Inside an OCR Investigation

Transcription

1 Inside an OCR Investigation Abby Bonjean, Investigator U.S. Department of Health and Human Services, Office for Civil Rights, Region V 1 These slides, along with Ms. Bonjean s remarks, are intended to be purely informational and informal in nature. None of the information contained in the slides or in Ms. Bonjean s statements is intended to represent orreflect the official interpretation or position of the U.S. Department of Health and Human Services, Office for Civil Rights. 2 Overview Current State of Enforcement and Compliance Environment Case Examples Enforcement Statistics Audit Program Responding to OCR Inquiries Common Compliance Issues Guidance and Compliance Tools Mobile Devices 3 1

2 Current State of Enforcement: Case Examples 4 Case Examples Parkview Health System ($800,000) Parkview left 71 boxes of medical records in a retiring physician s driveway NY Presbyterian Hospital and Columbia University Medical Center ($4.8 million) NYP and CUMC filed joint breach report Deactivation of server resulted in electronic protected health information (ephi) of 6800 patients being accessible on internet search engines Both entities failed to conduct accurate and thorough risk analyses Both entities failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level 5 Case Examples Concentra Health Services ($1,725,220) Unencrypted laptop containing the ephi of 870 individuals was stolen from one of Concentra s facilities Lack of encryption identified as critical risk prior to breach incident but steps to implement were incomplete and inconsistent QCA Health Plan, Inc. ($250,000) Unencrypted laptop containing the ephi of 148 individuals was stolen from an employee s car QCA failed to conduct an accurate and thorough risk analysis and failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level 6 2

3 Current State of Enforcement: Enforcement Statistics 7 Enforcement Statistics CY 2014 Resolution Agreements/Corrective Action Plans 6RA/CAPs thus far Total resolution amounts of $7,790,220 CY 2013 Investigated Complaints/Compliance Reviews 4,459 investigative closures 3,467 closed with corrective action Breach Reports 930 breaches involving 500 or more individuals Over 113,000 breaches involving fewer than 500 individuals 8 Breach Notification: 500+ Breaches by Type of Breach Hacking/IT Incident 8% Improper Disposal 4% Unknown 2% Other 10% Unauthorized Access/Disclosure 18% Theft 47% Data as of March 25, 2014 Loss 11% 9 3

4 Breach Notification: 500+ Breaches by Location of Breach 5% EMR 3% Other 11% Paper Records 21% Network Server 12% Desktop Computer 14% Portable Electronic Device 11% Laptop 23% 10 Audit Program 11 Audit Program Background HITECH Act Sec Periodic audits to ensure covered entities and business associates comply with requirements of HIPAA and HITECH Audit Objectives Examine mechanisms for compliance Identify best practices Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews Renew attention of covered entities to health information privacy and security compliance activities 12 4

5 Audit Pilot Process Tiered approach for snapshot of compliance across covered entity types, sizes, complexity Sample of 115 covered entities selected spread across 4 tiers All audits were completed by December 2012 OCR published audit protocol on website Issued final reports to entities audited in pilot 13 Audit Pilot Program Results 14 Audit Phase 2 Approach OCR will distribute pre-audit surveys to entity pool Selected entities will receive notification and data requests Covered entities will be asked to identify their business associates and provide current contact information OCR will select business associate audit subjects through this process Audits will focus on selected provisions of the law Comprehensive on-site audits as resources allow 15 5

6 Audit Phase 2 Expectations Data request will specify content and file organization, file names, and any other document submission requirements Only requested data submitted on time will be assessed All documentation must be current as of the date of the request Auditors will not have the opportunity to contact the entity for clarification or to ask for additional information, so it is critical that documents accurately reflect the program Submitting extraneous information may increase difficulty for auditor to find and assess the required items Failure to submit response to requests may lead to referral for regional compliance review 16 OCR Enforcement Basics 17 OCR Enforcement Basics Types of OCR Inquiries Complaint Investigations 45 C.F.R Compliance Reviews 45 C.F.R

7 OCR Enforcement Basics Overview of Investigative Process Notification and Data Request Covered Entity/Business Associate Response 45 C.F.R outlines responsibilities On-site Investigation Case Resolution No Violation or Voluntary Compliance Resolution Agreement (RA) and Corrective Action Plan (CAP) Civil Money Penalty (CMP) 19 Information OCR Often Requests Name and contact information of individual designated to work with OCR Position statement Business Associate Agreement (if applicable) Policies and procedures Evidence of workforce training Training materials Workforce attendance Evidence of sanctions (if applicable) 20 Information OCR Often Requests (cont.) Security Rule cases Risk analysis Risk management plan Evidence of implemented security measures Security incident report Breach cases Notices to individuals and media Evidence of corrective action 21 7

8 Preparing the Response Ask questions Response format Evidence = documentation Don t be evasive 22 Common Compliance Issues 23 Common Compliance Issues Risk analysis Identify all ephi Ongoing process Mobile devices Implement a policy Train workforce members 24 8

9 Common Compliance Issues Addressable does not mean optional Refer to 45 C.F.R (d)(3) Assess whether the implementation specification is reasonable and appropriate If reasonable and appropriate, implement the measure If not, document rationale andimplement equivalent alternative measure if reasonable and appropriate 25 Common Compliance Issues Policies and Procedures 45 C.F.R , , (i)-(j) Revise as necessary to comply with applicable law and to address changes in business and workflow Should reflect an entity s environment 26 Guidance and Compliance Tools 27 9

10 Guidance and Compliance Tools De-identification Guidance Guidance on Marketing: Refill Reminders ingrefillreminder.html Guidance on Decedents dents.html Sample Business Associate Contract Language tprov.html Security Rule Guidance Risk Analysis Guidance NIST HIPAA Security Rule Toolkit NIST Guidelines for Media Sanitation FTC Guidance on Copier Data Security Educational paper series 28 Guidance and Compliance Tools: Sample Notices of Privacy Practices Versions for providers and health plans Multiple formats Customizable Available in English and Spanish 29 Guidance and Compliance Tools: Medscape Videos Patient Privacy: A Guide for Providers HIPAA and You: Building a Culture of Compliance Examining Compliance with the HIPAA Privacy Rule These Medscape modules offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals 30 10

11 Guidance and Compliance Tools: Mobile Devices Use a password or other user authentication. Install and enable encryption. Install and activate wiping and/or remote disabling. Disable and do not install file-sharing applications. Install and enable a firewall. Install and enable security software. Keep security software up to date. Research mobile apps before downloading. Maintain physical control of your mobile device. Use adequate security to send or receive PHI over public Wi-Fi networks. Delete all stored health information before discarding or reusing the mobile device. 31 Guidance and Compliance Tools: Securing Your Mobile Device is Important! The videos explore mobile device risks and discuss privacy and security safeguards providers and professionals can put into place to mitigate risks Dr. Anderson's Office Identifies a Risk A Mobile Device is Stolen Can You Protect Patients' Health Information When Using a Public Wi-Fi Network? Worried About Using a Mobile Device for Work? Here's What To Do! 32 Guidance and Compliance Tools: Fact sheets Posters Brochures 33 11

12 Guidance and Compliance Tools Security Risk Analysis Tool 34 Guidance Still to Come Omnibus Final Rule Breach Safe Harbor update Breach Risk Assessment tool Minimum Necessary More on Marketing More factsheets on other provisions Model Notice Online version Other Guidance Security Rule guidance updates 35 Contact Information (312) Sign up for OCR s listserv: erstanding/coveredentities/listserv.html 36 12