Idaho State University Investigated by HHS Following Report of Data Breach

Like many universities, Idaho State University (ISU) operates a number of health facilities, some of which are subject to the HIPAA privacy and security regulations. According to a U.S. Department of Health and Human Services (HHS) press release, the Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of a breach in which the electronic protected health information (ePHI) of approximately 17,500 patients was left unsecured for at least 10 months because firewall protections had been disabled on servers maintained by ISU. To settle the alleged violations of the HIPAA Security Rule, ISU has agreed to pay $400,000 and to comply with a two-year corrective action plan.

OCR's action here is consistent with its handling of previously reported breaches and with its discussion of enforcement in the recent final regulations, which we reported on. It is important to note that OCR's investigation indicated that:

ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

Additionally, OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures in place for routine review of its information systems, which could have detected the disabled firewall much sooner.
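As an added illustration of the kind of routine review that would catch a disabled firewall (this is example code, not material from the press release, OCR or ISU), the Python below parses an iptables-save style snapshot of a server's host firewall and compares it with an approved baseline: the INPUT chain's default policy, a set of required rules, and the empty-chain condition a flushed ruleset produces. The snapshot format, the baseline rules and both sample snapshots are assumptions constructed for the example; a real review job would collect the snapshot from each server on a schedule and alert on any finding.

```python
"""Routine review of a host firewall against a documented baseline.

Added example; the iptables-save format, BASELINE and both snapshots are
assumptions constructed for illustration.
"""

# Baseline the organization has approved for its ePHI servers (constructed).
# Rules are compared as iptables-save prints them, so the baseline must use
# the same normalized spelling (e.g. "-m state --state", not "-m conntrack").
BASELINE = {
    "input_policy": "DROP",
    "required_rules": [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p tcp --dport 443 -j ACCEPT",
    ],
}

# Constructed snapshot of a correctly configured server.
HEALTHY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Constructed snapshot after someone ran "iptables -F" and set the policy to ACCEPT.
FLUSHED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def parse_ruleset(text):
    """Return {chain: {"policy": str, "rules": [str]}} for the filter table."""
    chains = {}
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. "*filter"
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):               # ":CHAIN POLICY [packets:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):             # "-A CHAIN <match> -j TARGET"
            chain = line.split()[1]
            chains.setdefault(chain, {"policy": "-", "rules": []})["rules"].append(line)
    return chains


def review_firewall(snapshot, baseline=BASELINE):
    """Compare a snapshot with the baseline; an empty list means no deviation."""
    findings = []
    chains = parse_ruleset(snapshot)
    inp = chains.get("INPUT")
    if inp is None:
        return ["filter table has no INPUT chain: firewall not loaded"]
    if inp["policy"] != baseline["input_policy"]:
        findings.append(
            f"INPUT policy is {inp['policy']}, baseline requires {baseline['input_policy']}"
        )
    if not inp["rules"]:
        findings.append("INPUT chain has no rules: ruleset appears flushed or disabled")
    present = set(inp["rules"])
    for rule in baseline["required_rules"]:
        if rule not in present:
            findings.append(f"required rule missing: {rule}")
    return findings


if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("flushed", FLUSHED)):
        print(name, review_firewall(snap) or ["ok"])
```

The check is deliberately strict about exact rule text: an extra, more permissive rule on a server is not flagged by the required-rule comparison, so a production version should also report rules that are present on the host but absent from the baseline.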

This makes clear that it is NOT sufficient simply to create policies and procedures that safeguard protected health information. A HIPAA covered entity must also conduct and document a risk analysis, a process OCR Director Leon Rodriguez described as a cornerstone of an effective HIPAA security compliance program. The same requirement applies to business associates, and it is a common-sense practice for any entity setting out to safeguard data.


Final HIPAA/HITECH Privacy and Security Regulations Released

The Office for Civil Rights released on January 17, 2013, final privacy and security regulations (563 pages) under the Health Insurance Portability and Accountability Act. The rules address four key issues:

  • Reflecting the changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • Revisions to the HIPAA enforcement rule;
  • Updates to the previously issued data breach regulations; and
  • Incorporating the changes made by the Genetic Information Nondiscrimination Act.

In general, covered entities and business associates will need to comply by September 23, 2013. We expect to report on some of the key changes shortly.



Health Care Providers May Disclose PHI to Avert Threats to Health and Safety, HHS Letter Confirms

Following the mass shootings in Newtown, CT, and Aurora, CO, Office for Civil Rights Director Leon Rodriguez issued a letter on January 15, 2013, reminding covered health care providers about disclosures of protected health information that may be made to avert threats to health and safety.

The letter points out, for example, that mental health professionals may alert police, a parent or other family member, school administrators or campus police, and others who are in a position to stop a credible threat by a patient to inflict serious and imminent bodily harm on one or more persons. Importantly, the letter also points out that while HIPAA may permit the disclosure, other federal and state laws, along with professional ethical standards, must be taken into account because they may provide greater protections. Of course, health care providers should not wait for a crisis to think through these issues; they should instead address them in their crisis management policies.

Start 2013 On The Right Foot - Assess Your Organization's Information Risk

The $50,000 settlement that the Office for Civil Rights (OCR) recently reached with a health care provider in Idaho was due in part to allegations that the HIPAA covered entity had not conducted a risk analysis as required under the HIPAA Security Rule. Of course, HIPAA is not the only law that requires a risk assessment. State laws, such as the Massachusetts data security regulations, contemplate and require a risk assessment in order to establish reasonable safeguards for personal information.

In short, this process involves examining what information the organization maintains, the nature of that information, how it moves through the organization and to and from its vendors, and the organization's current safeguards, in order to identify the threats and vulnerabilities to that information in terms of privacy, security, availability and integrity. This process is critical to ensuring that privacy and security policies are appropriate for the organization. There are a number of resources to assist you in getting started.

Organizations that have performed risk assessments need to periodically re-evaluate their prior efforts based on changes in their business. So, whether your organization has not conducted a risk assessment, it has been a few years since your last assessment, or there have been substantial changes in your business, this may be as good a time as any to make this a priority.

Small HIPAA Breach (Affecting Fewer Than 500) Leads to Substantial Penalties

The U.S. Department of Health and Human Services (HHS) reported today its first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals. According to a statement from Office for Civil Rights Director Leon Rodriguez, "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information."

The breach occurred in June 2010, when an unencrypted laptop belonging to the Hospice of North Idaho (HONI) that contained the ePHI of 441 patients was stolen. The Office for Civil Rights (OCR) learned of the incident when HONI reported it to OCR pursuant to the annual reporting requirement for breaches affecting fewer than 500 individuals under the Health Information Technology for Economic and Clinical Health (HITECH) Act. When OCR investigated, it discovered "that HONI had not conducted a risk analysis to safeguard ePHI." OCR also reported that HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.

HONI agreed to pay HHS $50,000 to settle potential violations of the Security Rule.

OCR Releases Guidance on "De-Identification" of PHI under HIPAA

On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009.

HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks is through the "de-identification" process. When performed correctly, de-identification causes the remaining information to no longer constitute "protected health information," and it is therefore no longer subject to the HIPAA privacy and security rules.

The OCR page provides greater detail, in question and answer format, concerning the two methods that can be used to satisfy the Privacy Rule’s de-identification standard:

  • "Expert Determination" - a formal determination by a qualified expert.
  • "Safe Harbor" - the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity (or business associate) that the remaining information could be used alone or in combination with other information to identify the individual.

Under either method, the resulting data set is no longer protected by the Privacy Rule, but the removal of identifiers also limits its usefulness. The guidance therefore also describes de-identification strategies that minimize the loss of utility. Of course, where de-identification is not practical, which is often the case, covered entities and business associates need to ensure compliance with the HIPAA privacy and security rules.
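The following Python is an added worked example of the Safe Harbor method applied to one patient record; it is not code from OCR or the guidance. It drops the direct identifiers the method lists, keeps only the first three digits of the ZIP code (or "000" for a sparsely populated area), reduces dates to the year, aggregates ages over 89 (and suppresses a birth year that would reveal such an age), and scrubs obvious identifiers from free text. The field names, the sample record and the SPARSE_ZIP3 set are assumptions constructed for the example; the real set of restricted three-digit ZIP areas comes from Census population data. The second Safe Harbor condition, the absence of actual knowledge that the remainder could identify someone, is a judgment the code cannot make.

```python
"""Safe Harbor de-identification of a single patient record.

Added example, not code from OCR or the de-identification guidance.
Field names, the sample record and SPARSE_ZIP3 are constructed here.
"""
from __future__ import annotations

import re
from datetime import date

# Identifier fields Safe Harbor requires to be removed outright (assumed names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo", "other_unique_id",
}
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}  # year only may remain
FREE_TEXT_FIELDS = {"notes"}

# Placeholder for three-digit ZIP areas with fewer than 20,000 residents.
# The authoritative set comes from Census data; this subset is constructed.
SPARSE_ZIP3 = {"036", "059", "063"}

# Reference date used to decide whether a birth date implies an age over 89.
AS_OF = date(2013, 1, 15)

# Best-effort patterns for identifiers that leak into free text.
TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # SSN
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),  # US phone or fax
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),          # e-mail address
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),             # ISO date
]


def generalize_zip(zip_code: str) -> str:
    """First three digits, or '000' when the three-digit area is sparsely populated."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    zip3 = digits[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def year_only(value: str | date) -> str:
    """Reduce a date to its year, the only date element Safe Harbor lets remain."""
    if isinstance(value, str):
        value = date.fromisoformat(value)
    return str(value.year)


def scrub_text(text: str) -> str:
    """Replace obvious identifiers in free text; a human reviewer must still read it."""
    for pattern in TEXT_PATTERNS:
        text = pattern.sub("[REMOVED]", text)
    return text


def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor removals to one record and return the de-identified copy."""
    over_89 = int(record.get("age") or 0) > 89
    dob = record.get("dob")
    if dob is not None:
        dob = date.fromisoformat(dob) if isinstance(dob, str) else dob
        over_89 = over_89 or age_on(dob, as_of) > 89

    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or value is None:
            continue
        if key == "dob":
            if not over_89:          # a birth year that reveals age > 89 must go too
                out["birth_year"] = year_only(value)
        elif key == "age":
            out["age"] = "90+" if over_89 else str(int(value))
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "dob": "1920-05-14",
    "zip": "03601-1234",
    "age": 92,
    "admission_date": "2012-11-02",
    "diagnosis_code": "E11.9",
    "notes": "Patient reachable at 208-555-0100 or jane@example.org; SSN 123-45-6789.",
}
```

Running `safe_harbor(SAMPLE_RECORD)` leaves only the diagnosis code, the admission year, the generalized ZIP, the "90+" age category and the scrubbed note. The structured fields are the easy part; the free-text scrub is a best effort, which is one reason the guidance's Expert Determination method exists for data sets where regular expressions are not enough.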


OCR Issues Protocol For HIPAA Privacy, Security and Breach Notification Audit Program

As we previously discussed, the Office for Civil Rights ("OCR") continues to push forward with the HIPAA audits required by the HITECH Act. To this end, OCR recently posted on its website the protocol it uses to conduct the HIPAA audits.

The HITECH Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards. To implement this mandate, OCR piloted a program of audits of covered entities to assess privacy and security compliance. The audit protocol sets out the processes, controls and policies of the selected covered entities (e.g., health plans, health care clearinghouses and certain health care providers) that are examined, as well as the requirements assessed in these performance audits. The protocol is organized around "modules," as follows:

  • The first audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The second protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The third protocol covers requirements for the Breach Notification Rule.

Notably, the combination of requirements applied may vary based on the type of covered entity selected for review. Health care providers, health plans and business associates, all of whom could be affected by the HIPAA audits, need to be aware not only of OCR's audit activities but also of HHS's efforts to increase enforcement of HIPAA.


HHS Makes HIPAA Training Materials Available to State Attorneys General

To date, State Attorneys General (State AGs) in at least four states (Connecticut, Indiana, Minnesota, Vermont) have exercised the authority to enforce the HIPAA privacy and security rules granted to them by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA). Following a nationwide live training campaign, the Office for Civil Rights (OCR) is continuing its efforts to train State AGs by making training materials available online.

The training materials now available through the OCR website include videos and slides from in-person training sessions for State AGs that OCR conducted in 2011, as well as computer-based training modules that can be downloaded. Topics include:

  • General introduction to the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR's role in enforcing the HIPAA Privacy and Security Rules
  • State AG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for State AGs in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

State AG interest in pursuing these cases may be growing. For example, the Connecticut Attorney General's website instructs residents on how to file complaints concerning HIPAA. This action by OCR also may indicate that it is closer to issuing the long-awaited final regulations under HITECH. Health care providers, health plan sponsors and administrators, and business associates should be taking steps to ensure they are ready to survive a HIPAA audit, as well as an enforcement action by a State AG.


OCR Announces HIPAA Audit Program

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

When Will Audits Begin?

The pilot audit program is a three step process... OCR expects the initial audits to begin in November 2011. The results of the initial audits will inform how the rest of the audits will be conducted...All audits in this pilot will be completed by the end of December, 2012.

Who Will Be Audited?

Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.

Business Associates will be included in future audits.

So, it appears business associates will be spared for the first round of audits.

How Will the Audit Program Work?

The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts.

Accordingly, it is critical that covered entities be sure their policies and procedures are in order, including the new mandates under HITECH, such as breach notification policies.

In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.

Having written policies and procedures clearly is not going to be sufficient to survive an audit. Covered entities will need to be sure their workforce members have been trained and are performing their responsibilities consistent with HIPAA and the organizations' policies and procedures.

What is the General Timeline for an Audit?

When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter will introduce the audit contractor, explain the audit process and expectations in more detail, and describe initial document and information requests. It will also specify how and when to return the requested information to the auditor. OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information.

In light of this 10-day time frame, be sure the appropriate persons are on the lookout for a notice and prepared to respond in a timely manner. Here is the kind of notice they should be looking for.

OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

What Happens After an Audit?

Audits are primarily a compliance improvement activity. OCR will review the final reports, including the findings and actions taken by the audited entity to address findings. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.

Based on these statements, it appears that the audits are part of an overall learning process for the agency to better guide covered entities and business associates concerning compliance. However, it is not clear what the agency considers "a serious compliance issue."


HIPAA Audits to Begin Early 2012


The Health Information Technology for Economic and Clinical Health Act ("HITECH") made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct "periodic audits to ensure that covered entities and business associates" comply with the privacy and security mandates under HIPAA. Susan McAndrew, Deputy Director for Health Information Privacy at the Office for Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows.

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits is to look, at a minimum, for the low-hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items; (ii) conducting and documenting training of workforce members; and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.

According to statements from Ms. McAndrew about the planned audits, as reported in the Employer's Guide to HIPAA Privacy Requirements, a Thomson publication, and elsewhere:

  • The 150 planned audits will likely commence in February 2012, and be completed by the end of 2012.
  • Covered entities will be the prime focus of this initial audit effort, however, the agency expects to also audit business associates.
  • The decision of what entities to audit will not be based on specific incidents, but on an objective process aimed to learn what are the compliance challenges for the entire industry. 
  • OCR decided to take a traditional approach to auditing - that is, on-site audits.
  • The audits are not part of the agency's enforcement function, but certainly could lead to enforcement based on the audit findings.
  • Audits likely will incorporate recommendations of HHS' Office of Inspector General.
  • OCR will (i) provide advance notice of the audit; (ii) seek documentation well in advance of coming on-site, and (iii) provide an opportunity for the covered entity or business associate to comment on audit findings.
  • While audit findings will be made public, the agency likely will aggregate the audit findings before making them public.

On-site visits, to be performed by KPMG LLP, the contractor selected to design and perform the audits, will involve, among other things:

  • interviewing leadership, particularly those charged with privacy compliance,
  • examining physical features and operations,
  • assessing consistency of process to policy, and
  • observation of compliance with regulatory requirements.

KPMG will submit a report of its audit findings to OCR. Among other things, the report will include for each finding:

  • Condition: the defect or noncompliant status observed, and evidence of each
  • Criteria: a clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules, with citation
  • Cause: the reason that the condition exists, along with identification of supporting documentation used
  • Effect: the risk or noncompliant status that results from the finding
  • Recommendations for addressing each finding
  • Entity corrective actions taken, if any

 

Like Tweet LinkedIn Email

HHS to Help Train State Attorneys General to Enforce HIPAA

HHS continues to show signs of increased enforcement of HIPAA. Earlier this month, the agency announced it would hold two-day, instructor-led HIPAA Enforcement Training courses in four locations across the country. Some Attorneys General, such as Connecticut's former Attorney General Richard Blumenthal, have already used their newfound authority to enforce HIPAA. This announcement follows two significant, high-profile Office for Civil Rights (OCR) press releases touting its own enforcement activities, one involving the first imposition of civil money penalties under HIPAA and the other involving a significant settlement with a Massachusetts hospital.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations.

Attendees at each of the HIPAA Enforcement Training sessions will receive instruction on a number of enforcement topics including:

  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • The role and responsibility of an Attorney General under HIPAA and the HITECH Act
  • Resources available to Attorneys General to pursue alleged HIPAA violations

In addition to training, OCR promises that it will collaborate with and assist State Attorneys General seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules. This collaboration and assistance will include OCR providing to Attorneys General (i) information, upon request, about pending or concluded OCR actions against covered entities or business associates that relate to an Attorney General's investigation, and (ii) guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, Enforcement and Breach Notification Rules.

While years of lax enforcement may have lulled many HIPAA covered entities and business associates into not taking HIPAA seriously, these recent activities should spur renewed efforts toward compliance.


HHS Posts On Its Website Covered Entities Reporting HIPAA Data Breaches

On February 22, 2010, the Office for Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting 500 or more individuals. As OCR acknowledged, the HITECH Act requires HHS to make this information public by posting it on an HHS website.

The breach notification rule became effective on September 23, 2009. In short, as we reported previously, the rule requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, as well as to the affected individuals. Breaches that affect 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

Of course, covered entities need to be aware that breaches reported to HHS will be made public on its site. Some states, such as Maryland and New Hampshire, have had a similar policy in effect for some time for breaches of personal information affecting residents of their states.
