In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether payment or ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom doesn’t necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily be comprised of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, cover entities’ and business associates’ contact information. The OCR is requesting timely responses, so that it can send pre-audit questionnaires out in order to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016 OCR followed by announcing that Feinstein Institute for Medical research, a New York biomedical research institute, agreed to pay to OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches resulting from stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multiple year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients.   After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures.   Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well.   As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.

On October 31, 2014, The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015.  The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.”  In the Work Plan OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.

As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency requirements of HIPAA.  HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (such as, for example, natural disasters, system failures, terrorism) that damages systems containing electronic protected health information (ePHI).  These policies and procedures must, at a minimum, include data backup plans, data recovery plans and plans to continue to protect the security of ePHI while operating in emergency operations mode.  In the Work Plan OIG advises that it will compare contingency plans used by hospitals with government and industry recommended practices. 

As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI.   The OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems that use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data using wired or wireless communications pose a growing threat to the security and privacy of personal health information. 

OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology.  In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls.  Prior OIG audits found that states often fail to have in place adequate security features, potentially exposing Medicaid beneficiary information to unauthorized access.

As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts.  In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces. 

12,915 complaints were reported in 2013 to the Department of Health and Human Services Office of Civil Rights (“OCR”) according to Illiana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement.  Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014.  The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”).  Below are a few discussion points worth mentioning from the conference:

• Between September 2009 and August 31, 2014, OCR investigated 1176 reports involving breach of Protected Health Information (“PHI”) where more than 500 individuals were affected and approximately 122,000 reports affecting less than 500 individuals.
• According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities and business associates’ laptops and mobile devices.
• Theft and loss continues to be the most common cause of breaches but OCR expects that IT hacking will continue to rise as a significant breach risk.
• Since 2009, consumer complaints regarding HIPAA violations continue to rise.
• Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
• Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
• Given the known risks of hacking, theft and loss and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security, inadequate physical and technical safeguards is not acceptable.
• OCR expects that covered entities and business associates will be familiar with recent corrective actions, resolution agreements such as Parkview, NYP/Columbia, Concentra, QCA, Skaget County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.

Continue reading…

On January 25, 2013, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) published the long-awaited omnibus final regulation governing health data privacy, security and enforcement (Omnibus Rule).[i]  The Omnibus Rule is a group of regulations that finalizes four sets of proposed or interim final rules, including changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act[ii] and proposed in 2010;[iii] changes to the interim final breach notification rule;[iv] modifications to the interim final enforcement rule; and implementation of changes to the Genetic Information Nondiscrimination Act of 2008 (GINA).  The Omnibus Rule goes into effect on March 26, 2013, and compliance is required by September 23, 2013.  As expected, the Omnibus Rule did not finalize the May 31, 2011 proposed regulation regarding accounting for disclosures. Continue reading…

Since the implementation of the privacy and security regulations of the Health Insurance Portability and Accountability Act (“HIPAA”) in 2003 and 2005 respectively, business associates (“BAs”) – those entities that perform services for or on behalf of covered entities – had been a weak link in the overall protection of protected health information (“PHI”).   BAs were not directly subject to HIPAA, but were only indirectly subject to its requirements through the business associate agreements – which were generally boilerplate – that covered entities were required to maintain as a condition of sharing PHI.  Thus, under the original regulatory structure, the only risk for a BA was for a breach of contract. Continue reading…