HIPAA Breach & Penalties - Let's Talk Compliance - Foley & Lardner LLP
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
HIPAA Breach & Penalties Let’s Talk Compliance COPYRIGHT © 2021 FOLEY & LARDNER LLP
Presenter
Jennifer L. Urban, JD, CIPP/US
Partner, Foley & Lardner LLP | Milwaukee, WI
Co-founder, Midwest Cyber Security Alliance
jurban@foley.com
414.297.5864
Member of Foley’s Technology Transactions & Outsourcing and Privacy,
Security & Information Management Practices
Focuses her practice on counseling clients on emerging privacy and
security laws, data protection programs, data incident management, breach
response and recovery, monetization of data, and other privacy and
security issues
Provides guidance on privacy and security issues faced by clients as they
implement new health technology solutions and assists in the development
and implementation of health information exchanges, organizations and
data warehouses
COPYRIGHT © 2021 FOLEY & LARDNER LLP 2
Presenter
Barry L. Mathis, CCSFP
Principal, PYA, PC| Knoxville, TN
bmathis@pyapc.com
423-827-7893
Barry has three decades of experience in the information technology (IT) and healthcare
industries as a CIO, CTO, senior IT audit manager, and IT risk management
consultant. He has performed and managed complicated HIPAA security reviews and
audits for some of the most sophisticated hospital systems in the country
He is a visionary, creative, results-oriented senior-level healthcare executive with
demonstrated experience in planning, developing, and implementing complex
information-technology solutions to address business opportunities, while reducing IT risk
and exposure
Barry is a member of United States Marine Corps, Health Care Compliance
Association, Association of Healthcare Internal Auditors, Healthcare Information
Management Systems Society and Information Systems Audit and Control Association.
He was an Honor Graduate in Systems Programming from the United States Marine
Corps Computer Sciences School (MCCDC) in Quantico, VA. He is a Certified
Programmer, a Certified Database Management Specialist, and a Certified Cyber
Security Framework Practitioner.
COPYRIGHT © 2021 FOLEY & LARDNER LLP 3
OCR 2016-2017 HIPAA Audits Report
Desk audits focused on compliance with HIPAA’s Privacy,
Breach Notification, and Security Rules
OCR found material noncompliance
– HIPAA’s Notice of Privacy Practices (NPP)
– Right of access
– Breach notification
– Security risk analysis and risk management requirements
Released in December 2020, relevant because it shows
why OCR chooses to focus on certain compliance areas
COPYRIGHT © 2021 FOLEY & LARDNER LLP 4
OCR 2016-2017 HIPAA Audits Report: Key Takeaways
Breach notification letters must
NPPs must meet requirements
have all required content
1 Contain elements on individual rights and be
written in plain language
4 Ensure letters meet all requirements under 45
C.F.R. § 164.404(c)
NPPs should be easily accessible Conduct ePHI security risk analysis
2 Provide functioning, conspicuous link to
HIPAA Notice on homepage and ensure NPP 5 Maintain appropriate and current risk analysis
consistent with policies, procedures, and changes
identifies correct covered entity in environment, operations, or security incidents
Review individual rights of access Implement appropriate risk
management strategies
3 Review relevant documentation, policies, and
procedures to evidence and improve access 6 Use risk assessment findings and security gaps to
request process develop an enterprise-wide risk management plan
COPYRIGHT © 2021 FOLEY & LARDNER LLP 5
HIPAA Right of Access Initiative
Since the initiative’s announcement in 2019, OCR has settled 18 “right of access” investigations
Alleged violations included failures to:
– Provide timely access
– Transmit PHI to third-parties
– Provide PHI in form and format requested
– Charge proper fees
– Properly deny access to psychotherapy notes
Settlements ranged from $3,500 to $200,000, and required entities to undertake a corrective
action plan that incudes 2 years of monitoring
COPYRIGHT © 2021 FOLEY & LARDNER LLP 6
Right of Access Initiative: Settlement Trends
$200,000
$180,000
$160,000
$140,000
$120,000
$100,000
$80,000
$60,000
$40,000
$20,000
$0
Settlement fine Settlement average
COPYRIGHT © 2021 FOLEY & LARDNER LLP 7H.R. 7898: HIPAA Safe Harbor Bill
Enacted on January 5, 2021
Creates a “HIPAA safe harbor” for covered entities and business associates that
had “recognized security practices” in place for at least the past 12 months
– Mitigate fines
– Result in the early, favorable termination of an audit
– Mitigate the remedies in settlement agreements
The Bill expressly states it does not give HHS the authority to increase fines or
the length, extent, or quantity of audits for entities that do not implement these
“recognized security practices”
COPYRIGHT © 2021 FOLEY & LARDNER LLP 8What Happened at M.D. Anderson
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit
issued its opinion vacating the $4.3 million penalty that the U.S.
Department of Health and Human Services (“HHS”) had levied against
the University of Texas M.D. Anderson Cancer Center (“M.D.
Anderson”)
Background:
– In 2012, an M.D. Anderson faculty member’s laptop was stolen
The laptop had electronic-protected health information for 29,021 persons
The faculty member’s laptop was not password-protected and was not encrypted
– Also in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive
that held ePHI for over 2,000 persons
– Finally, in 2013 another unencrypted USB thumb drive containing the ePHI for
3,600 persons was misplaced by a visiting researcher
COPYRIGHT © 2021 FOLEY & LARDNER LLP 9What Happened at M.D. Anderson
While HHS fined M.D. Anderson $4.3
million for the breaches at issue, the
Fifth Circuit found it compelling that
other health systems with similarly
sized breaches arising from similar
circumstances were fined
substantially less or in some
instances not at all
HHS also agreed with M.D. Anderson
that the penalty amounts charged of
$4.3 million were well in excess of
the penalty amounts stated in the
HIPAA regulations for any HIPAA
violation
COPYRIGHT © 2021 FOLEY & LARDNER LLP 10Takeaways
HHS was criticized by the court for being behind in its
enforcement efforts and statute of limitations. It is possible
the M.D. Anderson case could result in HHS speeding up
enforcement actions in response to breaches, given the
clear edict that HHS should be taking enforcement actions
in a uniform manner
The Fifth Circuit Court noted that M.D. Anderson had
implemented appropriate controls to protect electronic PHI.
While M.D. Anderson’s mechanisms failed in the reported
incidents, the Court noted that this is an area where perfect
compliance is likely impossible
COPYRIGHT © 2021 FOLEY & LARDNER LLP 11Thank you. Barry Mathis Jennifer Urban Betty H. Khin Principal Partner Moderator PYA P.C. Foley & Larder LLP Legal Counsel 865.673.0844 414.297.5864 Mayo Clinic bmathis@pyapc.com jurban@foley.com ATTORNEY ADVERTISEMENT. The contents of this document, current at the date of publication, are for reference purposes only and do not constitute legal advice. Where previous cases are included, prior results do not guarantee a similar outcome. Images of people may not be Foley personnel. © 2021 Foley & Lardner LLP COPYRIGHT © 2021 FOLEY & LARDNER LLP 12
You can also read
