Regulators provided key insights into enforcement trends and potential changes to HIPAA regulations at the 11th Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference in October co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The following themes emerged:
Potential Changes to HIPAA Rules
OCR will release two new Requests for Information (RFIs) related to potentially dramatic changes to the HIPAA regulations. One will focus on reducing regulatory burdens and improving care coordination. OCR Director Roger Severino highlighted three areas for likely examination: the notice of privacy practices (NPP), required provider-to-provider information sharing, and accounting of disclosures (for which he indicated the agency would be “starting from scratch”). The second RFI will focus on the agency’s statutory obligation to distribute a percentage of civil monetary penalties or monetary settlements to harmed individuals. In addition, Severino noted that the “Joint Guidance on the Application of FERPA and HIPAA to Student Health Records” may be revisited in light of recent school shootings.
Data Breach and HIPAA Enforcement Trends
Severino focused on the agency’s aggressive enforcement actions and noted that the cases resolved in 2017 and 2018 already totaled over $45 million. Serena Mosley-Day, Acting Senior Advisor for Compliance and Enforcement at OCR, discussed enforcement trends and noted that the same issues tend to appear repeatedly, including: (i) incomplete or improper risk analysis; (ii) failure to manage identified risk (e.g., no encryption at rest for devices and media); (iii) not having compliant Business Associate Agreements (BAAs) in place; (iv) lack of transmission security; (v) lack of appropriate auditing; (vi) not patching software; (vii) insider threats; (viii) improper disposal; and (ix) insufficient backup and contingency planning.
Mosley-Day noted that OCR opens investigations into breaches affecting 500+ individuals and that OCR pays particular attention to the following three issues when assessing an entity’s compliance: (i) the underlying cause of the breach; (ii) actions taken to respond to the breach (including compliance with breach notification requirements) and to prevent a future breach incident; and (iii) the entity’s overall HIPAA compliance prior to the breach. On the last point, OCR inquires as to what the entity could have done to prevent the breach or mitigate its impact. In essence, OCR attempts to create a “snapshot of the compliance program” pre- and post-breach.
HIPAA Audit Program Update
Phase 2 desk audits for covered entities (through September 2017) and for business associates (through December 2017) have now concluded, and OCR will publish summary findings in the coming months. The purpose of the desk audits was to assess HIPAA compliance and to supplement OCR’s other enforcement tools. OCR will examine observed best practices to identify lessons learned from the audits that can be shared as technical assistance. OCR noted that there were positive results for timely notice of a breach, providing the required NPP content, and posting the NPP on entity websites. With respect to the areas with the most room for improvement, OCR identified risk analysis, risk management, and enabling individual access (consistent with the preliminary findings announced at the 2017 conference). In response to a question, Severino noted his intent that the audit program would continue with more focus on enforcement, including the potential to launch audits or reviews where OCR does not see breach reporting occurring (in line with Severino’s emphasis at the 2017 conference that enforcement is a key aspect of HIPAA).
Security Risk Assessment (SRA) Tool
OCR announced an update to its SRA tool created in conjunction with the HHS Office of the National Coordinator for Health Information Technology (ONC). Director Severino provided insight into how entities should use the SRA tool, stating that the tool should be a starting point for risk analysis for all company sizes, although not necessarily a standalone solution for meeting the risk analysis requirement—especially with respect to large organizations. The SRA tool remains targeted at, and optimized for, use by small and mid-size covered entities. OCR and ONC representatives emphasized that the SRA tool is meant to give entities some “comfort” as to expectations and guidelines.
Cybersecurity Threat Landscape
In advance of the conference, the Food and Drug Administration (FDA) made several cybersecurity-related announcements, as summarized in our recent client alert. Among those were updates to the FDA’s guidance for managing cybersecurity issues for medical devices before such devices hit the market, as well as the announcement of formalized partnerships with the Department of Homeland Security and other entities to enhance cybersecurity coordination and information sharing.
Bob Bastani, Branch Chief, IT Policy and Planning, Assistant Secretary for Preparedness and Response (ASPR) at HHS, noted that supply chain threats can very easily propagate through an organization’s environment, and therefore organizations need to pay particular attention to vendor-level security. He added that over 40 percent of healthcare organizations reported facing thousands of security alerts daily, and only 50 percent of those alerts were investigated. Of the alerts that healthcare security teams did investigate, 31 percent were legitimate threats—but only 48 percent of those legitimate incidents were actually remediated. Bastani concluded that this gap in remediation may result from a lack of personnel able to adequately track threats and protect systems, or from an organization not having sufficient bandwidth to quickly detect attacks on its systems.
Vendor Risk Assessment
A panel including Julie Chua from HHS Risk Management, Kevin Stine from NIST and Nick Heesters from OCR underscored the importance of assessing a vendor’s risk profile. The panel suggested that organizations collaborate with vendors to ensure that vendors conduct their own vulnerability assessment and implement security measures to reduce risk to acceptable levels. The panel recommended a best practice of collaborating with industry peers to hold vendors accountable so that vendors are apprised of heightened security expectations. The panel also advised against outsourcing risk-based decisions to vendors.
Severino noted that, with respect to offshoring, there are issues surrounding the trustworthiness of the handling of ePHI. If the entity is outside of the United States, there are questions of accountability and whether proper recourse exists. Representatives from HHS, NIST, and Sentara Healthcare on a panel on “Best Practices for Managing Risk” noted that some organizations try to avoid offshoring by specifically providing in contracts that data will not be stored or accessed offshore. Organizations that do decide to offshore their data treat offshore vendors as they treat other third parties, including by conducting risk assessments and involving legal counsel to the extent there are country-specific laws to take into consideration.