OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013. Presence Health did not report the breach to OCR until January 31, 2014, more than three months later. OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.
HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.
Investigations into the root cause of even a small breach can discover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections.
On July 12, 2016, HHS’s Office for Civil Rights (OCR) distributed an e-mail discussing recent developments in Phase II of its HIPAA audit program.
For those looking to catch up on the Phase II audits, we provided readers with an overview of the audits back in March. In April, we discussed the HIPAA Audit Protocol that OCR is using to conduct the Phase II audits. And in May, we alerted readers to the notifications that OCR was e-mailing to covered entities in an effort to verify their contact information.
In its latest e-mail, OCR confirms that notification letters were delivered on Monday, July 11, 2016, to 167 health plans, health care providers and health care clearinghouses notifying them of their inclusion in the desk audit portion of the audit program. The desk audits will examine the selected entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules by examining certain documentation that the entities are required to maintain under HIPAA. OCR provides the following table setting forth the subject matter of the documentation review:
Notably, the three areas covered under the Privacy Rule relate to how patients are made aware of their rights under HIPAA and how they can access their own medical records. The desk audit does not focus on policies related to uses and disclosures of PHI. This emphasis dovetails with OCR’s recent efforts to educate patients and providers about patient access rights (which we previously covered here).
Entities have 10 business days, until July 22, 2016, to respond to the document requests.
OCR separately notes that desk audits of business associates will be occurring this fall. We will continue to follow developments in the Phase II audit program and bring you updates and analysis as they occur.
On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides that a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations.
On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.
What’s Happening This Time Around?
OCR will conduct both desk audits and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities, with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.
For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization. OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.” Since OCR recently released guidance on patient rights to access their health information and on the fees that providers may charge for such access (previously covered by our blog here), access issues appear ripe for a broader audit.
Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit.
The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and me that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed in this article involve two situations that often stymie health care providers: 1) appropriate disclosures to law enforcement and 2) sending appointment reminders to patients.
Covered entities and business associates having difficulty distinguishing the old “harm standard” and the new Omnibus Rule analysis should understand that the latter clearly imposes a rebuttable presumption that a breach of protected health information will require notification to affected individuals and the government, except under narrow circumstances. As the article concludes, “striking a balance between an inquiry that meets the risk assessment’s requirements but that minimizes the over-reporting of breaches will be a challenge that covered entities and business associates will need to address” for years to come.
Our firm consistently monitors the HHS Office of Civil Rights’ enforcement and monitoring activities and writes posts noting trends in the area of HIPAA compliance, so keep checking the blog for current health care privacy and security news.
Since 2009, the HHS Office for Civil Rights (“OCR”) has posted all large data breaches – those that involve 500 or more individuals – online on its so-called “Wall of Shame.” In 2013, 160 large data breaches were reported to OCR and posted on the Wall of Shame. Taken together, these breaches involved the unsecured protected health information (“PHI”) of nearly 6.85 million individuals.
The following top five breaches of 2013 accounted for over 88% of all individuals affected by large data breaches in that year:
- Advocate Health and Hospitals Corp. (4,029,530);
- Horizon Healthcare Services, Inc. d/b/a Horizon Blue Cross Blue Shield of New Jersey and its affiliates (839,711);
- AMHC Healthcare Inc. (729,000);
- Texas Health Harris Methodist Hospital Fort Worth (277,014); and
- Indiana Family & Social Services Administration (187,533).
Of these five breaches, one breach involved the PHI of over four million individuals; the other four breaches each affected over 150,000 individuals. Three out of these five breaches resulted from the theft of equipment or electronic files with unencrypted PHI. The two remaining breaches were due to errors by business associates: one that failed to destroy microfiches containing PHI that ultimately ended up in several local parks; and one that made a computer programming error and transmitted records to an unintended party. Interestingly, the microfiche incident involved the PHI of patients seen by the facility between 1980 and 1990, demonstrating that older PHI is no safer from improper disclosure than newly generated PHI.
These incidents from 2013 should alert covered entities, business associates, vendors and other agents handling PHI to the following lessons:
- Encrypt, encrypt, and encrypt again – in one of the breaches, the hospital system had focused on encrypting its laptops, but had not yet completed encrypting the desktops that contained PHI;
- Monitor where PHI is going – if (or when) PHI gets inadvertently transmitted to the wrong party, knowing where it went will help the breaching party to perform an adequate risk assessment under 45 C.F.R. 164.402(2); and
- Follow up (and follow through) on the destruction of PHI – having policies on how to properly protect or destroy older PHI records and following up with entities entrusted with completing those tasks will lessen the risk that these records will cause a future breach down the road.
Earlier this week we attended the National Institute of Standards and Technology (NIST) and HHS Office for Civil Rights (OCR) 6th Annual Safeguarding Health Information Conference in Washington, D.C. (the NIST-OCR Conference). The agenda focused on recent amendments to the privacy and security laws, including changes under the HIPAA Omnibus Rule, as well as technological developments aimed at improving quality of care while maintaining the integrity of patient information. The NIST-OCR Conference also provided a forum for participants to discuss new requirements with regulators. The agenda includes links to all of the presentations.
The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines.
Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance deadlines depend on whether there is a current agreement in place that meets regulatory requirements. New BAAs and DUAs must comply with Omnibus Rule requirements by September 23, 2013; otherwise, BAAs and DUAs that only became non-compliant after the Office for Civil Rights (OCR) released the Omnibus Rule may remain in effect until September 22, 2014 (or until the applicable agreement renewal date). All parties must still comply with the Breach Notification interim final rule requirements under the HITECH Act during the 180-day transition period between March 26th and September 23rd of this year.
In the meantime, covered entities and business associates should be at least planning, if not undertaking, the following tasks:
- Preparing new, Omnibus Rule-compliant BAAs and DUAs in advance of contract renewal dates or the compliance deadline;
- Updating HIPAA policies and procedures and training materials;
- (Re)educating staff on their duties and responsibilities regarding protected health information and breach notification requirements; and
- Remaining alert for additional guidance from OCR.