- As technology continues to evolve and become more intricate, covered entities and their business associates have to ensure they account for potential risk in all aspects of their organization. A key part to complete HIPAA compliance is an updated and thorough risk analysis, which is something that several of the settlements from the Office for Civil Rights (OCR) have shown to be a main point of interest for the agency.
Anna Spencer, a partner at Sidley Austin LLP, told HealthITSecurity.com in an email that there were numerous key takeaways for healthcare organizations from the 2016 OCR HIPAA settlements.
Spencer said that conducting a comprehensive HIPAA risk analysis, ensuring that Business Associate Agreements (BAAs) are in place, securing individual authorization before posting or publicizing PHI, and ensuring that mobile devices, such as smart phones, are secured, are all key lessons for covered entities.
David Gacioch, a White Collar Defense partner at McDermott Will & Emery LLP, explained to HealthITSecurity.com that OCR has previously said it is going to become even tougher on its HIPAA enforcement process. In OCR’s view, the community of covered entities and business associates has had sufficient time to get ramped up in HIPAA compliance, he said.
“For the first time in FY2016, those statements were backed up with a spike in action,” Gacioch stated, adding that there were 13 settlements totaling approximately $26 million. Both CEs and BAs need to pay more attention to potential risk areas, he cautioned.
Edward Zacharias, also a partner at McDermott Will & Emery LLP, added that OCR is really backing up its previous statements that HIPAA enforcement has become a larger priority for the agency.
Healthcare organizations have had a number of years now to really understand regulations and take steps to put an appropriate compliance program in place, Zacharias said. Settlements, resolution agreements, and corrective action plans are an additional method of communicating to the industry what they should focus on in terms of potential risk areas or possible violations to the HIPAA Privacy or Security Rules.
There have also been more enforcements against entities for not having updated BAAs, he added, and more enforcement against BAs.
Gacioch also pointed out OCR’s heightened focus on organizations’ risk analyses and subsequent risk management plans.
“Part of what OCR seems to be really focused on now is looking at the robustness and freshness of risk analyses along the lines of new systems coming online, or with respect to how much of the organization is covered,” he said. “They want to know if you’ve got a very good risk analysis that covers your EMR system and a few other key systems. Did you sufficiently pick up the mobile imaging devices that feed into your imaging system? Did you sufficiently pick up PHI that comes out of the users’ access over email on mobile devices?”
It is really an ongoing process for a security team within an organization to try and pick all of that, he said.
What actually happens in the OCR enforcement process?
Along with understanding the HIPAA Privacy, Security, and Notification Rules, healthcare organizations should also understand the OCR enforcement process. This can help ensure they work toward comprehensive HIPAA compliance.
“OCR enforcement may arise out of OCR audits, compliance reviews or investigations,” Spencer explained. “Currently, OCR is in Phase 2 of its HIPAA Audit Program, which reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These analyses are conducted using a comprehensive audit protocol that has been updated to reflect the Omnibus Final Rule.”
Covered entities and business associates that were selected for the audit where notified that they would be included, she added. Those organizations were also asked in a short time frame to provide various documents demonstrating their compliance with certain HIPAA requirements.
“Unlike investigations, which are triggered by complaints, OCR conducts compliance reviews to investigate allegations of violations of the HIPAA Rules brought to OCR's attention through a mechanism other than a complaint (e.g., a media report),” she stated. “OCR will inform the entity of the specific nature of its review in a letter to the company seeking information and will, to the extent practicable, seek the cooperation of the covered entity in obtaining compliance with the applicable provisions.”
Covered entities and business associates involved in a compliance review must provide records and compliance reports, cooperate in the review, and permit access to their facilities, books, records, accounts, and other sources of information. Compliance reviews may be resolved by informal means, but OCR may also proceed directly to formal enforcement in certain circumstances. This could include circumstances that indicate willful neglect.
Complaints may be sent in writing or sent electronically through OCR’s online portal, Spencer continued. Anyone with knowledge of a potential violation may file a complaint with OCR.
“OCR considers a variety of factors when deciding whether to investigate a complaint, including whether the alleged violation pre-dated the compliance deadline for HIPAA, if the entity is subject to HIPAA (i.e., a covered entity or business associate), if the alleged conduct or act, if true, violates the Privacy or Security Rules, and if the complaint is filed within 180 days of when the individual who submits the complaint knew or should have known of the alleged violation,” she said.
Once OCR decides to investigate a complaint, it contacts the individual who filed the complaint and the named covered entity or business associate and requests relevant information. OCR may involve the DOJ if the alleged violation implicates the criminal section of HIPAA. Covered entities and business associates are required by law to cooperate with complaint investigations and compliance reviews.
If OCR finds a violation, it has the discretion to resolve the violation through informal means such as voluntary compliance, corrective action, or a Resolution Agreement. The HHS Secretary may also move directly to imposing a CMP without exhausting informal resolution efforts at her discretion, especially in cases involving willful neglect violations.
“If such informal means are not successful or the HHS Secretary chooses not to pursue informal means of resolution, OCR must notify the covered entity or business associate that the issue(s) was not resolved by informal means and provide an opportunity to provide mitigating factors or affirmative defenses within 60 days,” explained Spencer.
Learning from 2016 settlements, looking ahead to 2017
Spencer said that performing a risk analysis and then addressing the findings is essential for covered entities and business associates. Furthermore, it will also be helpful to deploy encryption for mobile devices that satisfies the HHS encryption guidance, she said.
“I expect that we will see more of the same in terms of enforcement actions taken against entities for failing to conduct risk analyses,” Spencer observed. “In terms of new enforcement, I expect that we will see more enforcement against business associates, including possibly mobile app developers that process health information on behalf of HIPAA covered entities.”
OCR picks cases for maximum PR impact and for a compliance improvement impact across the industry, Gacioch said.
“We’ll likely continue to see risk analysis be a key focus, and more actions directly against business associates,” he continued. “We’re going to continue to see more focus on mobile devices and off site cloud based storage and transmission. Those are areas that are becoming more important in terms of ePHI transmission. The number of breaches in those areas will keep growing.”
Zacharias added that OCR has also asserted that it will focus on smaller data breaches, affecting fewer than 500 individuals.
“If they see an area of focus that is particularly relevant for the industry, or may have a particular impact by it being made publically available, the number of people affected is not going to deter OCR from pursuing that as an opportunity now.”