Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018 OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients to navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.
Edward (Ed) G. Zacharias focuses his practice on complex transactions and regulatory compliance matters. He represents hospitals and health systems, academic medical centers, physician group practices, post-acute care providers, health information technology vendors, biotech companies, insurers, pharmaceutical companies and a variety of other health care entities.
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently transmitted HIPAA pre-audit screening surveys to covered entities that may be selected for a second phase of HIPAA compliance audits (Phase 2 Audits). OCR is required to conduct compliance audits of covered entities and business associates under the 2009 Health Information Technology for Economic and Clinical Health Act.
Unlike the pilot audits conducted in 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR is conducting Phase 2 Audits of both covered entities and business associates. Rather than a comprehensive review of all of the HIPAA Standards, the Phase 2 Audit program will focus on areas of greater risk to the security of protected health information (PHI) and on areas of pervasive non-compliance identified in OCR’s Phase 1 Audit findings and observations. The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. Where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.
OCR had previously planned to issue the pre-audit screening surveys in the summer of 2014, but postponed their release until it completed its implementation of a new web portal that will be used for the submission of audit-related materials.
We will publish a fuller On the Subject regarding the Phase 2 Audits in the coming days.
Following an Office for Civil Rights investigation, Anchorage Community Mental Health Services, Inc., agreed to pay $150,000 and comply with a two-year Corrective Action Plan to settle allegations that it violated the HIPAA Security Rule. This settlement is another reminder that covered entities and business associates should take the necessary steps to ensure compliance with HIPAA and to reasonably and appropriately safeguard the electronic protected health information in their possession.
In building a stout privacy and security compliance program that would stand up well to federal HIPAA audits, proactive healthcare organizations are generally rewarded when it comes to data breach avoidance and remediation. But an important piece of that equation is performing consistent risk analyses.
McDermott partner Edward Zacharias was interviewed by HealthITSecurity to discuss these topics and more.
“Heartbleed” has been all over the news, and companies have been scrambling to respond. What sounds like a nasty medical condition is actually a recently discovered flaw in popular encryption software called OpenSSL. It has been widely reported in the news outlets that approximately 60 percent of all web servers use OpenSSL. According to the Federal Trade Commission, the flaw can permit a hacker to unlock the encryption and “monitor all communication to and from a server—including usernames, passwords, and credit card information—or create a fake version of a trusted site that would fool browsers and users, alike.”
So how can companies stop the bleeding?
- Figure out if any websites, systems (like e-mail) or applications (like virtual private network [VPN] endpoints, load balancers or database management software) use OpenSSL. More information about how internal information technology (IT) teams can find and fix the flaw can be found on heartbleed.com.
- A comprehensive review of systems is important because, according to security firm Coalfire, OpenSSL is a program that is not just used on externally facing websites. It also is frequently used on internal applications, management consoles, “appliances” and legacy systems, which will remain vulnerable until patched. This is especially critical for systems that contain sensitive information, such as protected health information, financial information, Social Security numbers and other highly confidential items. A firm like Coalfire can scan corporate systems to discover the vulnerability at a relatively modest cost.
- Update to the latest version of OpenSSL to fix the flaw. After updating, companies need to generate a new encryption key (most IT teams know how to do this) and obtain a new SSL Certificate from a trusted authority for that key, which will signal to browsers that the website is secure. Generating the new key is critical—the existing private key may have been exposed while the flaw was present, so patching alone leaves a company’s server and data at risk.
- Confirm that vendors, business partners and contractors that provide technical services or support to company systems have addressed any OpenSSL flaws in their systems.
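As an added example (not part of the original post), the inventory step above carried out in Python: it reads OpenSSL version banners from a constructed host list, applies the publicly documented Heartbleed-affected range (the 1.0.1 branch through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 and 1.0.0 branches were never affected), and emits the patch, rekey and reissue sequence for each affected host. Hostnames and banners are sample values.

```python
import re

# Constructed inventory: hostname -> banner printed by "openssl version" on that host.
# Sample values only; none of these are real systems.
INVENTORY = {
    "www.example-hospital.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn.example-hospital.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "mgmt-console.internal.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-db.internal.test": "OpenSSL 0.9.8y 5 Feb 2013",
    "mail.example-hospital.test": "OpenSSL 1.0.0k 5 Feb 2013",
}

# major.minor.fix, an optional patch letter (1.0.1e), an optional pre-release tag (1.0.2-beta1)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|pre\d*))?")


def parse_version(banner):
    """Return (major, minor, fix, letter, pre) from an OpenSSL version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre or ""


def is_heartbleed_vulnerable(banner):
    """True for 1.0.1 through 1.0.1f and for 1.0.2-beta1; False for 1.0.1g+, 1.0.2-beta2+,
    and for the 0.9.8 and 1.0.0 branches, which never contained the bug."""
    major, minor, fix, letter, pre = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) up to "f" are affected
    if (major, minor, fix) == (1, 0, 2):
        return pre in ("beta", "beta1")
    return False


def remediation_plan(inventory):
    """Map each affected host to its ordered remediation steps. Order matters: a key
    generated before the upgrade could itself be read through the unpatched flaw."""
    steps = [
        "upgrade OpenSSL to 1.0.1g or later and restart services that loaded the old library",
        "generate a new private key on the patched host",
        "obtain and install a new certificate for the new key; revoke the old certificate",
        "rotate passwords and session tokens that passed through the host while vulnerable",
    ]
    return {host: steps for host, banner in inventory.items() if is_heartbleed_vulnerable(banner)}


if __name__ == "__main__":
    for host, plan in remediation_plan(INVENTORY).items():
        print(host)
        for n, step in enumerate(plan, 1):
            print(f"  {n}. {step}")
```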
But what about the blood that’s already spilled?
After taking these steps to stop the bleeding by fixing OpenSSL flaws, a critical next step is for companies to conduct an assessment of data and actions previously thought to be encrypted.
Companies should consider evaluating with counsel how and when to communicate with customers and employees about changing log-in credentials and taking any other appropriate steps in light of the particular situation addressed by the company.
In addition, given the publicity and attention to this issue, customer service lines might see an increase in calls inquiring whether a company’s website is secure and whether log-in credentials should be changed. Convening the right internal resources to prepare clear, concise talking points will help those customer service teams convey accurate, consistent information in a way that minimizes harm to consumers and brand.
Even if companies are confident that their own sites have been fixed, they should consider whether employees may have used corporate log-in credentials on mobile devices or over connections, such as remote access VPN systems or third-party hotspots, that may have been vulnerable to Heartbleed. Those credentials will need to be changed and employees instructed on how to avoid exposing that information again through another connection that may not yet be patched.
Finally, organizations that find themselves to have been impacted significantly by this vulnerability should pre-plan with counsel for potential regulator attention and class action litigation in response to breach reports, media coverage and consumer complaints. To do this, companies should contact their regular McDermott lawyer or any one of the authors who are poised to help.
In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet. Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection.
We hope you find our presentation materials informative. Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.