Data Breaches in Healthcare: Responding to Skyrocketing Cyber...
Transcript of Data Breaches in Healthcare: Responding to Skyrocketing Cyber...
Presenting a live 90-minute webinar with interactive Q&A
Data Breaches in Healthcare:
Responding to Skyrocketing Cyber Attacks
Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability
THURSDAY, MARCH 24, 2016
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Joshua Carlson, Principal, Joshua Carlson, P.A., Minneapolis
Richard DeNatale, Partner, Jones Day, San Francisco
Todd S. McClelland, Partner, Jones Day, Atlanta
Data Breaches in Healthcare:
Responding to Threat of Cyber Attacks
March 24, 2016
Richard DeNatale
Todd McClelland
Introduction
Numerous factors have combined to create a “perfect storm” of cybersecurity risk in the healthcare sector
• External factors
  • Targeted by cyber criminals
  • Targeted by state actors
  • Black market for PHI
• Systemic factors
  • Multiple points of entry create vulnerabilities
  • Culture of open information exchange creates security challenges
  • Some companies slow to invest in IT infrastructure and security
• Legal/regulatory factors
  • Highly regulated industry
  • Mandatory disclosure requirements
  • Regulators becoming more focused on enforcement
  • Aggressive and experienced plaintiffs’ class action counsel
  • Legal landscape may be shifting in favor of plaintiffs on standing and damages issues
[Chart not reproduced] Source: Verizon DBIR 2013-2015
Topics
I. Breach Preparedness Strategies
A. Cyber risk assessments
B. Vendor management
C. Cyber Insurance
II. Responding to the Breach
A. Effective response planning
B. PHI reporting and notice obligations
C. Damage mitigation
D. Pursuing insurance recovery
III. Responding to an OCR investigation
A. HIPAA and regulatory compliance
B. Interacting with regulators
C. Establishing investigation parameters
D. Data protection
Cyber Risk Assessments
Key HIPAA Assessment Activities
• Assessments are required under the HIPAA Security Rule. For example:
  • 45 CFR § 164.308(a)(1)(ii)(A) – Conduct a risk analysis
  • 45 CFR § 164.308(a)(1)(ii)(B) – Implement a risk management program
  • 45 CFR § 164.308(a)(8) – Periodic evaluation
Key Assessment Activities
Risks and risk management program
Identify ePHI data flows and changes to systems
Compliance gap analysis and mitigation recommendations
Review Incident Response Plan(s)
Review applicable security policies and procedures
Meet key information security stakeholders
Review insurance policies
Review key vendor contracts and investigate “Shadow IT”
Data governance program review
Questions your risk assessment should help you answer
• Where do you process, store, create or receive ePHI?
• What are your “use cases”? What ePHI do you create or receive? How is it used?
• What are the threats (internal and external) to your ePHI?
• Is your data identified and classified?
• Is someone reviewing your logs? How often?
• Are you storing documentation related to your security program?
• Who has access to your data?
• Who is responsible for your information security program, especially with respect to ePHI?
• Is your data appropriately secured?
• Are information/systems monitored?
• What is the impact if information is lost, accessed or compromised?
• Are you prepared for a breach?
• How do you dispose of your data?
• Who within your organization knows the answers to these questions?
Vendor Management
Due Diligence
• Increasing due diligence
  • Senior management is becoming more aware of third party exposure
  • In large part arising from potential legal exposure and enforcement actions
• Contracting parties are becoming more inquisitive
  • Questionnaires
  • Breach history
  • Security walk-throughs
  • Third party audit/assessment review
• Substantiate that due diligence was conducted
• Spend is not the right metric for determining which deals get scrutinized.
Contracts
Privacy and security issues continue to be contentious in vendor contracts:
HIPAA compliance
Risk apportionment, insurance
Privacy and security representations, warranties and commitments
Breach notification
Audit rights
Changes / Governance
Cloud
Audits
• Common after breach disclosures
• Increasing actions against those who fail to regularly review their third party vendors
• Customer/Vendor tensions:
  • Frequency
  • Cost
  • Who conducts the audit
  • What level of access
  • Scope
  • Cloud services
Expectations for 2016+
Continuing push for risk assessment formalization that will include third party vendors.
More enforcement actions
More risk for companies that outsource their data processing activities
Growing complications with breach response, especially cloud.
Quick Hits
CISOs and counsel need to work more closely together when contracting with vendors.
Vendor day.
Stay tuned to laws that will affect vendor relationships.
Update dated vendor contracts to address privacy and security issues.
Cyber Insurance
Cyber Insurance
Insurance coverage has become a critical part of breach preparedness.
Three major shifts in the U.S. insurance market over the past decade:
• New categories of emerging cyber risk
• Development of new cyber policy forms
• Exclusion of cyber/internet exposures from traditional policies
CGL Policies - Personal Injury Coverage
• Traditionally covered “publication, in any manner, of material that violates a person’s right of privacy” – including claims involving electronic data transmitted over the internet
• As of April 1, 2014, a new exclusion was added to the standard ISO form barring coverage for data breach claims
Cyber Insurance policies cover five major categories of costs
1. Third-party liability coverage for claims and lawsuits
  • Arising out of security breach, disclosure of PII/PHI, violation of company privacy policy
  • Covers cost of defense, settlement, or judgment
2. Regulatory coverage for government claims and investigations
  • Covers cost of defense, fines, or penalties
    o Make sure the definition of “Claim” includes OCR investigations
3. Event Management/Data Breach Response coverage
  • Covers cost of post-breach forensic and legal investigations
4. Privacy Notification Coverage
  • Covers cost of breach notice to affected individuals (customers, patients)
  • May cover credit monitoring or identity theft protection for affected individuals
5. First Party Coverage, akin to property insurance
  • Covers cost of restoring data and systems
  • Business interruption coverage for lost revenue
Response Costs
• Legal fees for breach response
• Forensic investigation
• Breach notice
• ID protection/credit monitoring
Legal Claims
• Class action defense costs and settlement
• Defense of government proceedings
• Government fines/penalties
• Card brand claims & assessments
Business Losses
• Restoration of data
• Lost revenue/business interruption
• Extra expenses
• Loss of goodwill / customer confidence
Cyber Insurance
Cyber policies are still in their infancy, which creates multiple challenges for buyers:
• Policies are extremely complex
• Standard forms have not yet emerged
• Policies vary greatly in scope of coverage – some have clear deficiencies
• Policies may contain onerous conditions and requirements that restrict coverage and create traps for the unwary
• Many insurers now require a detailed review of the policyholder’s cyber preparedness as part of the underwriting process
Cyber Insurance
Recommendations for optimizing coverage:
• Take advantage of favorable market conditions to purchase more and better coverage
• Review your cybersecurity profile before going to market
• Consult with coverage counsel or a broker experienced in data breach claims
  o Understand your existing policy – and its flaws
  o Understand which terms matter most in the event of a breach
• Develop a strategy to strengthen coverages via focused negotiations at renewal
Responding to the Breach:
Effective Response Planning
Breach Preparedness
• Tune up the incident response plan, and revisit it after material events or at least once a year
• Incorporate “lessons learned”
• Identify and periodically meet with your team
• Assign roles and responsibilities
• Enterprise focus, not IT-focused
• Tabletop exercises
• Have outside counsel and forensics experts identified and ready to go
Breach Preparedness
• Coordinate breach preparedness with key third party vendors
• Engage your board now and during a breach
  • When does your board want to be informed about a breach?
• Understand your insurance coverage
• Address third party vendors and their response when they have an incident
  • Shadow IT?
• Consider the attorney-client privilege before you start any investigation
Rapid Response Team Identification
Identify the Rapid Response Team:
• IT, HR, Legal, Risk Management, Communications, Security, Audit, and other key personnel
• External counsel
• Forensic experts
• Third party notification, mail sort, and help desk providers
• Public relations and communications firms
Role Assignments
• Litigation hold scoping and development
• Crisis and timeline management
• Law enforcement coordination
• Identification, engagement, and management of SMEs
• Evidence gathering, artifact creation, reporting, and maintaining attorney-client privilege
• Engagement with Board / Executives
• Regulatory compliance and investigation management
• Third party audit management
• Incident reporting SOP
• Investigation procedures and management
• FAQs (internal, external, regulatory)
• Notice drafting protocols (individuals, government bodies, credit bureaus, etc.)
• Forensic investigations
Final Preparedness Exercises
• Board / senior management engagement and training
• Guided tabletop exercises and training
• Assess key third party vendor breach readiness
• Data governance program walkthrough and tune-up
• Strategic threat intelligence evaluation
Responding to the Breach:
PHI Reporting and Notice Obligations
HIPAA Incident Response Obligations
45 CFR § 164.308(a)(6)
Look at NIST SP 800-66 for guidance:
• Determine goals of incident response
• Develop and deploy an incident response team or other reasonable and appropriate response mechanism
• Develop and implement procedures to respond to and report security incidents
• Incorporate post-incident analysis into updates and revisions
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.
(1) Individual Notice
  a. Form: Written notice by first-class mail (or substitute notice)
  b. Timing: “without unreasonable delay” (no later than 60 days following discovery of the breach)
  c. Content: brief description of the breach; steps individuals should take to protect themselves; what the covered entity is doing to investigate, mitigate, and prevent further breaches; and contact information, including a toll-free number active for 90+ days where individuals can obtain additional information
(2) Media Notice
  a. If the breach affects more than 500 residents of a state.
(3) Notice to the Secretary
Responding to the Breach:
Pursuing insurance recovery
Insurance Recovery
Cyber/data breach losses require a different approach to insurance recovery
• Proactive strategy
  o Need to understand the coverage landscape
  o Decisions must be made quickly – esp. where the security incident is still ongoing
• Early engagement with insurers
  o To obtain necessary consents and meet policy requirements
  o Insurer expectations, custom & practice
• Coordination between insurance efforts and other aspects of breach response
Insurance Recovery
Major breaches are crisis events
Companies must respond to multiple challenges simultaneously, each with legal risks
• May face impaired IT infrastructure or other obstacles to communication
• Insurance objectives may conflict with other corporate priorities
• Effective breach response requires decisive, focused, and coordinated action
Insurance Recovery
Insurance Best Practices
1. Within 1-2 weeks, develop an insurance strategy that identifies the specific steps that must be taken to obtain recovery
  • Review relevant policies to determine available coverage
  • Identify policy requirements and pitfalls
2. Integrate the insurance strategy into the overall breach response plan
  • Establish an internal team to manage the insurance claim, with representatives from risk management, legal, accounting, and coverage counsel
3. Identify and track all breach-related costs
4. Maintain active and ongoing communication with insurers
  • Keep them informed of major developments
  • Obtain required consents for counsel and expenses
  • Manage insurer information requests
    o Duty to cooperate requires the policyholder to provide information
    o Process must be managed so it doesn’t interfere with overall response efforts
Presenter
Richard DeNatale is a litigation partner at Jones Day who represents policyholders in cyber insurance and data breach coverage matters. He has been recognized in Chambers USA as one of the nation’s leading coverage lawyers. He has acted as lead counsel in precedent-setting coverage litigation on data privacy issues in both California and New York.
Rich has been retained to handle insurance strategy and cost recovery for more than 20 data breach incidents, including some of the largest in history. He also regularly advises clients on cyber policy acquisitions and renewals.
He can be reached at (415) 875-5740, or at
Presenter
Todd McClelland advises clients on data breach response and other information security-related issues, including pre-breach cybersecurity risk assessment and management, compliance, response preparedness, and other risk mitigation activities. He also counsels clients on data privacy issues, outsourcing transactions, technology and data licensing, technology audits, and cloud transactions.
Todd is a frequent speaker at professional seminars and author of articles on cybersecurity. He is a member of the International Association of Privacy Professionals and the CISO Executive Network, and is recognized in The Best Lawyers in America for his data security practice.
He can be reached at 404.581.8326, or at
OCR Authority
www.TheCarlsonFirm.Com
OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with the requirements of the Privacy and Security Rules. Breaches and other privacy violations give rise to enforcement. Compliance with the HIPAA Privacy and Security Rules is a mandatory requirement, as is responding to and working with the OCR during an investigation.*
* Source: OCR.
The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E. This authority is vast and, since HITECH, has more teeth. All CEs, BAs and sub-BAs, all the way down the chain, are subject to the Privacy Rule, the Security Rule and the authority granted to OCR in the Enforcement Rule, and are subject to enforcement, with fines up to $1.5 million for a violation and potential referral to the Department of Justice for criminal investigation.*
* Source: OCR.
Responding to Breaches and OCR Investigations
Joshua Carlson, Esq., CIPP/G, CISSP, PCI-ISA, Chair | Minnesota State Bar Computer Technology Law Section
Mr. Carlson is an attorney who practices nationally and internationally in the area of computer and technology law, namely:
• Healthcare Law (HIPAA & HITECH) Privacy & Security Compliance
• US and international regulatory data privacy and data security compliance: PCI, HIPAA, FISMA, NIST, GLBA, Safe Harbor, CyberSecurity, Cloud Security frameworks
• Government cyber security & FISMA program compliance
AGENDA
1. OCR: by the numbers, complaints, investigations, most common issues to be aware of
2. The OCR investigation process; how to reduce risks
3. How OCR investigations get started; how to reduce the risk of an investigation
4. What to do when you get an OCR letter of investigation: what it will request, how to manage the interaction, response options and the potential results
5. Keys to handling and managing the OCR process
Intended Audience
Lawyers – Plaintiff & Defense
In-house & outside counsel
Privacy Officers
Compliance Attorneys
Boards and Organizational Leadership
Objectives
• Understand the causes of an OCR investigation in the first place (how to prevent one)
• Understand what to do if (when) you do get contacted
• Understand what not to do if (when) you get contacted
• Understand good form and practice from beginning to end
• Get your situational questions asked and answered
What Does the OCR Look Like?
Make sure you have visited the OCR website and know the site: http://www.hhs.gov/ocr/ There is a large amount of current information there. It contains many details an OCR investigator may expect you to know, or wish you knew, to save everyone time. Get up to speed on the FAQs and other sources of information.
OCR: by the numbers, complaints, investigations, most common issues
Since the compliance date of the Privacy Rule in April 2003, OCR has received over 125,445 HIPAA complaints and has initiated over 854* compliance reviews. OCR has investigated and resolved over 24,047 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled 29 such cases resulting in a total dollar amount of $27,974,400.00. OCR has investigated complaints against … national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
* Source: OCR.
OCR: by the numbers, complaints, investigations, most common issues
[Three slides of OCR enforcement charts; source: OCR; chart content not reproduced]
OCR: by the numbers, complaints, investigations, most common issues
State                 Investigated:   Resolved after      Investigated:
                      no violation    intake and review   corrective action
Alaska                10%             62%                 27%
Alabama               13%             66%                 21%
Arkansas              17%             61%                 22%
Arizona               11%             63%                 26%
California            11%             68%                 21%
Colorado              11%             64%                 25%
Connecticut           14%             60%                 26%
District of Columbia  10%             63%                 27%
You can see what the average results are for your state. Use this for your firm, or your client, and it will give you some perspective.
* Source: OCR.
OCR: by the numbers, complaints, investigations, most common issues
Most common issues:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information (OCR has recently published a brand new FAQ about many issues, e.g., emailing insecurely);
4. Lack of administrative safeguards of electronic protected health information; and
5. Use or disclosure of more than the minimum necessary protected health information.
* Source: OCR.
OCR: by the numbers, complaints, investigations, most common issues
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
1. Private Practices;
2. General Hospitals;
3. Outpatient Facilities;
4. Pharmacies; and
5. Health Plans (group health plans and health insurance issuers)
* Source: OCR.
OCR: The Process
[Process flowchart; source: OCR; not reproduced]
OCR: The Process & How to Catch Issues Before a Complaint
The KEY sources/actions that can spur OCR investigations:
1. Complaint filed – A complaint can be submitted by anyone: your brother’s cousin’s friend’s sister. There is no privity requirement that the complainant be the patient. It is incredibly easy to file a complaint. (See next slide for a view of the OCR Complaint Portal Assistant website.)
2. Breach reporting/notifications
3. State Attorney General actions
4. OCR Audits
5. Whistleblowers
[Screenshot of the OCR Complaint Portal Assistant website; not reproduced]
Any unhappy or concerned person can go here and file a complaint, which will get reviewed. Make sure to address issues brought to your attention locally right away.
Install and review systems to catch and address problems at the earliest point:
1. Watch for/track letters/e-mails/calls of complaint to the Privacy Officer
2. Watch for/track letters/e-mails/calls of complaint to the Compliance Officer
3. Watch for/track letters/e-mails/calls of complaint to the Chief Medical Director, other executives, or any staff
4. Have a system in place to identify complaint situations, then have the proper team respond to the issues
* If OCR receives a complaint, and the complainant says letters, e-mails or calls to leaders about problems went unaddressed, or worse, were not even responded to, that will likely add to the problem. Track the issue, response and resolution like any other.
OCR: Failed to Catch a Problem, Letter Arrives
Least enjoyable scenario: the first time you hear about an issue is from the OCR.
The letter will state a number of business days to respond and will request:
• Name, title, address and contact information of the person designated to work with OCR during the investigation
• Copy of the internal investigation and timeline of the incident
• Copy of the findings of any internal investigation, with evidence supporting the conclusions (there is some benefit to outside objective analysis of the matter at hand)
• Copy of HIPAA policies and procedures
• Proof of all corrective actions taken and all actions taken to prevent any recurrence of the problem
• Copy of the breach notification letter (sample copy)
• Copy of the most recent risk analysis performed, and those for the past X years
• Copy of the most recent risk assessments
• Copies of policies and procedures related to access, access review, incidents, malware reports, and documentation of actions taken to mitigate vulnerabilities to ePHI
• Read the letter, then read it again, and open a file. Get familiar with the issue, complaint, complainant, systems, etc.
• Identify who the primary contact will be (this may be identified in the letter); there should be only one very knowledgeable person, intimately familiar with the issues, to liaise with OCR
• Review any insurance reporting requirement
• Review with in-house or external counsel
• Activate your team (which should be pre-assembled as a part of your HIPAA program) that will perform the investigation
• The team will likely consist of: Chief Compliance Officer, Security Officer, Legal Counsel, IT, HIM, Privacy Officer
• Perform your own internal investigation on the matter
• Be aware this will likely end up a part of the OCR file/response and potentially in any FOIA requests
• Require artifacts/proof of any mitigation actions taken in the organization, as they will be required in the OCR response
• Pay special attention to the manner in which you will exchange data with the OCR; determine and agree on a secure method for exchange which complies with your policies
• Make sure to follow your own entity’s policies and procedures in the transfer of the data to the OCR
• Make sure any changes to IT systems are/were in line with the policies and procedures required by your organization (breaking more policies and procedures to fix an issue will add to the scope)
• OCR investigators are very busy; being organized, clear and concise in the response will help greatly
• Organize your response with the supporting evidence correlated to each issue
• Confirm the response was received
• There will likely be some iterative rounds
• Evidence of sanctions performed for policy violations
• Evidence of retraining required for policy violations
• For staff breaking critical policies, I recommend that when a staff person violates a policy, the entire staff or team has to retake the training. This helps give pause to staff who are quick to take shortcuts.
• You will be required to hand over your Risk Analysis (step 1, before anything else; the one single thing you must have).
• Do NOT overshare; do not just zip up the entire catalogue of policies and procedures and send it over.
• Be forthcoming and timely, and make sure the sharing is specific to the request. This saves everyone time.
• Timeline to respond will be ~10 business days
• You can ask for an extension or another agreed-upon response time; think of a week more
• Call the OCR to get a better first-hand understanding of the issues and the expectations of the investigator
• Do not take longer than you need to respond
• Phone calls and written correspondence will be the primary methods for responding
• It is crucial that all correspondence (phone or in writing) is accurate, specific, forthright, and comes from the most knowledgeable HIPAA person on the matter
OCR: CE Response Options
• We are not a Covered Entity or a BA and are not regulated under HIPAA
• The alleged violation did not occur, e.g., the complainant’s description/perception or stated facts of the issue are not accurate/complete, etc.
• The organization is in compliance with the Rules
• A breach did occur, but the organization had all of the requisite policies and procedures in place and took prompt corrective action: sanctions, training, and organizational, procedural and policy changes*
* See prior slide: if initial issues directed to the organization went ignored, and changes came only as a result of the OCR investigation, this position may be more difficult.
OCR: Possible Outcomes
Voluntary compliance, corrective action, or resolution agreement
• Complaint dismissed (YaY): your organization was prepared and your response was on point, credible, timely and did not raise more issues
• Prepare and submit for OCR review and eventual approval additional and modified HIPAA policies and procedures and the requisite HIPAA training on these updates
• OCR requires a Compliance Agreement to be put into place, which will involve oversight from OCR
• Civil fine is imposed
• OCR turns the matter over to DOJ for further investigation
Closing of the file:
• Once the OCR is satisfied with the CE’s response and corrective actions, they may call and offer “HIPAA technical assistance”
• Once the investigation is closed, you will get a letter outlining the closing, which also goes to the complainant, and which outlines the issue, the actions taken and satisfaction that the issues are resolved
• Review the letter and use it to continue to make improvements for the future
OCR: Outcomes
[Two chart slides; content not reproduced]
Final Thoughts
• COOPERATION after contact from the OCR is the winning approach
• Organizational competence prior to receiving the OCR contact is critical to a smooth response process; you can’t make it up on the fly
• Perform a test OCR investigation exercise with your team as a part of breach response exercises
Questions?
Joshua Carlson
TheCarlsonFirm
800 Washington Avenue North, Suite 704
Minneapolis, MN 55401
[email protected]