At the Health Care Compliance Association’s annual “Compliance Institute” last week, Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.

Continuing Enforcement Issues

Ms. Peters identified ten key enforcement issues that OCR continues to encounter through its enforcement of HIPAA. Do any of them look familiar to you? These issues include:

  1. Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
    • Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
    • Covered entities publishing PHI on their website or on social media without an individual’s authorization.
    • Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
    • Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
  2. Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
  3. Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
  4. Failure to Manage Identified Risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
  5. Lack of Transmission Security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
  6. Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for whom media interest exists, and access to PHI of employees.
  7. Patching of Software. The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
  8. Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of their workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
  9. Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
  10. Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.

Upcoming Guidance and FAQs

OCR also identified upcoming guidance and FAQs that it will use to address the following areas:

  • Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
  • Text messaging
  • Social media
  • Use of Certified EHR Technology (CEHRT) & compliance with HIPAA Security Rule (to be released with the Office of the National Coordinator for Health Information Technology (ONC))
  • The Resolution Agreement and Civil Monetary Penalty process
  • Updates of existing FAQs to account for the Omnibus Rule and other recent developments
  • The “minimum necessary” requirement

Long-term Regulatory Agenda

The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.

Audit Program Status

The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.

Commentary

The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas that are most likely to get them in compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impracticable for many organizations. However, the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as its plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.

(LONDON) Who is on the ICO’s radar these days?  August seems to be the month for getting new guidance documents out the door at the United Kingdom’s Information Commissioner’s Office.  The UK ICO has just published guidance as to when it is likely to take regulatory action.

The new guidance should be reassuring to companies that are making good faith efforts to comply with the UK’s data protection laws.  Companies that haven’t yet engaged fully with the data protection laws, on the other hand, would be well advised to review the regulatory action guidance, which (along with the ICO’s other guidance documents) puts the law into practical context.

The ICO’s guidance states that regulatory action is likely to be triggered by:

  1. Issues of public concern (including those in the media).
  2. The novel or intrusive nature of specific data processing activities.
  3. Complaints made by the public to the ICO.
  4. Issues that emerge from the ICO’s other activities (such as audits).

Interestingly, the ICO has said that it is less likely to take action where market forces are likely to put pressure on data processors to comply with the data protection laws.  This pro-market approach distinguishes the ICO from other EU data protection regulators, who typically take a more skeptical view of the effectiveness of the free market to incentivize companies to protect personal data.

By way of contrast, the ICO notes that the public sector may require more regulatory action since public sector data protection practices are less transparent, individuals have less choice as to their relationship with public sector data collection and processing, and the nature of the data being processed is frequently more sensitive (such as health data).

The ICO’s current priority areas are:

  • Health
  • Criminal justice
  • Local government
  • Online and mobile services

Three out of the four current priority areas are largely served by the public sector, but the for-profit sector should also stay alert:  The ICO’s enforcement notices page lists Glasgow City Council right next to Google.

Written by Dianne Bourque and Cynthia Larose

The University of California has paid $865,500 to the Office of Civil Rights (OCR) and agreed to a Corrective Action Plan to settle allegations that UCLA Health System (UCLAHS) employees repeatedly snooped in the electronic health records of celebrity patients. 

The OCR’s investigation was prompted by two separate complaints on behalf of celebrity victims.  The investigation revealed that from 2005-2008 employees repeatedly and without authorization accessed electronic health records of these patients. Settlement announcements did not identify either of the specific complaints, but in the past, UCLAHS has identified violations involving the records of Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, Leonardo DiCaprio, Farrah Fawcett and others.   In June of 2010, a UCLA surgeon was sentenced to four months in jail for repeated, unauthorized access to the records of his supervisor and celebrity patients. 

UCLAHS’ corrective action plan requires UCLAHS to implement policies and procedures approved by OCR, to conduct “regular and robust” employee training, to sanction offending employees, and to designate an independent monitor who will assess compliance with the plan over 3 years. 

In the OCR’s press release (see link in last paragraph), one particular sentence highlights the need for covered entities to take all of the requirements of HIPAA/HITECH seriously:

“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.”

Compliance policies are important.  But we often speak of “policies and procedures” as a complete term.  Written policies are meaningless without (a) procedures to implement those policies, (b) training and awareness to ensure that the policies & procedures actually are communicated to the workforce, and (c) consistent and meaningful follow up to reinforce all of the foregoing. 

More information, including a copy of the Resolution Agreement and Corrective Action Plan, is available here.

If your company transfers personal data cross-border and you participate in the Safe Harbor program, it’s time to check the status of your certification. For the second time in a month, the Federal Trade Commission has announced enforcement actions against companies under Safe Harbor, the international privacy framework that provides a means for U.S. companies to transfer data from the European Union to the United States in keeping with EU and U.S. law.

In September, the first ever Safe Harbor enforcement action was announced against a California company, Balls of Kryptonite, which had falsely represented that it had self-certified to the Safe Harbor program, when apparently it never had. Yesterday, the FTC continued the trend by announcing six separate enforcement actions in one fell swoop.

According to the six separate complaints, the companies deceptively claimed they held current certifications under the Safe Harbor framework, when in fact the companies had allowed those certifications to expire. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. To participate in Safe Harbor, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The proposed settlements do not include any monetary penalties nor any admission of guilt, but would require compliance monitoring for 20 years.

If you have put Safe Harbor (either compliance or certification) on the “back burner” because it appeared that the FTC was not enforcing the program, the time for change has come. You should check what representations are being made on public-facing websites and privacy policies regarding Safe Harbor certification and ensure that these representations are accurate and up-to-date. In the cases announced yesterday, the defendant companies had been certified, but had let those certifications lapse. The exhibits to the FTC’s complaints included pages from their websites (see links below), and their own words were used against them.

For more information:
To file a public comment in the FTC proceeding – http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf and follow the instructions at that site.

FTC Complaints:
In the Matter of World Innovators, Inc.
In the Matter of ExpatEdge Partners, LLC
In the Matter of Onyx Graphics, Inc.
In the Matter of Directors Desk LLC
In the Matter of Progressive Gaitways LLC
In the Matter of Collectify LLC

Safe Harbor List
To check the status of your company’s Safe Harbor certification – Safe Harbor List

BREAKING NEWS:

The Federal Trade Commission has again extended the enforcement deadline for the Red Flags Rule, according to an agency press release. Creditors and financial institutions now have until November 1, 2009 to come into compliance with the rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003. Meanwhile, the commission will redouble efforts to educate businesses affected by the rule on what they must do to comply. The Red Flags Rule requires entities to implement programs for identifying, detecting and responding to harbingers of identity theft, or “red flags.”   Hospitals and retailers had been especially vocal about lack of knowledge as to whether they should be required to comply.  In addition, the American Bar Association had been threatening to take legal action if the FTC did not clarify that the rule should not apply to lawyers before August 1.

More coming.

There is increased activity at the Federal Trade Commission on the consumer protection front. David Vladeck, the FTC’s new director of the Bureau of Consumer Protection, is wasting no time in getting down to business. With less than a month on the job, Vladeck announced two major enforcement actions: one involving a nationwide crackdown against scammers, and the other resulting in a $3.7 million penalty for CAN-SPAM violations.

Mintz Levin colleague Farrah Short writes that “Director Vladeck was named to the position in April and began his new role in June, after a handful of consumer watchdog groups called for the FTC Chairman to appoint someone with ‘a track record as a genuine champion of consumer rights.’ If these early announcements are any indication, Director Vladeck may be on his way to fulfilling that wish.”

For more:

CAN-SPAM action
FTC scammer action