OCR shows no signs of slowing HIPAA enforcement

The HHS Office for Civil Rights (OCR) is on pace to have another record-breaking year for enforcement actions against covered entities (CEs) and business associates (BAs) accused of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. As of February 13, 2017, it had already entered into two resolution agreements with CEs and imposed civil monetary penalties (CMPs) on another, for only the third time in its history. Prior to 2016, the OCR had not entered into more than six resolution agreements with CEs or BAs in a single year. As of December 2016, the OCR had entered into twice that number. As of February 13, 2016, the OCR had just imposed its second CMP, but had not yet entered into any resolution agreements.

The agency kicked off the year by entering into a $475,000 resolution agreement with Presence Health. Unlike past agreements that settled potential violations of the HIPAA Privacy and Security Rules, the Presence Health resolution represented the OCR’s first agreement to resolve potential violations of the HIPAA Breach Notification Rule. Presence failed to notify the OCR, affected individuals, and the media that paper-based operating schedules containing the protected health information (PHI) of 836 individuals had gone missing within the statutorily required 60-day timeline for breaches affecting more than 500 individuals; instead, it waited more than 100 days.

Eight days later, the OCR announced a $2.2 million resolution agreement with MAPFRE Life Insurance Company of Puerto Rico for Security Rule violations affecting the data of 2,209 individuals. The OCR determined that MAPFRE’s failure to perform a risk analysis, implement risk management plans, and encrypt data stored on removable storage media led to a breach that occurred when a thief stole a USB data storage device containing electronic PHI (ePHI).

In early February, the OCR announced that it had issued a final determination and imposed a $3.2 million CMP on Children’s Medical Center of Dallas due to a pattern of noncompliance with the Security Rule. Children’s suffered a breach in 2010 due to the loss of an unencrypted, non-password-protected BlackBerry device containing the ePHI of 3,800 individuals. It suffered a second breach in 2013; despite the first breach, Children’s had failed to encrypt a laptop containing the ePHI of 2,462 individuals that was later stolen. The agency determined that the CMP was merited based on Children’s failure to implement risk management plans, in contravention of prior recommendations to do so, and its failure to encrypt mobile devices, storage media, and workstations. The OCR also imposed CMPs against Lincare, Inc., a home health company, in 2016 and against Cignet Health in Prince George’s County, Maryland, in 2011.

The agency stepped up enforcement efforts in 2016, in part due to negative reports regarding its performance from the HHS OIG and the Government Accountability Office (GAO). It began the Phase 2 audit process, targeting both CEs and BAs, and announced its intention to allocate resources for the first time to investigate complaints of breaches affecting 500 individuals or fewer. It appears geared to continue, if not ramp up, its enforcement efforts, but the impact of newly appointed HHS Secretary Thomas E. Price, M.D., who will appoint a new OCR director, remains to be seen. Price, a physician and former Congressional representative, has historically opposed government regulation of physicians. However, Adam H. Greene, Partner at Davis Wright Tremaine, suggests that, although Price the physician may dislike HIPAA, “his personal views will [not] necessarily lead to a significant change in enforcement.”


Kusserow on Compliance: 2016 ransomware and HIPAA data breaches

The HHS Office for Civil Rights (OCR) continues to report that most reported Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule violations were due to unauthorized access or disclosure, but cyber attacks are now a close second. Cyber attacks have been very significant in the last couple of years, with the number of such breaches rising to dramatic levels during 2016. The OCR reported at the end of November that scammers were using fake OCR emails to advance their schemes. No one knows for sure how many data breaches occur, but from what is known, the number may average more than one per day. The broad category of data breaches includes actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. The most disturbing trend involves ransomware, which typically involves sophisticated malicious software introduced into a victim’s system that encrypts the system’s data. The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in a hard-to-trace digital currency such as Bitcoin. Health care industry stakeholders, particularly hospitals, have proven to be soft targets, as they need to have immediate access to their patient information, and many have paid the ransom to regain control over it. There have been some major payouts by health care organizations to regain control over their data and information.

Dr. Cornelia Dorfschmid, a national expert on the subject of ransomware attacks, notes that such attacks have been growing as an internet threat for more than a decade, but have only recently become prominent in health care. The health care sector is considered a soft target, particularly hospitals, which are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can be delayed or halted, which makes hospitals more likely to pay a ransom than to risk delays that could result in death and lawsuits.

Tom Herrmann, J.D., explained that both the OCR and CMS found that many questioned whether ransomware attacks were even reportable HIPAA breaches. The reasoning was that the attackers have no interest in accessing, copying, exfiltrating, or exporting the files they capture; they just want to hold the data out of their target’s control until they are paid. Both CMS and the OCR disagreed and took the position that such an attack is also likely a data breach, which must be reported like any HIPAA violation. In July, the OCR then released guidance that made it clear that a ransomware attack is a reportable security incident and must be publicly reported in a timely manner, or a covered entity or business associate will face severe penalties. Since the release of the OCR guidance, there has been a continued increase in the number of reported attacks. Some of that increase may be a result of some health care organizations having previously treated the payment of ransom as simply the price of doing business. They can no longer do that without risking severe penalties, and the OCR has been entering into very large settlements, many of which have been over $1 million. A recent example of this enforcement effort is the University of Massachusetts’ $650,000 HIPAA settlement after a breach of unsecured protected health information (PHI) in which the OCR found a number of security and compliance gaps, including the absence of firewalls, as well as failure to meet basic HIPAA security requirements, including conducting thorough organization-wide risk analyses, proper training of staff, and the implementation of applicable policies and procedures.

OCR guidance to prevent data breaches and ransomware attacks

The OCR guidance discusses:

  • conducting a risk analysis to identify threats and vulnerabilities to electronic PHI (ePHI);
  • establishing ways to mitigate or remediate these identified risks;
  • implementing procedures to take precautions against malware;
  • training users to detect malware and report such detections;
  • limiting access to PHI to people and software requiring such access;
  • maintaining disaster recovery, emergency operations, frequent data backups, and practice restorations.

The fact is that organizations have tools available that can strengthen security and may just need to address a basic lack of security measures.


To protect against ransomware, organizations should:

  • train employees to understand that breaches often occur when someone opens an email link or attachment, or responds to “phishing” inquiries;
  • conduct an ePHI vulnerabilities assessment and mitigate or remediate identified risks;
  • address any lack of security technology protecting data and information, including firewalls, email, or web traffic filters;
  • focus security efforts on the most critical files, such as patient records;
  • consider using passphrases rather than passwords;
  • develop and implement policies and procedures on how to take precautions against malware;
  • limit access to PHI to people and software requiring such access;
  • maintain disaster recovery, emergency operations, and frequent data backups to permit restoration of lost data in case of an attack;
  • configure email servers to block zip or other files that are likely to be malicious;
  • move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system; and
  • limit those who can access files on a single server, so that if a server gets infected, it won’t spread to everyone.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Comply with HIPAA, but don’t forget about the FTC Act

Covered entities (CEs) and business associates (BAs) must comply with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) when dealing with consumer health information, but the HHS Office for Civil Rights (OCR) is reminding them to stay out of trouble with the Federal Trade Commission (FTC) as well. In recent guidance, the OCR noted that organizations that share such information must ensure that disclosure statements are not deceptive under the FTC Act (15 U.S.C. §§ 41-58).

The FTC Act prohibits companies from engaging in deceptive or unfair acts involving commerce, including misleading advertising. Companies that don’t comply may face stiff monetary penalties, injunctions, or restraining orders. The OCR noted that providing misleading information surrounding authorizations to share health information violates the FTC Act, whether it is done electronically or on paper. The agency offered specific examples.

Regardless of whether disclosures are provided in an electronic or paper medium, organizations should present information clearly, placing the important information first and making sure that consumers don’t need to read too far to uncover the specific authorizations that are being requested. Consumers who read that they are agreeing to permit their doctor to view health information shouldn’t have to read through several more papers, click on a link, or scroll down a page to discover that they are also agreeing to submit information to pharmaceutical companies or to make it publicly available. Furthermore, they shouldn’t be distracted with bold-faced information stating that their information will be kept confidential and then asked, in less prominent type, to sign an authorization to share that same information. Organizations should review the information they provide to consumers, eliminate all contradictions, and ensure that consumers have access to all pertinent information before asking them to authorize the sharing of health information.

In 2013, the FTC published guidance for making effective disclosures in digital advertising, noting that they must be clear and conspicuous. The FTC encourages advertisers to take into consideration proximity and placement, prominence, distracting factors in ads, repetition, types of media used in messages and campaigns, and clarity of language in determining whether disclosures are truly clear and conspicuous.

Webinar replay: Personal Health Information: Hospitals, Health Plans, and Human Resources

Event Date: Thursday, October 13, 2016

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This free webinar replay provides employers with an overview of their legal obligations, focusing significantly on health care providers, covered entities, and business associates under HIPAA, as well as the handling of health information from health insurance, medical leave, or disability, and covers GINA, the FMLA, and the ADA.

Replay this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?