Kusserow on Compliance: New OCR Guidelines

The HHS Office for Civil Rights (OCR) issued a new guidance which points out a list of 10 violations where Business Associates (BAs) can be held directly liable. The guidance points out that where BAs may not be liable, the covered entity (CE) may be still on the hook for violations of those violations. As such CEs should carefully review their BA Agreements (BAAs) to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs.

The OCR also notes that large data breaches also continue to dominate the press. The OCR recently cited among recent notable breaches that an EMR and software services provider allowed hackers access to 3.5 million patient records. Touchstone Medical Imaging (TMI), agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. LabCorp received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA. This announcement followed a similar one from Quest Diagnostics, in which they reported that AMCA’s breach affected 11.9 million of its patients.

Updates on OCR enforcement actions can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator for many of the cases in which there was a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. The OCR has jumped off the 2017 year with a record number of significant settlements. The most recent is CardioNet, a wireless health services provider, who provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The provider entered into a settlement for $2.5 million and implemented a corrective action plan for disclosure of unsecured ePHI on a laptop that was stolen from a parked car. CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft and their HIPAA Security Rule policies and procedures had not been implemented. The OCR has entered into a number of other significant settlements. Others who paid settlements for violating HIPAA requirements so far this year include Memorial Health Systems ($5.5 million); Children’s Medical Center in Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Community Provider Network of Denver ($400,000). In all these cases, there was the requirement to take corrective actions.

2016 OCR Results

  • There were 329 Data Breaches greater than 500 Individuals (a new record).
  • 225 OCR Phase 2 of HIPAA compliance audits conducted of covered entities and BAs.
  • No onsite audits were conducted.
  • No findings or notifications from the audits have been made.
  • The OCR intends to use the results from these audits to prepare for a new and better tool in the future.
  • There was a large jump in fines imposed for HIPAA violations that totaled about $24 million (versus a little more than $6 and $8 million in for 2105 and 2014 respectively)

OCR in 2017

  • The OCR stated intention is to conduct only a few onsite audits in 2017.
  • To date the OCR has nearly achieved the level of 2016 in terms of penalties imposed.
  • To date about 100 data breaches impacting greater than 500 Individuals have been reported.
  • About a half million individuals have been impacted in reported data breaches so far this year.
  • Only a relatively few BAs were involved in any of the reported data breaches.

The enforcement actions most often come from the OCR when investigations into the root cause of the breach found systemic, often profound, failures of organizational programs to safeguard protected health information.  This includes the failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required actions under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA Compliance.  Other actionable problems that resulted in the OCR imposing HIPAA corrective action plans (CAP) included inappropriate delay in data breach reporting (reported after 60 days from the date of discovery); and inappropriate oversight into user set up and user management. There is also the continuing problem of organizations not implementing encryption technology on mobile devices.

Camella Boateng, a HIPAA consultant reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual’s right to access their PHI to data held by business associates. As such, it is more important than ever that entities give a priority for engaging in a self-audit, so vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with a shifting focus toward BA, it is important to avoid any potential partner that will not commit to signing a BAA.

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA requests forms for patient’s rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • conducting a regular HIPAA risk analysis;
  • developed a risk management plan to address gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight into systems with PHI;
  • auditing practices for verification of compliance;
  • ongoing evaluation of current safeguards established by the organization;
  • strong oversight into user set up and user management;
  • implementing encryption technology on mobile devices; and
  • ensuring partners have signed BAAs.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Webinar replay: Personal Health Information: Hospitals, Health Plans, and Human Resources

Event Date: Thursday, October 13, 2016

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This free webinar replay provides employers with an overview of their legal obligations, focusing significantly on health care providers, covered entities, and business associates under HIPAA, as well as the handling of health information from health insurance, medical leave, or disability, and covers GINA, the FMLA, and the ADA.

Replay this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?

Kusserow on Compliance: New HIPAA risk analysis tool released

The HHS Office for Civil Rights (OCR) and Office of the National Coordinator of Health Information Technology (ONC) released a new jointly developed downloadable Security Risk Assessment (SRA) Tool to assist providers and professionals to perform HIPAA compliance risk assessments. It was designed primarily for small and medium-sized covered entities and business associates. The Tool is a self-contained, operating system (OS) independent application that is available at no cost, can be downloaded from Apple’s App Store. It guides users through each HIPAA requirement by presenting questions answerable as “yes” or “no” to indicate if there is a need for corrective action for any of the 156 question items. Guidance provides assistance in:

  • Understanding the context of the question
  • Considering the potential impacts to your PHI if the requirement is not met
  • Seeing the actual safeguard language of the HIPAA Security Rule

The Tool can serve as the local repository for the information and does not send your data anywhere else. At any time during the risk assessment process, you can pause to view your current results. The results are available in printable PDF and Excel formats. For details on how to use the tool, download the SRA Tool User Guide. A paper-based version of the tool is also available:

Camella Boateng, an experienced HIPAA consultant, makes the point that “Covered Entities and Business Associates are not mandated to use this tool; however they are required to conduct regular, organization-wide risk analyses for HIPAA compliance. Much of my work over the last year has been assisting clients in conducting a system-wide HIPAA compliance reviews. Using the tool greatly assists in doing this. If you monitor the OCR website, it is clear from the many recent HIPAA enforcement actions that many organizations have not performed such analyses properly.”

Suzanne Castaldo, JD, notes, “OCR can be counted upon to include review of risk analyses of organization during the Phase 2 HIPAA audits and that results from these reviews will result in many Business Associates being notified of having a desk audit before the end of this year. OCR plans following up with field audits for both Covered Entities and Business Associate beginning in 2017 that will have twin objectives of learning more about HIPAA compliance in general, as well as having some of the audits finding cases that warrant becoming enforcement investigations of HIPAA violations.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2016 Strategic Management Services, LLC. Published with permission.