Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data—including highly sensitive information—to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. This latest installment in our health app series will introduce some of these considerations, including approaches that developers can take to minimize their risk. Continue Reading Building a Health App? Part 6: HIPAA and Other Privacy and Security Considerations
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement
Last week the Health Care Compliance Association hosted its annual “Compliance Institute.” Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.
Continuing Enforcement Issues
Ms. Peters identified key ten enforcement issues that OCR continues to encounter through its enforcement of HIPAA. These issues include:
- Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
- Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
- Covered entities publishing PHI on their website or on social media without an individual’s authorization.
- Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
- Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
- Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
- Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
- Failure to manage identified risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
- Lack of transmission security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
- Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for which media interest exists, and access to PHI of employees.
- Patching of Software. The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
- Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
- Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
- Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.
Upcoming Guidance and FAQs
OCR also identified upcoming guidance and FAQs that it will use to address the following areas:
- Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
- Text messaging
- Social media
- Use of Certified EHR Technology (CEHRT) & compliance with HIPAA Security Rule (to be release with the Office of the National Coordinator for Health Information Technology (ONC))
- The Resolution Agreement and Civil Monetary Penalty process
- Updates of existing FAQs to account for the Omnibus Rule and other recent developments
- The “minimum necessary” requirement
Long-term Regulatory Agenda
The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.
Audit Program Status
The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.
The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas that are most likely to get them in compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impracticable for many organizations. However the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as their plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.
As we’ve previously discussed on Health Law and Policy Matters, agencies within the Department of Health and Human Services (DHHS) pushed through several final rules towards the end of the Obama Administration (see here and here). However, since taking office, President Trump has followed through on his campaign promise to significantly roll back Federal regulations and has taken several actions aimed at slowing and reversing agency regulatory processes, including processes at the DHHS sub-agencies CMS and FDA. These executive actions are creating a climate of uncertainty for regulated industries and their stakeholders. Continue Reading Trump Executive Orders Create Uncertainty for Health Care & Pharmaceutical Industries
As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.
On Wednesday, OCR followed up their alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, OSOCRAudit@hhs.gov, noting that such subtlety is typical in phishing scams.
OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits. For more information about the Phase 2 audit program please visit our earlier post.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an alert on Monday describing a phishing campaign disguised as an email from OCR. The email is being circulated on mock HHS letterhead under the signature of OCR’s Director Jocelyn Samuels and is being sent to HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. When clicked, the link takes the recipient to a non-governmental website marketing a firm’s cybersecurity services. In its alert, HHS clarified that it is in no way associated with the firm.
Covered Entities and Business Associates should be aware of this email and should make their workforces aware of it. This can also serve as an important reminder of the importance of being vigilant about phishing campaigns and not clicking links in any email that seems suspicious or unexpected.
While the firm’s specific claims of inclusion in the audit program are not based in fact, OCR’s audit program is itself quite real. This past July we discussed the audit letters that were sent to health care providers and health care clearinghouses alerting them to their inclusion in the audit. We also described how OCR would be auditing businesses associates during the fall season. Given that fall is upon us, it is now more critical than ever for business associates to review their compliance efforts.
HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.
Investigations into the root cause of even a small breach can discover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections. Continue Reading OCR to Increase Investigations of Smaller HIPAA Breaches
Last week, the Department of Health and Human Services (“HHS”) released new materials for covered entities to use to comply with Section 1557, the nondiscrimination provision of the Affordable Care Act. Section 1557 strengthens protections for populations that have been most vulnerable to discrimination in the health care setting by stating that individuals cannot be subject to discrimination based on race, color, national origin, sex, age, or disability.
On July 12, 2016, HHS’s Office for Civil Rights (OCR) distributed an e-mail discussing recent developments in Phase II of its HIPAA audit program.
For those looking to catch up on the Phase II audits, we provided readers with an overview of the audits back in March. In April, we discussed the HIPAA Audit Protocol that OCR is using to conduct the Phase II audits. And in May, we alerted readers to the notifications that OCR was e-mailing to covered entities in an effort to verify their contact information.
In its latest e-mail, OCR confirms that notification letters were delivered on Monday, July 11, 2016, to 167 health plans, health care providers and health care clearinghouses notifying them of their inclusion in the desk audit portion of the audit program. The desk audits will examine the selected entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules by examining certain documentation that the entities are required to maintain under HIPAA. OCR provides the following table setting forth the subject matter of the documentation review:
Notably, the three areas covered under the Privacy Rule relate to how patients are made aware of their rights under HIPAA and how they can access their own medical records. The desk audit does not focus on policies related to uses and disclosure of PHI. This emphasis dovetails with OCR recent efforts to educate patients and providers about patient access rights (which we previously covered here).
Entities have 10 business days, until July 22, 2016, to respond to the document requests.
OCR separately notes that desk audits of business associates will be occurring this fall. We will continue to follow developments in the Phase II audit program and bring you updates and analysis as they occurs.
Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the release of three YouTube videos and an infographic on individuals’ rights to access health information. In contrast to guidance on the same topic published earlier this year, these videos are specifically geared toward consumers in an effort to increase individuals’ understanding of their rights under HIPAA. Each video focuses on a specific topic: the basics of an individual’s access rights; the fees that may be charges for such access; and the rights of third parties to access an individual’s health information. The infographic also provides an overview of these rights.
OCR explained that consumers’ understanding of their basic access rights is important in helping patients take more control over their healthcare decisions. OCR also noted that individuals who access their health information are more equipped to follow treatment plans, discover errors in their medical records, and share their information for research purposes. Even though this new guidance was developed for consumers, OCR’s repeated recent dissemination of information on this issue demonstrates its dedication to individual access rights. Healthcare entities must ensure that they have the proper policies, procedures, and training to comply.
Separately, in security-related news, OCR issued a warning on June 7 regarding vulnerabilities in third-party applications. While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems and install updates and patches as needed, OCR reported that companies are less likely to do the same for third-party applications. To beef up security in these applications, OCR suggests that Covered Entities and Business Associates should:
- test third-party applications for security vulnerabilities prior to installation and on a regular basis afterward;
- install patches or updates to the software continuously; and
- carefully review end user license agreements to understand security risks in the applications.