On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”  OCR is seeking comments for a series of 54 different specific questions (many with additional subparts) corresponding to the following five major topic areas:  (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

While some of the questions ask for factual information (such as the typical time it takes a covered entity to transfer PHI to another covered entity), many of the questions raise larger policy issues.  For example, the RFI includes a series of questions on whether it would make sense to have health care clearinghouses play a much more direct role in providing information to individuals, whether health care clearinghouses should be treated only as covered entities, and if so, could other covered entities impose contractual obligations on the health care clearinghouses to protect PHI without the use of a business associate agreement.  Similarly, the RFI includes multiple questions on whether the OCR could amend the Privacy Rule to allow for better coordination for patients suffering from a substance abuse disorder or serious mental illness, and how such changes might interact with current state privacy laws and 42 CFR Part 2 that would otherwise prohibit the sharing of such information.

From an operational perspective, the RFI requests comments on how to effectively implement the HITECH Act requirement to provide an accounting of all disclosures made through an electronic health record and whether requiring providers to make a good faith effort to obtain written acknowledgement from a patient that they have received a Notice of Privacy Practices places an unnecessary burden on providers, and perhaps inadvertently confuses patients.

OCR is requesting comments to the elucidated questions on or before February 12, 2019.

On October 16, 2018 the Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) announced an update to their previously provided Security Risk Assessment Tool.  According to ONC and OCR, the “tool is designed to help healthcare providers conduct a security risk assessment” as required under the HIPAA Security Rule.  ONC states that the updated tool includes additional features such as:

  • Enhanced user interface
  • Modular workflow
  • Custom assessment logic
  • Progress tracker
  • Threats & vulnerabilities rating
  • Detailed reports
  • Business associate and asset tracking
  • Overall improvement of the user experience

As with prior tools, the ONC/OCR tool includes a broad disclaimer noting that use of the tool “does not guarantee compliance with federal, state or local laws”.  Indeed, ONC and OCR encourage providers to “seek expert advice when evaluating the use of the tool.”

Ultimately, while the tool may provide a useful resource for small physician groups, larger organizations are more likely to need what is rapidly becoming the industry standard of having a security risk assessment/risk analysis performed by an outside third party, and ensuring additional assessments (such as penetration testing of the systems) are a part of that full risk assessment for the organization.

***

If your organization has any questions or needs assistance with a privacy and security related issue, please reach out to members of our Privacy and Security Group: Patricia Wagner, Alaap Shah, Brian CesarattoAdam Forman, or Wenxi Li.

Last week’s “WannaCry” worldwide Ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted not without a little good luck and less financial loss that might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick approach – speaking about cooperation on one hand and enforcement (by OCR) on the other.

On the cooperative side, DHS and HHS have sought to work with the tech sector to employ cybersecurity best practices to address the ransomware threat, now the most common problem faced across the cyber universe but especially in health care. DHS has opined that “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices including installation of the latest patches and avoiding phishing efforts that can implant ransomware to lock down a system. Among the recommended best practices include employee training to avoid clicking on unfamiliar links and files in emails, and to backing up data to prevent possible loss. Beyond those somewhat simplistic suggestions, one detects a decided trend towards to adoption of the voluntary framework of cybersecurity standards issued by the National Institute of Standards and Technology (NIST), which was issued in 2014 and is in the process of being updated per public comments and meetings.  This also is consistent with the recently issued Executive Order that mandates federal department compliance to the same standards suggested for the private sector, particularly the NIST framework.

The OCR enforcement component is more problematic.  On May 17, 2017, Iliana Peters, a HIPAA compliance and enforcement official at OCR, announced at a Georgetown University Law Center cybersecurity conference that OCR will “presume a breach has occurred” when an HIPAA covered entity or associate has experienced a ransomware attack, due to the nature of how ransomware attacks work. This is somewhat at odds with the way that ransomware actually works. Ransomware generally is a form of blackmail where a Trojan will deprive a data owner of access to its own data unless a ransom is paid (often by Bitcoin or another block chain currency). OCR’s presumption can be overcome especially if health care data were encrypted prior to the incident (and presumably that would include data at rest). HHS’s ransomware guide provides that:

“Unless the covered entity or business associate can demonstrate that there is a ‘low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. … The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.”

Thus, if there is anything to take away from this, it is to encrypt PHI – period.

OCR offers to work with the private sector to provide technical assistance.  This might be useful to very small, unsophisticated  organizations.  Larger private sector entities arguably have resources and technical skills that surpass those of the government.  Indeed, the President’s Executive Order recognizes this.

We at Epstein Becker Green will have more to say about the ransomware threat and other cyber security vectors affecting the health care space. Expect a webinar and other publications like this one in the near future.

Executive Order Delay Trumps Administration Policy Development

President Trump’s first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration’s cyber policy – but that doesn’t mean that this period has been uneventful, particularly for those in the health care space.

The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming executive order will reflect the Trump administration’s focus on improving the security of federal networks, protecting critical infrastructure, and establishing a global cyber strategy based on international law and deterrence, other policy demands have intruded. Indeed as the 100-day mark approached, President Trump announced that he has charged his son-in-law, Jared Kushner, with developing a strategy for “innovation” and modernizing the government’s information technology networks. This is further complicating an already arduous process for drafting the long-awaited executive order on cybersecurity, sources and administration officials say.

The Importance of NIST Has Been Manifested Throughout the Hundred Days

The expected cyber order likely will direct federal agencies to assess risks to the government and critical infrastructure by using the framework of cybersecurity standards issued by the National Institute of Standards and Technology, a component of the Department of Commerce.

The NIST framework, which was developed with heavy industry input and released in 2014, was intended as a voluntary process for organizations to manage cybersecurity risks. It is not unlikely that regulatory agencies, including the Office of Civil Rights of the Department of Health and Human Services, the enforcement agency for HIPAA, will mandate the NIST framework, either overtly or by implication, as a compliance hallmark and possible defense against sanctions.

NIST has posted online the extensive public comments on its proposed update to the federal framework of cybersecurity standards that includes new provisions on metrics and supply chain risk management. The comments are part of an ongoing effort to further revise the cybersecurity framework. NIST will host a public workshop on May 16-17, 2017

Health Industry Groups Are Urging NIST to Set up a ‘Common’ Framework for Cybersecurity Compliance

Various health care industry organizations including the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security have asked NIST to help the industry develop a “common” approach for determining compliance with numerous requirements for protecting patient data. Looking for a common security standard for compliance purposes, commenters also argue that the multiplicity of requirements for handling patient data is driving up healthcare costs. Thus, the groups urge NIST to work with the Department of Health and Human Services and the Food and Drug Administration “to push for a consistent standard” on cybersecurity. One expects this effort, given strong voice in the First Hundred Days, to succeed.

The Federal Trade Commission is Emerging as the Pre-eminent Enforcement Agency for Data Security and Privacy

With administration approval, the Federal Communications Commission is about to release today a regulatory proposal to reverse Obama-era rules for the internet that is intended to re-establish the Federal Trade Commission as the pre-eminent regulatory agency for consumer data security and privacy. In repealing the Obama’s “net neutrality” order, ending common carrier treatment for ISP and their concomitant consumer privacy and security rules adopted by the FCC, the result would be, according to FCC Chairman Pai, to “restore FTC to police privacy practices” on the internet in the same way that it did prior to 2015. Federal Trade Commission authority, especially with regard to health care, is not without question, especially considering that the FTC’s enforcement action against LabMD is still pending decision in the 9th Circuit. However, the FTC has settled an increasing number of the largest data breach cases The Federal Trade Commission’s acting bureau chief for consumer protection, Thomas Pahl, this week warned telecom companies against trying to take advantage of any perceived regulatory gap if Congress rolls back the Federal Communications Commission’s recently approved privacy and security rules for internet providers.

OCR Isn’t Abandoning the Field; Neither is DoJ

While there have been no signal actions during the First Hundred Days in either agency. The career leadership of both has signaled their intentions not to make any major changes in enforcement policy.  OCR is considering expanding its policies with respect to overseeing compliance programs and extending that oversight to the conduct off Boards of Directors.

The Supreme Court Reaches Nine

Many would argue that the most important, or at least most durable, accomplishment of the Trump Administration to date is the nomination and confirmation of Neil Gorsuch to the Supreme Court. Justice Gorsuch is a conservative in the Scalia mold and is expected to case a critical eye on agency regulatory actions. There is no cybersecurity matter currently on the Supreme Court’s docket, but there will be as the actions and regulations of agencies like the FTC, FCC and DHHS are challenged.

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information (“PHI”) that affect fewer than five-hundred (500) individuals.

It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR’s new initiative to investigate smaller breaches as well.  OCR stated that in determining when it will open an investigation, it will evaluate a number of factors, such as: (1) the size of the breach, (2) whether the PHI was stolen or improperly disposed of, (3) whether an entity reports multiple breaches, (4) whether numerous entities are reporting breaches of a particular type, and (5) whether the breach involved unauthorized access to an IT system.  The announcement also notes that OCR may consider lack of breach reports for a region, suggesting that OCR is interested in investigating the potential of under reporting.

The announcement emphasized that OCR can determine both large scale trends among HIPAA regulated entities, and entity-specific compliance issues that must be addressed by investigating breaches.  The announcement also serves as a warning to persons and/or entities subject to HIPAA to ensure that their breach reporting and other HIPAA compliance efforts are up-to-date and ready to withstand any potential scrutiny from OCR.

Our colleagues Adam Solander and Ali Lakhani provide an update on the HIPPA Conference last week in Washington, DC. 

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference “Safeguarding Health Information: Building Assurance through HIPAA security.”

OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.

For the full post, please visit the TechHealth Perspectives blog.

 

By Patricia WagnerAli Lakhani and Jonathan Hoerner

 

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of breaches report to HHS, as well as the actions taken in response to those breaches.

By way of background, HITECH requires that both covered entities and business associates (as defined under HIPAA) provide notifications after a breach of unsecured protected health information (PHI).  These required notifications include the affected individuals, HHS, and also media outlets in cases where the breach includes more than 500 residents of a state or jurisdiction.  However, HHS has issued guidance explaining that encryption and destruction make PHI “unusable, unreadable, or indecipherable to unauthorized persons” and, thus, loss of such secured PHI does not trigger the breach notification requirements.

Report Findings

                Healthcare providers accounted for the majority of breaches affecting 500 or more individuals in both 2011 and 2012 while business associates and health plans accounted for the remainder, as illustrated below.

Breaching Entity 2011 2012 Change
Providers 63% 68% 5%
Business Associates 27% 25% (2%)
Health Plans 10% 7% (3%)
Total 100% 100%

 

Theft of PHI was the leading cause of a breach in both 2011 and 2012 followed by loss of PHI and unauthorized access/disclosures.  In 2011, theft was the cause for 24% of the total number of individuals affected by a breach and loss accounted for 54% of individuals affected. This high affected rate due to loss was the result of single breach incident involving a business associate and loss of back-up tapes containing information on 4.9 million individuals. In 2012, the causes of breach returned to expected rates with 36% of individuals affected due to theft and 13% due to loss. The below tables outline the frequency of breach causes in 2011 and 2012 as well as the sources of the breached information in each year.

 

Causes of Data Breach 2011 2012
Theft 50% 52%
Loss of PHI 17% 12%
Unauthorized Access 19% 18%
Hacking/IT incident 8% 27%

 

Sources of Breach 2011 2012 Change
Laptop 20% 27% 7%
Paper 27% 23% (4%)
Server 9% 13% 4%
Desktop Computer 14% 12% (2%)
Other Portable Device 13% 9% (4%)
Email 1% 4% 3%
Electronic Medical Records 2% 2% 0
Other 14% 10% (4%)

 

Audit Information

HITECH authorizes and requires HHS to conduct periodic audits of covered entities and business associates to ensure compliance with HIPAA rules. Unlike compliance reviews (which occur after a major breach) or compliance investigations, these audits are not triggered by an adverse event or incident.  Instead, they are “based on application of a set selection criteria.”

The Office for Civil Rights (OCR) (the office within HHS that is responsible for administering the Breach Notification Rules) implemented a pilot program of the audit process to assess the privacy and security compliance which was described in the Breach Report. The audit revealed that 31 out of 101 audited entities had at least one negative audit finding related to the Breach Notification Rule.  Specifically, the audit examined the following four areas:  (1) notification to individuals, (2) timeliness of notification, (3) methods of individual notification, and (4) burden of proof.  All four areas had a similar number of deficiencies noted.

Implications and Recommendations for Healthcare Entities

Breaches involving 500 or more individuals accounted for less than 1% of reports filed with HHS, yet represent almost 98% of the individuals affected by a PHI breach.  It is likely that OCR will continue investing significant resources into large scale PHI breaches due to the extensive impact of these breaches. Additionally, theft remains one of the top causes of PHI breaches and covered entities and business associates must take appropriate measures to ensure that any PHI stored or transported on portable electronic devices is properly safeguarded.  Chronic vulnerabilities include:

Encryption: Even if a device is stolen or misplaced, the Breach Notification Rule will not apply if the data is properly encrypted. Thus, it is imperative that covered entities and business associates encrypt portable electronic devices (such as laptops) and all CDs or USB thumb drives.

Access Control: Healthcare entities must pay close attention to the physical access to and proper disposal of devices that contain PHI.  Server rooms should be locked with limited access, and the physical access to buildings, floors, and offices should be secured to prevent theft of desktop computers containing PHI.

Disposal: Electronic devices need to be purged and the data securely erased (also known as “scrubbed”) prior to the device being discarded, recycled, sold, or transferred to a third party, such as a leasing company.  Such devices include computers, external storage media, and photocopiers.

Lastly, as explained in the Breach Report discussion of OCR’s audit pilot program, covered entities most often explain noncompliance with the various aspects of the Breach Notification Rule by pleading unawareness of the requirements of the Rules. Covered entities and business associates should ensure that comprehensive privacy and security policies and procedures are developed and implemented to mitigate the risks of a breach and to effectively respond to a breach should one occur.