The Intersection of OCR Enforcement and Health Care Data Privacy & Security
Download as PPTX, PDF1 like438 views
This document summarizes a presentation on the intersection of healthcare privacy enforcement and cybersecurity. It discusses new guidance from the Office of Civil Rights on mental health information sharing and the 21st Century Cures Act. It outlines recent cyber attacks, the importance of compliance programs and incident response planning. It provides an overview of HHS and FTC enforcement actions and resources available from HHS, FTC and Polsinelli to help organizations comply with privacy and security rules.
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
- 1. The Intersection of OCR Enforcement and Health Care Data Privacy & Security
- 2. Agenda New Guidance from OCR HIPAA Security Rule and Cyber Security HHS and FTC Enforcement Update Resources 2
- 3. 21st Century Cures/Opioid Crisis https://www.hhs.gov/hipaa/for-professionals/special-topics/mental- health/index.html HIPAA Helps Mental Health Professionals to Prevent Harm HIPAA Helps Family and Friends Stay Connected with Loved Ones Who Have a Substance Use Disorder, including Opioid Abuse, or a Mental or Behavioral Health Condition When can I obtain treatment information about my loved one? (decision chart) If You Experience a Health or Mental Health Crisis, HIPAA Helps Your Doctors, Nurses, and Social Workers to Reconnect You with Family, Friends, and Caregivers How HIPAA Allows Doctors to Respond to the Opioid Crisis When Your Child, Teenager, or Young Adult has Mental Illness: What Parents Need to Know about HIPAA Am I my child’s personal representative under HIPAA? When may a mental health professional use professional judgment to decide whether to share a minor client’s treatment information with a parent? When can parents access information about their minor child’s mental health treatment? (Decision Chart) HIPAA Privacy Rule and Sharing Information Related to Mental Health 3
- 4. Recent Cyber Security Attacks, Threats, and Trends 2017 Cyber Healthcare & Life Sciences Survey found that 47 percent of providers and health plans had a security-related HIPAA violation or a cybersecurity attack that impacted data. Office for Civil Rights data regarding Breaches involving 500+ individuals Ransomware – WannaCry Phishing and Social Engineering Other Attacks 4
- 5. Preparing for a Cybersecurity Attack It’s not a matter of IF an attack will occur, but rather WHEN… Steps to take to help address the WHEN: Implementing an effective compliance program Information assurance and information system architecture Obtaining adequate cyberliability coverage 5
- 6. Key Security-Related Aspects of an Effective Compliance Program View the HIPAA Security Rule only as a baseline and policy framework requirement – Risk Analysis and Risk Management Plans – Encryption and password management – “Addressable” does not mean “Optional” Ensuring internal/external expertise is readily available Effective workforce training and monitoring Effective incident response procedures 6
- 7. Incident Handling Preparation Assign Roles and Responsibilities Assert Information needed to Construct Event Define Relationships with Third Parties Train your Team 7
- 8. Cyber Security https://www.hhs.gov/hipaa/for- professionals/security/guidance/cybersecurity/index.html Cyber Security Checklist and Infographic Ransomware Guidance NIST Cybersecurity Framework OCR Cyber Awareness Newsletters https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud- computing/index.html Cloud Computing 8Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
- 9. Effectively Responding to an Attack Time is of the Essence – Immediate Isolation – Notification Timeframes (including insurance carrier) Engaging Outside Assistance – Security forensic experts – Legal counsel – Law Enforcement Returning to Business As Usual 9
- 10. Key Takeaways Too small to be a target is a myth. Preparation does not guarantee Prevention, but is the most important mitigation step. All individuals at your organization are responsible and need to be involved. Time is always of the essence. Human error cannot be 100% prevented, but awareness goes a long way. 10
- 11. HITECH Audit Program Phase 2 Status 166 covered entity desk audits 41 business associate desk audits After Phase 2, on-site audits will be conducted as a part of the permanent audit program. – On-site audits will evaluate auditees against comprehensive selection of controls in the audit protocol: – https://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/audit/protocol/ 11Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
- 12. Desk Audit Scope Covered Entities – Security: risk analysis and risk management – Breach: content and timeliness of notifications – Privacy: notice and access Business Associates – Security: risk analysis and risk management – Breach: reporting to covered entities 12Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
- 13. Ratings 13 Compliance Effort Ratings – Legend Rating Description 1 The audit results indicate the entity is in compliance with both goals and objectives of the selected standards and implementation specifications. 2 The audit results indicate that the entity substantially meets criteria; it maintains appropriate policies and procedures, and documentation and other evidence of implementation meet requirements. 3 Audit results indicate entity efforts minimally address audited requirements; analysis indicates that entity has made attempts to comply, but implementation is inadequate, or some efforts indicate misunderstanding of requirements. 4 Audit results indicate the entity made negligible efforts to comply with the audited requirements - e.g. policies and procedures submitted for review are copied directly from an association template; evidence of training is poorly documented and generic. 5 The entity did not provide OCR with evidence of serious attempt to comply with the Rules and enable individual rights with regard to PHI. Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
- 14. CE Desk Audit Ratings 14 Rating Element # Provision 1 2 3 4 5 N/A P55 Notice 2 34 40 11 16 0 P58 eNotice 59 16 4 6 15 3 P65 Access 1 10 27 54 11 0 BNR12 Timeliness 67 6 2 9 12 7 BNR13 Content 14 15 24 38 7 5 S2 Risk Analysis 0 9 20 21 13 0 S3 Risk Management 2 2 15 28 16 0 Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
- 15. BA Desk Audit Ratings 15 Rating Element # Provision 1 2 3 4 5 N/A BNR17 Notice to CEs 1 2 3 3 0 32 S2 Risk Analysis 3 5 15 12 6 0 S3 Risk Management 0 5 8 21 7 0 Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
- 16. Recent HHS Enforcement Actions 16 April 24, 2017: CardioNet – $2,500,000 – $2.5 million settlement shows that not understanding HIPAA requirements creates risk May 10, 2017: Memorial Hermann Health System (MHHS) – $2,400,000 – Texas health system settles potential HIPAA violations for disclosing patient information May 23, 2017: St. Luke’s Roosevelt Hospital System Inc. – $387,200 – Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k December 18, 2017: 21st Century Oncology – $2,300,000 – $2.3 Million Levied for Multiple HIPAA Violations at NY-Based Provider February 1, 2018: Fresenius Medical Care North America (FMCNA) – $3,500,000 – Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules February 13, 2018: Filefax, Inc. – $100,000 – Consequences for HIPAA violations don’t stop when a business closes
- 17. Recent FTC Enforcement Actions 17 Feb 27, 2018: – PayPal Settles FTC Charges that Venmo Failed to Disclose Information to Consumers About the Ability to Transfer Funds and Privacy Settings; Violated Gramm-Leach-Bliley Act Nov 29, 2017: – FTC Gives Final Approval to Settlements with Companies that Falsely Claimed Participation in Privacy Shield Nov 8, 2017: – FTC Gives Final Approval to Settlement with Online Tax Preparation Service Aug 15, 2017: – Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims
- 18. GDPR: What’s All the Fuss? EU’s General Data Protection Regulation – More broad territorial scope, and may apply to entities with no physical presence in the EU – Unlike HIPAA, applies to all personal data, not just PHI – Permits uses and disclosures of health data, but exceptions do not always align with HIPAA – Heavy fines and penalties – Stay tuned for more information regarding GDPR as applied to the U.S. health care industry
- 19. HHS/FTC Resources https://www.hhs.gov/hipaa/for-professionals/privacy/index.html https://www.hhs.gov/hipaa/for-professionals/security/index.html https://www.hhs.gov/hipaa/for-professionals/breach- notification/index.html https://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/index.html https://www.ftc.gov/ https://www.ftc.gov/system/files/documents/plain-language/pdf0205- startwithsecurity.pdf https://www.ftc.gov/news-events/press-releases/2018/02/ftc- recommends-steps-improve-mobile-device-security-update https://www.ftc.gov/news-events/press-releases/2018/02/ftc-report- finds-some-small-business-web-hosting-services-could 19
- 20. Polsinelli Resources Polsinelli serves clients nationally: – https://www.polsinelli.com/ – 100+ services and 70+ industry areas – 800+ Attorneys – https://www.polsinelli.com/professionals/lacevedo – https://www.polsinelli.com/professionals/ipeters – 20 Cities – Metropolitan offices in: 20 Atlanta Boston Chicago Dallas Denver Houston Kansas City Los Angeles Nashville New York Phoenix St. Louis San Francisco Silicon Valley Washington, D.C. Wilmington
- 21. Polsinelli PC, Polsinelli LLP in California | polsinelli.com Polsinelli PC provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2018 Polsinelli® is a registered trademark of Polsinelli PC. In California, Polsinelli LLP. 21
Editor's Notes
- #7: Enterprise-wide Approach to security (not just an IT issue) Security Officers Internal expertise on IT issues, if not outsource STRONGLY advise against relying too heavily on EHR vendors