While your business may indeed be a “victim” when hit by a phishing attack, your enterprise can also be responsible for violations of law associated with the incident.   Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.

The MCPH settlement underscores the importance of risk analyses and workforce training to avoid phishing scams. Additionally, it is crucial that entities regulated by HIPAA conduct an enterprise-wide HIPAA risk analysis, update that analysis to address new threats, and implement policies and training based on identified risks. Failure to comply with these essential HIPAA requirements can turn a relatively routine breach investigation into a $400,000 settlement.

A copy of the MCPN resolution agreement and corrective action plan is available here. OCR’s press release on the settlement is available here. General Security Rule guidance from OCR is available here.

At last week’s Health Care Compliance Association’s annual “Compliance Institute,”  Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.

Continuing Enforcement Issues

Ms. Peters identified key ten enforcement issues that OCR continues to encounter through its enforcement of HIPAA.  Do any of them look familiar to you? These issues include:

  1. Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
    • Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
    • Covered entities publishing PHI on their website or on social media without an individual’s authorization.
    • Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
    • Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
  2. Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
  3. Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
  4. Failure to manage identified risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
  5. Lack of transmission security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
  6. Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for which media interest exists, and access to PHI of employees.
  7. Patching of Software. The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
  8. Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
  9. Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
  10. Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.

Upcoming Guidance and FAQs

OCR also identified upcoming guidance and FAQs that it will use to address the following areas:

  • Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
  • Text messaging
  • Social media
  • Use of Certified EHR Technology (CEHRT) & compliance with HIPAA Security Rule (to be release with the Office of the National Coordinator for Health Information Technology (ONC))
  • The Resolution Agreement and Civil Monetary Penalty process
  • Updates of existing FAQs to account for the Omnibus Rule and other recent developments
  • The “minimum necessary” requirement

Long-term Regulatory Agenda

The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.

Audit Program Status

The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.

Commentary

The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas that are most likely to get them in compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impracticable for many organizations. However the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as their plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.

Last week, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

According to OCR, the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by HIPAA. The health system also failed to regularly review records of information system activity for its applications that maintain electronic PHI and which are accessed by workforce users and users at affiliated physician practices. To make matters worse, the health system failed to review the audit information despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

While hacking incidents typically garner more media coverage, this case highlights the increasing threat posed by those inside a HIPAA-regulated organization. According to a Protenus report, nearly 60% of the breaches that occurred this past January involved insiders. Organizations would be well-served by reviewing recent OCR guidance on the importance of audit controls.

Originally posted in Mintz Levin’s Health Law Policy Matters

The U.S. Department of Health and Human Services Office for Civil Rights (OCR)  recently issued a warning regarding vulnerabilities in third-party applications used by entities covered by HIPAA.  The OCR warning applies generally to HIPAA Covered Entities and Business Associates.  While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems (like Windows) and install updates and patches as needed (we hope), OCR reported that companies are less likely to do the same for third-party applications (like Adobe’s Acrobat or others). Continue Reading OCR Warns of HIPAA Risks in Third-Party Apps

At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.

The protocol covers the following subject areas:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.

Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates.  The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate’s name, contact information, type of services, and website.

Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.

As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment.  Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice.   In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.

 

Originally posted to Mintz Levin’s Health Law & Policy Matters Blog on 4/20/16

The HHS Office for Civil Rights (“OCR”) officially launched  the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.

Why Audits? Why Now?

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2. Continue Reading Phase 2 HIPAA Audits Coming to You: Check Your Spam Filter!

Written by Kate Stewart

Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home health care provider announced yesterday, we can now add to that list the fact that PHI should not be stored under an employee’s bed or in a kitchen drawer. Continue Reading Latest OCR Enforcement Action: Underbed Storage is Not Appropriate for PHI

The First Rule of How to Survive a HIPAA Audit:  Be Prepared

2015 is bringing along with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules.   It is anticipated that 300-400 business associates will be the subject of a desk audit and an undisclosed number of lucky business associates and covered entities will be chosen for intensive, on-site audits.  Remember, if your business provides services to a healthcare entity covered by HIPAA, you are likely a business associate.

So, here’s the question:  are you audit-ready?  

In a free webinar, Mintz Levin’s Dianne Bourque will walk you through how to prepare now in the event that you are one of the chosen.

Save the date:   Wednesday, January 28, 2015   1:00 PM ET/10:00 AM PT

Registration information will follow!

 

 

……………..a cumbersome C-A-P

Written by Dianne Bourque 

The U.S Department of Health and Human Services Office for Civil Rights has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations.  Seven-figure fines are becoming the norm for serious violations, for example, in May of this year, OCR fined a hospital and university a combined total of $4.8 million dollars for their separate HIPAA violations.  While the risk of steep fines and bad publicity should be sufficient motivation for regulated entities to maintain a robust HIPAA compliance program, there is another aspect of HIPAA enforcement that receives far less media attention but can be just as onerous: the corrective action plan, or “CAP.”  

Much like a year-long membership in the Jelly of the Month Club, the CAP is the gift that keeps on giving – the whole year.  Actually, most CAPS spread the cheer for at least three years following an initial OCR settlement.  For the 10th Day of Privacy, we take a closer look at the CAP.   Continue Reading On the Tenth Day of Privacy, OCR Gave to Me…..

Written by Stephanie Willis  

This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.” 

The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake of the United States’ recent experience with disclosing information about patients diagnosed with and treated for Ebola and enterovirus-d68.  Because the HIPAA Privacy Rule only provides a very limited waiver of sanctions and penalties against a covered hospital for acts during a public health or other emergency under the Project Bioshield Act and section 1135(b)(7) of the Social Security Act (and only if the U.S. President declares a public health emergency or disaster and the Secretary of HHS declares a public health emergency), covered entities and business associates cannot afford to abandon HIPAA’s privacy and security mandates. Continue Reading OCR Issues New Bulletin on Ensuring Privacy in Public Health Emergencies