Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator for many of the cases in which there was a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. The OCR has jumped off the 2017 year with a record number of significant settlements. The most recent is CardioNet, a wireless health services provider, who provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The provider entered into a settlement for $2.5 million and implemented a corrective action plan for disclosure of unsecured ePHI on a laptop that was stolen from a parked car. CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft and their HIPAA Security Rule policies and procedures had not been implemented. The OCR has entered into a number of other significant settlements. Others who paid settlements for violating HIPAA requirements so far this year include Memorial Health Systems ($5.5 million); Children’s Medical Center in Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Community Provider Network of Denver ($400,000). In all these cases, there was the requirement to take corrective actions.

2016 OCR Results

  • There were 329 Data Breaches greater than 500 Individuals (a new record).
  • 225 OCR Phase 2 of HIPAA compliance audits conducted of covered entities and BAs.
  • No onsite audits were conducted.
  • No findings or notifications from the audits have been made.
  • The OCR intends to use the results from these audits to prepare for a new and better tool in the future.
  • There was a large jump in fines imposed for HIPAA violations that totaled about $24 million (versus a little more than $6 and $8 million in for 2105 and 2014 respectively)

OCR in 2017

  • The OCR stated intention is to conduct only a few onsite audits in 2017.
  • To date the OCR has nearly achieved the level of 2016 in terms of penalties imposed.
  • To date about 100 data breaches impacting greater than 500 Individuals have been reported.
  • About a half million individuals have been impacted in reported data breaches so far this year.
  • Only a relatively few BAs were involved in any of the reported data breaches.

The enforcement actions most often come from the OCR when investigations into the root cause of the breach found systemic, often profound, failures of organizational programs to safeguard protected health information.  This includes the failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required actions under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA Compliance.  Other actionable problems that resulted in the OCR imposing HIPAA corrective action plans (CAP) included inappropriate delay in data breach reporting (reported after 60 days from the date of discovery); and inappropriate oversight into user set up and user management. There is also the continuing problem of organizations not implementing encryption technology on mobile devices.

Camella Boateng, a HIPAA consultant reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual’s right to access their PHI to data held by business associates. As such, it is more important than ever that entities give a priority for engaging in a self-audit, so vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with a shifting focus toward BA, it is important to avoid any potential partner that will not commit to signing a BAA.

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA requests forms for patient’s rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • conducting a regular HIPAA risk analysis;
  • developed a risk management plan to address gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight into systems with PHI;
  • auditing practices for verification of compliance;
  • ongoing evaluation of current safeguards established by the organization;
  • strong oversight into user set up and user management;
  • implementing encryption technology on mobile devices; and
  • ensuring partners have signed BAAs.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: FBI on cybersecurity—advice and tips

The FBI recently made presentations on cyber security at the Boston Conference on Cyber Security and at the American Hospital Association annual meeting. Key points from these presentations included, underscoring that the FBI is the lead federal agency for investigating cyber-attacks by criminals, overseas adversaries, and terrorists. The FBI views cyber threats seriously, as a growing problem as cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Both private and public sector networks are targeted by adversaries for trade secrets, sensitive business data, and privacy information. Universities are targeted for their research and development. Individuals are targeted by fraudsters and identity thieves. Children are targeted by online predators. The FBI has been gearing up to the challenges from these threats by enhancing its Cyber Division’s investigative capacity to sharpen its focus on intrusions into government and private computer networks. However, they are struggling against a number of challenges, including finding talented workers in competition with the private sector, and the fact that a majority of cyber-attacks are never reported because parties want to address the problem without getting entangled in an FBI investigation. This hampers their work. The FBI desires to encourage better reporting, emphasizing that the agency has an interest in protecting private information and data; any internal information received will not be used against a provider, as they will be treated as a victim. The FBI recognizes that health care organizations are major targets for cyber-criminals, because the sensitive data they collect in droves can be sold at a high price for use in fraud and identity theft. Medical devices are also increasingly becoming a target.

The FBI is encouraging health care companies to share some basic network information with their local FBI offices, before an attack occurs, and to join an information-sharing group with other companies in their industry. The following observations and advice came from the two FBI presentations:

FBI Advice and Tips

  1. People are “weak links” in cyber-attacks, so train them to recognize and prevent cybercrimes.
  2. Review if everyone with high-level access to a hospital’s database needs to have that access.
  3. It is important to update and patch systems regularly to prevent intrusion.
  4. More people with security access, the easier it is to breach.
  5. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access.
  6. Develop a business continuity plan to prevent down time.
  7. Establish real-time data backups to permit work to continue.
  8. Organizations should establish closer ties with the local FBI before there is any incident.
  9. Those harmed in a cyber-attack will be treated like victims of a crime.
  10. Called for building a relationship with the local FBI.
  11. Organizations should join information-sharing groups with others in their industry.
  12. Regular systems tests can also help flag vulnerabilities before a hacker can get in.
  13. Don’t assign responsibility for cyber security to someone at a low level in the organization.
  14. Cyber security is an enterprise risk and executive and board level interest is needed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: New analysis of OCR reports found 1800 large breaches over 7 years

In presentation at the Health Care Compliance Association (HCCA) entitled “OCR Enforcement Update,” HHS Office for Civil Rights (OCR) Senior Adviser Iliana Peters reported that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (P.L. 104-191) (HIPAA) violations of an increasing number. To date, the OCR has received 150,507 complaints, with 24,879 being resolved with corrective action measures or technical assistance.  She estimated that the OCR will receive about 17,000 complaints in 2017.

A new study published in JAMA Internal Medicine found since 2009 that 1,798 “large data breaches” involving patient information since 2009 had been reported by health care providers to the OCR.  Out of that number, 216 hospitals reported 257 data breaches, while 33 hospitals were found to have experienced multiple data breaches.  Of 141 acute care hospitals reporting breaches, 52 were major academic medical centers.  These numbers are misleading in that they represent only a small fraction of the total number of breaches, as indicated by Peters.  The reason is that smaller breaches are not required to be reported, and many breaches may not have been voluntarily reported.  The need for increased vigilance and internal controls are needed.

Latest OCR resolution

The OCR announced a resolution agreement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. MCPN filed a breach report with the OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. As with many of the reported large breaches, the OCR found that prior to the breach incident, there was no risk analysis to assess the risks and vulnerabilities in its ePHI environment and a corresponding failure to implement any associated risk management plans to address the risks and vulnerabilities identified in a risk analysis.

Reminder tips on HIPAA compliance

As a reminder, entities should perform the following recommended steps in order to comply with HIPAA.

  1. Perform a complete a security risk analysis that addresses ePHI vulnerabilities.
  2. Engage an outside expert to independently verify that Privacy/Security Officers are meeting obligations.
  3. Properly address identified risks with corrective action measures.
  4. Follow the basics in reviewing compliance for information security risks and PHI breaches.
  5. Verify that the Code of Conduct covers reporting HIPAA violations.
  6. Ensure that policies and procedures govern receipt and removal of laptops containing ePHI.
  7. Train the workforce on HIPAA policies and procedures, including reporting violations
  8. Ensure that all business associates (BAs) have signed BA agreements (BAAs), with contact information on file.
  9. Verify that controls cover gaining access to ePHI by workforce members and users.
  10. Encrypt and password protect all laptops and mobile devices.
  11. Implement safeguards to restrict access to unauthorized users.
  12. Validate effectiveness of internal controls, policies, and procedures
  13. Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  14. Ensure that a hotline is set up to receive HIPAA-related calls.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

AMA preparing to tackle questions surrounding physician-patient texting

Regulators are serious about privacy and violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), and crackdowns keep providers on their toes. The evolution of technology provides innovative and efficient ways to practice medicine and communicate with patients, but this evolution brings with it new obstacles that can easily trip up a provider who is not paying close attention. At the end of a long day, a tired doctor might send a quick text to a mother who does not want to bring in her sick child if over-the-counter medicines will do the trick, trying to be as accommodating as possible and truly caring for the patient’s well-being. Both mother and doctor will be relieved that an unnecessary trip was avoided, but is this type of communication appropriate?

The American Medical Association (AMA) provides guidelines for providers on issues just like this one, and the AMA House of Delegates will consider expanding its advice on email communications to include text messaging at a June meeting. Although the AMA maintains that a face-to-face meeting is the foundation of a physician’s relationship with a patient, it recognizes that patients and physicians may prefer text message communications in various settings.

Considerations when texting

As expected, the AMA’s first basic standard of engagement to consider is HIPAA. The Board of Trustees (BOT) recommends discussing obligations under HIPAA’s Security Rule with both information technology (IT) staff and legal counsel. This rule requires that entities transmitting electronic protected health information (ePHI) ensure that these transmissions are confidential and secure. The AMA provides an educational tool to assist providers in achieving compliance with the rule, and HHS offers advice on protecting ePHI when using cell phones.

Providers should keep in mind potential differences in communication with patients, as opposed to colleagues. While doctors and nurses in the same office may think nothing of texting one another, a patient needs to consent to communication. Current guidance indicates that a patient’s initiation of a text conversation may serve as consent, but some providers might obtain written consent that acknowledges risks in such transmissions. Patients should be reminded that security is not guaranteed and that privacy can be breached as easily as someone they know using their phone and seeing a text.

Boundaries

In addition to consent and security issues, the AMA raises several points more along the lines of etiquette but that must be approached within the patient-physician relationship framework. A physician should establish boundaries with patients, such as establishing reasonable response times and appropriate times of day for texting. Additionally, extensive conversations are not recommended, and if a patient requests a lengthy explanation the physician should request that the patient come into the office.

When texting, the AMA recommends keeping a formal tone, cordial but refraining from using jokes, emoticons, or emotionally charged or sarcastic speech. The recommendations even extend to ending texts with the physician’s full name and business affiliation, accompanied by a request to acknowledge receipt of the message. Although it may seem obvious, the AMA also reiterates refraining using identifying information such as name or Social Security number and keeping text records.