Last week the Health Care Compliance Association hosted its annual “Compliance Institute.”  Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.

Continuing Enforcement Issues

Ms. Peters identified ten key enforcement issues that OCR continues to encounter through its enforcement of HIPAA. These issues include:

  1. Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
    • Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
    • Covered entities publishing PHI on their website or on social media without an individual’s authorization.
    • Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
    • Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
  2. Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
  3. Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
  4. Failure to manage identified risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
  5. Lack of transmission security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
  6. Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for which media interest exists, and access to PHI of employees.
  7. Patching of Software. The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
  8. Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, an organization must implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
  9. Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
  10. Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.
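As an added illustration of the audit-record review described in item 6 above (this is example code written for this post, not material from the presentation or from OCR), the script below runs the four review triggers Ms. Peters listed over a constructed set of access records: access outside business hours or on approved time off, an abnormally high number of distinct records for one user in a day, access to patients on a media-interest watch list, and access to records of employees. The CSV field names, the business-hours window, the 50-record threshold, the watch list, the employee list and the leave calendar are all assumptions chosen for the example; a real deployment would take them from the organization's own risk analysis and HR systems.

```python
"""Audit-record review heuristics for ePHI access (added example).

Flags the review triggers named in the enforcement update: off-hours or
time-off access, high-volume access, access to watch-listed patients and
access to employees' records. All thresholds and sample data are assumed.
"""
from collections import defaultdict
from datetime import date, datetime, time
import csv
import io

# Constructed sample audit log (fictional users and patient ids).
# 2017-03-27 is a Monday; 2017-03-25 is a Saturday.
SAMPLE_LOG = """timestamp,user,patient_id,action
2017-03-27T09:15:00,jdoe,P1001,view
2017-03-27T09:16:00,jdoe,P1002,view
2017-03-27T23:40:00,jdoe,P1003,view
2017-03-25T14:05:00,bjones,P3001,view
2017-03-27T11:30:00,bjones,P9001,view
2017-03-27T11:35:00,bjones,P0042,view
2017-03-28T10:00:00,jdoe,P1010,view
"""
# asmith's bulk access (60 distinct records in one hour) is generated here
# to keep the literal short; it is part of the constructed sample.
SAMPLE_LOG += "".join(
    f"2017-03-27T10:{i:02d}:00,asmith,P2{i:03d},view\n" for i in range(60)
)

# Assumed context an organization would maintain alongside the log.
MEDIA_WATCHLIST = {"P9001"}            # patients with known media interest
EMPLOYEE_PATIENT_IDS = {"P0042"}       # workforce members who are also patients
LEAVE = {"jdoe": {date(2017, 3, 28)}}  # approved time off, per user
BUSINESS_HOURS = (time(7, 0), time(19, 0))
VOLUME_THRESHOLD = 50                  # distinct records per user per day


def parse_log(text):
    """Parse CSV audit records, converting the timestamp to a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(records, business_hours=BUSINESS_HOURS,
           volume_threshold=VOLUME_THRESHOLD, watchlist=MEDIA_WATCHLIST,
           employee_ids=EMPLOYEE_PATIENT_IDS, leave=LEAVE):
    """Return (reason, user, detail) tuples for records warranting follow-up."""
    findings = []
    per_user_day = defaultdict(set)
    start, end = business_hours
    for r in records:
        ts, user, pid = r["timestamp"], r["user"], r["patient_id"]
        day = ts.date()
        per_user_day[(user, day)].add(pid)
        # Weekend, or outside the business-hours window on a weekday.
        if ts.weekday() >= 5 or not (start <= ts.time() < end):
            findings.append(("off_hours", user, f"{pid} at {ts.isoformat()}"))
        # Access on a day the user was recorded as being on leave.
        if day in leave.get(user, set()):
            findings.append(("time_off", user, f"{pid} on {day.isoformat()}"))
        if pid in watchlist:
            findings.append(("media_interest", user, pid))
        if pid in employee_ids:
            findings.append(("employee_record", user, pid))
    # Volume check is per user per day, counting distinct records only.
    for (user, day), pids in per_user_day.items():
        if len(pids) > volume_threshold:
            findings.append(("high_volume", user,
                             f"{len(pids)} records on {day.isoformat()}"))
    return findings


def reasons_by_user(findings):
    """Summarize which trigger types fired for each user."""
    summary = defaultdict(set)
    for reason, user, _ in findings:
        summary[user].add(reason)
    return dict(summary)


if __name__ == "__main__":
    for reason, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{reason:16} {user:8} {detail}")
```

Each finding is a lead for a reviewer, not a conclusion: the point of the Security Rule requirement is that someone actually looks at the records and decides whether further investigation is needed, so the output is deliberately a short list of reasons rather than an automated verdict.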

Upcoming Guidance and FAQs

OCR also identified upcoming guidance and FAQs that it will use to address the following areas:

  • Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
  • Text messaging
  • Social media
  • Use of Certified EHR Technology (CEHRT) & compliance with the HIPAA Security Rule (to be released with the Office of the National Coordinator for Health Information Technology (ONC))
  • The Resolution Agreement and Civil Monetary Penalty process
  • Updates of existing FAQs to account for the Omnibus Rule and other recent developments
  • The “minimum necessary” requirement

Long-term Regulatory Agenda

The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.

Audit Program Status

The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.

Commentary

The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas that are most likely to get them in compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impracticable for many organizations. However the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as their plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.

On July 12, 2016, HHS’s Office for Civil Rights (OCR) distributed an e-mail discussing recent developments in Phase II of its HIPAA audit program.

For those looking to catch up on the Phase II audits, we provided readers with an overview of the audits back in March. In April, we discussed the HIPAA Audit Protocol that OCR is using to conduct the Phase II audits.  And in May, we alerted readers to the notifications that OCR was e-mailing to covered entities in an effort to verify their contact information.

In its latest e-mail, OCR confirms that notification letters were delivered on Monday, July 11, 2016, to 167 health plans, health care providers and health care clearinghouses notifying them of their inclusion in the desk audit portion of the audit program. The desk audits will examine the selected entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules by examining certain documentation that the entities are required to maintain under HIPAA. OCR provides the following table setting forth the subject matter of the documentation review:

[Table: HIPAA Desk Audit]

Notably, the three areas covered under the Privacy Rule relate to how patients are made aware of their rights under HIPAA and how they can access their own medical records. The desk audit does not focus on policies related to uses and disclosures of PHI. This emphasis dovetails with OCR’s recent efforts to educate patients and providers about patient access rights (which we previously covered here).

Entities have 10 business days, until July 22, 2016, to respond to the document requests.

OCR separately notes that desk audits of business associates will be occurring this fall. We will continue to follow developments in the Phase II audit program and bring you updates and analysis as they occur.

On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR that will begin the audit process.

Why Audits? Why Now?

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.

What’s Happening This Time Around?

OCR will conduct both desk audit and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.

For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization. OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.” Since OCR recently released guidance on patient rights to access their health information and on the fees that providers may charge for such access (previously covered by our blog here), access issues appear ripe for a broader audit.

Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit. Continue Reading Ready or Not, It’s Time For Phase 2 HIPAA Audits

A tip from a local Denver news outlet led to a compliance review, investigation and ultimately a resolution agreement between the Department of Health and Human Services’ Office for Civil Rights (“OCR”) and Denver-based Cornell Prescription Pharmacy (“CPP”). On January 11, 2012, 9 News, the Denver NBC news affiliate, reported to OCR that certain patient information was being disposed of in a dumpster that was accessible to the public. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is the primary Federal regulation governing the security and privacy of certain personally identifiable health information, or “PHI.” Under HIPAA’s Privacy Rule, pharmacies such as CPP are required to implement appropriate administrative, technical and physical safeguards to protect the privacy of PHI, in any form. See 45 CFR 164.530(c). The disposal of paper records containing PHI in a publicly accessible dumpster is, of course, unreasonable by any measure.

Just two days after receiving the report, OCR initiated a compliance review and investigation of CPP. OCR’s investigation found that CPP had failed to:

  1. reasonably safeguard their PHI, as required by the Privacy Rule;
  2. implement written policies and procedures to comply with the Privacy Rule; and
  3. document and train its workforce on its Privacy Rule policies and procedures.

Under the terms of the resolution agreement (a copy of which can be found here), CPP is required to pay HHS $125,000 and agree to a corrective action plan (“CAP”). CPP will not be required to admit wrongdoing under the terms of the resolution agreement. Under the CAP, CPP is required to develop written policies and procedures to comply with HIPAA, provide those policies and procedures to HHS by May 22, 2015, and implement said procedures within 30 days of receiving HHS’ final approval.  CPP is also required to produce an implementation report as well as annual reports for the next two years.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

While not as easily transferable as its digital counterpart, the information in paper-based medical records remains extremely lucrative on the black market. It has been estimated that your medical data can fetch as much as 10 times the value of your credit card number. Understandably, health care providers and others covered by HIPAA will face increasing scrutiny given this lucrative black market as well as the recent high-profile breaches at various health insurance companies across the United States. Notwithstanding a recent delay, OCR is planning to conduct a new round of audits to prevent the situations discussed above. “We are committed to implementing a robust audit program,” Samuels said. “I can’t promise you the specific date, but it’s happening.” As OCR readies its Phase II audit program, regulated entities can be assured that NBC News and others will be watching for evidence of non-compliance.

Written by: Samantha P. Kingsbury

On Wednesday January 28th, my colleague Dianne Bourque (a member in Mintz Levin’s Health Law practice), will be presenting a webinar on how to survive a HIPAA audit.  As luck would have it, January 28th is also international Data Privacy Day.

With the New Year in full swing, the HHS Office of Civil Rights (“OCR”) is resuming its random audit program to assess compliance with HIPAA privacy, security and breach notification rules.  While Phase I of the OCR audit program involved on-site visits, OCR will conduct Phase II audits by performing desk review of documentation.  Findings during a Phase II audit can lead to enforcement and failure to comply can lead to the imposition of civil monetary penalties.

During this webinar, Dianne will discuss lessons learned from Phase I of the audit program and how best to incorporate those lessons into Phase II preparations.  She will also discuss how to identify and eliminate compliance gaps, in case you are chosen for an audit.

Phase II audits can happen to covered entities and business associates alike. Learn more about how you should be preparing and register for this webinar by clicking here.

Written by:  Dianne Bourque

The Office for Civil Rights (OCR) is closing out 2013 with a reminder of the importance of an effective HIPAA compliance program.  On December 26, 2013, OCR announced a resolution agreement with a Massachusetts physician practice to settle violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification rules. The practice, Adult and Pediatric Dermatology, P.C., of Concord Massachusetts (AP Derm) agreed to pay a $150,000 fine and enter into a corrective action plan to address deficiencies in its HIPAA compliance program. 

Continue Reading A New Year’s Resolution (and Corrective Action Plan) from OCR: Physician Practice Cited for HIPAA Violations

Written by Dianne Bourque

The HHS Office of Civil Rights has begun notifying the 150 covered entities chosen for its first round of audits under HITECH, and it has posted a sample audit notification letter.

If your organization receives one of these letters, immediate attention is critical. You may have as few as ten days to respond to documentation requests accompanying the audit notification. Requested documentation will likely include policies and procedures, forms, evidence of HIPAA privacy and security program implementation (such as documentation of completed training), and other documentation required by the HIPAA privacy rule and security standards. A site visit may occur as soon as thirty days following the audit notification letter. During a site visit, auditors will interview key personnel and observe your business operations to evaluate compliance.

Don’t wait until you receive an audit notification letter to evaluate your HIPAA compliance program. There is never a good time to have a gap in your program, but the stakes are even higher in the post-HITECH world.