At last week’s Health Care Compliance Association’s annual “Compliance Institute,”  Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.

Continuing Enforcement Issues

Ms. Peters identified key ten enforcement issues that OCR continues to encounter through its enforcement of HIPAA.  Do any of them look familiar to you? These issues include:

  1. Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
    • Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
    • Covered entities publishing PHI on their website or on social media without an individual’s authorization.
    • Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
    • Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
  2. Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
  3. Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
  4. Failure to manage identified risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
  5. Lack of transmission security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
  6. Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for which media interest exists, and access to PHI of employees.
  7. Patching of Software. The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
  8. Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
  9. Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
  10. Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.

Upcoming Guidance and FAQs

OCR also identified upcoming guidance and FAQs that it will use to address the following areas:

  • Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
  • Text messaging
  • Social media
  • Use of Certified EHR Technology (CEHRT) & compliance with HIPAA Security Rule (to be release with the Office of the National Coordinator for Health Information Technology (ONC))
  • The Resolution Agreement and Civil Monetary Penalty process
  • Updates of existing FAQs to account for the Omnibus Rule and other recent developments
  • The “minimum necessary” requirement

Long-term Regulatory Agenda

The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.

Audit Program Status

The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.

Commentary

The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas that are most likely to get them in compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impracticable for many organizations. However the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as their plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.

Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jennifer Rubin and Gauri Punjabi’s Privacy in the Workplace presentation. Jen and Gauri discussed the latest statutory and common law developments concerning employer monitoring of employee email, access to employee social media accounts, social media policies, and bring your own device (“BYOD”) policies.  We were pleased to host over 125 participants for this webinar.

For those who missed the webinar, some of the key takeaways for employers include the following:

  • While there is not much federal or state statutory authority on employer monitoring of employee email access, employers are advised to provide employees with prior notice of such monitoring and obtain their consent to do so.
  • Many states now prohibit employers from requesting access to their employees’ or job applicants’ social media accounts. This trend, along with the number of other states that have considered passing similar legislation, suggests that Congress may soon weigh in on this issue.
  • The National Labor Relations Act applies to all employers, regardless of whether the workplace is unionized, and protects employees who use social media to discuss their wages, hours, and other terms and conditions of employment (i.e., concerted activity).  Employers cannot prohibit employees from using work email accounts to have such discussions during non-working time.  Employees will lose the protection of the Act when their actions disparage the employer’s products or services and/or create a risk of harm to the employer or to others.
  • Social media policies should specify the nature of conduct that is permitted and prohibited and should not utilize broad language that could encompass the right of employees to engage in protected concerted activity.  Social media policies should also take into account an employer’s need to protect trade secrets, comply with industry regulations and applicable federal and state employment statutes, and preserve information relevant to litigation.
  • BYOD policies often result in lower employer costs related to device overhead (purchase/maintenance), improve employee productivity, and result in greater employee job satisfaction.  Prior to implementation, however, employers should consider the process for monitoring compliance with other company policies, keeping track of wages owed to non-exempt employees who use their personal devices to work outside of the office, and maintaining the security of company information that ends up on an employee’s personal device and ensuring its removal once the employee leaves the company.

For a recording of the webinar,  click here.   To download the presentation slides, click here.

The next webinar in the Privacy series — Responding to Insider Theft and Data Disclosure — will take place on Wednesday, March 25, 2015.  This webinar will offer practical advice about responding to data theft and disclosures by employees and former employees. We will cover such topics as conducting a proper investigation, utilizing state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement. This webinar will be presented by members of Mintz Levin’s privacy and data security and white collar crime practice groups.

Sign up here to attend.

Written by Amy Malone

At the end of 2013,  the Federal Financial Institutions Examination Council (FFIEC) became the latest regulator to weigh in on social media and offered their final social media guidance.  The proposed regulation was released last January (mentioned in our post here.) The final guidance is much like the original proposal with the resounding message being that financial institutions need to manage the risks posed by social media.  Actions taken on social media are not exempt from laws and regulations that apply to other communications channels. Financial institutions are not expected to monitor all internet communications for complaints, but they are expected to monitor their own social media and respond as appropriate.

In addition, financial institutions are not required to monitor social media pages of employees, but should develop and train employees on proper social media use (developing employee social media policies comes with its own hurdles – see our blog posts here and here.)

During the December 19 interagency teleconference discussing the final guidance, FFEIC representatives explained what type of due diligence institutions should conduct on third party social media sites (such as Twitter and Facebook).  The representatives said institutions should consider the type of information that is shared on the site, the site’s reputation and the type of control the institution has over the site (the teleconference slides are available here.)  Representatives noted that they have not developed examination procedures specific to social media, but will review social media activities using the current examination process.

Although specific to financial institutions, this guidance is helpful for companies in any industry.  If you haven’t considered the risks social media imposes to your company and customers – now is the time!  Contact one of Mintz Levin’s Privacy Attorneys for assistance.

 

By David M. Katz

There is no denying that the NLRB has recently devoted significant attention to employee’s use of social media.  Since August 2011, the Board’s Acting General Counsel, Lafe Solomon, issued three reports outlining his view of how the NLRA applies to employers’ social media policies and employees’ social media postings.  Click here and here for our commentary on those GC reports and for links to the reports themselves.  Until earlier this month, however, the Board itself had not weighed in on social media policies.

On September 7, the NLRB issued a Decision and Order (which you can access here) invalidating Costco Wholesale Corporation’s electronic posting rule, found in its employee handbook, that prohibited employees from making statements that “damage the Company, defame any individual or damage any person’s reputation.”  With little analysis, the Board found Costco’s policy overly broad, concluding that “the rule would reasonably tend to chill employees in the exercise of their [NLRA] Section 7 rights,” as employees would “reasonably construe the language to prohibit Section 7 activity.”  Section 7 of the NLRA provides to all employees—unionized and non-unionized—the right to engage in protected “concerted activities for the purpose of collective bargaining or other mutual aid or protection.”  Such protected concerted activity includes, for example, the right to protest an employer’s treatment of its employees or other working conditions.

The Costco decision adopts the legal reasoning set forth in the three GC reports, much of which is based upon traditional principles developed prior to the advent of social media as we know it.  And, similar to the three GC reports, the Board’s decision in Costco fails to articulate any social media-specific criteria to assist employers in crafting policies that do not inhibit employee rights under the NLRA,  although it does offer a couple of hints.

First, the Board distinguished prior cases addressing rules prohibiting employee “conduct that is malicious, abusive or unlawful,” including rules concerning employees’ “verbal abuse,” “profane language,” “harassment,” and “conduct which is injurious, offensive, threatening, intimidating, coercing, or interfering with” other employees. Criticizing Costco’s electronic posting rule, the Board stated that its social media policy “does not present accompanying language that would tend to restrict its application.”  If Costco had been more specific, then, by providing examples of prohibited conduct, its policy may have passed muster.  .  In doing so, employers should focus on the types of electronic postings that they truly seek to prohibit, such as defamatory, harassing or other egregious comments, or disclosure of employer trade secrets, proprietary information, or co-workers’ private information.

The second hint dropped by the Board in Costco is the suggestion that an employer’s inclusion of a savings clause or disclaimer may protect the employer from allegations that a social media policy inhibits employees’ protected concerted activities.  The Board concluded that Costco’s “broad” prohibition against making statements that “damage the Company” or “damage any person’s reputation” “clearly encompasses concerted communications,” but continued by noting that “there is nothing in the rule that even arguably suggests that protected communications are excluded from the broad parameters of the rule.”  This statement signals that the Board may have found Costco’s electronic posting rule acceptable had the rule included language specifically exempting protected concerted activities under the NLRA, which is in contrast to the GC’s position on such savings clauses.

As we noted in our previous postings on the subject, in light of the Board’s clear stance on social media policies (now confirmed in its Costco decision), and its application to both unionized and non-unionized employers, we recommend that all employers rigorously review their social media policies to ensure that they do not contain “broad” prohibitions that would not survive NLRB scrutiny.

Recently, the National Labor Relations Board Acting General Counsel Lafe E. Solomon issued his third and latest report on social media cases, providing specific guidance on how to construct a lawful social media policy.  In the report, Solomon takes a narrow view of what types of policy provisions are acceptable and instructs, for example, that certain confidentiality provisions, rules against “friending” co-workers, and blanket prohibitions of disparaging remarks are unlawful because they unduly restrict employees’ rights to discuss working conditions and terms and conditions of employment under the National Labor Relations Act.

Our Mintz Levin colleagues over at the Employment Matters blog have posted an analysis of the report and if your company is struggling with social media issues (who isn’t?)  – click here.