OCR shows no signs of slowing HIPAA enforcement

The HHS Office for Civil Rights (OCR) is on pace to have another record-breaking year for enforcement actions against covered entities (CEs) and business associates (BAs) accused of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. As of February 13, 2017, it had already entered into two resolution agreements with CEs and imposed civil monetary penalties (CMPs) on another for only the third time in its history. Prior to 2016, the OCR had not entered into more than six resolution agreements with CEs or BAs in single year. As of December 2016, the OCR had entered into twice that number. As of February 13, 2016, the OCR had just imposed its second CMP, but had not yet entered into any resolution agreements.

The agency kicked off the year by entering into a $475,000 resolution agreement with Presence Health. Unlike past agreements that settled potential violations of the HIPAA Privacy and Security Rules, the Present Health resolution represented the OCR’s first agreement to resolve potential violations of the HIPAA Breach Notification Rule. Presence failed to notify the OCR, affected individuals, and the media that paper-based operating schedules containing the protected health information (PHI) of 836 individuals had gone missing in the statutorily-required 60-day timeline for breaches affecting more than 500 individuals; instead, it waited more than 100 days.

Eight days later, the OCR announced a $2.2 million resolution agreement with MAPFRE Life Insurance Company of Puerto Rico for Security Rule violations affecting the data of 2,209 individuals. The OCR determined that MAPFRE failed to perform a risk analysis, implement risk management plans, and encrypt data stored in removable storage media led to a breach caused when a thief stole a USB data storage device containing electronic PHI (ePHI).

In early February, the OCR announced that it had issued a final determination and imposed a $3.2 million CMP on Children’s Medical Center of Dallas due to a pattern of noncompliance with the Security rule. Children’s suffered a breach in 2010 due to the loss of an unencrypted, non-password-protected BlackBerry device containing the ePHI of 3,800 individuals.  It suffered a second breach in 2013; despite the first breach, Children’s had failed to encrypt a laptop containing the ePHI of 2,462 individuals that was later stolen. The agency determined that the CMP was merited based on Children’s failure to implement risk management plans, in contravention of prior recommendations to do so, and its failure to encrypt mobile devices, storage media, and workstations. The OCR also imposed CMPs against Lincare, Inc., a home health company, in 2016 and against Cignet Health in Prince George’s County, Maryland, in 2011.

The agency stepped up enforcement efforts in 2016, in part due to negative reports regarding its performance from the HHS OIG and the Government Accountability Office (GAO). It began the Phase 2 audit process, targeting both CEs and BAs, and announced its intention to allocate resources for the first time to investigate complaints of breaches affecting 500 individuals or fewer. It appears geared to continue, if not ramp up, its enforcement efforts, but the impact of newly appointed HHS Secretary Thomas E. Price, M.D.–who will appoint a new OCR director–remains to be seen. Price, a physician and former Congressional representative has historically opposed government regulatory activity of physicians. However, Adam H. Greene, Partner at Davis Wright Tremaine, suggests that, although Price the physician may dislike HIPAA, “his personal views will [not] necessarily lead to a significant change in enforcement.”

 

HIPAA lets docs share info with non-related loved ones

The Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule permits covered entities (CEs) to disclose information to non-family members of a patient when that information relates to the non-family member’s care of or payment for health care of the patient, but it also allows CEs to notify a non-family member of the patient’s location, general condition, or death.  The HHS Office for Civil Rights (OCR) issued an FAQ discussing these issues in response to the 2016 Pulse Nightclub shootings in Orlando, when confusion arose over hospitals’ ability to discuss patients’ conditions with their partners. In an emailed press release, the OCR noted, “the FAQ makes clear that the potential recipients of information under the relevant permissive disclosure provisions . . . are not limited by the sex or gender identity of the person.”

45 C.F.R. section 164.510(b)(1) states that CEs may disclose protected health information (PHI) relevant to a person’s involvement with a patient’s care or payment for the patient’s care, to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual.” It further permits a CE to share PHI “to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.” When a patient is unable to give verbal permission regarding the disclosure of PHI to specific people, the OCR stated that the Privacy Rule defers to the CE’s professional judgment without requiring it to verify the relationship between the person receiving the disclosure and the patient.

The OCR also discussed required disclosures in relationship to the rights of same-sex spouses, and issued additional guidance regarding same-sex spouses’ rights. Pursuant to the U.S. Supreme Court decision in Obergefell v. Hodges, states must permit same-sex marriages and recognize lawful same-sex marriages performed in other states. The guidance reminds CEs that the term “marriage” refers to all lawful marriages, the term “spouse” refers to all lawfully married spouses, and the term “family member”  includes both the lawful spouses and the dependents of all lawful marriages.   The Privacy Rule regards persons authorized under state or other applicable law to act on behalf of the individual in making health care related decisions as the individual’s “personal representative.” 45 C.F.R. section 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual. Therefore, if a state grants legally married spouses the authority to make health care related decisions on each other’s behalf, the spouses are personal representatives and CEs must provide them with access to medical records.

 

Hackers to focus on hospitals in 2017

Hackers will target the health care sector above all others in 2017, with their focus shifting from insurers to hospitals, predicts Experian® Data Breach Resolution. The company’s fourth annual Data Breach Industry Forecast also indicates that ransomware will be an increased threat to hospitals. It suggests that “nation-state” cyberattacks will increase, with at least one significant incident in 2017, and that passwords will be phased out in favor of two-factor authentication.

Hospital focus

In 2015, four of the six data breaches reported to the HHS Office for Civil Rights (OCR) affecting more than one million individuals targeted health care insurance companies.  As a result, Michael Bruemmer, vice president of Experian Data Breach Resolution, noted that many insurers “doubled down on defenses.” Protected health information (PHI) remains a lucrative source of data for hackers, but the report suggests that hackers will seek this information from hospitals, in lieu of insurers, in 2017. Bruemmer noted that hospitals “tend to be more decentralized, making their cybersecurity defenses easier to penetrate.” Electronic health records (EHRs), in particular, are targeted because they are accessible by various entities and individuals. The report predicts that ransomware–which encrypts data, effectively preventing providers from using data unless they pay a ransom–will increase, and may shift from simply locking systems in exchange for money to actually stealing data. At any rate, recent OCR guidance on ransomware makes it likely to be a more publicized topic in 2017 (see Data for ransom: OCR offers ransomware guidance).

Nation-state attacks

The report also anticipates an escalation in cyberattacks between nation-states in 2017, noting that both U.S. presidential candidates discussed the issue in 2016. Although Bruemmer noted in December that the incoming Trump administration’s cyberweapons policy is unclear, he anticipates “a publicly observable action in the near future” and thus recommends that the administration “shor[e] up its defense mechanisms and identify[ ] vulnerabilities.”  Amidst heated discussions on both sides regarding Russia’s alleged interference with the recent U.S. presidential election, President-elect Trump appointed Thomas P. Bossert as Assistant to the President for Homeland Security and Counterterrorism. Bossert indicated, “We must work toward cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government,” and noted, “The internet is a U.S. invention,” that should reflect the nation’s values “as it continues to transform the future for all nations and all generations.”  The president-elect, recently reflecting on cybersecurity, noted “no computer is safe.”

Death of the password?

The report also predicts that individual passwords will be phased out, in all industries, in favor of two-factor authentication, which requires secondary authentication to allow access to systems and networks.  It lists tokens, geo location confirmation, and biometrics as examples of secondary authentication. Individuals’ use of the same passwords for various accounts can lead to “aftershock” breaches, which occur when a password compromised in one breach is used to break into another network in the future.  Experian Data Breach Resolution suggests that health care organizations will be forced to use two-factor authentication to protect against aftershocks.

Webinar replay: Personal Health Information: Hospitals, Health Plans, and Human Resources

Event Date: Thursday, October 13, 2016

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This free webinar replay provides employers with an overview of their legal obligations, focusing significantly on health care providers, covered entities, and business associates under HIPAA, as well as the handling of health information from health insurance, medical leave, or disability, and covers GINA, the FMLA, and the ADA.

Replay this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?