Kusserow on Compliance: New analysis of OCR reports found 1800 large breaches over 7 years

In presentation at the Health Care Compliance Association (HCCA) entitled “OCR Enforcement Update,” HHS Office for Civil Rights (OCR) Senior Adviser Iliana Peters reported that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (P.L. 104-191) (HIPAA) violations of an increasing number. To date, the OCR has received 150,507 complaints, with 24,879 being resolved with corrective action measures or technical assistance.  She estimated that the OCR will receive about 17,000 complaints in 2017.

A new study published in JAMA Internal Medicine found since 2009 that 1,798 “large data breaches” involving patient information since 2009 had been reported by health care providers to the OCR.  Out of that number, 216 hospitals reported 257 data breaches, while 33 hospitals were found to have experienced multiple data breaches.  Of 141 acute care hospitals reporting breaches, 52 were major academic medical centers.  These numbers are misleading in that they represent only a small fraction of the total number of breaches, as indicated by Peters.  The reason is that smaller breaches are not required to be reported, and many breaches may not have been voluntarily reported.  The need for increased vigilance and internal controls are needed.

Latest OCR resolution

The OCR announced a resolution agreement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. MCPN filed a breach report with the OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. As with many of the reported large breaches, the OCR found that prior to the breach incident, there was no risk analysis to assess the risks and vulnerabilities in its ePHI environment and a corresponding failure to implement any associated risk management plans to address the risks and vulnerabilities identified in a risk analysis.

Reminder tips on HIPAA compliance

As a reminder, entities should perform the following recommended steps in order to comply with HIPAA.

  1. Perform a complete a security risk analysis that addresses ePHI vulnerabilities.
  2. Engage an outside expert to independently verify that Privacy/Security Officers are meeting obligations.
  3. Properly address identified risks with corrective action measures.
  4. Follow the basics in reviewing compliance for information security risks and PHI breaches.
  5. Verify that the Code of Conduct covers reporting HIPAA violations.
  6. Ensure that policies and procedures govern receipt and removal of laptops containing ePHI.
  7. Train the workforce on HIPAA policies and procedures, including reporting violations
  8. Ensure that all business associates (BAs) have signed BA agreements (BAAs), with contact information on file.
  9. Verify that controls cover gaining access to ePHI by workforce members and users.
  10. Encrypt and password protect all laptops and mobile devices.
  11. Implement safeguards to restrict access to unauthorized users.
  12. Validate effectiveness of internal controls, policies, and procedures
  13. Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  14. Ensure that a hotline is set up to receive HIPAA-related calls.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions–including insurers–take effect March 1, 2017 in New York state. Noting that  “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, requires compliance by third party vendors, and includes more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and drivers’ license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing vendor and third party service provider management and recurrent assessments and policies that allow for secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO) who is employed by the entity, an affiliate, or a third party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse an information system or the information stored in the system. Written incident response plans to cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days since discovery of a breach, or, if affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred.  The New York regulations, in contrast, require entities that are otherwise required to provide notice to the government or other self-regulatory agency or supervisory body, or who believe that a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.