Moving into 2020, organizations with health data should be aware of:
- Shifting OCR enforcement priorities;
- Regulators’ continued attention to key HIPAA compliance activities;
- The changing threat landscape for health data; and
- New guidance and frameworks for health data not regulated by HIPAA.
Enforcement Trends and Priorities
The Director of OCR, Roger Severino, and Serena Mosely-Day, Senior Advisor for HIPAA Compliance and Enforcement at OCR, were among the speakers at the annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference co-hosted on October 16 and 17 by the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). They emphasized OCR’s focus on ensuring patients and their families have access to important information, including through the regulatory sprint for coordinated care (with potential changes to HIPAA), agency guidance (including new FAQs for health information and mobile apps), and enforcement actions.
Presentations at the conference highlighted OCR’s changing emphases in enforcement and provided insight into how the agency is approaching its case selection and investigations.
- OCR chooses cases based on perceived importance and message.
OCR chooses cases based on their import and potential message, with OCR’s Director stating that “we go for big cases and small cases” and that the office has no monetary targets for its investigations and settlements. The recent Elite Dental Associates settlement is an example of OCR’s willingness to pursue small cases with clear messages. Although the eventual settlement was only $10,000, the case was chosen in part to send a message about providers’ appropriate use of social media. In the Elite Dental case, the provider allegedly posted patients’ health information to an online review site in response to negative reviews – something OCR views as potentially problematic, especially if it involves revealing patients’ names and treatment information publicly. As OCR’s priorities change, it is moving away from frequent enforcement on laptops and encryption towards enforcement for the HIPAA Right of Access and hacking cases.
- OCR will take action to enforce the HIPAA Right of Access.
OCR highlighted its Right of Access Initiative, which settled its first case in September. Bayfront Health St. Petersburg settled with OCR after a complaint from a parent who struggled to get records related to her child’s care. OCR has emphasized that providers must respond to requests for access within the required amount of time and need to ensure that they have the proper procedures in place to differentiate Right of Access requests from authorizations. Unlike authorizations, Right of Access Requests must be fulfilled within 30 days, and OCR has been hearing that sometimes organizations do not distinguish between these timelines and therefore fail to respond in a timely manner.
- OCR emphasizes the importance of responding in a timely and appropriate manner to breaches and complaints.
OCR annually receives approximately 350 breach reports concerning 500 or more individuals. All of these breaches are investigated. However, the agency has made a point of noting that small breaches are also investigated, and that such investigations have led to settlements such as a $3.5 million settlement in 2018.
In addition, organizations should “pay attention to the red flags” and update and monitor their risk analysis. A $3 million settlement in April 2019 has been used as an example of inadequate response, with OCR citing the entity’s initial denial that there was a problem and its failure to conduct an appropriate investigation.
The importance of cooperating with OCR investigators regardless of the source of the investigation was also underscored. This includes investigations stemming from complaints. OCR emphasized that the standard for breach notifications is “without unreasonable delay” from the time of discovery, regardless of how long it takes to conduct the forensics investigation and prepare to notify individuals. If notice can be made without unreasonable delay prior to 60 days, in the view of the agency, notice should be provided earlier, as expeditiously as possible, rather than waiting until day 60.
- OCR reiterates the importance of compliance cornerstones.
Given the growing threats posed by malicious insiders and persistent threats, OCR urged organizations to conduct “risk analysis at the front end” and described risk analysis as a major point of enforcement. Severino specifically recommended that organizations “really consider” testing employees about phishing, describing such training as “almost becoming standard,” and that organizations “really consider two-factor authentication.” He also emphasized the importance of appropriate access controls, including that “shared passwords are a huge no-no.” It is important for organizations to have both technological safeguards and training to successfully prevent attacks.
OCR highlighted that many HIPAA-regulated entities continue to lack appropriate business associate agreements. In addition to being a compliance violation in itself, the lack of such an agreement can contribute to other violations, such as a failure to respond appropriately to Right of Access requests or insufficient cooperation with OCR. OCR also described security incident procedures as an “often overlooked” administrative safeguard and emphasized the importance of appropriate documentation of breach risk assessments.
Emerging Trends in Breaches
OCR highlighted the increasing number of breaches related to hacking/IT incidents, noting that “phishing attacks are one of the prime threat actors” and that “we’re getting a lot more phishing attacks and network attacks.” Speakers predicted that OCR would see many more breaches of this type in the future.
During the first three quarters of 2019, hacking/IT breaches made up 61% of reported breaches of 500 or more individuals, despite being only 28% of such reports over the last 10 years. Network servers and email were the location of 65% of 2019’s breaches, a notable increase over historical percentages. Laptops and theft of PHI, once frequent sources of breaches, are less common now, which OCR attributes to increased use of encryption and improvements in safeguards and awareness. Phishing attacks have become increasingly well-targeted and sophisticated, making them more likely to be successful than past attempts containing outlandish claims or spelling errors. Insider threats are also an important area of focus for organizations.
New and Enhanced Frameworks and Tools
There are also notable developments in several initiatives in which government agencies are working together to provide guidance on privacy and security best practices.
NIST Privacy Framework
Following the success of the NIST Cybersecurity Framework, NIST is working on an aligned Privacy Framework. The tool is intended to help organizations operationalize privacy risk management and meet the requirements of multiple legal frameworks. NIST is soliciting public comments on its preliminary draft through October 24, 2019. Version 1.0 of the tool is expected to be published by the end of 2019. Our previous coverage of the framework can be found here.
Framework for the Use and Protection of Health Data Outside HIPAA
The National Committee on Vital and Health Statistics has developed a framework for protecting health data outside the HIPAA context. Its recommendations include the establishment of federal standards for health information security and privacy for health data registries, mobile device manufacturers, and mobile app creators. The Committee’s report on the framework also urges the development of consumer guidance concerning direct-to-consumer genetic testing that is not protected by HIPAA.
HHS Security Risk Assessment Tool
The developers of HHS’s Security Risk Assessment Tool are incorporating feedback received during webinars on the tool offered by the agency during the summer of 2019 into the next version of the tool, which is intended primarily for small- and mid-sized organizations. The feedback will be incorporated into the upcoming version of the tool in the form of enhancements to vulnerability ratings, improved reporting functionality, and cross-references to the NIST Cybersecurity Framework.
The conference agenda with links to presentations is available here.
Coverage of past years’ conferences can be found here.
Authored by Marcy Wilder, Paul Otto and Katherine Kwong