Office for Civil Rights/OCR

On December 12, 2018, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a Request for Information (“RFI”) “to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.” Through this RFI, OCR seeks public comment regarding whether and how the HIPAA Privacy and Security Rules could be revised to promote value-based care and care coordination without jeopardizing individuals’ rights to privacy. OCR will accept comments through February 12, 2019.

Specifically, OCR has requested comments regarding the following four topics:

The Upper San Juan Health Service District d/b/a Pagosa Springs Medical Center (“PSMC”), a critical access hospital in Colorado, has agreed to a $111,400 settlement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to resolve a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar because PSMC failed to deactivate the former employee’s username and password following termination of employment. OCR investigated the complaint and discovered that PSMC impermissibly disclosed the protected health information (“PHI”) of 557 patients to the former employee. Moreover, OCR determined that PSMC did not have a Business Associate agreement in place with the vendor of the web-based scheduling calendar.

The Resolution Agreement also includes a two-year Corrective Action Plan. Under the Corrective Action Plan, PSMC must: (i) revise its policies and procedures relating to Business Associates and uses and disclosures of PHI; (ii) submit proposed training materials on the revised policies and procedures for OCR’s review and train workforce members in accordance with the approved training materials; (iii) develop a current Risk Analysis and submit such analysis to OCR for review; and (iv) upon OCR’s approval of the Risk Analysis, provide OCR with a risk management plan that addresses and mitigates the security risks and vulnerabilities identified in the Risk Analysis and documentation that the risk management plan is being implemented.

The Resolution Agreement and Corrective Action Plan are available here.

Our take:

HIPAA requires covered entities and business associates to terminate a workforce member’s access to all systems and databases containing PHI upon the date the workforce member’s employment, or other arrangement with the entity, ends. The PSMC settlement serves as a reminder that the electronic health record is not the only database for which access must be terminated. HIPAA entities should develop a checklist that identifies all systems and databases containing PHI to ensure all access to PHI is terminated upon a workforce member’s separation from the entity.
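The checklist described above is easiest to keep honest when it is reconciled against live account exports rather than ticked off by hand. The following script is an added example written for this post, not code from the original or from OCR: it takes an inventory of systems (flagged for whether they hold PHI, whether they are vendor-hosted, and whether a business associate agreement is on file) and the per-system account listings exported after a separation, and reports every place the departed user still has access, every account on a system the inventory does not even know about, and every vendor-hosted PHI system lacking a BAA. All system names, user names and dates are constructed sample data.

```python
"""Offboarding reconciliation: confirm a separated workforce member retains no
access on any system that holds PHI.

Added example, not code from the original post or from OCR. The system inventory
and the per-system account exports below are constructed sample data; a real
deployment would pull them from the identity provider and each application's
administrative API, including vendor-hosted tools such as a web-based scheduler.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class System:
    name: str
    holds_phi: bool
    vendor_hosted: bool   # third-party web application, e.g. a scheduling calendar
    baa_on_file: bool     # business associate agreement in place with the vendor


@dataclass(frozen=True)
class Account:
    system: str
    user: str
    active: bool
    last_login: Optional[date] = None


# Constructed inventory: the EHR plus the less obvious systems that also hold PHI.
INVENTORY = [
    System("ehr", holds_phi=True, vendor_hosted=False, baa_on_file=True),
    System("web-scheduler", holds_phi=True, vendor_hosted=True, baa_on_file=False),
    System("billing", holds_phi=True, vendor_hosted=True, baa_on_file=True),
    System("intranet-wiki", holds_phi=False, vendor_hosted=False, baa_on_file=False),
]

# Constructed account exports taken after the (constructed) separation date.
SEPARATION_DATE = date(2018, 5, 31)
ACCOUNTS = [
    Account("ehr", "jdoe", active=False),
    Account("web-scheduler", "jdoe", active=True, last_login=date(2018, 6, 3)),
    Account("billing", "jdoe", active=True),
    Account("intranet-wiki", "jdoe", active=True),
    Account("ehr", "asmith", active=True),
    Account("fax-gateway", "jdoe", active=True),   # system absent from the inventory
]


def offboarding_findings(user: str, separation_date: date,
                         inventory: List[System], accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return sorted (system, finding) pairs for one separated user.

    access-still-active     an enabled account remains on a PHI system
    login-after-separation  the account was used after the separation date
    untracked-system        the account lives on a system missing from the inventory
    baa-missing             a vendor-hosted PHI system has no BAA on file (user-independent)
    """
    by_name = {s.name: s for s in inventory}
    findings = set()
    for acct in accounts:
        if acct.user != user:
            continue
        system = by_name.get(acct.system)
        if system is None:
            # PHI exposure cannot be judged for an untracked system; the checklist itself is incomplete.
            findings.add((acct.system, "untracked-system"))
            continue
        if not system.holds_phi:
            continue
        if acct.active:
            findings.add((system.name, "access-still-active"))
        if acct.last_login and acct.last_login > separation_date:
            findings.add((system.name, "login-after-separation"))
    for system in inventory:
        if system.holds_phi and system.vendor_hosted and not system.baa_on_file:
            findings.add((system.name, "baa-missing"))
    return sorted(findings)


def checklist_complete(user: str, separation_date: date,
                       inventory: List[System], accounts: List[Account]) -> bool:
    """True only when nothing remains: every PHI system shows the user deactivated,
    no account sits on an untracked system, and every vendor-hosted PHI system has a BAA."""
    return not offboarding_findings(user, separation_date, inventory, accounts)


if __name__ == "__main__":
    for system, finding in offboarding_findings("jdoe", SEPARATION_DATE, INVENTORY, ACCOUNTS):
        print(f"{system:<15} {finding}")
    print("checklist complete:", checklist_complete("jdoe", SEPARATION_DATE, INVENTORY, ACCOUNTS))
```

The untracked-system finding is the one that matters most for the PSMC pattern: a vendor-hosted calendar that never made it onto the inventory is invisible to an offboarding checklist, so the reconciliation treats any account export the inventory cannot explain as a failure in its own right rather than silently skipping it.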

A few months ago we posted an update on the California Consumer Privacy Act, a mini-GDPR that contains serious privacy ramifications for the U.S. privacy landscape. Likely in response to the upcoming 2020 go-live for the California law, various groups have noticed an uptick in lobbying directed at the passage of a federal privacy law that would pre-empt the California law and help harmonize the various state laws. Pushing to the front of that effort is a new draft federal privacy law proposed by Intel.

The Intel law appears to be written specifically to pre-empt the California law, as it contains language that would pre-empt any state law with civil provisions designed to reduce privacy risk through the regulation of personal data. This pre-emption contains limited exceptions for state data-breach, contract, consumer protection, and various other laws, but it would drive a hole through California’s law. Furthermore, Intel’s proposed law could pre-empt various specific laws such as Illinois’ biometric data protection law, and, because it does not include any notice provision, it would rely on the state breach-notification statutes to find violations in the first place.

Beyond frustrating state attempts at personal information regulation, the law creates penalty caps that result in disproportionate punishments for smaller and mid-size security incidents and allow larger incidents, typical of a larger company, to operate on an eat-the-fine basis. For example, the Equifax breach from earlier this year affected 143 million Americans. If regulators chose to bring an action, the maximum penalty could be up to $16,500 per violation, which means a maximum penalty of 2.3 trillion dollars. The penalty cap, however, was set at 1 billion dollars, meaning the largest data breaches will face the lowest penalty per impacted individual.

Our take

This proposed national privacy law would primarily serve the interests of the largest players in the tech and data industry, while providing harsher relative penalties to smaller and mid-size players. This law or something similar is likely to see serious political debate in the next few years as lobbying efforts intensify. Expect the heat to turn up as we near January 1, 2020.

Last week, four different settlement agreements were announced with four different Massachusetts hospitals to settle claims that they had violated HIPAA and state consumer protection and data security laws, by either not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or failing to investigate reports of inappropriate access to medical records by employees. Three hospitals entered settlement agreements and agreed to corrective action plans with the Department of Health and Human Services Office for Civil Rights (“OCR”), while the fourth hospital and an associated medical group entered into a settlement agreement with the Massachusetts Attorney General. OCR initiated its review of the three hospitals it settled with after reading news stories about the hospitals allowing a TV documentary to film inside those hospitals. In one instance, the news story OCR cited as launching its investigation was actually posted on one of the hospital’s websites by the hospital itself. OCR’s investigation revealed that while the hospitals had taken some precautions by, for example, conducting a HIPAA training with the filming crew, the hospitals nevertheless failed to obtain proper authorizations from patients. Collectively, the three hospitals settled with OCR for $999,000.

The settlement with the Massachusetts AG stemmed from two employees of the hospital and medical group inappropriately accessing information on more than 15,000 Massachusetts residents while employed with the settling organizations, ultimately opening cell phone and credit card accounts with the information they improperly obtained. Although the AG alleges that the hospital and medical group were informed of these employees’ misconduct by an inside informant, its complaint further alleged that the hospital and group failed to properly investigate those complaints, verify their information was safeguarded, or discipline the employees in question. The providers did eventually perform a sufficient investigation, but not until after a deceased patient’s widow complained that her husband’s information had been fraudulently used. The AG’s office alleged violations of the Massachusetts Consumer Protection Act, Data Security Law, and HIPAA in its complaint filed simultaneously with the consent decree, which included a payment of $230,000.

Our take

Despite what any of us might be feeling or inclined to think to the contrary, HIPAA enforcement is alive and well, both at the federal and state levels. Although there is some indication that OCR has been selective in its enforcement, and is focusing on pursuing large dollar value settlements, the Massachusetts AG settlement demonstrates that state attorneys general can and do enforce HIPAA violations of all sizes, either standing alone or as part of an enforcement action for a state data privacy or data breach law, the latter of which all 50 states now have. These settlements also show, on the one hand, how regulators will bring enforcement actions and levy fines even in the absence of a patient complaint or when a provider believes it is doing everything right, and, on the other, how regulated entities need to take reports of unauthorized access or use of PHI seriously, including investigating and reprimanding employees involved, subject to whistleblower protections.

As the lazy days of summer wind down slowly at first, and then all at once, now is a good time for a reminder that your own employees returning to work full steam may pose the biggest threat to your cybersecurity. According to the U.S. Department of Health and Human Services Office for Civil Rights, July was the worst month this year for healthcare data breaches. So far in 2018, more individual records have been exposed than for all of 2017, including 1.4 million individual records exposed in the biggest breach from July, which was attributed to a phishing attack. These statistics back up a Verizon report on PHI data breaches that came out earlier this year and found that 58% of PHI data breaches involved insiders, and that healthcare is the only industry in which internal actors pose the biggest threat to organizations.

But that doesn’t mean healthcare alone is vulnerable to insider threats, as a Department of Justice criminal complaint filed in June and released earlier this month demonstrates. That complaint alleges that an $81 million bank heist suffered by a Bangladesh bank was carried out by North Korean cybercriminals and started with the criminals sending spearphishing emails to targeted individuals. In those emails, a purported job applicant would ask for a personal interview and attach a .zip file that the applicant claimed was a resume. When opened, the .zip file automatically downloaded malware to the recipient’s computer, which ultimately made its way to the bank’s IT system. This allegedly allowed the hackers to impersonate bank employees, access the SWIFT network, and transfer funds from the bank’s account to an account in the Philippines. Additional malware was used to cover their tracks.

Our take

While certain manipulation of a network as seen in the Bangladesh bank heist may take some skill and expertise, phishing and its targeted variant, spearphishing, are straightforward exploitations of human error. They demonstrate that allocating budget to pay for cybersecurity technology may not be enough, and resources also need to be spent on employee training and culture shifting. Certainly, layered technology solutions that address different weak points, including two-factor authentication, are important and helpful, but organizations need to take a wider view of cybersecurity and risk reduction to both account for, and attempt to correct, human error.

In its August Cyber Security Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued “Considerations for Securing Electronic Media and Devices.” In this guidance document, OCR reminds HIPAA covered entities and business associates that they are required, under the HIPAA Security Rule, to implement policies and procedures that: (1) limit physical access to the organization’s electronic information systems and the facilities in which they are housed and (2) govern the receipt and removal of hardware and electronic media containing electronic PHI (“ePHI”) into and out of an organization’s facility and their movement within a facility.

OCR sets forth the following considerations for covered entities and business associates to take into account when developing policies and procedures regarding device and media controls:

  • “Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles?”
  • “Does the organization’s record of device and media movement include the person(s) responsible for such devices and media?”
  • “Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?”
  • “Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?”

OCR explains that an organization should use its risk analysis and risk management processes to identify and implement appropriate electronic device and media controls. Moreover, an organization should consider the following factors when determining what security measures to implement: (1) “[i]ts size, complexity, and capabilities;” (2) “[i]ts technical infrastructure, hardware, and software security capabilities;” (3) “[t]he costs of security measures;” and (4) “[t]he probability and criticality of potential risks to ePHI.”

Finally, OCR notes that an organization that has implemented an electronic asset inventory and tracking system will be better positioned to identify and manage risks associated with such devices and media and to respond to and recover from security incidents and breaches.

OCR’s August Cyber Security Newsletter can be found here.

Our take

Healthcare organizations use a variety of different electronic devices and media, including laptops, tablets, smartphones, and USB drives, in their day-to-day activities. Without appropriate processes in place to track and safeguard these devices, organizations are at greater risk of experiencing loss, theft, and the potential breach of PHI. Therefore, such organizations should review their existing electronic devices and media security policies and procedures while taking into account the various considerations set forth above.

On August 30, 2018, in honor of the 22nd anniversary of the introduction of HIPAA, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) released a blog post entitled “HIPAA & Health Information Portability: A Foundation for Interoperability.” This blog post outlines the initiatives HHS and its components, including the Centers for Medicare & Medicaid Services (“CMS”) and the National Institutes of Health (“NIH”), have recently taken to improve individual access to health information and to promote the secure portability of health information. For example, OCR and ONC have initiated a campaign to encourage individuals to “get, check, and use” their health information and to take advantage of their right to access their health information as a means of taking greater control over their health care decisions. These resources for individuals are available here. Moreover, OCR and ONC have issued guidance and training resources about the HIPAA right of access for health care providers. The training module for health care providers about patients’ right of access is available here.

Additionally, CMS has asked for comment on whether CMS should make interoperability a requirement for providers that participate in the Medicare program. See “Speech: Medicare Remarks by CMS Administrator Seema Verma at the Commonwealth Club of California” available here. Furthermore, NIH has established a research program that will require the portability of health information.

The HHS blog post is available here.

Our take

This guidance suggests that HHS is cracking down on violations of the HIPAA individual right of access. Therefore, health care organizations must be cognizant of the importance of providing individuals with access to their health information within 30 days (and no later than 60 days) of the individual’s request.

In its July Cybersecurity Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued “Guidance on Disposing of Electronic Devices and Media,” which reminds HIPAA covered entities and business associates that they are required under the HIPAA Security Rule to dispose of electronic devices and media in a secure manner. Specifically, OCR highlighted the important role an organization’s risk analysis plays in identifying “how best to protect data stored on electronic devices and media that has reached the end of its useful life” and encouraged organizations to review their existing data storage and disposal policies and to consider, among other things, the “logistics and security controls in moving the equipment” prior to destruction or disposal. In addition, OCR emphasized that organizations should not only be concerned about the actual disposal of electronic devices, but that they should also review their decommissioning processes (i.e., “the process of taking hardware or media out of service prior to the final disposition of such hardware or media”). OCR explained that, in order to ensure electronic devices are properly decommissioned, organizations should ensure that: (i) their electronic devices and media are securely erased before being securely destroyed or recycled; (ii) their inventories are regularly updated to reflect the status of decommissioned devices and those designated to be decommissioned; and (iii) the data is protected “via proper migration to another system or total destruction of the data.”

Finally, OCR set forth the following considerations for covered entities and business associates to take into account when developing policies and procedures for the final disposition of electronic devices and media containing ePHI:

  • “Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
  • Ensure that ePHI is properly destroyed and cannot be recreated.
  • Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
  • Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives).
  • Ensure that ePHI is removed from reusable media before they are used to record new information.”
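The August newsletter’s tracking record (location, movement, repairs, disposition and the responsible person for each device) and the July newsletter’s decommissioning steps (erase before destroy or recycle, keep the inventory current, migrate or destroy the data) fit naturally into one data structure: an inventory whose lifecycle transitions are enforced rather than merely documented. The following is an added example written for this post, not code from the original or from OCR. It models each device with a chain-of-custody history, refuses any transition that would dispose of ePHI-bearing media without an erase step, and runs the inventory-hygiene checks OCR asks for over the whole record. Asset ids, custodians, dates and the 30-day overdue threshold are constructed assumptions.

```python
"""Electronic device and media inventory with an enforced decommissioning lifecycle.

Added example, not from the original post or from OCR's newsletters. Asset ids,
custodians, dates and the overdue threshold below are constructed sample data;
a real deployment would feed the same record from the help desk, MDM and the
destruction vendor's certificates.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Allowed lifecycle transitions. Media that holds ePHI must pass through
# "erased" before any final disposition, and wiped media may re-enter service.
TRANSITIONS = {
    "in_service":      {"decommissioning"},
    "decommissioning": {"migrated", "erased"},
    "migrated":        {"erased"},            # data moved off; media still needs wiping
    "erased":          {"destroyed", "recycled", "in_service"},
    "destroyed":       set(),
    "recycled":        set(),
}
FINAL_STATES = {"destroyed", "recycled"}
MAX_DECOMMISSION_DAYS = 30          # assumed policy threshold, not an OCR figure
AS_OF = date(2018, 8, 15)           # constructed "today" for the walkthrough


@dataclass
class Device:
    asset_id: str
    kind: str                       # laptop, usb-drive, backup-tape, ...
    contains_ephi: bool
    custodian: str                  # the responsible person OCR asks the record to name
    location: str
    state: str = "in_service"
    # (date, event, actor, note): the tracking record for the device's whole lifecycle
    history: List[Tuple[date, str, str, str]] = field(default_factory=list)


class Inventory:
    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}

    def add(self, device: Device, on: date) -> None:
        self.devices[device.asset_id] = device
        device.history.append((on, "added", device.custodian, device.location))

    def move(self, asset_id: str, on: date, actor: str,
             location: Optional[str] = None, custodian: Optional[str] = None) -> None:
        """Record a location change, custodian handover or repair trip (no state change)."""
        d = self.devices[asset_id]
        d.location = location or d.location
        d.custodian = custodian or d.custodian
        d.history.append((on, "moved", actor, f"{d.location}/{d.custodian}"))

    def transition(self, asset_id: str, new_state: str, on: date, actor: str, note: str = "") -> None:
        """Advance the lifecycle; skipping the erase step is rejected outright."""
        d = self.devices[asset_id]
        if new_state not in TRANSITIONS[d.state]:
            raise ValueError(f"{asset_id}: {d.state} -> {new_state} is not an allowed step")
        d.history.append((on, new_state, actor, note))
        d.state = new_state

    def findings(self, as_of: date) -> List[Tuple[str, str]]:
        """Policy checks across the inventory (covers records imported with a final state)."""
        out = []
        for d in self.devices.values():
            events = [e for _, e, _, _ in d.history]
            if d.state in FINAL_STATES and d.contains_ephi and "erased" not in events:
                out.append((d.asset_id, "disposed-without-erase"))
            if d.state in ("decommissioning", "migrated"):
                started = next(on for on, e, _, _ in d.history if e == "decommissioning")
                if (as_of - started).days > MAX_DECOMMISSION_DAYS:
                    out.append((d.asset_id, "decommission-overdue"))
            if not d.custodian:
                out.append((d.asset_id, "no-responsible-person"))
        return sorted(out)

    def disposition_record(self, asset_id: str) -> List[str]:
        """Human-readable chain of custody for an audit or an incident investigation."""
        d = self.devices[asset_id]
        return [f"{on.isoformat()} {event:<15} {actor:<12} {note}" for on, event, actor, note in d.history]


def build_sample_inventory() -> Inventory:
    """Constructed walkthrough: one laptop decommissioned correctly, one USB drive stalled."""
    inv = Inventory()
    inv.add(Device("LT-0001", "laptop", True, "rnurse", "clinic-a"), date(2018, 1, 8))
    inv.add(Device("USB-0002", "usb-drive", True, "", "billing"), date(2018, 2, 1))
    inv.add(Device("TAPE-0003", "backup-tape", True, "itops", "datacenter"), date(2018, 2, 1))
    inv.move("LT-0001", date(2018, 5, 2), "helpdesk", location="repair-vendor")
    inv.move("LT-0001", date(2018, 5, 9), "helpdesk", location="clinic-a")
    inv.transition("LT-0001", "decommissioning", date(2018, 7, 1), "itops", "replaced")
    inv.transition("LT-0001", "migrated", date(2018, 7, 3), "itops", "profile copied to LT-0009")
    inv.transition("LT-0001", "erased", date(2018, 7, 4), "itops", "purge verified, cert CONSTRUCTED-001")
    inv.transition("LT-0001", "recycled", date(2018, 7, 10), "itops", "vendor pickup")
    inv.transition("USB-0002", "decommissioning", date(2018, 6, 1), "billing-mgr", "drive retired")
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    for line in inv.disposition_record("LT-0001"):
        print(line)
    print(inv.findings(as_of=AS_OF))
```

The state table does the enforcement at write time, which is why the `disposed-without-erase` check only fires for records imported with a final state already set; the `decommission-overdue` check is the one that catches the more common failure, a device pulled from service and then forgotten in a drawer with its data intact.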

OCR’s July Cybersecurity Newsletter can be found here.

Our take

HIPAA covered entities and business associates should be wary of the risks emanating from the improper disposal of electronic devices and media, as improper disposal of PHI has been one of the leading causes of data breaches over the years. Therefore, such organizations should review their existing disposal policies and procedures, as well as relevant vendor contracts, taking into account the various considerations set forth above.