OCR Enforcement Update: Under 500 Breach Investigations and Inner Workings of an OCR Settlement
Lisa Acevedo - Shareholder, Polsinelli PC
Rebecca Romine - Shareholder, Polsinelli PC
Katie Kenney - Attorney, Polsinelli PC
Abby Bonjean - Attorney, Polsinelli PC
Agenda
Current HIPAA Enforcement Landscape
OCR’s Under 500 Breach Initiative
The Anatomy of an OCR Investigation and Settlement
Quick Tips and Lessons Learned in the Settlement Process
Current Government Enforcement Landscape
Enforcement continues to increase
– In 2017 to date, OCR has settled 2 cases and imposed a civil monetary penalty in 1 case, with amounts ranging from $475,000 to $3.2 million
– In 2016, OCR settled 12 cases and imposed a civil monetary penalty in 1 case, with amounts ranging from $25,000 to $5.55 million
Recent Settlement/Enforcement Actions
Children’s Medical Center of Dallas – February 2017
– Only the third case ever resolved by civil monetary penalty – $3.2 million
– Children’s had submitted two breach reports: a lost unencrypted, non-password-protected mobile device and a stolen unencrypted laptop
– OCR noted that Children’s had known of the risk of storing unencrypted ePHI on its devices as far back as 2007 but never implemented a meaningful risk management plan
MAPFRE Life Insurance Company – January 2017
– Agreed to settle with OCR for $2.2 million
– Involved multiple HIPAA violations that OCR uncovered while investigating a breach involving a stolen USB drive
– OCR noted that during the investigation MAPFRE failed to implement, or delayed implementing, the corrective action it had told OCR it would take
Presence Health – January 2017
– First settlement involving untimely breach notification – $475,000
– Involved missing paper-based operating room schedules that contained the PHI of 836 individuals
– Presence failed to notify the affected individuals, the media, and OCR within the required timeframes
– OCR also noted that Presence had failed to timely notify individuals in connection with several breach reports involving fewer than 500 individuals submitted during 2015 and 2016
University of Massachusetts Amherst – November 2016
– Agreed to settle with OCR for $650,000
– Involved malware that infiltrated a UMass system that was not protected by a firewall
– OCR found that UMass had not conducted an accurate and thorough risk analysis until September 2015 and had not complied with the transmission security standard
– OCR also noted that UMass, as a hybrid entity, had failed to properly designate all of its health care components
Care New England – September 2016
– Agreed to settle with OCR for $400,000 on behalf of the covered entities under its common ownership or control
– Stemmed from a breach report filed by Women & Infants Hospital of Rhode Island (WIH) involving the loss of unencrypted backup tapes
– WIH had not entered into a business associate agreement (BAA) with CNE before disclosing PHI to it
Under 500 Breach Investigations
OCR is pushing to investigate more breaches affecting fewer than 500 individuals
Factors OCR will consider when selecting cases:
– Number of individuals affected
– Amount and type of PHI involved
– Cause of breach
– Whether the entity has filed numerous reports involving the same underlying issue
Sweat the Small Stuff
OCR is following through on investigations of breaches affecting fewer than 500 individuals
Annual reporting is approaching (the log of under-500 breaches is due within 60 days after the end of the calendar year) – document each under-500 breach as thoroughly as you would a breach affecting 500 or more individuals
Compliance history matters – see the Presence case
Use small incidents as an opportunity to train the workforce
Status of HIPAA Audit Program
Phase 2 Audits:
– 167 covered entity desk audits well underway
– Business associate desk audits started Fall 2016
– Desk audit scope limited to seven areas of the Security, Privacy, and Breach Notification Rule protocols
– Covered entities were audited on either the Security Rule or the Privacy Rule together with the Breach Notification Rule
– Business associates were audited on the Security Rule and the Breach Notification Rule
– On-site audit update
Recent OCR Guidance
Cloud guidance
Guidance on disclosures to friends and family
Ransomware guidance
Cyber Awareness Newsletter series
Fact sheet on permitted disclosures for public health
Overview of Investigative Process
Notification and data request
Covered entity/business associate response
– 45 C.F.R. § 160.310 outlines the obligations to cooperate and provide records
On-site investigation
Case resolution
– No violation or voluntary compliance
– Resolution Agreement (RA) and Corrective Action Plan (CAP)
– Civil Monetary Penalty (CMP)
Information OCR Requests
Name and contact information of individual designated to work with OCR
Position statement
Business Associate Agreement (if applicable)
Policies and procedures
Evidence of workforce training
– Training materials
– Workforce attendance
Evidence of sanctions (if applicable)
Security rule cases
– Risk analysis (be prepared to go back 6 years; HIPAA requires required documentation to be retained for six years)
– Risk management plan
• Evidence of implemented security measures
– Security incident report
Breach cases
– Notices to individuals and media
– Evidence of corrective action
Preparing the Response
Do not leave room for OCR to follow up with questions; anticipate its questions in advance
Be transparent: if you revised a policy after a breach, produce both versions
Review the corrective action plans OCR has published; ask yourself what OCR could require of you in a CAP and do it voluntarily now
Bridge the gap with IT – if you don’t understand your documentation, an investigator won’t either
Signs Formal Settlement May Be Near
Varies region to region but key indicators may include:
– Request to provide financial information about your organization
– On-site visit/interviews
– Interviewing former employees (if applicable)
Keep in mind: the passage of time or slow movement does not necessarily mean your case will close without further action
Settlement Process – Key Questions to Examine
Covered Conduct: is the timeframe accurate? Do you have evidence of compliance before the start date listed in the Resolution Agreement?
How did OCR calculate the settlement amount?
How long does the corrective action plan run? Can the timeframe be negotiated?
Is a monitor required?
Are there terms in corrective action plan that do not tie back to covered conduct?
Negotiating a Settlement
Review the resolution agreements and corrective action plans on the OCR website; understand where other entities may have negotiated terms back
Be cooperative; each enforcement agency is different, so understand OCR’s big-picture goal and proceed accordingly
Demonstrate how your organization has invested in its privacy and security program since the triggering event
Be realistic: know your weaknesses and emphasize your strengths (e.g., a lost unencrypted laptop, but everything encrypted within a year in response to the incident)
Quick Tips and Lessons Learned
Setting the tone
– Collaboration is key
Additional documentation
– Don’t be afraid to submit it
In-person meeting
– Personalizing the process
Corrective action plan considerations
– Carefully review the corrective action plan; be mindful of what is feasible for your organization
– Take advantage of time with OCR to ensure you understand where you went wrong so you can get it right
– When assessing enterprise risks and potential costs, factor the cost of a corrective action plan into the equation
Key Tips for Avoiding Settlement Stage
Encrypt! PHI encrypted consistent with HHS guidance is "secured," so its loss or theft is not a reportable breach (the safe harbor does not apply if the decryption key was also compromised)
Take each incident, small or large, seriously and document the corrective action taken
Conduct a risk analysis and mitigate the identified risks on an ongoing basis
Proactively prepare
– Cyber attacks
– Breach response
Questions?
Feel free to contact us for more information:
– Lisa Acevedo: [email protected]
– Rebecca Frigy Romine: [email protected]
– Katie Kenney: [email protected]
– Abby Bonjean: [email protected]
Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2017 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC