Post on 24-Jul-2020


Page 1: HIPAA Enforcement Update: Learning From …Renee H. Martin, JD, RN, MSN Dilworth Paxson, LLP 1500 Market Street, Suite 3500 Philadelphia, PA 19102 Tel: (215) 575-7313 Fax: (215) 575-7200

Renee H. Martin, JD, RN, MSN

Dilworth Paxson, LLP

1500 Market Street, Suite 3500

Philadelphia, PA 19102

Tel: (215) 575-7313 Fax: (215) 575-7200

E-mail: [email protected]

HIPAA Enforcement Update: Learning From Mistakes of Others to Improve Your Compliance

2017 Annual Conference

1

Page 2:

2016: A very good year for data breaches

• The Identity Theft Resource Center survey showed that, across the USA, a record high of 1,093 data breaches occurred, 377 of them in the health care industry.

• For the 8th consecutive year, hacking, skimming and phishing attacks were the leading causes of data breaches, accounting for more than 50% in health care.

• With the increase in breaches came a new record amount of fines paid by CEs (covered entities) and BAs (business associates) for breaches of unsecured PHI.

• OCR entered into 13 settlements with CEs and BAs, more than twice the number of settlements in 2015.

2

Page 3:

Details of breaches not often published

• HIPAA complaint investigations: OCR determines whether a CE or BA has violated the Privacy or Security Rule. If there are findings that the CE or BA committed a significant violation, that a large number of individuals were affected, or if OCR wants to send a message to other CEs or BAs, OCR will issue a press release, close the investigation, and post the closure letter on the OCR website.

• ProPublica created an “app,” its HIPAA Helper tool, that allows identification of repeat offenders.

• The largest offenders are the Dept. of Veterans Affairs and CVS Health. Offenses keep occurring despite technical assistance provided by OCR.

• Top 5 complaints in 2014: impermissible uses and disclosures of PHI; lack of safeguards of PHI; lack of patient access to their PHI; use or disclosure of more than the minimum necessary PHI; lack of administrative safeguards of electronic protected health information.

3

Page 4:

Complaints Received and Cases Resolved

• Over 150,507 complaints received to date

• Over 24,879 cases resolved with corrective action and/or technical assistance

• Expect to receive 17,000 complaints this year

4

Page 5:

The OCR Enforcement Process

• Right to file a complaint. A person who believes a covered entity or business associate is not complying may file a complaint with the Secretary.

- Disgruntled Employees

- Patients

• Investigation. The Secretary will investigate any complaint filed when a preliminary review indicates possible violation due to willful neglect.

• Compliance Reviews. The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying when a preliminary review of the facts indicates a possible violation due to willful neglect or in any other circumstance.

• Audit Program (discussed later)

• Today’s breach report could lead to tomorrow’s OCR Compliance Review

5

Page 6:

Complaint Process

https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html

6

Page 7:

Enforcement Guidance: How OCR Closes Cases

• https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html

• Cases that OCR closes fall into five categories:

- Resolved after intake & review (no investigation)

- Technical Assistance (no investigation)

- No Violation (investigated)

- Corrective Action Obtained (investigated; includes Resolution Agreements)

• OCR may decide not to investigate a case further if:

- The case is referred to the Department of Justice for prosecution,

- The case involved a natural disaster,

- The case was pursued, prosecuted, and resolved by state authorities, or

- The covered entity or business associate has taken steps to comply with the HIPAA Rules and OCR determines enforcement resources are better/more effectively deployed in other cases.

7

Page 8:

Enforcement Process (continued)

• If the evidence indicates that the Covered Entity was not in compliance, OCR will attempt to resolve the case by obtaining:

- Voluntary compliance;

- Corrective action; and/or

- Resolution Agreement.

• Civil Money Penalties are also possible – always accompany a Resolution Agreement

• Possible referral of criminal violations to the Department of Justice.

• Pennsylvania enforcement results for compliance reviews as of December 31, 2016:

- 12% (No Violation)

- 67% (Resolved after Intake and Review)

- 21% (Corrective Action)

8

Page 9:

Enforcement by State Attorneys General

• OCR developed HIPAA enforcement training in 2011 to help State Attorneys General use their new authority under the HITECH Act to enforce the HIPAA Privacy and Security Rules. Videos and slides are available on the OCR website.

- 8 modules, including Module 6: "Investigating and Prosecuting HIPAA Violations."

- Includes examples of how OCR could impose civil money penalties for a given fact pattern

• State AGs have not made extensive use of their new enforcement power to date.

• No Pennsylvania AG enforcement actions to date.

9

Page 10:

OCR Audit Program

Audit Purpose: Support Improved Compliance

• Identify best practices; uncover risks & vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance

- Intended to be non-punitive, but OCR can open up a compliance review (for example, if significant concerns are raised during an audit or an entity fails to respond)

• Learn from this next phase in structuring a permanent audit program

• Develop tools and guidance for industry self-evaluation and breach prevention

10

Page 11:

Audit Program Status: Second Audit Phase Underway

• Desk audits: 166 Covered Entities, 43 Business Associates

• Business Associate selection pool largely drawn from over 20,000 entities identified by audited CEs

• On-site audits of both CEs and BAs in 2017, after completion of the desk audit process, to evaluate against a comprehensive selection of controls in protocols

• A desk audit subject may be subject to on-site audit

• OCR beginning distribution of draft findings to audited CEs & BAs

11

Page 12:

Desk Audit Reporting: Process

After review of submitted documentation:

• Draft findings shared with the entity

• Entity may respond in writing

Final audit reports will:

• Describe how the audit was conducted

• Present any findings, and

• Contain any written entity responses to the draft

OCR Website: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html

12

Page 13:

Investigative Perspectives of the Parties

13

Page 14:

OCR’s Investigative Perspective

• Still conducting complaint investigations

• Can widen a complaint investigation at any time if the complaint investigation signals a potentially larger compliance issue. Red flag for a CE or BA: when OCR wants to move from paper review to employee interviews.

• OCR looks at multiple "small breaches" which evidence a systematic problem, as well as large breaches posted on the "wall of shame."

• Guaranteed OCR investigation with 500 or more individuals affected

• If the breach involves a security breach or successful incident involving a laptop or another device, OCR will send the laptop to Washington for forensic team analysis to determine the vulnerabilities of the device, and recommendations will be made – encryption, log-on and log-off, remote wiping, etc.

14

Page 15:

OCR’s Investigative Perspective

• OCR has been given significant leeway in fine negotiation and resolution actions

• OCR central works with the local office to move the case to a Resolution Agreement; generally OCR wants the Resolution Agreement entered into within one month.

• If no Resolution Agreement is reached, the CE or BA can move to an Administrative Hearing. Only one case to date, and it was affirmed by the ALJ.

15

Page 16:

OCR’s Investigative Perspective

• What does OCR expect from CE or BA during process?

• Cooperation, Cooperation, Cooperation

• Keep your litigation attorney out of it!

• Timely responses to requests for information

• Evidence from CE or BA that it is willing to faithfully and seriously change systems, employee behavior, policies and procedures

• Don't wait until the end of the investigation

16

Page 17:

CE or BA Conduct Perspective

• Determine who has requisite information to respond to the OCR investigation or complaint

• Write all responses clearly, honestly

• If you do not believe there is a valid basis for the complaint, say so and give rationale

• If you are wrong and you need to conduct corrective action, start action right away and inform OCR as soon as possible of your corrective action

17

Page 18:

CE or BA Conduct Perspective

• Keep leadership informed: the Board of Directors doesn't like surprises

• Which raises the question of whether information governance exists within your organization's compliance plan

18

Page 19:

What is at Stake?

19

Page 20:

Resolution Agreements

What is a Resolution Agreement?

A contract between HHS and a CE in which the CE agrees to perform certain obligations (such as staff training) and make reports to HHS, generally for a 3 year period. During this period, HHS monitors the CE’s compliance with its obligations.

Typically includes payment of a resolution amount. A resolution agreement is used to settle investigations with more serious outcomes.

20

Page 21:

Civil Monetary Penalties

• The four categories of CMPs used for the penalty structure are as follows:

• Category 1: A violation that the CE was unaware of and could not have realistically avoided, even if a reasonable amount of care had been taken to abide by the HIPAA Rules

• Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of the HIPAA Rules)

• Category 3: A violation suffered as a direct result of "willful neglect" of the HIPAA Rules, in cases where an attempt has been made to correct the violation

• Category 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

21

Page 22:

Civil Monetary Penalties

• Category 1: Minimum fine of $100 per violation up to $50,000

• Category 2: Minimum fine of $1,000 per violation up to $50,000

• Category 3: Minimum fine of $10,000 per violation up to $50,000

• Category 4: Minimum fine of $50,000 per violation

22

Page 23:

Recent Enforcement Actions

• 2/16/2017: HIPAA settlement shines light on the importance of audit controls – Memorial Healthcare System pays $5.5 million. MHS is the third largest public health care system in the U.S.

• 2/1/2017: Lack of timely action risks security and costs money – a BlackBerry was lost, unencrypted and not password protected. A consultant had performed a Risk Assessment that found security gaps in the system, which the CE did not address. CMP – $3,217,000

• 1/18/2017: HIPAA settlement demonstrates the importance of implementing safeguards for ePHI – MAPFRE Life Insurance Company in Puerto Rico (also underwrites group and individual health insurance plans) reported a lost USB device to OCR. No risk assessment, no risk plan. CMP – $2.2 million

23

Page 24:

Continuing Enforcement Issue: Affirmative Disclosures Not Permitted

The HIPAA Privacy Rule provides that Covered Entities or Business Associates may not use or disclose PHI except as permitted or required. See 45 C.F.R. § 164.502(a).

Examples of Potential Violations:

• Covered Entity permits news media to film individuals in its facility prior to obtaining their authorization.

• Covered Entity publishes PHI on its website or on social media without an authorization from the individual(s).

• Covered Entity confirms that an individual is a patient and provides other PHI to reporter(s) without authorization from the individual.

• Covered Entity faxes PHI to an individual's employer without authorization from the individual.

24

Page 25:

Continuing Enforcement Issue: Lack of Business Associate Agreements

HIPAA generally requires that CEs and BAs enter into agreements with their BAs to ensure that the BAs will appropriately safeguard protected health information. See 45 C.F.R. § 164.308(b).

Examples of Potential Business Associates:

• A collections agency providing debt collection services to a health care provider which involves access to protected health information.

• An independent medical transcriptionist that provides transcription services to a physician.

• A subcontractor providing remote backup services of PHI data for an IT contractor that is a business associate of a health care provider.

25

Page 26:

Continuing Enforcement Issue: Incomplete or Inaccurate Risk Analysis

• Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

• Organizations frequently underestimate the proliferation of ePHI within their environments. When conducting a risk analysis, an organization must identify all of the ePHI created, maintained, received or transmitted by the organization.

• Examples: applications like EHR and billing systems; documents and spreadsheets; database systems and web servers, fax servers, backup servers, etc.; cloud based servers; medical devices; messaging apps (email, texting, ftp); other media

26

Page 27:

Risk Analysis Guidance

• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html

• http://scap.nist.gov/hipaa/

• http://www.healthit.gov/providers-professionals/security-risk-assessment

27

Page 28:

Continuing Enforcement Issue: Failure to Manage Identified Risk

• The Risk Management Standard requires the "[implementation of] security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]." See 45 C.F.R. § 164.308(a)(1)(ii)(B).

• Investigations conducted by OCR regarding several instances of breaches uncovered that risks attributable to a reported breach had been previously identified as part of a risk analysis, but that the breaching organization failed to act on its risk analysis and implement appropriate security measures.

• In some instances, encryption was included as part of a remediation plan; however, activities to implement encryption were not carried out or were not implemented within a reasonable timeframe as established in a remediation plan.

28

Page 29:

Mobile Device Security

http://www.healthit.gov/mobiledevices

29

Page 30:

Continuing Enforcement Issue: Lack of Transmission Security

• When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate. See 45 C.F.R. § 164.312(e)(2)(ii).

• Applications for which encryption should be considered when transmitting ePHI may include:

- Email

- Texting

- Application sessions

- File transmissions (e.g., ftp)

- Remote backups

- Remote access and support sessions (e.g., VPN)

30

Page 31:

Continuing Enforcement Issue: Lack of Appropriate Auditing

• The HIPAA Rules require the "[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." See 45 C.F.R. § 164.312(b).

• Once audit mechanisms are put into place on appropriate information systems, procedures must be implemented to "regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." See 45 C.F.R. § 164.308(a)(1)(ii)(D).

• Activities which could warrant additional investigation:

- Access to PHI during non-business hours or during time off

- Access to an abnormally high number of records containing PHI

- Access to PHI of persons for which media interest exists

- Access to PHI of employees

31
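The four activities listed on this slide are the kind of regular review of "records of information system activity" that § 164.308(a)(1)(ii)(D) requires. As an added example (not part of the original presentation and not an OCR tool), the following Python script runs those four checks over a small constructed ePHI access log. The log format, the 07:00-19:00 weekday business-hours window, the time-off roster, the media-interest watch list, the employee-record list and the 10-distinct-records-per-day threshold are all assumptions made for the example; a real deployment would take them from the organization's own systems.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample ePHI access log: "timestamp user patient_id action" (not real data).
SAMPLE_LOG = [
    "2017-03-06T09:12:00 nurse01 P1001 view",
    "2017-03-06T09:15:00 nurse01 P1002 view",
    "2017-03-06T22:40:00 clerk07 P1003 view",   # outside business hours
    "2017-03-07T08:30:00 nurse01 P1004 view",   # nurse01 is on leave on 2017-03-07
    "2017-03-06T14:05:00 dr_lee P9001 view",    # patient on the media-interest watch list
    "2017-03-06T15:20:00 hr_pat P3000 view",    # record belongs to a workforce member
    "2017-03-04T10:00:00 nurse01 P1001 view",   # Saturday: outside business days
] + [f"2017-03-06T10:{i:02d}:00 clerk07 P2{i:03d} view" for i in range(12)]  # bulk access

# Assumed business-hours window; weekends are treated as non-business days.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_line(line):
    """Split one log line into (datetime, user, patient_id, action)."""
    ts, user, patient, action = line.split()
    return datetime.fromisoformat(ts), user, patient, action


def review_audit_log(lines, time_off=frozenset(), watch_list=frozenset(),
                     employee_patients=frozenset(), max_records_per_day=10):
    """Return sorted (rule, user, detail) alerts for the four review patterns.

    time_off:          set of (user, 'YYYY-MM-DD') days the user was not scheduled to work
    watch_list:        patient ids for which media interest exists
    employee_patients: patient ids that belong to workforce members
    """
    alerts = []
    per_user_day = defaultdict(set)   # (user, day) -> distinct patient ids touched
    for line in lines:
        ts, user, patient, action = parse_line(line)
        day = ts.date().isoformat()
        per_user_day[(user, day)].add(patient)
        # 1. Access during non-business hours (weekend or outside the window).
        if ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END):
            alerts.append(("after_hours", user, f"{patient} at {ts.isoformat()}"))
        # 1b. Access on a day the user was on time off.
        if (user, day) in time_off:
            alerts.append(("time_off", user, f"{patient} on {day}"))
        # 3. Access to a patient for whom media interest exists.
        if patient in watch_list:
            alerts.append(("watch_list", user, f"{patient} at {ts.isoformat()}"))
        # 4. Access to the record of a workforce member.
        if patient in employee_patients:
            alerts.append(("employee_record", user, f"{patient} at {ts.isoformat()}"))
    # 2. Abnormally high number of distinct records in one day.
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_records_per_day:
            alerts.append(("high_volume", user, f"{len(patients)} distinct records on {day}"))
    return sorted(alerts)


def summarize(alerts):
    """Count alerts per rule, e.g. {'after_hours': 2, ...}."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


def run_sample():
    """Review the constructed log with the assumed rosters and lists."""
    return review_audit_log(
        SAMPLE_LOG,
        time_off={("nurse01", "2017-03-07")},
        watch_list={"P9001"},
        employee_patients={"P3000"},
    )


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:16} {user:10} {detail}")
```

Each alert is a lead for a reviewer, not a finding in itself: a clinician legitimately covering a night shift will trip the after-hours rule, so the review procedure the slide describes should record who examined each alert and what was concluded, since that record is what an auditor will ask for.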

Page 32:

Continuing Enforcement Issue: Patching of Software

• The use of unpatched or unsupported software on systems which access ePHI could introduce additional risk into an environment.

• Continued use of such systems must be included within an organization's risk analysis and appropriate mitigation strategies implemented to reduce risk to a reasonable and appropriate level.

• In addition to operating systems, EMR/PM systems, and office productivity software, software which should be monitored for patches and vendor end-of-life for support include:

- Router and firewall firmware

- Anti-virus and anti-malware software

- Multimedia and runtime environments (e.g., Adobe Flash, Java, etc.)

32

Page 33:

Continuing Enforcement Issue: Insider Threat

• Organizations must "[i]mplement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI... and to prevent those workforce members who do not have access ... from obtaining access to ePHI," as part of its Workforce Security plan. See 45 C.F.R. § 164.308 (a)(3).

• Appropriate workforce screening procedures should be included as part of an organization's Workforce Clearance process (e.g., background and OIG LEIE checks). See 45 C.F.R. §164.308(a)(3)(ii)(B).

• Termination Procedures should be in place to ensure that access to PHI is revoked as part of an organization's workforce exit or separation process. See 45 C.F.R. § 164.308 (a)(3)(ii)(C).

33

Page 34:

Continuing Enforcement Issue: Disposal of PHI

• When an organization disposes of electronic media which may contain ePHI, it must implement policies and procedures to ensure that proper and secure disposal processes are used. See 45 C.F.R. § 164.310 (d)(2)(i).

• The implemented disposal procedures must ensure that "[e]lectronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization, such that the PHI cannot be retrieved."

• Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal.

• Organizations must ensure that all electronic devices and media containing PHI are disposed of securely; including non-computer devices such as copier systems and medical devices.

34

Page 35:

Continuing Enforcement Issue: Insufficient Backup and Contingency Planning

• Organizations must ensure that adequate contingency plans (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R. § 164.308 (a)(7).

• Leveraging the resources of cloud vendors may aid an organization with its contingency planning regarding certain applications or computer systems, but may not encompass all that is required for an effective contingency plan.

• As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies. See § 164.308 (a)(7)(ii)(D).

35

Page 36:

What’s Next?

36

Page 37:

Long-term Regulatory Agenda

• HITECH provision re: providing individuals harmed by violations of the HIPAA regulations with a percentage of any civil monetary penalties or settlements collected.

• HITECH provisions re: changes to HIPAA Accounting of Disclosure provisions.

37

Page 38:

Upcoming Guidance/FAQs

• Privacy and Security for "All of Us" (PMI) research program

• Text messaging

• Social Media

• Use of CEHRT & compliance with HIPAA Security Rule (w/ONC)

• RA/CMP Process

• Update of existing FAQs to account for Omnibus and other recent developments

• Minimum necessary

38

Page 39:

Recent Guidance: Ransomware and Cloud Computing

• Ransomware: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

• Cloud Computing: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

39

Page 40:

Monthly Guidance: Cybersecurity Newsletters

http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

• February 2016: Ransomware, "Tech Support" Scam, New BBB Scam Tracker

• March 2016: Keeping PHI Safe, Malware and Medical Devices

• April 2016: New Cyber Threats and Attacks on the Healthcare Sector

• May 2016: Is Your Business Associate Prepared for a Security Incident

• June 2016: What's in Your Third-Party Application Software

• September 2016: Cyber Threat Information Sharing

• October 2016: Mining More than Gold (FTP)

• November 2016: What Type of Authentication is Right for You?

• December 2016: Understanding DoS and DDoS Attacks

• January 2017: Audit Controls

• February 2017: Reporting and Monitoring Cyber Threats

40

Page 41:

Don’t let your program get stale – presuming you have one.

41

Page 42:

What should a Privacy or Security officer be doing now?

Keep up with (watch and listen):

• Current regulations — ongoing check across the enterprise

• Watch/listen for pending changes or challenges in potential regulation

• NCVHS and HIT Privacy Workgroup

• Breach notices and stories

• NIST releases and sample security measures

• OCR audit information and other notices

• Monitor workforce actions and activities

• Monitor contracts and business associate agreements

42

Page 43:

What should a Privacy or Security officer be doing now?

Keep up with:

• Active participation in enterprise information governance

• Ongoing security auditing and risk analysis - all technology

• Planning:

• Breach strategic planning and workgroup - There will be a breach!

• Monitoring team

• Response team — who will do what, when, and how?

• Back-ups for team

• Business Associate breach

• Workforce training

43

Page 44:

What should a Privacy or Security officer be doing now?

Keep up with training and education:

• Workforce orientation

• New hire / volunteer orientation

• On-going reminders and annual retraining

• Security related training

• Specialty training and awareness

• Patient training related to:

- Patient portal access and use

- Other technology

- Consents and authorizations

44

Page 45:

What should a Privacy or Security officer be doing now?

Keep up with new technology and exchange:

• Home-based technologies

• Entity based technologies

• Enterprise patient portal or sponsored PHR

• HIE within and external to the enterprise

Keeping up with change:

• Physical plant

• Patient areas

• Data and information sites

45

Page 46:

Resources

Office of Civil Rights (OCR-HHS) www.hhs.gov/ocr/privacy

Office of the National Coordinator for Health Information Technology (ONC) www.healthit.gov

Substance Abuse and Mental Health Services Administration www.samhsa.gov/

National Institute for Standards and Technology - Healthcare www.healthcare.nist.gov

Federal Register www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR

46

Page 47:

Resources

American Health Information Management Association www.ahima.org

American Records Management Association www.arma.org

Health Care Compliance Association www.hcca-info.org

Health Information Management and Systems Society (HIMSS) www.himss.org

47

Page 48:

Resources

OCR Security Resources www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

OCR - NIST Crosswalk www.hhs.gov/sites/default/files/NIST%20CSF%20to%20HIPAA%20Security%20Rule%20Crosswalk%2002-22-2016%20Final.pdf

OCR - Right to Access www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

ONC - Treatment Exchange: www.hhs.gov/sites/default/files/exchange_treatment.pdf

48

Page 49:

Resources

e-Publications:

EHR Intelligence www.ehrintelligence.com

Government Security Enews www.govinfosecurity.com

Healthcare Law Today (Foley & Lardner LLP) www.healthcarelawtoday.com

Health HIT Smart Brief www.smartbrief.com

Health IT News www.digital.halldata.com

49

Page 50:

Resources

e-Publications (continued):

Health Information Security www.healthcareinfosecurity.com

HealthIT Security www.healthitsecurity.com

Information Management www.information-management.com

50

Page 51:

Resources

OCR Audit:

Audit Protocol www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html

Audit Pre-Screening Questionnaire www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html

BA Pre-Screening Questionnaire: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html

51

Page 52:

Questions?

52