The HIPAA Security Rule requires covered entities and business associates to implement physical, administrative, and technical safeguards to protect protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance warning that “essential” physical security is often overlooked.
Despite the lack of significant HIPAA settlements by the federal Office for Civil Rights (OCR) so far in 2018, states have not hesitated to patrol privacy and security breach activity and take action against perceived violations. Indeed, under the HITECH Act, state attorneys general have their own HIPAA enforcement authority. Two recent settlements suggest that states are ramping up their enforcement activities.
The New Jersey Attorney General recently announced a settlement of nearly $418,000 with physician network Virtua Medical Group, P.A. (Virtua) for an alleged breach of privacy involving 1,654 patients, most of whom reside in New Jersey. The settlement followed an investigation by the New Jersey Division of Consumer Affairs, which concluded that an online server misconfiguration, introduced during a software update by a third party vendor and business associate of Virtua, left patient medical records and related electronic personal health information (ePHI) viewable online and indexed by search engines. The Division’s investigation determined that the vendor discovered the breach in January 2016 and reinstated the security protections that had been in place prior to the update, but did not notify Virtua upon its discovery of the breach. The resulting settlement stemmed from allegations that Virtua failed to conduct a comprehensive analysis of the risks to PHI sent to the third party vendor, failed to safeguard against the risk of disclosure, failed to set forth sufficient procedures requiring the security measures necessary to mitigate that risk, and failed to implement awareness and training programs for workforce members related to impermissible disclosures.
Furthermore, in March 2018, the New York Attorney General announced a $575,000 settlement with EmblemHealth and wholly-owned subsidiary Group Health Incorporated (EmblemHealth), following an incident in which 81,122 social security numbers were disclosed on a mailing. In EmblemHealth’s case, a Medicare Prescription Drug Plan Evidence of Coverage notice included a mailing label with the policyholder’s social security number on it. In addition to the settlement, EmblemHealth is required to implement a corrective action plan.
These settlements serve as reminders to covered entities and business associates that states may aggressively enforce data privacy and security violations, separate from what the OCR does. Some state laws (such as those in New Jersey and New York) may not expressly target PHI breaches in the same manner as HIPAA and other federal data privacy and security regulations, but they may have similarly sharp teeth. Furthermore, state enforcers may share information with, and involve, federal enforcers where the activity also constitutes a violation of federal regulations. In addition, covered entities should thoroughly examine their business associate agreements to ensure that third party vendors bear the financial risk for failing to provide notice of breaches and for failing to maintain adequate security measures to mitigate the risk of disclosure.
Health Information Highlight
Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. In Part II, we reviewed considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server. Here, we address potential risk mitigation strategies when HIPAA issues are identified in the course of diligence.
It is not unusual to identify gaps or deficiencies in HIPAA compliance during the diligence process. These deficiencies can range from a lack of robust policies, procedures and employee training to inappropriate use of texting and cloud storage or failure to conduct a required security risk assessment. Several years ago, when HIPAA enforcement risk was more of a secondary concern, many buyers did not take a proactive approach to remediation and assumed these areas could be addressed in the ordinary course. Given the uptick in enforcement against both covered entities and business associates and the ever-increasing fines, it is important to take a proactive approach and quickly address compliance gaps. When a buyer encounters compliance gaps, there are various ways to mitigate the risk, several of which are discussed below:
- Require Compliance Actions as a Pre- or Post-Close Condition. Depending on the level of risk and exposure, buyers should consider whether addressing compliance gaps should begin prior to closing. In other instances, it may be reasonable to address compliance post-close; however, it is important to ensure that any post-close compliance is completed within a specified time, such as 30, 60, 90 or 120 days post-close.
- Indemnification, Escrows & Representation and Warranty Insurance. Buyers should consider whether it is appropriate to obtain specific indemnification or an escrow of funds to cover potential HIPAA non-compliance. When negotiating indemnification provisions, a buyer should consider the applicable dollar caps, floors and survival period to ensure appropriate coverage for potential future liability.
- Ongoing Settlements. If the seller is involved in any government or third party investigation or settlement negotiation related to HIPAA compliance, buyers should consider obtaining a waiver of liabilities and rights from the government or third party prior to close. Buyers should also ensure that the indemnification provisions from the seller are modified so as to adequately protect the buyer from undue risk or exposure.
With the continued risk of HIPAA enforcement, privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate that risk and understand the cost of protecting the target’s greatest assets.
Health Information Highlight
Welcome back to our three-part series examining ways to efficiently identify, address and mitigate gaps in HIPAA compliance in transaction diligence. In Part I of this series, we discussed four key diligence questions upon which buyers should focus their efforts in a transaction. Here, we review considerations related to storage of and access to diligence materials, particularly in the context of using a data room or other cloud-based server.
For an online or virtual data room administrator, opening access to an inquiring stakeholder, valuator, or reviewer party to an acquisition target company’s documentation may be as simple as a few clicks and perhaps an email or two. However, if any document contains personal or identifiable health information, a number of privacy and data protection regulations may deem access to such information by an unauthorized party to be a violation. In the case of disclosure of protected health information (PHI) in a healthcare transaction, HIPAA may impose significant penalties on target providers posting the PHI and the unauthorized parties accessing the PHI alike.
There are a number of ways to minimize the risk of inadvertent unauthorized disclosure:
1. Consider Restricted Access. The uploading party can restrict unauthorized parties’ access to uploaded PHI by either (a) preparing separate data rooms, one containing PHI for authorized parties and one with no PHI for unauthorized parties, or (b) if the data room’s user features permit, restricting unauthorized parties’ access to the specific documents or folders that may contain PHI. Prior to permitting or restricting access, a covered entity uploading its data should review and categorize its relationship with each accessing party for HIPAA purposes. All parties accessing data should enter into and be bound by confidentiality provisions covering the data, which may include putting a Business Associate Agreement (BAA) in place.
2. Remove Patient Identifiers. Alternatively, prior to uploading any data into the room, ensure that the uploading party scrubs all data and financials of patient identifiers and only uploads “clean” versions of documents. The uploading party could also elect to provide “model” contracts rather than contracts that might disclose PHI. For provider financial data, which may contain patient-level detail that identifies a patient, this scrubbing can be a particularly time-consuming investment of resources. Regardless, the up-front investment in cleaning data prior to uploading reduces the risk of disclosing any actual PHI.
3. Secure Data Rooms. Choose a secure data room provider that complies with data protection laws. Popular consumer file-sharing services may be exceedingly simple to set up and share, and may cost nothing; however, many such cloud providers may not have appropriate security or data protection measures in place and may increase the risk of unauthorized access.
Stay tuned for Part Three where we will examine HIPAA risk mitigation strategies.
Health Information Highlight
Welcome to a three-part series that will examine several ways to efficiently identify, address, and mitigate gaps in HIPAA compliance in transaction diligence.
A target’s value is often held in its information and people. An increased risk of HIPAA enforcement means that privacy and security diligence should not be a “check the box” activity. Buyers should fully understand the scope of potential risk in the early stages of transaction diligence, take steps to adequately mitigate any potential go-forward risk, and, most importantly, understand the cost of protecting the target’s greatest assets.
Beginning last year, we saw a substantial increase in the economic impact of HIPAA enforcement by the Department of Health and Human Services, Office for Civil Rights (OCR). Since then, several new cases have illuminated the need for increased scrutiny of HIPAA compliance during the transaction diligence process.
To better understand a seller’s overall HIPAA compliance, there are four key diligence questions upon which buyers should focus their efforts in a transaction:
1. Does the seller have the core HIPAA documentation in place? At minimum, the buyer should look for:
- Privacy and Security Rule Policies and Procedures
- Breach Notification Policies and Procedures and Risk Assessments
- Security Audits and Incident Logs
- HIPAA Risk Analyses (for the last 2-3 years) and corresponding Management Plans
- Business Associate Agreements (BAAs) with Contractors/Customers
- As applicable, Notice of Privacy Practices
2. Is the seller complying with its policies? The principal measure of the effectiveness of a HIPAA compliance program is whether the seller’s internal controls and compliance practices live up to the promise set out in the policies. To determine whether a seller is complying with its policies, a buyer should look to whether the seller is:
- sufficiently training employees and documenting this training;
- assessing and tracking security incidents;
- identifying and empowering compliance personnel;
- auditing and monitoring compliance on a periodic basis; and
- performing frequent security assessments regarding risk areas.
In some cases, a simple public news search may identify the target’s incidents or reputational risks that may be meaningful to the buyer, even where a formal investigation or enforcement action has not yet been triggered.
3. How does the seller address potential HIPAA security and breach risk areas? A seller’s representation that “no HIPAA breaches have occurred” may tell the buyer much about what the seller is not doing to identify and take action on various security and privacy compliance risks. The buyer should review the seller’s security risk analyses, breach assessments, and investigation logs to understand the seller’s historical liabilities and what the seller has treated as actionable risks. The buyer may also wish to understand how the seller is assessing third party risks, including determining BAA compliance and determining whether and how third parties are accessing and using protected health information (PHI).
4. What is the nature of the risk related to any identified gaps? A buyer should carefully consider the spectrum of liability to the parties arising from risks identified in transaction diligence. The buyer should review those liabilities in the context of:
- the risk of governmental enforcement, including more restrictive state and international laws that may attach to the data;
- civil liability, including contractual breaches;
- ethical and organizational fines;
- criminal executive liability for profiting off or knowingly not reporting breaches; and
- related reputational harm to the parties related to an enforcement action or third party suit.
Stay tuned for Part Two where we will examine cloud server data and HIPAA compliance strategies.
So far, 2018 has been a light year in terms of HIPAA enforcement. There have been only two publicly-disclosed settlements. But that doesn’t mean covered entities and business associates should let their guard down and assume that they don’t need to be mindful of HIPAA. Indeed, it is hard to know what is going on in the Office for Civil Rights (OCR) with respect to enforcement. Theories include that the priorities of the current administration are driving less enforcement, that the OCR is focusing its efforts on the current round of audits, and that the OCR is simply holding back on some settlements so that it can ensure a consistent approach to multiple settlements that it will announce in the near future. No matter the answer, it is not safe to assume that things will remain quiet on the HIPAA front.
Looking at the 2018 settlements, they reflect two very different scenarios, and both demonstrate that HIPAA settlements can take a long time to work their way through the OCR (which makes predicting enforcement even more difficult). The first settlement of the year was with Fresenius Medical Care North America (Fresenius) for $3.5 million and the adoption of a comprehensive corrective action plan. The Fresenius settlement dates back to 2012, when Fresenius experienced breaches at five different facilities around the country. The OCR’s investigation revealed systematic failures by Fresenius to adopt appropriate policies and procedures to address the Privacy and Security Rules. In the press release for the Fresenius settlement, the OCR Director stressed the importance of enterprise-wide risk analysis.
The second settlement was for $100,000 with the receiver that was appointed to liquidate the assets of Filefax, as it was closing its operations in 2015. The OCR’s investigation followed an anonymous complaint regarding improper disposal of medical records, and the OCR found a variety of issues in which records were left unsecured. Even though Filefax had closed, the receiver was held responsible for on-going compliance with HIPAA. Thus, the OCR has confirmed that closing operations does not relieve covered entities of HIPAA obligations, and that any entity that assumes custody of health records needs to be mindful of HIPAA.
Given that the Omnibus Final Rule is now more than five years old, the OCR is unlikely to tolerate non-compliance and it is probably only a matter of time before the sleeping giant awakens—or, more likely, that we learn that the giant hasn’t been sleeping at all. Indeed, because settlements take so long to process, no one outside the OCR really knows how active the OCR is with respect to enforcement activities for situations occurring right now. Therefore, all covered entities and business associates need to stay vigilant with respect to the three pillars of HIPAA compliance: Privacy Rule Policies and Procedures, reasonably current Security Rule Risk Assessments, and workforce training regarding HIPAA. And, any entity that experiences a breach—particularly a breach involving 500 or more individuals that requires prompt notice to the OCR—should revisit all three of these compliance pillars.
To better mitigate HIPAA enforcement actions, stay tuned for a three-part series that will examine several ways to efficiently identify and address gaps in HIPAA compliance during transaction diligence.
With 2017 having drawn to a close, it is once again time for HIPAA covered entities to complete their annual breach reporting obligations to the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”). Whereas covered entities must report breaches involving 500 or more individuals no later than 60 calendar days from the discovery date, for breaches affecting fewer than 500 individuals, entities have the option of submitting the year’s incident notifications within 60 days after the end of the respective calendar year.
Even as entities work to meet this deadline, certain trends are becoming apparent. To assist with identifying trends and mitigating risks, this post provides a brief overview of current OCR activity and 2017 breach reports. Because breaches can be reported until February 28, 2018, the figures herein are not yet final. Nevertheless, the 2017 statistics to date provide insight into the healthcare industry’s current challenges, general trends in data security, and considerations for 2018 OCR compliance.
To date, the annual figures for HIPAA privacy breaches of unsecured protected health information (“PHI”) reveal that network servers, email, and other information technology (“IT”) events continued to challenge the healthcare industry in 2017. OCR data shows that HIPAA privacy breach reports affecting 500 or more individuals remained relatively stable when compared to 2016, increasing slightly from 327 to 345. Hacking and IT incidents, however, rose by 25%, with 142 in 2017 compared to 113 in 2016. Other events, such as unauthorized access/disclosures, theft, and improper disposal, saw more modest fluctuations. Breaches occurring via portable electronic devices in the workplace (e.g., smartphones and tablets) remained stable, with 22 in 2017 and 21 in 2016. Email-based breaches, however, rose by 60%, up to 85 in 2017 from 50 in 2016.
The healthcare industry obviously still has work to do, particularly with larger data sets. The numbers show an increase in hacking- and email-related breaches, which makes the need for email and software safety measures more apparent.
There are several key lessons gleaned from the 2017 statistics on protection measures that a covered entity may take in 2018 to help mend current gaps and minimize risk of the increasingly commonplace hacking and email incidents:
- Workforce training and education that emphasizes the identification of suspicious emails and links that may allow hackers into a covered entity’s network remain vital compliance tools.
- From an administrative and management perspective, as well as OCR enforcement perspective, updating risk analyses of systems is more important than ever.
- Following a management plan, created from the identification of threats to PHI through the risk analysis, can significantly minimize risk exposure and avoidable attacks.
- Investing in and implementing advanced intrusion detection systems can identify malicious activity or software more quickly, creating real-time alerts.
- Continued auditing and monitoring of systems and the workforce further assist entities in identifying abnormalities or weak points in their safeguards.
- Software updates can help shut out malicious and expansive attacks. As seen with the global “WannaCry” security breach and the most recent “Meltdown” and “Spectre” hardware vulnerabilities, potential hacks, phishing schemes, and viruses may be easily mitigated with the appropriate patches and operating system updates.
The 2017 numbers regarding data breaches show the need for HIPAA entities to remain vigilant against large breaches, especially as they are growing increasingly malicious and difficult to anticipate. Large and small solutions exist, each of which can make a significant impact on protecting against breaches in the coming year.
45 C.F.R. § 164.408(b), (c); Submitting Notice of a Breach to the Secretary, U.S. Dep’t Health & Human Servs. (Jan. 5, 2015), https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.
Drug adherence programs have significantly evolved over the last few years with drug companies, health plans, and providers taking steps to monitor patient medication compliance. Drug adherence is the degree to which a patient complies with medication administration advice for treatment of chronic disease. Beyond the obvious benefits to patients’ health and health entities’ bottom lines, drug adherence can have a large effect on public health and social communities. Therefore, although it is no surprise that the health care industry has turned its focus to adherence in a big way, it may be surprising that in an industry where confidentiality is king, the most recent strategy may be turning to big brother.
U.S. Food & Drug Administration Announcement
This past November, the U.S. Food & Drug Administration (“FDA”) announced approval of a new solution to medication noncompliance – digital tracking. The FDA has not broadly blessed the practice, which has been around since 2012, but rather took a large leap in that direction by approving the digital drug Abilify MyCite – a collaboration between drug manufacturer Otsuka and technology company Proteus Digital Health. The drug is used for the treatment of schizophrenia, episodes associated with bipolar I disorder, and certain depression diagnoses in adults. Abilify MyCite, specifically, uses an ingestible sensor embedded in the drug tablet that emits an electrical signal upon reacting with stomach acids. The signal is sent to a wearable patch and a mobile application, which records that the medication was taken. Patient relatives and caregivers can track medication compliance by accessing the information directly through a similar application or web-based portal.
Privacy Concerns and Obtaining Consent
As the industry looks to improve public health and reduce health care costs (medication noncompliance is estimated to cost $100 billion/year in the U.S.), it works to balance the need to uphold patient rights, including patient privacy, especially where disease increases patients’ vulnerability. While HIPAA and state laws generally allow access to and disclosure of patient information with consent as well as for treatment purposes, regulation of this kind of monitoring by third parties and of the resulting use of the data is less explicit. Just as states are beginning to take a stronger stance on the protection of biometric and genetic information, digital drugs and medication compliance may be next to receive additional scrutiny and increased protections. (Full post: Big Brother is a Pill: Digital Tracking Drugs)
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently issued guidance emphasizing the increased risks of using mobile devices in the workplace when the mobile devices contain or have access to sensitive data. Particularly, OCR warns of the risks of the use of mobile devices by healthcare organizations when the mobile devices are used to create, receive, maintain or transmit electronic protected health information (“ePHI”) that is protected by the Health Insurance Portability and Accountability Act (“HIPAA”).
Under the HIPAA Security Rule, covered entities and their business associates are required to conduct a risk analysis of the organization’s security risks and vulnerabilities and address identified vulnerabilities. OCR highlights that compliance with the Security Rule requires organizations to include mobile devices in the risk analysis and to address the inherent risks “to a reasonable and appropriate level.” A significant portion of reported settlements of alleged HIPAA claims have involved lost or stolen mobile devices that were not addressed in a risk assessment or not appropriately secured. In some cases, settlements for alleged non-compliance involving mobile devices have exceeded $2 million.
In addition to their inherent risk of being lost or stolen, OCR notes further risks of using mobile devices to store or transmit ePHI, which are discussed in the full post, Balancing Convenience and Risk: OCR Issues Statement on Use of Mobile Devices.
HIPAA’s Security Rule requires that Covered Entities perform “periodic” Security Risk Assessments. All too often, however, this regulatory obligation is ignored altogether, performed extremely sporadically, or treated as a regulatory hoop-jumping exercise to be completed as quickly as possible. Aside from increasing the risk of HIPAA liability, treating the Security Rule Risk Assessment in these ways means missing out on an opportunity to explore and shore up the entity’s data security systems.
Despite what criticisms may exist for other parts of the HIPAA regulations, the Security Rule can be a remarkably helpful tool. It was rolled out in 2013, and it has survived the test of time despite astonishing changes in technology. Indeed, one of the reasons for this is that the Security Rule expressly incorporates a “flexibility of approach,” making it applicable to Covered Entities of all sizes and configurations.
At its core, the Security Rule aims to ensure the confidentiality, integrity, and availability of electronic PHI, and the elements of the rule are pretty much the very same things that would be expected of any responsible organization operating in the digital age anyway.
When done properly, the Security Rule Risk Assessment helps entities to examine their operations to identify where and how their data is stored; reasonably anticipate and address the risks that may exist to their data; and identify the various ways in which the entity manages its operations with respect to a fairly logical set of required and addressable criteria. This exercise can be critically important in helping in-house counsel and the compliance team to understand where the organization’s information “lives,” who is in charge of securing the data, and what areas of potential vulnerability require attention.
Lawyers do not often applaud regulations, but in the case of data security practices, the HIPAA Security Rule can be tremendously helpful, and all entities should take it very seriously.