HIPAA Breach & Penalties - Let's Talk Compliance - Foley & Lardner LLP

HIPAA Breach & Penalties
Let's Talk Compliance

COPYRIGHT © 2021 FOLEY & LARDNER LLP
Presenter
Jennifer L. Urban, JD, CIPP/US
Partner, Foley & Lardner LLP | Milwaukee, WI
Co-founder, Midwest Cyber Security Alliance
jurban@foley.com
414.297.5864

• Member of Foley’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices
• Focuses her practice on counseling clients on emerging privacy and security laws, data protection programs, data incident management, breach response and recovery, monetization of data, and other privacy and security issues
• Provides guidance on privacy and security issues faced by clients as they implement new health technology solutions and assists in the development and implementation of health information exchanges, organizations and data warehouses

Presenter
Barry L. Mathis, CCSFP
Principal, PYA, PC | Knoxville, TN
bmathis@pyapc.com
423-827-7893

• Barry has three decades of experience in the information technology (IT) and healthcare industries as a CIO, CTO, senior IT audit manager, and IT risk management consultant. He has performed and managed complicated HIPAA security reviews and audits for some of the most sophisticated hospital systems in the country.
• He is a visionary, creative, results-oriented senior-level healthcare executive with demonstrated experience in planning, developing, and implementing complex information-technology solutions to address business opportunities, while reducing IT risk and exposure.
• Barry is a member of the United States Marine Corps, Health Care Compliance Association, Association of Healthcare Internal Auditors, Healthcare Information Management Systems Society and Information Systems Audit and Control Association. He was an Honor Graduate in Systems Programming from the United States Marine Corps Computer Sciences School (MCCDC) in Quantico, VA. He is a Certified Programmer, a Certified Database Management Specialist, and a Certified Cyber Security Framework Practitioner.

OCR 2016-2017 HIPAA Audits Report
• Desk audits focused on compliance with HIPAA’s Privacy, Breach Notification, and Security Rules
• OCR found material noncompliance with:
  – HIPAA’s Notice of Privacy Practices (NPP)
  – Right of access
  – Breach notification
  – Security risk analysis and risk management requirements
• Released in December 2020; relevant because it shows why OCR chooses to focus on certain compliance areas
OCR 2016-2017 HIPAA Audits Report: Key Takeaways

1. NPPs must meet requirements
   – Contain elements on individual rights and be written in plain language
2. NPPs should be easily accessible
   – Provide a functioning, conspicuous link to the HIPAA Notice on the homepage and ensure the NPP identifies the correct covered entity
3. Review individual rights of access
   – Review relevant documentation, policies, and procedures to evidence and improve the access request process
4. Breach notification letters must have all required content
   – Ensure letters meet all requirements under 45 C.F.R. § 164.404(c)
5. Conduct ePHI security risk analysis
   – Maintain an appropriate and current risk analysis consistent with policies, procedures, and changes in environment, operations, or security incidents
6. Implement appropriate risk management strategies
   – Use risk assessment findings and security gaps to develop an enterprise-wide risk management plan
HIPAA Right of Access Initiative
• Since the initiative’s announcement in 2019, OCR has settled 18 “right of access” investigations
• Alleged violations included failures to:
  – Provide timely access
  – Transmit PHI to third parties
  – Provide PHI in the form and format requested
  – Charge proper fees
  – Properly deny access to psychotherapy notes
• Settlements ranged from $3,500 to $200,000, and required entities to undertake a corrective action plan that includes 2 years of monitoring
Right of Access Initiative: Settlement Trends

[Chart: settlement fine per settlement and the running settlement average; y-axis from $0 to $200,000]
H.R. 7898: HIPAA Safe Harbor Bill
• Enacted on January 5, 2021
• Creates a “HIPAA safe harbor” for covered entities and business associates that had “recognized security practices” in place for at least the past 12 months, which may:
  – Mitigate fines
  – Result in the early, favorable termination of an audit
  – Mitigate the remedies in settlement agreements
• The Bill expressly states it does not give HHS the authority to increase fines or the length, extent, or quantity of audits for entities that do not implement these “recognized security practices”
What Happened at M.D. Anderson
• On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”)
• Background:
  – In 2012, an M.D. Anderson faculty member’s laptop was stolen
      – The laptop held electronic protected health information (ePHI) for 29,021 persons
      – The laptop was not password-protected and was not encrypted
  – Also in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive that held ePHI for over 2,000 persons
  – Finally, in 2013 another unencrypted USB thumb drive containing ePHI for 3,600 persons was misplaced by a visiting researcher
What Happened at M.D. Anderson
• While HHS fined M.D. Anderson $4.3 million for the breaches at issue, the Fifth Circuit found it compelling that other health systems with similarly sized breaches arising from similar circumstances were fined substantially less or in some instances not at all
• HHS also agreed with M.D. Anderson that the penalty amounts charged, $4.3 million, were well in excess of the penalty amounts stated in the HIPAA regulations for any HIPAA violation
Takeaways
• HHS was criticized by the court for being behind in its enforcement efforts and on the statute of limitations. It is possible the M.D. Anderson case could result in HHS speeding up enforcement actions in response to breaches, given the clear edict that HHS should take enforcement actions in a uniform manner
• The Fifth Circuit noted that M.D. Anderson had implemented appropriate controls to protect electronic PHI. While M.D. Anderson’s mechanisms failed in the reported incidents, the Court noted that this is an area where perfect compliance is likely impossible
Thank you.
Barry Mathis, Principal, PYA P.C. | 865.673.0844 | bmathis@pyapc.com
Jennifer Urban, Partner, Foley & Lardner LLP | 414.297.5864 | jurban@foley.com
Betty H. Khin, Moderator, Legal Counsel, Mayo Clinic

ATTORNEY ADVERTISEMENT. The contents of this document, current at the date of publication, are for reference purposes only and do not constitute legal advice. Where previous cases are included, prior results do not guarantee a similar outcome. Images of people may not be Foley personnel.
© 2021 Foley & Lardner LLP
