On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them. During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.” Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI
Dianne Bourque is a Member in the firm and practices in the Boston office. She advises health care clients on issues including licensure, regulatory, contractual, risk management, and patient care matters as well as issues involving HIPAA and other medical privacy laws. Before joining Mintz Levin, Dianne was an associate staff attorney at the Lahey Clinic. She is also an adjunct professor at Stonehill College, where she teaches a course on health care law.
On January 18th, the U.S. Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule updating regulations for the protection of human research subjects, the so-called “Common Rule.” The original Common Rule had been in place for almost 30 years, with little change despite significant research and technology advances during that time. Further change is on the horizon for the Common Rule, as the 21st Century Cures Act (Cures) includes a mandate for HHS and the Food and Drug Administration (FDA) to harmonize long-standing differences between the Common Rule and FDA Human Subject Protection regulations. Continue Reading The Newly Updated Common Rule is Here – And On a Collision Course With the 21st Century Cures Act
On October 7, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance to assist cloud service providers (CSPs) and their customers with HIPAA compliance. As discussed below, the guidance clarifies important questions about operating in the cloud, including the role of encryption when determining whether a cloud service provider is a business associate. Continue Reading HHS Publishes Guidance on HIPAA and Cloud Computing
Health care providers and other HIPAA-regulated entities should take note of the story on our companion blog, Employment Matters, regarding the augmented reality video game craze Pokémon Go. For those unfamiliar with the most downloaded smartphone video game ever, it involves players chasing adorable computer-generated characters that randomly appear in the player’s immediate surroundings. How could something as delightful as Pikachu present a security risk? When the game is played in camera mode, the player records the Pokémon character, as well as the player’s surroundings – think computer monitors, whiteboards, patients, providers, procedure suites . . .
As with all HIPAA security risks, the best approach is to learn about the risk and take proactive steps to mitigate harm. A great place to start is to read the Mintz Levin overview of Pokémon Go in the Workplace.
On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides that a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations. Continue Reading “Your Money or Your PHI”: OCR Releases Guidance on Ransomware
Federally-funded clinical trials conducted at multiple sites will move to a single Institutional Review Board (IRB) review scheme under a new National Institutes of Health (NIH) Policy. The NIH has finalized its policy to have a single IRB (sIRB) of record conduct the required ethics review for multi-site studies. The NIH cited “systemic inefficiencies” without any increased protection of human subjects under the current system in which a separate IRB conducts the ethics review for each site.
Who does this affect?
The sIRB policy covers NIH-funded non-exempt human subjects research, and applies to the domestic sites of multi-site studies conducting the same research protocol at each site. Foreign sites are not covered. Neither are career development, research training or fellowship awards. This policy does not necessarily apply to industry-sponsored trials or drug and device studies subject to FDA regulation only. Continue Reading NIH Signals “Paradigm Shift” with Policy on Multi-Site Studies
The Medicare Access and CHIP Reauthorization Act (MACRA) proposes a new approach, with new branding labels, to paying clinicians for the value and the quality of care that they provide by replacing a patchwork of existing quality-related programs, including the Electronic Health Records (EHRs) Incentive Programs, also known as “Meaningful Use.” Under MACRA’s Merit-Based Incentive Payment System (MIPS), Advancing Care Information is one of four performance measures. In our first blog on the proposed rule, CMS Releases Proposed Rule for MACRA Implementation and Merit Based Incentive Payment Systems (MIPS), we discussed MIPS more fully. Our final MACRA blog will discuss the Alternative Payment Models (APMs).
Advancing Care Information is a MIPS performance category focused on use of electronic health records (“EHR”). Clinicians will be able to choose to report customizable measures that reflect how they use EHR technology in their day-to-day practice, with a particular emphasis on interoperability and information exchange. Clinicians would need to use technologies, standards, policies, and practices to assure that their EHR technology is interoperable, compliant with Office of the National Coordinator for Health IT (ONC) standards (including allowing patients timely access to EHR information to view, download, and transmit), and that it allows for the exchange of structured health information with other health care providers (including unaffiliated providers) using different EHR vendors. Continue Reading CMS Proposes “Advancing Care Information” Program to Replace Meaningful Use
Earlier this month the Department of Health and Human Services Office for Civil Rights (OCR) released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.
The protocol covers the following subject areas:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Breach Notification Rule requirements.
On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.
What’s Happening This Time Around?
OCR will conduct both desk audits and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities, with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.
For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization. OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.” Since OCR recently released guidance on patient rights to access their health information and on the fees that providers may charge for such access (previously covered by our blog here), access issues appear ripe for a broader audit.
Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit. Continue Reading Ready or Not, It’s Time For Phase 2 HIPAA Audits
As we have repeatedly emphasized on this blog, HIPAA Covered Entities must ensure that they have compliant business associate agreements (“BAAs”) in place with all of their business associates and must ensure that they have performed a comprehensive risk assessment. A $1.55 million settlement between North Memorial Health Care of Minnesota (“NMHC”) and the Office for Civil Rights (“OCR”) announced this week emphasizes the seriousness of these requirements.
NMHC came under investigation by OCR after a September 2011 breach involving the theft of an unencrypted laptop from a business associate’s employee’s car. The laptop contained the electronic protected health information of nearly 10,000 individuals. The investigation uncovered that NMHC had not entered into a BAA with the business associate, Accretive Health, when it engaged Accretive in March 2011 and did not enter into a BAA until October 2011. During this interim period, Accretive had access to the protected health information of more than 250,000 individuals. Additionally, OCR found that NMHC had not conducted an accurate and thorough enterprise-wide risk analysis. Continue Reading Don’t Neglect Your Business Associate Agreements!