Last week’s worldwide “WannaCry” ransomware attack hit international health organizations particularly hard. Though the attack was thwarted, not without a little good luck, and with less financial loss than might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot-and-stick approach, speaking about cooperation on one hand and enforcement (by OCR) on the other.

On the cooperative side, DHS and HHS have sought to work with the tech sector to employ cybersecurity best practices to address the ransomware threat, now the most common problem faced across the cyber universe but especially in health care. DHS has opined that “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices including installation of the latest patches and avoiding phishing efforts that can implant ransomware to lock down a system.” Recommended best practices also include employee training to avoid clicking on unfamiliar links and files in emails, and backing up data (offline or otherwise out of reach of an infected machine) to prevent possible loss. Beyond those somewhat simplistic suggestions, one detects a decided trend towards adoption of the voluntary Cybersecurity Framework issued by the National Institute of Standards and Technology (NIST) in 2014, which is in the process of being updated per public comments and meetings. This also is consistent with the recently issued Executive Order that mandates federal department compliance with the same standards suggested for the private sector, particularly the NIST framework.

The OCR enforcement component is more problematic. On May 17, 2017, Iliana Peters, a HIPAA compliance and enforcement official at OCR, announced at a Georgetown University Law Center cybersecurity conference that OCR will “presume a breach has occurred” when a HIPAA covered entity or business associate has experienced a ransomware attack, due to the nature of how ransomware attacks work. This is somewhat at odds with the way that ransomware actually works. Ransomware generally is a form of extortion in which malware deprives a data owner of access to its own data, typically by encrypting it, unless a ransom is paid (often in Bitcoin or another cryptocurrency); the attacker need not have read or exfiltrated the data to hold it hostage. OCR’s presumption can be overcome, especially if health care data were encrypted prior to the incident (and presumably that would include data at rest). One caveat a practitioner should keep in mind: full-disk encryption protects a powered-off device, not a running system on which ransomware executes with the logged-in user’s access to the decrypted files, and HHS’s ransomware guide makes exactly this point, so the question is whether the PHI was actually secured against the attacker, not merely whether encryption was deployed somewhere. HHS’s ransomware guide provides that:

“Unless the covered entity or business associate can demonstrate that there is a ‘low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. … The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.”

Thus, if there is anything to take away from this, it is to encrypt PHI, at rest and in transit, and to keep the keys out of reach of whoever is holding the data hostage – period.

OCR offers to work with the private sector to provide technical assistance. This might be useful to very small, unsophisticated organizations. Larger private sector entities arguably have resources and technical skills that surpass those of the government. Indeed, the President’s Executive Order recognizes this.

We at Epstein Becker Green will have more to say about the ransomware threat and other cyber security vectors affecting the health care space. Expect a webinar and other publications like this one in the near future.

The Information Sharing and Analysis Organization Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster cyber-threat information sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and the industry’s disproportionate exposure to human and systems vulnerabilities. Therefore, in advising their companies’ management, general counsel and others might benefit from reviewing the FAQs and answers contained in the draft document that can be accessed at the link below.

Announcing the April 20 – May 5, 2017 comment period, the Standards Organization has noted the following:

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.

The draft FAQs can be accessed at: https://www.isao.org/drafts/isao-sp-8000-frequently-asked-questions-for-isao-general-counsels-v0-01/

The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information (“PHI”), those affecting fewer than five hundred (500) individuals.

It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR’s new initiative to investigate smaller breaches as well. OCR stated that in determining when it will open an investigation, it will evaluate a number of factors, such as: (1) the size of the breach, (2) whether the PHI was stolen or improperly disposed of, (3) whether an entity reports multiple breaches, (4) whether numerous entities are reporting breaches of a particular type, and (5) whether the breach involved unauthorized access to an IT system. The announcement also notes that OCR may consider a lack of breach reports for a region, suggesting that OCR is interested in investigating potential underreporting.

The announcement emphasized that by investigating breaches OCR can identify both large-scale trends among HIPAA-regulated entities and entity-specific compliance issues that must be addressed. The announcement also serves as a warning to persons and entities subject to HIPAA to ensure that their breach reporting and other HIPAA compliance efforts are up to date and ready to withstand any potential scrutiny from OCR.

By Arthur J. Fried, Patricia M. Wagner, Adam C. Solander, Evan Nagler, and Jonathan Hoerner

On September 2, 2015, the U. S. Department of Health and Human Services (“HHS”) announced a $750,000 settlement with Cancer Care Group, P.C. (“CCG”), a radiation oncology practice in Indiana, for Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules violations. The alleged violations occurred in 2012, but a subsequent HHS Office for Civil Rights (OCR) investigation led to allegations from OCR that there was a lack of compliance with HIPAA Privacy and Security Rules requirements dating back to 2005.

CCG notified OCR on August 29, 2012 of a data breach of electronic protected health information (ePHI) resulting from the theft of a laptop bag that was left unattended in an employee’s car.  The bag contained a laptop computer and unencrypted backup storage media.  OCR estimated that the stolen data included the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former patients.

After receiving notification of the breach, OCR conducted an investigation that, OCR alleged, revealed CCG was in “widespread non-compliance with the HIPAA security rule.” Specifically, OCR determined that CCG failed to conduct an enterprise-wide risk analysis at any time between April 21, 2005 (the compliance date of the Security Rule) and November 5, 2012, almost 5 months after the data breach. OCR also determined that CCG failed to have in place a written policy covering the removal of hardware and electronic media containing ePHI from CCG facilities. OCR noted that an enterprise-wide risk analysis would have determined that removal of unencrypted media was a high risk to the group’s ePHI security.

In addition to the $750,000 payment, the settlement requires CCG to adopt a robust corrective action plan to correct HIPAA compliance program deficiencies. The entire Resolution Agreement can be viewed here.

This case highlights the need for all covered entities and business associates to conduct regular risk assessments and vulnerability testing. A proper risk assessment will help organizations to identify vulnerabilities to the ePHI they store. While the Security Rule does not mandate encryption, as it is an addressable implementation specification, “addressable” does not mean optional: the entity must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure. This settlement again reinforces OCR’s position that unencrypted computer hard drives, mobile devices, and electronic media will be under intense scrutiny should a breach occur. Thus, in most instances it is advisable for those types of devices to be encrypted.

One thing’s certain – the vast and growing supply of data contained in electronic medical records systems will play a significant role in improving the speed and efficiency of research into new treatments in the years to come.  The challenge will be striking an appropriate balance between the unquestionable promise of this data to enable research – research that will enhance available treatments and save lives – with the rights of individual patients in the privacy of their health information.  Attempts to strike that balance are at the heart of current legislative, regulatory and policy initiatives that will shape the manner and extent to which this valuable resource will be used in the future.

Included in the 21st Century Cures legislation that passed the House on Friday, July 10, 2015 are changes to HIPAA intended to expand access to patient health records for research purposes.  Specifically, subject to certain requirements, the changes permit use and disclosure of PHI by covered entities for research purposes and remove the prohibition on remote access by a researcher to PHI. In addition, the long-anticipated proposed revisions to the Common Rule, pending with OMB, are expected to significantly alter the consent and IRB review requirements for many research activities, particularly for EMR-based research. For instance, the Advance Notice of Proposed Rulemaking sought comments on proposals to increase data privacy and security requirements for research data, while at the same time reducing informed consent requirements and IRB oversight of research using existing data or biospecimens.

The latest piece of the puzzle came in the form of the Proposed Privacy and Trust Principles for the Precision Medicine Initiative released by the White House on Wednesday, July 8, 2015. The Precision Medicine Initiative, first introduced in President Obama’s State of the Union Address and supported by $215 million in funding to NIH, NCI, FDA and ONC, aims to establish a voluntary national research cohort made up of at least one million individuals who agree to contribute data from a range of sources, which may include access to medical records, analysis of biospecimens, environmental and lifestyle data, patient-generated information, and personal device and sensor data. This data will be aggregated and made available to qualified researchers, including those from academic, non-profit and for-profit entities.

The proposed privacy and trust principles provide broad guidance regarding the operation of the research cohort, including its “governance; transparency; reciprocity; respect for participant preferences; data sharing, access, and use; data quality and integrity; and security.” Established by an ‘interagency working group’ convened by the White House, the principles are intended to build privacy into the cohort and ensure confidentiality of patient health information.

Certain of the proposed principles will affect the accessibility and utility of the data to interested researchers, including those in the pharmaceutical and medical device industries, and the details of the further development and implementation of these broad principles will be of critical importance to those who hope to use the cohort data in their future research. For example, the requirement that all data users must publish or post their summary research findings publicly as a condition for use of data within the cohort may present challenges for many users. The nature of the findings that would be subject to that public disclosure requirement, and precisely how and when those findings must be disclosed, will determine whether industry, in particular, will be willing and able to leverage this valuable resource while maintaining necessary protections for proprietary information. Additionally, as the data are intended for use not only for hypothesis-driven research, but for hypothesis-generating and feasibility assessments as well, the nature of the findings that must be disclosed will need to be carefully considered, both to avoid imposing an undue burden by requiring publication of data with limited scientific value and to avoid the potential disclosure of commercially sensitive information about the early research strategy or direction being contemplated by a researcher. Either outcome may limit the extent to which researchers are willing to use the data to its full potential.

Similarly, the manner in which certain principles are operationalized will determine how burdensome the use of cohort data will become. Specifically, the proposed principles contemplate a multi-layer consent model for participants in the cohort. The working group determined that the duration and potential breadth of the research activities contemplated would render a single consent obtained at the time of participant enrollment insufficient. Instead, an ongoing, dynamic consent process has been proposed. As those involved in research know, the development, IRB review and approval, and administration of the informed consent process is burdensome, and the ability to forgo this consent for certain types of non-interventional records research would significantly reduce the cost and time required to conduct research using cohort data. The extent to which the implementation of the consent process includes emerging practices for obtaining informed consent through remote, electronic means will affect the magnitude of this potential burden.

The White House is seeking public feedback on these privacy and trust principles online through August 7, 2015. Companies intending to use and participate in the cohort should carefully review these principles and provide feedback at https://www.whitehouse.gov/precision-medicine.

This post was written with assistance from Thejasree Kayam, a 2015 Summer Associate at Epstein Becker Green.

On Tuesday, September 1, 2015, from 1:00 PM to 2:00 PM ET, George Breen, Chair of Epstein Becker Green’s National Health Care and Life Sciences Practice Steering Committee, will co-present “Opportunities and Obstacles: Preparing for the Transition to the ICD-10 Code Set,” a webinar hosted by Bloomberg BNA.

With the transition to the ICD-10 code set coming in October, the health-care industry is grappling with adopting new technology and making last-minute preparations. The switch to ICD-10 also presents new opportunities to increase productivity and improve patient health.

The International Classification of Diseases is a standardized coding system used by providers for identifying illnesses and treatments, as well as for reimbursement. ICD-10 expands the health-care diagnosis and procedure codes from the roughly 13,000 currently used in ICD-9 to about 68,000, and will be required for all entities covered under the Health Insurance Portability and Accountability Act.

Providers have several concerns about ICD-10, including how it will affect their reimbursements. Health-care professionals are going to have differences over what constitutes the correct diagnosis code under ICD-10, which might negatively impact reimbursement and also result in fraud and abuse concerns.

Epstein Becker Green would like to offer you a 25% discount off the registration fees for this program.  To sign up at this discounted rate, please follow the steps below:

  1. Go to http://www.bna.com/opportunities-obstacles-preparing-m17179930152/
  2. Click on “add to cart.”
  3. Sign in to your bna.com account – if you do not have a bna.com account, please click “create an account & continue”
  4. On the checkout screen you will see a box on the right side labeled “promotion code”.  Please enter the code FIRMDISC25 in this box and click submit.  Then click proceed to checkout.

Our colleague Mollie K. O’Brien at Epstein Becker Green wrote an advisory on a new law that will increase the protection of personal information beyond HIPAA by mandating encryption of computerized personal data collected by health insurance carriers: “Beyond HIPAA: New Jersey Law Requires Encryption of Personal Data by Health Insurance Carriers.” Following is an excerpt:

In response to data breaches that have occurred across the United States, several of which involved the theft of laptop computers, beginning August 1, 2015, health insurance carriers in New Jersey will be obligated to do more to protect patient information than simply comply with the federal Health Insurance Portability and Accountability Act (“HIPAA”). A new law, signed by Governor Chris Christie on January 9, 2015, specifically requires health insurance carriers to encrypt electronically gathered and stored personal information.

The key terms in the law are defined as follows:

  • “Health insurance carriers” means “an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State.”
  • “Personal information” means “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information.”

Read the full advisory here.

Our colleagues Adam Solander and Ali Lakhani provide an update on the HIPAA Conference held last week in Washington, DC.

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office for Civil Rights (“HHS OCR”) hosted their annual HIPAA conference, “Safeguarding Health Information: Building Assurance through HIPAA Security.”

OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.

For the full post, please visit the TechHealth Perspectives blog.


By Adam Solander, Ali Lakhani and Wenxi Li

The increasing prevalence of mobile technology in the healthcare sector continues to create compliance concerns for physician practices and other health care entities. While the Office for Civil Rights (OCR) of the Department of Health and Human Services has traditionally focused on technology breaches within larger health systems, smaller physician practices and health care entities must also ensure that their policies and practices related to mobile technology do not foster non-compliance and create institutional risk.

Physicians Integrate Mobile Technology Into Daily Practice

The Physicians Practice 2014 Technology Survey found that only 31 percent of more than 1,400 survey respondents reported implementing policies and rules to address bring-your-own-device (“BYOD”) practices. With more than 80 percent of doctors using mobile devices at work and integrating their personal devices into their professional practice, these devices represent a significant potential privacy and security risk.

Traditional Safeguards Undermined By “Anywhere” Access

The HIPAA Security Rule applies whenever protected health information (PHI) is accessed or communicated through a mobile device, including something as routine as texting a patient’s name and phone number for a follow-up call. In its annual report to Congress on breaches of unsecured PHI for calendar years 2011 and 2012, OCR reported that loss or theft of mobile devices was among the top three sources of breached PHI, figuring in 117 of the 222 breaches reported for 2012. Additionally, the Physicians Practice 2014 Technology Survey indicated that only 61 percent of respondents reported securely backing up data to a second server or by another method; the remainder are not complying with the HIPAA Security Rule, which requires covered entities to create and maintain retrievable copies of electronic protected health information (ePHI).

OCR Enforcement Areas, Especially Among Small Breaches, Continue to Grow

OCR officials routinely remind covered entities and business associates to understand their obligations with respect to mobile device security, obligations that become more complex to satisfy as the use of mobile technology in the workplace proliferates. Simultaneously, OCR continues to increase enforcement against entities subject to the HIPAA Security Rule that suffer data breaches. Significantly, this enforcement expansion has included smaller entities and breaches affecting fewer than 500 individuals. OCR expects HIPAA Security Rule enforcement to continue this trend and increase going forward in 2014.

Be Prepared

Physician practices and health care entities should conduct a thorough risk assessment that addresses the use of mobile devices and the storage of mobile device data in their environment. Additionally, policies and procedures should be developed to manage the risk associated with mobile devices down to a level the business can tolerate. Risk management plans and security evaluations should be updated and conducted periodically. Physician practices and health care entities must also remember that their business associates must comply with the HIPAA Security Rule; thus, some diligence on the use of mobile devices in their business associates’ environments is advisable. In practice, over 20 percent of HIPAA data breaches have been traced to noncompliant business associates. While the risk may be significant, with proper staff training to identify and address questionable HIPAA behaviors, physician practices and health care entities can minimize the risk of OCR enforcement and the large settlement costs associated with mobile devices.


By Patricia Wagner, Ali Lakhani and Jonathan Hoerner


On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). The report provides valuable insight for healthcare entities regarding data security trends and OCR’s enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of breaches reported to HHS, as well as the actions taken in response to those breaches.

By way of background, HITECH requires that both covered entities and business associates (as defined under HIPAA) provide notifications after a breach of unsecured protected health information (PHI). The required notifications go to the affected individuals and to HHS, and also to media outlets in cases where the breach involves more than 500 residents of a state or jurisdiction. However, HHS has issued guidance explaining that encryption (as specified in NIST SP 800-111 for data at rest) and destruction render PHI “unusable, unreadable, or indecipherable to unauthorized persons,” and thus loss of such secured PHI does not trigger the breach notification requirements.

Report Findings

Healthcare providers accounted for the majority of breaches affecting 500 or more individuals in both 2011 and 2012, while business associates and health plans accounted for the remainder, as illustrated below.

Breaching Entity        2011    2012    Change
Providers                63%     68%     +5%
Business Associates      27%     25%     -2%
Health Plans             10%      7%     -3%
Total                   100%    100%

Theft of PHI was the leading cause of breaches in both 2011 and 2012, followed by loss of PHI and unauthorized access/disclosure. In 2011, theft accounted for 24% of the total number of individuals affected by a breach, and loss accounted for 54% of individuals affected. This high rate for loss was the result of a single breach incident involving a business associate and the loss of back-up tapes containing information on 4.9 million individuals. In 2012, the causes of breach returned to expected rates, with 36% of individuals affected due to theft and 13% due to loss. The tables below show the frequency of breach causes in 2011 and 2012 (percentages sum to more than 100% because a breach may be reported with more than one cause), followed by the sources of the breached information in each year.

Cause of Breach         2011    2012
Theft                    50%     52%
Loss of PHI              17%     12%
Unauthorized Access      19%     18%
Hacking/IT Incident       8%     27%

Source of Breach            2011    2012    Change
Laptop                       20%     27%     +7%
Paper                        27%     23%     -4%
Server                        9%     13%     +4%
Desktop Computer             14%     12%     -2%
Other Portable Device        13%      9%     -4%
Email                         1%      4%     +3%
Electronic Medical Records    2%      2%      0
Other                        14%     10%     -4%

Audit Information

HITECH authorizes and requires HHS to conduct periodic audits of covered entities and business associates to ensure compliance with the HIPAA rules. Unlike compliance reviews (which occur after a major breach) or compliance investigations, these audits are not triggered by an adverse event or incident. Instead, they are “based on application of a set of selection criteria.”

The Office for Civil Rights (OCR), the office within HHS responsible for administering the Breach Notification Rule, implemented a pilot program of the audit process to assess privacy and security compliance; the pilot is described in the Breach Report. The audit revealed that 31 of the 101 audited entities had at least one negative audit finding related to the Breach Notification Rule. Specifically, the audit examined four areas: (1) notification to individuals, (2) timeliness of notification, (3) methods of individual notification, and (4) burden of proof. All four areas had a similar number of deficiencies noted.

Implications and Recommendations for Healthcare Entities

Breaches involving 500 or more individuals accounted for less than 1% of reports filed with HHS, yet represent almost 98% of the individuals affected by a PHI breach. It is likely that OCR will continue investing significant resources in large-scale PHI breaches because of their extensive impact. Additionally, theft remains one of the top causes of PHI breaches, and covered entities and business associates must take appropriate measures to ensure that any PHI stored or transported on portable electronic devices is properly safeguarded. Chronic vulnerabilities include:

Encryption: Even if a device is stolen or misplaced, the Breach Notification Rule will not apply if the data is properly encrypted, that is, encrypted consistent with HHS guidance (which points to NIST SP 800-111 for data at rest) and with the key not stored on or alongside the same device. Thus, it is imperative that covered entities and business associates encrypt portable electronic devices (such as laptops) and all CDs, backup tapes and USB thumb drives, and keep the keys separate from the media.

Access Control: Healthcare entities must pay close attention to the physical access to and proper disposal of devices that contain PHI.  Server rooms should be locked with limited access, and the physical access to buildings, floors, and offices should be secured to prevent theft of desktop computers containing PHI.

Disposal: Electronic devices need to be purged and the data securely erased (also known as “scrubbed”), following a recognized media sanitization practice such as NIST SP 800-88, prior to the device being discarded, recycled, sold, or transferred to a third party, such as a leasing company. Such devices include computers, external storage media, and photocopiers, whose internal hard drives retain images of scanned documents.
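The recurring lesson of this page, from the WannaCry post’s “encrypt PHI – period,” through the Cancer Care Group settlement over unencrypted backup media left in a car, to the Encryption item above, is that media which leaves the building should be unreadable without a key that did not leave with it. The following is an added example of what that looks like in code; it is not from the Breach Report, OCR, or any of the posts here. It uses Go’s standard-library AES-256-GCM to seal a backup image so that the media carries only a nonce and ciphertext, binds a media label as authenticated data so tapes cannot be quietly swapped, and shows that a thief with the media but no key, or anyone who alters a byte, gets an authentication failure rather than data. The backup contents, the label name and the key-store arrangement are assumptions for illustration; the patient record is constructed and not real.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Medium is what physically leaves the building on a laptop, backup tape or
// USB stick: a label, a nonce and the ciphertext. The key is deliberately not
// a field; media that carries its own key is not "secured" in any useful sense.
type Medium struct {
	Label      string // assumed naming scheme, e.g. "backup-2012-08"; bound as AEAD associated data
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random 256-bit AES key. In production the key lives in a
// key store (KMS, HSM, smart card) that is kept separate from the media.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a backup image under key with AES-256-GCM. The label is
// authenticated (not encrypted), so a ciphertext cannot be relabelled or
// swapped between media without detection.
func Seal(key, plaintext []byte, label string) (*Medium, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit nonce, fresh for every Seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Medium{
		Label:      label,
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(label)),
	}, nil
}

// Open decrypts and verifies. A wrong key, an altered ciphertext, an altered
// nonce or an altered label all produce an authentication failure, never
// garbage plaintext.
func Open(key []byte, m *Medium) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, m.Nonce, m.Ciphertext, []byte(m.Label))
	if err != nil {
		return nil, errors.New("media rejected: wrong key or tampered contents")
	}
	return pt, nil
}

// Exposes reports whether a plaintext fragment (a name, an SSN) appears
// verbatim on the media. For encrypted media this is expected to be false.
func Exposes(m *Medium, fragment string) bool {
	return bytes.Contains(m.Ciphertext, []byte(fragment))
}

func main() {
	// Constructed sample backup content; not real patient data.
	backup := []byte("patient=Jane Doe;ssn=123-45-6789;dx=radiation oncology follow-up\n")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	m, err := Seal(key, backup, "backup-2012-08")
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible on media:", Exposes(m, "123-45-6789"))

	// The thief has the laptop bag but not the key store.
	thiefKey, _ := NewKey()
	_, err = Open(thiefKey, m)
	fmt.Println("thief opens media:", err)

	// A flipped byte on the tape is an integrity failure, not silent corruption.
	m.Ciphertext[0] ^= 0x01
	_, err = Open(key, m)
	fmt.Println("tampered media opens:", err)
}
```

The design point is the one the Breach Report’s numbers make: the safe harbor turns on whether the PHI on the lost item is unusable to whoever has it, so the key must be somewhere the thief is not, and the construction must fail closed on any alteration rather than decrypt to something plausible.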

Lastly, as explained in the Breach Report’s discussion of OCR’s audit pilot program, covered entities most often explain noncompliance with the various aspects of the Breach Notification Rule by pleading unawareness of the Rule’s requirements. Covered entities and business associates should ensure that comprehensive privacy and security policies and procedures are developed and implemented, both to mitigate the risk of a breach and to respond effectively should one occur.