Module 6: Panel Discussion – HIPAA Enforcement Preparation
© Clearwater Compliance | All Rights Reserved

Transcript of Module 6: Panel Discussion – HIPAA Enforcement Preparation (22 pages)

Page 1

Module 6: Panel Discussion
HIPAA Enforcement Preparation

© Clearwater Compliance | All Rights Reserved

Page 2

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. Information and informed recommendations provided by Clearwater are intended to be a general information resource, and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISORS, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 3

Module 6 Overview

Module Duration = 60 Minutes

Learning Objectives Addressed in This Module:
1. Share HIPAA compliance lessons learned
2. Share OCR enforcement lessons learned
3. Gain perspective from a former OCR Director
4. Gain insight from large IDN Chief Compliance Officers

“Panel Discussion – HIPAA Enforcement Preparation”

Page 4

Meet Today’s Panelists

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US – CEO & Founder, Clearwater Compliance

Leon Rodriguez, JD – Partner, Seyfarth & Shaw

Gregory J. Ehardt, JD – VP, Chief Compliance and Privacy Officer, CHRISTUS Health

Laura Merten, JD – Chief Privacy Officer, Advocate Health LLC

Panel Discussion – HIPAA Enforcement Preparation

Page 5

54 OCR Enforcement Actions

• Total dollars collected by OCR: $78.7MM
• Total Resolution Agreements/CAPs: 54
• Total ePHI Cases: 41
• Total Adverse Risk Analysis Findings: 37
• Total Adverse Risk Management Findings: 35

Page 6

2016 Phase 2 Audit Results

1 = Meets
2 = Substantially Meets
3 = Minimally Meets
4 = Negligible Efforts
5 = No Serious Effort to Comply

• 57%: 4s and 5s
• 86%: 3s, 4s and 5s

Page 7

Case Study – CardioNet

Facts
• Wireless health services provider – remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias
• 2012 – CardioNet submits two reports to OCR that a laptop was stolen from a parked vehicle outside the employee’s home – 1,391 individuals affected in report dated 1/10/12, and 2,219 individuals affected in report dated 2/27/12
• $2.5 million settlement announced in April 2017

Page 8

Case Study – CardioNet, cont’d

OCR Findings
• Insufficient risk analysis and risk management processes in place
• Security Rule policies and procedures in draft form – not implemented
• No final P&Ps on safeguards for ePHI, including mobile devices

CAP requirements – 2 years
• Comprehensive Risk Analysis with annual or more frequent reviews
• Organization-wide risk management plan
• Revise P&Ps on risk analysis and risk management, including device and media controls
• Certification that all laptops, flash drives, SD cards, and other portable devices are encrypted
• Review and revise Security Rule training program based on the risk analysis and risk management plan, the revised P&Ps, and the certification, with emphasis on encryption and handling of mobile devices and out-of-office transmissions
• Annual reports and attestations

Page 9

Case Study – CardioNet, cont’d

Questions
• Why do these cases take so long start to finish? Do entities get “credit” for working to correct issues during the OCR investigation?
• Jocelyn Samuels has said that the lost/stolen laptop is the “canary in the coal mine” – a report of one of these is indicative of much larger problems.
• Is this your experience?
• What kind of policies should entities have on keeping laptops in vehicles? Is it okay to lock them in the trunk? What about paper records or iPads traveling with home health workers? Do the records/iPad always need to stay with them?
• What about the certification that all mobile devices have been encrypted? Would this apply to BYOD devices?
• What about encrypting SD cards for cameras that take pictures of patients?
• What about encrypting all medical devices that are IoT?

Page 10

Case Study – Memorial Hermann Health System

Facts
• Not-for-profit health system in Texas, 16 hospitals and specialty services
• Media reports
• September 2015 – patient presents fraudulent ID card, staff alerts appropriate authorities. Patient is arrested.
• MHHS then issues press release concerning the incident with patient’s name in press release without authorization.
• Senior leaders also disclosed patient’s PHI during three meetings with advocacy group, state representatives, and a state senator without authorization.
• $2.4 million settlement announced in May 2017

Page 11

Case Study – Memorial Hermann Health System, cont’d

OCR Findings
• Knowingly and intentionally failed to safeguard PHI
• Impermissible disclosure of PHI
• Failed to document the sanctions imposed in a timely manner

CAP requirements – 2 years
• Update and train on Privacy P&Ps, including authorizations, disclosures for law enforcement purposes, disclosures for health oversight activities, reporting violations, and sanctions
• P&Ps on authorizations shall cover disclosures to media, to public officials, and on the internet
• P&Ps on sanctions to cover description of sanctions, timeframes for applying and documenting sanctions, and where documentation is stored (e.g., personnel file)
• Review and update training annually
• Annual reports and attestations

Page 12

Case Study – Memorial Hermann Health System, cont’d

Questions
• This case is reminiscent of the Shasta RMC settlement in June 2013, but that case only resulted in a $275,000 settlement. Is there an explanation for the difference? Is there a clue in the “knowingly and intentionally” language used by OCR? Is it due to the existence of the Shasta case that MHHS was fined so heavily?
• Legal and HR departments may feel awkward imposing sanctions on senior leadership. Should a member of senior management be involved in imposing sanctions for this reason?
• Given OCR’s increased enforcement, do you see leadership paying more attention to these issues? Or is HIPAA a “back-burner” issue compared to things like false claims, etc.?

Page 13

Case Study – Children’s Medical Center of Dallas

Facts
• December 2006 – February 2007 – A security gap analysis and assessment was conducted for Children's by Strategic Management Systems (SMS). The SMS Gap Analysis identified the absence of risk management as a major finding and recommended that Children's implement encryption to avoid loss of PHI on stolen or lost laptops.
• August 2008 – PwC conducted a separate analysis for Children's and determined that encryption was necessary and appropriate. The PwC Analysis also determined that a mechanism was not in place to protect data on a laptop, workstation, mobile device, or USB thumb drive if the device was lost or stolen, and identified the loss of data at rest through unsecured mobile devices as being "high" risk. PwC identified data encryption as a "high priority" item and recommended that Children's implement data encryption in the fourth quarter of 2008.
• 1/18/2010 – Children’s filed a breach report with OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at the DFW Airport on 11/19/2009 (3,800 individuals impacted).
• 11/22/2011 – Medical resident at Children’s lost an iPod that was synced to his work email account (22 individuals impacted)

Page 14

Case Study – Children’s Medical Center of Dallas

Facts, cont’d
• September 2012 – HHS OIG issued finding from its audit of Children’s – insufficient controls to prevent data from being written onto unauthorized and unencrypted USB devices
• 7/5/2013 – Children's reported the theft of an unencrypted laptop from its premises between 4/4 and 4/9/2013 (2,462 individuals impacted).
• To sum up – Despite Children's knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed its Workforce to continue using unencrypted laptops and other mobile devices until 2013.
• OCR tried to reach a settlement between 11/6/2015 and 8/30/2016
• OCR then issued a Notice of Proposed Determination in accordance with 45 CFR 160.420, which included instructions for how Children’s could file a request for a hearing. Children’s did not request a hearing.
• OCR issued a Notice of Final Determination and Children's paid the full $3.2 million Civil Money Penalty (announced in February 2017)

Page 15

Case Study – Children’s Medical Center of Dallas, cont’d

OCR Findings
• Impermissible disclosure of unsecured ePHI and non-compliance over many years with multiple standards of the HIPAA Security Rule.
• Failure to implement risk management plans, contrary to prior external recommendations to do so
• Failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 9, 2013.
• Although Children's implemented some physical safeguards to the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also provided access to the area to Workforce not authorized to access ePHI

Page 16

Case Study – Children’s Medical Center of Dallas, cont’d

The Awful Math – Possibly $13.5 million versus $3.2 million

1. No access controls – encryption and decryption or an alternative. Reasonable cause:
   a. Calendar Year 2010 – 93 days, from 9/30 to 12/31 (maximum penalty of $1,500,000)
   b. Calendar Year 2011 – 365 days (maximum penalty of $1,500,000)
   c. Calendar Year 2012 – 366 days (maximum penalty of $1,500,000)
   d. Calendar Year 2013 – 99 days, from 1/1 to 4/9 (maximum penalty of $1,500,000)

2. Insufficient P&Ps governing receipt and removal of media with ePHI. Reasonable cause:
   a. Calendar Year 2010 – 93 days, from 9/30 to 12/31 (maximum penalty of $1,500,000)
   b. Calendar Year 2011 – 365 days (maximum penalty of $1,500,000)
   c. Calendar Year 2012 – 314 days (maximum penalty of $1,500,000)

3. Impermissible Disclosure of at least 2,484 individuals. Reasonable cause:
   a. Number of individuals whose ePHI was impermissibly disclosed due to December 2010 loss of iPod – 22 (maximum penalty of $1,500,000).
   b. Number of individuals whose ePHI was impermissibly disclosed due to April 9, 2013 theft of laptop – 2,462 (maximum penalty of $1,500,000).

No affirmative defense – no corrections within 30 days

Mitigating factors – no known physical, financial or reputational harm to any individuals, care not impacted. Minimum fine of $1,000/day.

Page 17

Case Study – Children’s Medical Center of Dallas, cont’d

Questions
• Why didn’t Children’s settle, or request a hearing?
• Discuss the hazards of “BYOD” in the context of this case. If the emails containing ePHI were in their own encrypted application such as Good for Enterprise or AirWatch Agent, would “syncing” the iPod have been a problem? How can emails get stored to an iPod?
• How does a facility inventory and account for “BYOD” risk?
• What new “BYOD” devices are on the horizon that keep you up at night?
• Herding cats – how do you incentivize caregivers and staff to bring in their devices for backup and then wiping before trading in/getting battery upgrades?
• How do you incentivize people to admit a loss/theft in the face of possible sanctions and the wiping of their device (assuming they have just misplaced it)?

Page 18

Three Terms To Memorize¹

1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!

3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

¹ 45 CFR 160.401 Definitions

Give Your CEO and Outside Counsel Something to Work With!

Page 19

Pause and Quick Poll

6.1 This Module helped me better understand OCR’s enforcement posture and process and how to better prepare.

Strongly Agree
Agree
Not Sure
Disagree
Strongly Disagree

Page 20

Supplemental Materials

1. Resolution Agreements and Civil Money Penalties
2. 09-06-2017_Update on OCR’s Phase 2 HIPAA Audits by Linda Sanches
3. NACD Cyber-Risk Oversight Handbook Executive Summary
4. Symantec Healthcare Internet Security Threat Report
5. Symantec Internet Security Threat Report
6. Securing Hospitals: A research study and blueprint

Page 21

Questions?

Page 22

www.ClearwaterCompliance.com
LINKEDIN | http://www.linkedin.com/in/bobchaput/
TWITTER | @clearwaterhipaa
YOUTUBE | Search: ClearwaterCompliance

800-704-3394


Thank You.