HIPAA Breach & Penalties - Let's Talk Compliance - Foley & Lardner LLP
Presenter
Jennifer L. Urban, JD, CIPP/US
Partner, Foley & Lardner LLP | Milwaukee, WI
Co-founder, Midwest Cyber Security Alliance
jurban@foley.com
414.297.5864
– Member of Foley’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices
– Focuses her practice on counseling clients on emerging privacy and security laws, data protection programs, data incident management, breach response and recovery, monetization of data, and other privacy and security issues
– Provides guidance on privacy and security issues faced by clients as they implement new health technology solutions and assists in the development and implementation of health information exchanges, organizations and data warehouses
COPYRIGHT © 2021 FOLEY & LARDNER LLP 2
Presenter
Barry L. Mathis, CCSFP
Principal, PYA, PC | Knoxville, TN
bmathis@pyapc.com
423-827-7893
– Barry has three decades of experience in the information technology (IT) and healthcare industries as a CIO, CTO, senior IT audit manager, and IT risk management consultant. He has performed and managed complicated HIPAA security reviews and audits for some of the most sophisticated hospital systems in the country.
– He is a visionary, creative, results-oriented senior-level healthcare executive with demonstrated experience in planning, developing, and implementing complex information-technology solutions to address business opportunities, while reducing IT risk and exposure.
– Barry is a member of the United States Marine Corps, Health Care Compliance Association, Association of Healthcare Internal Auditors, Healthcare Information Management Systems Society and Information Systems Audit and Control Association. He was an Honor Graduate in Systems Programming from the United States Marine Corps Computer Sciences School (MCCDC) in Quantico, VA. He is a Certified Programmer, a Certified Database Management Specialist, and a Certified Cyber Security Framework Practitioner.
OCR 2016-2017 HIPAA Audits Report
Desk audits focused on compliance with HIPAA’s Privacy, Breach Notification, and Security Rules
OCR found material noncompliance with:
– HIPAA’s Notice of Privacy Practices (NPP)
– Right of access
– Breach notification
– Security risk analysis and risk management requirements
Released in December 2020; relevant because it shows why OCR chooses to focus on certain compliance areas
OCR 2016-2017 HIPAA Audits Report: Key Takeaways
1. Breach notification letters must have all required content – Ensure letters meet all requirements under 45 C.F.R. § 164.404(c)
2. Conduct ePHI security risk analysis – Maintain appropriate and current risk analysis consistent with policies, procedures, and changes in environment, operations, or security incidents
3. Implement appropriate risk management strategies – Use risk assessment findings and security gaps to develop an enterprise-wide risk management plan
4. NPPs must meet requirements – Contain elements on individual rights and be written in plain language
5. NPPs should be easily accessible – Provide a functioning, conspicuous link to the HIPAA Notice on the homepage and ensure the NPP identifies the correct covered entity
6. Review individual rights of access – Review relevant documentation, policies, and procedures to evidence and improve the access request process
HIPAA Right of Access Initiative
Since the initiative’s announcement in 2019, OCR has settled 18 “right of access” investigations
Alleged violations included failures to:
– Provide timely access
– Transmit PHI to third parties
– Provide PHI in the form and format requested
– Charge proper fees
– Properly deny access to psychotherapy notes
Settlements ranged from $3,500 to $200,000, and required entities to undertake a corrective action plan that includes 2 years of monitoring
Right of Access Initiative: Settlement Trends
[Chart: settlement fine per case and settlement average; y-axis $0 to $200,000]
H.R. 7898: HIPAA Safe Harbor Bill
Enacted on January 5, 2021
Creates a “HIPAA safe harbor” for covered entities and business associates that had “recognized security practices” in place for at least the past 12 months, which may:
– Mitigate fines
– Result in the early, favorable termination of an audit
– Mitigate the remedies in settlement agreements
The Bill expressly states it does not give HHS the authority to increase fines or the length, extent, or quantity of audits for entities that do not implement these “recognized security practices”
What Happened at M.D. Anderson
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”)
Background:
– In 2012, an M.D. Anderson faculty member’s laptop was stolen. The laptop held electronic protected health information (ePHI) for 29,021 persons. The faculty member’s laptop was not password-protected and was not encrypted
– Also in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive that held ePHI for over 2,000 persons
– Finally, in 2013 another unencrypted USB thumb drive containing the ePHI for 3,600 persons was misplaced by a visiting researcher
What Happened at M.D. Anderson
While HHS fined M.D. Anderson $4.3 million for the breaches at issue, the Fifth Circuit found it compelling that other health systems with similarly sized breaches arising from similar circumstances were fined substantially less or in some instances not at all
HHS also agreed with M.D. Anderson that the penalty amounts charged of $4.3 million were well in excess of the penalty amounts stated in the HIPAA regulations for any HIPAA violation
Takeaways
HHS was criticized by the court for being behind in its enforcement efforts and on the statute of limitations. It is possible the M.D. Anderson case could result in HHS speeding up enforcement actions in response to breaches, given the clear edict that HHS should take enforcement actions in a uniform manner
The Fifth Circuit noted that M.D. Anderson had implemented appropriate controls to protect electronic PHI. While M.D. Anderson’s mechanisms failed in the reported incidents, the Court noted that this is an area where perfect compliance is likely impossible
Thank you.
Barry Mathis – Principal, PYA P.C. – 865.673.0844 – bmathis@pyapc.com
Jennifer Urban – Partner, Foley & Lardner LLP – 414.297.5864 – jurban@foley.com
Betty H. Khin – Moderator – Legal Counsel, Mayo Clinic
ATTORNEY ADVERTISEMENT. The contents of this document, current at the date of publication, are for reference purposes only and do not constitute legal advice. Where previous cases are included, prior results do not guarantee a similar outcome. Images of people may not be Foley personnel. © 2021 Foley & Lardner LLP