- The Office for Civil Rights (OCR) entered into one settlement of $16 million in penalties, the largest monetary settlement in the agency's HIPAA enforcement program history.
- HIPAA-regulated entities should review vendor management practices to avoid HIPAA violations.
- A HIPAA-regulated entity’s security risk management process does not end with performing a risk analysis. OCR expects an ongoing plan to reduce identified risks.
$25 million in penalties demonstrates OCR focus on data security
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to aggressively enforce the HIPAA Privacy, Security, and Breach Notification Rules against covered entities and business associates. In addition, it has sought input for future HIPAA rulemaking and issued guidance about HIPAA compliance topics. This overview of HIPAA issues by several partners in the McDermott Will & Emery law firm includes notable enforcement actions, requests for input from stakeholders, and guidance issued by OCR in 2018.
Key lessons from OCR enforcement actions
According to McDermott Partner Daniel Gottlieb, OCR announced 10 important enforcement actions and collected approximately $25.68 million in settlements and civil money penalties (CMPs) from HIPAA-regulated entities in 2018. Notably, an HHS administrative law judge upheld the fourth CMP that OCR has assessed against a HIPAA-regulated entity, and the agency entered into one settlement of $16 million in penalties. It is the largest monetary settlement ever in the OCR’s HIPAA enforcement program.
Gottlieb says, “OCR continues to emphasize the importance of implementing a security risk management process, appropriately identifying and handling relationships with business associates, and safeguarding protected health information (PHI) against unauthorized disclosures.” According to Gottlieb, the following are key lessons learned from OCR enforcement actions in 2018:
- OCR will often scrutinize not only a breached entity’s incident response and mitigation efforts, but all aspects of the entity’s pre-breach HIPAA compliance program.
- OCR will hold digital health vendor HIPAA business associates directly liable for noncompliance with the HIPAA Rules.
- HIPAA-regulated entities should review their vendor management practices to avoid violations of HIPAA’s business associate agreement requirement. Those agreements require business associates to protect PHI in accordance with HIPAA standards.
- A HIPAA-regulated entity’s security risk management process does not end with performing a risk analysis. The entity is expected by OCR to create and implement an ongoing plan to reduce identified risks to reasonable and appropriate levels.
- HIPAA-regulated entities must implement administrative and technical safeguards to ensure terminated or departed workforce members no longer have access to electronic PHI (ePHI) after they have left their positions.
In May 2018, OCR released two advance notices of proposed rulemaking (NPRM) concerning amendments to the HIPAA regulations required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, according to Jiayan Chen, another McDermott partner.
“The first notice asked for public comment on how to implement HITECH’s requirement that OCR begin sharing a percentage of settlement money with affected consumers,” Chen says. The second NPRM requested comments on how to address the HITECH Act’s modification to the Privacy Rule’s accounting of disclosures provisions, which expands the types of disclosures a covered entity must track in an accounting.
At the same time, OCR withdrew its 2011 proposed rulemaking on accountings of disclosures. As Amada Enyeart, a McDermott partner, says, “OCR had sought to require covered entities that use electronic health record (EHR) systems to provide so-called ‘access reports’ describing each instance of unauthorized access of ePHI during a three-year period, regardless of whether the access resulted in a prohibited use or disclosure of the information.” That idea garnered largely negative feedback from the healthcare industry.
Gottlieb adds that in December 2018, OCR sought comments on whether the HIPAA rules need to be modified to better facilitate the transition to value-based health care and improve the coordination of care among patients, covered entities, and non-HIPAA regulated healthcare providers. “We discuss this in more detail in our analysis of the Request for Information,” Gottlieb says.
OCR guidance materials
Chen suggests organizations may find the following 2018 guidance materials and tools helpful as they navigate HIPAA compliance challenges:
Risk Analyses vs. Gap Analyses — What Is the Difference? In the April 2018 edition of its monthly cybersecurity newsletter, OCR discussed one of the common deficiencies it encounters in the HIPAA Security Rule risk analyses performed by covered entities and business associates. OCR explains why a “gap analysis,” which generally evaluates security controls in place against an information security framework, is insufficient to meet the agency’s expectations for a Security Rule risk analysis of potential threats and vulnerabilities to ePHI. (Enyeart suggests review of additional information on the continuing disconnect regarding HIPAA’s risk analysis requirements.)
Security Risk Assessment Tool. In September 2018, OCR and the HHS Office of the National Coordinator for Health Information Technology jointly released an updated version of their HIPAA Security Risk Assessment Tool. “This document was designed to help small- to medium-sized healthcare providers and business associates comply with the HIPAA risk analysis requirement,” Chen says.
Uses and Disclosures of PHI for Research. In June 2018, pursuant to the 21st Century Cures Act, OCR issued guidance on obtaining HIPAA-compliant authorizations from research subjects to use or share their PHI for research purposes, including the parameters of an individual’s right to revoke such authorizations, as well as obtaining authorizations for the use or disclosure of PHI for future research purposes. This is essentially a placeholder on the issue of what constitutes a sufficient description of the purpose of a use or disclosure for future research because it largely reiterates prior guidance. Stakeholders should anticipate potential future OCR engagement on this issue and additional detailed guidance about the level of specificity that an authorization must include.
Other federal privacy/security developments
Finally, the McDermott attorneys note that federal protection of health information is not limited to HIPAA. Both the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have exercised their authority to regulate the use and disclosure of data related to certain populations or communicated via specific channels. These include the FTC’s regulation of the Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501-6506) and the FCC’s enforcement of the Telephone Consumer Protection Act (47 U.S.C. § 227).
These and other notable privacy and security enforcement actions are discussed in a special report, 2018 Digital Health Year in Review: Focus on Data published by McDermott Will & Emery.
Interviewed for this article: