Kusserow on Compliance: New analysis of OCR reports found 1800 large breaches over 7 years

In presentation at the Health Care Compliance Association (HCCA) entitled “OCR Enforcement Update,” HHS Office for Civil Rights (OCR) Senior Adviser Iliana Peters reported that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (P.L. 104-191) (HIPAA) violations of an increasing number. To date, the OCR has received 150,507 complaints, with 24,879 being resolved with corrective action measures or technical assistance.  She estimated that the OCR will receive about 17,000 complaints in 2017.

A new study published in JAMA Internal Medicine found since 2009 that 1,798 “large data breaches” involving patient information since 2009 had been reported by health care providers to the OCR.  Out of that number, 216 hospitals reported 257 data breaches, while 33 hospitals were found to have experienced multiple data breaches.  Of 141 acute care hospitals reporting breaches, 52 were major academic medical centers.  These numbers are misleading in that they represent only a small fraction of the total number of breaches, as indicated by Peters.  The reason is that smaller breaches are not required to be reported, and many breaches may not have been voluntarily reported.  The need for increased vigilance and internal controls are needed.

Latest OCR resolution

The OCR announced a resolution agreement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. MCPN filed a breach report with the OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. As with many of the reported large breaches, the OCR found that prior to the breach incident, there was no risk analysis to assess the risks and vulnerabilities in its ePHI environment and a corresponding failure to implement any associated risk management plans to address the risks and vulnerabilities identified in a risk analysis.

Reminder tips on HIPAA compliance

As a reminder, entities should perform the following recommended steps in order to comply with HIPAA.

  1. Perform a complete a security risk analysis that addresses ePHI vulnerabilities.
  2. Engage an outside expert to independently verify that Privacy/Security Officers are meeting obligations.
  3. Properly address identified risks with corrective action measures.
  4. Follow the basics in reviewing compliance for information security risks and PHI breaches.
  5. Verify that the Code of Conduct covers reporting HIPAA violations.
  6. Ensure that policies and procedures govern receipt and removal of laptops containing ePHI.
  7. Train the workforce on HIPAA policies and procedures, including reporting violations
  8. Ensure that all business associates (BAs) have signed BA agreements (BAAs), with contact information on file.
  9. Verify that controls cover gaining access to ePHI by workforce members and users.
  10. Encrypt and password protect all laptops and mobile devices.
  11. Implement safeguards to restrict access to unauthorized users.
  12. Validate effectiveness of internal controls, policies, and procedures
  13. Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  14. Ensure that a hotline is set up to receive HIPAA-related calls.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

AMA preparing to tackle questions surrounding physician-patient texting

Regulators are serious about privacy and violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), and crackdowns keep providers on their toes. The evolution of technology provides innovative and efficient ways to practice medicine and communicate with patients, but this evolution brings with it new obstacles that can easily trip up a provider who is not paying close attention. At the end of a long day, a tired doctor might send a quick text to a mother who does not want to bring in her sick child if over-the-counter medicines will do the trick, trying to be as accommodating as possible and truly caring for the patient’s well-being. Both mother and doctor will be relieved that an unnecessary trip was avoided, but is this type of communication appropriate?

The American Medical Association (AMA) provides guidelines for providers on issues just like this one, and the AMA House of Delegates will consider expanding its advice on email communications to include text messaging at a June meeting. Although the AMA maintains that a face-to-face meeting is the foundation of a physician’s relationship with a patient, it recognizes that patients and physicians may prefer text message communications in various settings.

Considerations when texting

As expected, the AMA’s first basic standard of engagement to consider is HIPAA. The Board of Trustees (BOT) recommends discussing obligations under HIPAA’s Security Rule with both information technology (IT) staff and legal counsel. This rule requires that entities transmitting electronic protected health information (ePHI) ensure that these transmissions are confidential and secure. The AMA provides an educational tool to assist providers in achieving compliance with the rule, and HHS offers advice on protecting ePHI when using cell phones.

Providers should keep in mind potential differences in communication with patients, as opposed to colleagues. While doctors and nurses in the same office may think nothing of texting one another, a patient needs to consent to communication. Current guidance indicates that a patient’s initiation of a text conversation may serve as consent, but some providers might obtain written consent that acknowledges risks in such transmissions. Patients should be reminded that security is not guaranteed and that privacy can be breached as easily as someone they know using their phone and seeing a text.

Boundaries

In addition to consent and security issues, the AMA raises several points more along the lines of etiquette but that must be approached within the patient-physician relationship framework. A physician should establish boundaries with patients, such as establishing reasonable response times and appropriate times of day for texting. Additionally, extensive conversations are not recommended, and if a patient requests a lengthy explanation the physician should request that the patient come into the office.

When texting, the AMA recommends keeping a formal tone, cordial but refraining from using jokes, emoticons, or emotionally charged or sarcastic speech. The recommendations even extend to ending texts with the physician’s full name and business affiliation, accompanied by a request to acknowledge receipt of the message. Although it may seem obvious, the AMA also reiterates refraining using identifying information such as name or Social Security number and keeping text records.

OIG reviews MassHealth and its Medicaid data and information system safeguards

MassHealth failed to adequately safeguard data and information systems through its Medicaid Management Information System (MMIS) according to an audit by the HHS’ Office of Inspector General (OIG) undertaken to determine whether Massachusetts safeguarded MMIS data as required under federal requirements.

What is MMIS?

The MMIS is “an integrated group of procedures and computer processing operations (subsystems) developed at the general design level to meet principal objectives” which are: Title XIX program control and administrative costs; service to recipients, providers and inquiries; operations of claims control and computer capabilities; and management reporting for planning and control. States receive 90 percent federal financial participation (FFP) for design, development, or installation of MMIS and 75 percent FFP for operation of state mechanized claims processing and information retrieval systems.

MassHealth MMIS

The Massachusetts Executive Office of Health and Human Services is responsible for administering the state Medicaid program, commonly known as MassHealth, and information technology architecture, maintenance, and support is provided by the Massachusetts Office of Information Technology. Application support is provided through a contract with Hewlett-Packard.

The audit

Audits of information security controls are performed routinely on states’ computer systems used to administer HHS-funded programs and states are required to implement computer system security requirements and review them biennially. The OIG’s audit of MassHealth’s MMIS included MassHealth’s websites, databases, and other supporting information systems. The review was limited to security control areas and controls in place at the time of the visit. Specifically, the OIG looked at MassHealth’s implementation of federal requirements and National Institute of Standards and Technology guidelines regarding: system security plan, risk assessment, data encryption, web applications, vulnerability management, and database applications. Preliminary findings were communicated directly to MassHealth prior to the report’s issuance.

OIG’s findings

The OIG found MassHealth did not safeguard MMIS data and supporting systems as required by federal requirements. Vulnerabilities were discovered related to security management, configuration management, system software controls, and website and database vulnerability scans. Should exploitation of the vulnerabilities have occurred (and there was no evidence that it had), sensitive information could have been accessed and disclosed and operations of MassHealth could have been disrupted. Sufficient controls must be implemented over MassHealth Medicaid data and information systems.

Specific vulnerabilities uncovered were not detailed in the report because of the sensitive nature of the information. However, specific details were provided to MassHealth so it may address the issues. In response to the report, MassHealth described corrective actions it had taken or planned to take in response to the vulnerabilities.

Kusserow on Compliance: OCR enforcement update at the HCCA Compliance Institute

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics.  Peters stated that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191)  violations of an increasing number.  She cited that OCR has received 150,507 complaints to date, with 24,879 being resolved with corrective action measures or technical assistance.  At the rate of reports being received, the OCR is estimating receiving 17,000 complaints in 2017.  She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on this, ranging from social media privacy, certification of electronic health record technology, and the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules that include mobile device compliance.  They address privacy, security, and breach notification audits. It is expected that among the results of this effort will be increases in  monetary penalties this year.  Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptops computers, that failed to be properly protected with encryption and password.

OCR advice

 Peters provided in her slide presentation considerable advice as what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

  • ensure that changes in systems are updated or patched for HIPAA security;
  • determine what safeguards are in place;
  • review OCR guidance on ransomware and cloud computing;
  • conduct accurate and through assessments of potential PHI vulnerabilities;
  • review for proliferation of electronic PHI (ePHI) within an organization;
  • implement policies and procedures regarding appropriate access to ePHI;
  • establish controls to guard against unauthorized access;
  • implement policies concerning secure disposal of PHI and ePHI;
  • ensure disposal procedures for electronic devices or clearing, purging, or destruction;
  • screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
  • ensure departing employees’ access to PHI is revoked;
  • identify all ePHI created, maintained, received or transmitted by the organization;
  • review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
  • ensure security measures are sufficient to reduce risks and vulnerabilities;
  • investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
  • verify that corrective action measures were taken and controls are being followed;
  • ensure when transmitting ePHI that the information is encrypted;
  • ensure explicit policies and procedures for all controls implemented; and
  • review system patches, router and software, and anti-virus and malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI.  She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed; in many cases, discoveries of breaches within organizations were not promptly investigated.  Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered additional tips and suggestions to those offered in the OCR presentation, particularly as it relates to mobile devices.

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
  • Ensure the Code of Conduct covers reporting of HIPAA violations.
  • Validate effectiveness of internal controls, policies, and procedures.
  • Maintain an up-to-date list of BAs that includes contact information.
  • Ensure identified risks have been properly addressed with corrective action measures.
  • Develop corrective action plans to promptly address any weaknesses or breaches identified.
  • Follow the basics in prevention of information security risks and PHI breaches.
  • Ensure policies/procedures  govern receipt and removal of laptops containing ePHI.
  • Verify workforce member and user controls for gaining access to ePHI.
  • Verify laptops and other mobile devices are properly encrypted and password protected.
  • Implement safeguards to restrict access to unauthorized users.
  • Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  • Ensure the hotline is set up to receive HIPAA-related calls.
  • Verify that all BAs have signed business associate agreements.
  • Train the workforce on HIPAA policies/procedures, including reporting violations.
  • Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
  • Engage outside experts to independently verify controls are adequate and being followed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.