On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.

Read the full article.

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.

In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).

OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

Continue Reading Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

The Final Rule published by the US Department of Health and Human Services on January 18, 2017, largely avoids major modifications to the Common Rule. However, it specifically addresses creation of biospecimen and data repositories and use of those repositories for secondary research. All stakeholders involved in federally funded research should be aware of the Final Rule’s changes and prepare to implement them.

Read the full article here.

On January 18, 2017, the Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule overhauling the federal human subjects research regulations known as the “Common Rule.” These are the first revisions to the Common Rule since its original enactment in 1991, and have been in progress since HHS first published an Advanced Notice of Proposed Rulemaking in July 2011. According to the press release accompanying the final rule, HHS made “significant changes” to its most recent proposals (published in September 2015) in response to the 2,100+ public comments they received.

The majority of the Common Rule’s changes and new provisions will go into effect in 2018. We are reviewing the final rule in detail, and a summary of changes and new provisions is forthcoming.

On January 4, 2017, the Department of Health and Human Services (HHS) submitted a draft final rule to amend the federal human research regulations to the Office of Management and Budget (OMB). These regulations, often referred to as the Common Rule, were originally developed in 1991 and have been adopted by multiple federal departments and agencies. OMB review is the last step before final publication and suggests that HHS is trying to release a final rule before President Obama leaves office on January 20, 2017.

Through its Office for Human Research Protections (OHRP), HHS initially published an Advanced Notice of Proposed Rulemaking in July 2011. The Advanced Notice generated significant controversy and OHRP did not publish a notice of proposed rulemaking (Proposed Rule) for over four years, ultimately doing so on September 8, 2015. The Proposed Rule, like its earlier Advanced Notice counterpart, suggested major changes to the Common Rule, including changes to its overall jurisdictional scope, requirements relating to secondary use of biospecimens and individually identifiable information, and the general research review and oversight process.

Since the Proposed Rule’s publication, OHRP has received significant feedback from both industry and expert advisory groups about the proposed changes and their overall impact. While certain proposed changes have been applauded, the Proposed Rule has also generated considerable concern and uncertainty among stakeholders.

The current status of OMB’s review is pending.

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI).  The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

  1. Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the entity’s EPHI and to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level.  In each case, the final corrective action plan required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement.

      2.  A risk assessment is not enough – entities must follow through with remediation of identified threats and vulnerabilities.

In the resolution agreement related to Concentra Health Services (CHS), OCR noted that although CHS had conducted multiple risk assessments that recognized a lack of encryption on its devices containing EPHI, CHS failed to thoroughly implement remediation of the issue for over 3-1/2 years.

      3.  System changes and data relocation can lead to unintended consequences. 

In two of the cases, the underlying cause of the security breach was a technological change that led to the public availability of EPHI.  A press release on the Skagit County incident notes that Skagit County inadvertently moved EPHI related to 1,581 individuals to a publicly accessible server and initially reported a security breach with respect to only seven individuals, evidentially failing at first to identify the larger security breach.  According to a press release related to the NYP/Columbia security breach, the breach was caused when a Columbia physician attempted to deactivate a personally-owned computer server on the network, which, due to lack of technological safeguards, led to the public availability of certain of NYP’s EPHI on internet search engines.

      4.  Patch management and software upgrades are basic, but essential, defenses against system intrusion.

OCR noted in its December 2014 bulletin on the Anchorage security breach (2014 Bulletin) that the breach was a direct result of Anchorage’s failure to identify and address basic security risks. For example, OCR noted that Anchorage did not regularly update IT resources with available patches and ran outdated, unsupported software.

      5.  HIPAA policies and procedures that merely sit on the shelf are not sufficient.

OCR noted the failure of two covered entities to follow policies and procedures that each entity had adopted.  In the NYP resolution agreement, OCR noted that, with respect to a data sharing arrangement with Columbia, NYP had “failed to comply with its own policies on information access management.”  Similarly, OCR noted in the 2014 Bulletin that its investigation of Anchorage revealed that Anchorage “had adopted sample Security Rule policies and procedures in 2005, but [that] these were not followed.”