: Access and Audit Controls
- Memorial Healthcare System (February 16, 2017)
  - Former employee access not terminated
  - Accessed daily without detection for 1 year
  - 80,000 patients impacted
  - $5.5M settlement
  - Corrective Action Plan

Enforcement Trends: Impermissible Disclosures
- Memorial Hermann Health System (May 10, 2017)
  - Patient presented allegedly fraudulent identification card to staff
  - Reported to law enforcement -- PERMITTED
  - Issued press release
  - $2.5M settlement
  - Corrective Action Plan

Page 6

Enforcement Trends: Impermissible Disclosures
- St. Luke’s-Roosevelt Hospital (May 23, 2017)
  - Sensitive information faxed to employer:
    - HIV status
    - Sexually transmitted diseases
    - Sexual orientation
    - Mental health
  - $387,000 settlement
  - Corrective Action Plan

Enforcement Trends: Business Associate Agreements
- Continuing enforcement issue
  - Raleigh Orthopedic Clinic (discussed at 2016 Health Law Institute)
  - Care New England Health System (discussed at 2016 Health Law Institute)
- OCR’s message: have them; update them

Page 7

Enforcement Trends: Centers for Children’s Digestive Health (April 20, 2017)
- Lack of BAA
- BA stored patient records
- $31,000 settlement
- Corrective Action Plan

Additional Trends*: Lack of transmission security
- “When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate. See 45 C.F.R. §164.312(e)(2)(ii).”
- Applications for which encryption should be considered:
  - Email
  - Texting
  - File transmission (e.g., ftp)
  - Remote backups
  - Remote access and support sessions (e.g., VPN)

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)

Page 8

Additional Trends*: Lack of Auditing
- “The HIPAA Rules require the ‘[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.’ See 45 C.F.R. §164.312(b).”
- Regular review of information systems activity is required
- Activities which could require additional investigation:
  - Access to ePHI during non-business hours or during PTO
  - Access to an abnormally high number of records containing ePHI
  - Access to ePHI of high-profile individuals
  - Access to PHI of employees

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)
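The four review patterns on this slide, plus the earlier Memorial Healthcare System lesson (a former employee's account used daily for a year without detection), as an added Python example that is not part of the presentation: it runs a constructed ePHI access log against reference data a reviewer would maintain (business hours, PTO calendar, high-profile and employee patient lists, terminated accounts, a daily chart limit), all of which are assumed values for the demo.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample ePHI access log (not real data): timestamp,user,patient_id
SAMPLE_LOG = """\
2017-09-11T09:05:00,nurse1,P1001
2017-09-11T23:40:00,nurse1,P1002
2017-09-12T11:00:00,clerk7,P2001
2017-09-12T11:01:00,clerk7,P3009
2017-09-13T11:00:00,exstaff,P1003
2017-09-13T14:30:00,billing2,P1004
"""
# Constructed burst: clerk7 opens 20 different charts within 20 minutes.
SAMPLE_LOG += "".join(f"2017-09-12T10:{m:02d}:00,clerk7,P5{m:03d}\n" for m in range(20))

# Reference data the reviewer maintains; every value here is assumed for the demo.
BUSINESS_HOURS = (7, 19)                  # 07:00-19:00 local time, weekdays only
PTO = {"billing2": {date(2017, 9, 13)}}   # days each user was on leave
VIP_PATIENTS = {"P3009"}                  # high-profile individuals
EMPLOYEE_PATIENTS = {"P2001"}             # staff members who are also patients
TERMINATED_USERS = {"exstaff"}            # accounts that should already be disabled
DAILY_RECORD_LIMIT = 15                   # distinct charts per user per day before review

def parse_log(text):
    """Parse 'timestamp,user,patient_id' lines into (datetime, user, patient) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, patient = line.split(",")
            events.append((datetime.fromisoformat(ts), user, patient))
    return events

def review_activity(events):
    """Return (user, rule, detail) flags for the review patterns OCR listed."""
    flags = []
    charts_per_user_day = defaultdict(set)   # distinct charts touched per user per day
    for t, user, patient in events:
        charts_per_user_day[(user, t.date())].add(patient)
        checks = [
            (t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]), "non-business-hours", t.isoformat()),
            (t.date() in PTO.get(user, ()), "access-during-pto", str(t.date())),
            (patient in VIP_PATIENTS, "high-profile-patient", patient),
            (patient in EMPLOYEE_PATIENTS, "employee-phi", patient),
            (user in TERMINATED_USERS, "terminated-account", patient),
        ]
        flags += [(user, rule, detail) for hit, rule, detail in checks if hit]
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) > DAILY_RECORD_LIMIT:   # abnormally high number of records
            flags.append((user, "high-volume", f"{len(charts)} charts on {day}"))
    return flags
```

Call `review_activity(parse_log(SAMPLE_LOG))` to get the flag list; in practice the thresholds and lists would come from HR and the access-management system rather than constants.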

Additional Trends*: Insufficient Backup/Contingency Planning
- “Organizations must ensure that adequate contingency planning (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R. § 164.308(a)(7).”
  - Periodic testing
  - Revisions to address deficiencies
- Important note from OCR on use of cloud vendors: they may aid with contingency planning, “but may not encompass all that is required for an effective contingency plan”

*Identified by OCR at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security - 2017, Washington, D.C. (September 5 and 6, 2017)

Page 9

Phase 2 HIPAA Audit Program Update
- Selected covered entities received notification in July 2016 by email
  - Desk audits complete
- Identification of business associates
  - Selection pool drawn from over 20,000 entities identified by covered entities
  - Desk audits underway
- On-site audits of both covered entities and business associates after completion of desk audits
  - Evaluate against a comprehensive selection of controls in protocols

Phase 2 HIPAA Audit Program Update
- Covered Entity Audits (166 total)
  - By type: Providers 90%; Health Plans 8.7%; Health Care Clearinghouses 1%
  - By region, Midwest (includes Kansas and Missouri): Covered Entities (38); Business Associates (15)
  - Privacy and Breach (103); Security (63)
- Business Associate Audits (41 total)
  - Breach and Security

Page 10

Phase 2 HIPAA Audit Program Update
- Three-step process:
  - Draft findings
  - Issuance of final audit reports
  - Compliance reviews, BUT OCR has represented that the Audit Program is not intended to be a “gotcha program” or “punitive program”

Phase 2 HIPAA Audit Program Update
- OCR’s Linda Sanchez represented at the recent OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security – 2017:
  - “Support Improved Compliance”
  - “Identify best practices”
  - “Uncover risks & vulnerabilities”
  - “Detect areas for technical assistance”
  - “Encourage consistent attention to compliance”

Page 11

Phase 2 HIPAA Audit Program Update
- So what did OCR review?
- Covered Entity Desk Audit Controls

Source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, Presenter Linda Sanchez, Updates on Audits of Entity Compliance with the HIPAA Rules

Phase 2 HIPAA Audit Program Update: Privacy Rule Controls
- Notice of Privacy Practices
  - Copies of all NPPs
  - URL of NPP posted on website
  - Electronic notice policy and procedures
- Right to Access
  - Access requests
  - Extensions
  - Access forms
  - Access policies and procedures

Page 12

Phase 2 HIPAA Audit Program Update: Breach Notification Rule Controls
- Timeliness of notifications
- Content of notifications
  - Form letters

Phase 2 HIPAA Audit Program Update: Security Rule Controls
- Risk Analysis
  - Current and prior RAs
  - Documentation for previous year demonstrating implementation of RA process
  - Availability to individuals responsible for process
  - Periodic review and updating
  - Policies/procedures going back 6 years related to implementation of RA

Page 13

Phase 2 HIPAA Audit Program Update: Security Rule Controls
- Risk Management
  - Documentation supporting implementation of security measures to reduce risks identified in RA
  - Documentation for previous year showing efforts to manage risks
  - Policies/procedures going back 6 years related to implementation of risk management
  - Documentation that current and ongoing risks are reviewed and updated
  - Documentation for previous year demonstrating implementation of risk management process
  - Availability to individuals responsible for process
  - Periodic review and updating

Phase 2 HIPAA Audit Program Update

Source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, Presenter Linda Sanchez, Updates on Audits of Entity Compliance with the HIPAA Rules

Page 14

Phase 2 HIPAA Audit Program Update

Source: HHS Office for Civil Rights, 10th Annual HIPAA Security Conference, Washington, D.C., September 6, 2017, Presenter Linda Sanchez, Updates on Audits of Entity Compliance with the HIPAA Rules

Phase 2 HIPAA Audit Program Update: Takeaways
- Breach
  - Timeliness of notification
    - Most notifications were timely
    - 65% of covered entities received a 1 rating
    - 11% did not
      - No date on letter
  - Content
    - Only 14% received a 1 rating
    - 67% received a 3, 4, or 5 rating
    - Not adequately describing:
      - Specific types of PHI breached
      - Mitigation

Page 15

Phase 2 HIPAA Audit Program Update: Takeaways
- Privacy
  - Access: “HUGE PROBLEM”
    - Only 11/103 covered entities received a 1 or 2 rating
    - Over half had a 4 or 5 rating
    - Communicating access rights to individuals
    - Using authorization forms versus access forms
  - Content
    - 48% received a 1 or 2 rating
    - Notification of right to direct information to third party
  - eNotice
    - 57% received a 1 rating
    - 21% received a 4 or 5 rating
    - Difficult to find

Phase 2 HIPAA Audit Program Update: Security
- Risk Analysis: NO 1 ratings; “Lot of room for improvement”
  - Not conducting RA
  - Not documenting RA
  - Not clear it was conducted regularly
  - Listing of risks but no ratings
  - Incomplete forms
  - Not identifying all information systems where ePHI is located
- Risk Management: majority received a 4 or 5 rating; “Lot of room for growth here”
  - No documentation of action on results of RA
  - No documentation that risk management was addressed regularly

Page 16

Phase 2 HIPAA Audit Program Update: Preliminary Findings
- Notice of Privacy Practices
- Right to Access

OCR Audit Protocol
- 180 HIPAA requirements & questions
  - 89 privacy requirements
  - 72 security requirements
  - 19 breach notification requirements

Audit Protocol – Updated April 2016, HHS, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

Page 17

Upcoming Initiatives: Accounting of Disclosures
- 2011 Notice of Proposed Rulemaking (NPRM) implementing the accounting of disclosures provisions in the 2009 HITECH Act
  - Access reports
- In July 2017, OCR Deputy Director for Health Information Privacy Deven McGraw announced OCR is starting over from scratch
- Texting
  - Guidance in the works
  - For now, OCR refers providers to the Access Guidance

Upcoming Initiatives: More on cybersecurity
- https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
  - Cybersecurity checklists
  - Newsletters
