12,915 complaints were reported in 2013 to the Department of Health and Human Services Office of Civil Rights (“OCR”) according to Illiana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement.  Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014.  The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”).  Below are a few discussion points worth mentioning from the conference:

• Between September 2009 and August 31, 2014, OCR investigated 1176 reports involving breach of Protected Health Information (“PHI”) where more than 500 individuals were affected and approximately 122,000 reports affecting less than 500 individuals.
• According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities and business associates’ laptops and mobile devices.
• Theft and loss continues to be the most common cause of breaches but OCR expects that IT hacking will continue to rise as a significant breach risk.
• Since 2009, consumer complaints regarding HIPAA violations continue to rise.
• Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
• Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
• Given the known risks of hacking, theft and loss and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security, inadequate physical and technical safeguards is not acceptable.
• OCR expects that covered entities and business associates will be familiar with recent corrective actions, resolution agreements such as Parkview, NYP/Columbia, Concentra, QCA, Skaget County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.

Ms. Peters provided a helpful slide summarizing the lessons that OCR has learned from recent Corrective Actions, Resolution Agreements and the first audit phase:

1. HIPAA covered entities and their business associates must undertake a careful risk analysis to understand their vulnerabilities to individual’s data and have appropriate safeguards in place to protect this information.
2. HIPAA covered entities and their business associates must take caution when implementing changes to information especially when those changes involve updates to applications, software or portals that are used to provide access to consumers’ health data using the Internet.
3. Senior leadership and executives within HIPAA covered entities and their business associates must create and define a culture of complying with the HIPAA privacy and security requirements to ensure patients’ rights are protected as well as the confidentiality of their health data.

“LoProCo”

Ms. Peters also discussed the expression, “LoProCo” that is used by OCR investigators and enforcers to describe the new breach standard.  All security incidents are presumed to be a HIPAA breach unless the covered entity and the business associate can prove that there is a “low probability that the data has been compromised.”  Ms. Peters emphasized that OCR investigators and enforcers “focus on the risk to the data, instead of risk of harm to the individual.”  LoProCo creates a more objective standard than the previous risk of harm standard.

Documentation is Key 

Documentation of the risk assessment after a security incident is not optional.  Ms. Peters said that OCR finds out about suspected breaches and if the covered entity or business associate did not report the breach, OCR will request copies of the risk assessment.  With correct documentation and evidence that the covered entity and the business associate appropriately and competently perform the risk assessment then OCR will be satisfied and go away.  If the risk assessment was superficial or performed by inexperienced professionals, the covered entity and the business associates can expect OCR to stick around and conduct a detailed investigation.

Guidance on Definition of “Compromised”

One question during the conference was “how OCR defines the term “compromised” as used in the definition of breach.”  Ms. Peters acknowledged that HIPAA does not define compromised and said that OCR will be issuing shortly additional guidance on breaches and this guidance will provide more clarity for when data is compromised.  Ms. Peters said that she considered data compromised when there is a breach, an impermissible use or disclosure under the Security Rule.

Phase II Audit Program

OCR will also be starting the second phase of the audit program.  Covered entities are expected to produce a list of all of their business associates and copies of all of their executed business associate agreements.  Unlike the first phase of audits, the second phase will be used to trigger HIPAA compliance reviews and investigations conducted by OCR’s Regional Offices.

What is coming next?

OCR anticipates issuing a significant amount of further guidance.  Covered entities and business associates should expect guidance on the following:

• Breach Safe Harbor
• Breach Risk Assessment Tool
• Minimum Necessary Standard
• Marketing using PHI
• Security Rule guidance
• Methods for sharing penalty amounts with harmed individuals
• Accounting of Disclosures

If you would like to learn more about OCR’s additional comments during the conference please monitor NIST’s conference website or contact Ryan P. Blaney at Cozen O’Connor.