Healthcare forum: Megan Yelorda HIMSS presentation (transcript)

Office of the Secretary, Office for Civil Rights (OCR)
Guidance on OCR’s Process for Breach Investigations
Presented by Megan Yelorda, JD, MPH, Equal Opportunity Specialist
OCR

BREACH OVERVIEW / REPORTING REQUIREMENTS
Guidance on OCR’s Process for BREACH Investigations
2

Definition of a Breach
• Breach means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under HIPAA which compromises the security or privacy of the PHI. See 45 C.F.R. § 164.402
3

Definition of a Breach
• Covered entities (CE) and business associates (BA) must only provide the required notifications if the breach involved unsecured PHI.
• Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5. See 45 C.F.R. § 164.402
4

Breach Safe Harbors
PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
• Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”
• The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
– (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
– (ii) Electronic media have been cleared, purged, or destroyed such that the PHI cannot be retrieved.
5

When is Notification Required?
A breach of unsecured PHI is presumed to require notification, unless CEs or BAs can demonstrate low probability that the PHI has been compromised based on a risk assessment of at least the following:
– Nature & extent of PHI involved
– Who received/accessed the information
– Potential that PHI was actually acquired or viewed
– Extent to which risk to the data has been mitigated
See 45 C.F.R. § 164.402(2)(i)-(iv)
6

Breach Reporting Requirements
Once a breach of unsecured PHI is discovered, the CE/BA must:
• Notify each individual affected:
– Without unreasonable delay and no later than 60 calendar days after discovery
• Notify the media:
– Breaches involving more than 500 residents of a State or jurisdiction
– Without unreasonable delay and no later than 60 calendar days after discovery
7

Breach Reporting Requirements
Once a breach of unsecured PHI is discovered, the CE/BA must notify the Secretary:
• More than 500 affected individuals:
– Without unreasonable delay and no later than 60 calendar days after discovery
– In the manner specified on the HHS website
• https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
• Fewer than 500 affected individuals:
– Within 60 days of the end of the calendar year in which the breaches were discovered
8
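The safe-harbor test, the notification presumption and the three reporting deadlines on slides 5 through 8 form one decision procedure; the following Python module, added here and not part of the presentation, encodes that procedure and applies it to a constructed report mirroring the unencrypted, password-protected laptop example later in the deck (the discovery date, state and class/function names are assumptions).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and deadlines exactly as stated on the slides (45 C.F.R. § 164.402-164.408).
LARGE_BREACH = 500                        # "more than 500" triggers media and prompt HHS notice
DISCOVERY_WINDOW = timedelta(days=60)     # "no later than 60 calendar days after discovery"
ANNUAL_LOG_WINDOW = timedelta(days=60)    # "within 60 days of the end of the calendar year"

@dataclass
class BreachReport:
    discovered: str                 # ISO date of discovery, e.g. "2015-03-02"
    affected_total: int
    affected_by_state: dict         # State/jurisdiction -> affected residents
    encrypted_per_security_rule: bool = False   # safe harbor (i): Security Rule encryption
    media_destroyed: bool = False               # safe harbor (ii): shredded / purged media
    low_probability_documented: bool = False    # outcome of the four-factor risk assessment

def is_unsecured(r: BreachReport) -> bool:
    """Only the two safe harbors make PHI 'secured'; a password alone does not."""
    return not (r.encrypted_per_security_rule or r.media_destroyed)

def notification_required(r: BreachReport) -> bool:
    """Presumed notifiable unless a documented risk assessment shows low probability."""
    return is_unsecured(r) and not r.low_probability_documented

def obligations(r: BreachReport) -> dict:
    """Who must be notified and the latest permissible date (ISO) for each notice."""
    if not notification_required(r):
        return {}
    found = date.fromisoformat(r.discovered)
    prompt = (found + DISCOVERY_WINDOW).isoformat()
    out = {"individuals": prompt}
    # Media notice is judged per State/jurisdiction, not on the national total.
    media = {s: prompt for s, n in r.affected_by_state.items() if n > LARGE_BREACH}
    if media:
        out["media"] = media
    if r.affected_total > LARGE_BREACH:
        out["secretary"] = prompt                       # report via the HHS portal promptly
    else:
        year_end = date(found.year, 12, 31)             # small breaches go on the annual log
        out["secretary"] = (year_end + ANNUAL_LOG_WINDOW).isoformat()
    return out

# Constructed scenario mirroring the deck's stolen, unencrypted, password-protected laptop.
LAPTOP = BreachReport("2015-03-02", 1500, {"AK": 1500})

if __name__ == "__main__":
    print(obligations(LAPTOP))
```

A breach of 600 records spread across several states with none above 500 residents still requires prompt notice to the Secretary but no media notice, which the per-state check captures.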

OCR’S INVESTIGATIVE PROCESS
Guidance on OCR’s Process for BREACH Investigations
9

Breaches that OCR Investigates
• OCR reviews all breaches that are reported.
• Breaches involving 500 or more affected individuals automatically start an investigation.
• Breaches involving fewer than 500 individuals are reviewed to determine whether to start an investigation, based on the facts and circumstances of the breach.
10

Breaches that OCR Investigates
• OCR can also open a breach investigation based on a complaint received from an individual.
– Example:
• An anonymous Complainant stated that she discovered 100 patients’ charts in a trash dumpster in the back of the CE’s office.
• OCR could open an investigation based on the information the Complainant provided.
11

Verification of Breach Reports
• Once OCR opens an investigation of a breach, the information in the breach report is verified with the reporting CE
• Once verified, the information is posted on our public website
12

Investigative Process
• If the breach report contains facts that suggest criminal activity, OCR may refer the case to DOJ for investigation.
• DOJ accepts cases from OCR based on its own discretion.
– Example: A CE submitted a breach report that stated one of its employees impermissibly obtained PHI of several hundred patients and sold the PHI for personal gain.
13

Informal Case Resolution
After reviewing the data response from the CE, OCR may take some of the following actions to resolve the case informally:
• Close after providing technical assistance to the CE
– CE already took action to mitigate the harm caused by the breach and/or corrective action. CE provided OCR sufficient documentation of actions taken.
• Close after corrective action is taken
– CE needs to take corrective action (e.g. train employees, update/implement policies and procedures, implement appropriate safeguards, etc.)
• Other resolution
– Resolution agreement (RA)
14

Informal Case Resolution
Resolution Agreement
– When the completed investigation indicates noncompliance
– Considerations include:
• Depth and nature of the noncompliance within the CE
• CE failed to comply with multiple requirements of the Privacy Rule (PR) or Security Rule (SR)
• The noncompliance affected a very large number of people/extended over a very long period of time.
– All RAs are made public and published on OCR’s website
– The principal component of a Resolution Agreement is a written corrective action plan and ongoing monitoring of compliance by a third-party monitor retained by the CE that makes independent compliance reports to OCR and the CE.
– A Resolution Agreement may include a payment from the CE to OCR
– The calculation of the amount of a payment is based on the potential civil monetary penalty (CMP) that could be imposed in a Notice of Proposed Determination
15

Informal Case Resolution
Resolution Agreement Examples:
• Anchorage Community Mental Health Services, Inc.
– Malware compromising the security of its information technology resources
– Failed to conduct a risk analysis from 2005-2012
– Failed to implement appropriate security policies and procedures from 2005-2012
– Pay HHS $150,000
• Idaho State University
– Firewall protecting the server was taken down for maintenance and was not reactivated, and the server’s files were hacked
– Failed to conduct a risk analysis from 2007-2012
– Failed to implement a risk management plan from 2007-2012
– Pay HHS $400,000
• Alaska Dept. of Health and Social Services
– Electronic portable storage device stolen from vehicle
– Failed to complete risk analysis
– Failed to implement risk management plan
– Failed to address device and media encryption
– Pay HHS $1.7 million
16

Formal Case Resolution
• Where noncompliance with the Privacy Rule is indicated and the matter is not resolved by informal means
• 45 C.F.R. § 160.312(a)(3)(i) requires that OCR so inform the CE and provide the CE with an opportunity to submit, within 30 days of receipt of such notification, written evidence of any mitigating factors and/or affirmative defenses; this notification is also known as a Letter of Opportunity (LOO)
17

Formal Case Resolution
• The LOO does not contain a formal finding of noncompliance. Rather, it is the immediate predecessor to a Notice of Proposed Determination (NPD) in which the formal findings of fact and findings of noncompliance are made.
• The LOO gives enough information about the indicated noncompliance to put the CE on notice about the imminent potential for the issuance of a proposed Civil Money Penalty (CMP) in an NPD.
18

Formal Case Resolution
• The NPD is issued when the covered entity is found to have failed to comply with the Privacy Rule and OCR’s attempts to resolve the matter by informal means that are satisfactory to OCR have not been agreed to by the covered entity.
• The NPD will contain:
– Reference to the statutory basis for the penalty;
– A description of the findings of fact regarding the violations with respect to which the penalty is proposed;
– The reason(s) why the violation(s) subject(s) the respondent to a penalty;
– The amount of the proposed penalty;
– Any circumstances described in §160.408 that were considered in determining the amount of the proposed penalty; and
– Instructions for responding to the NPD, including a statement of the respondent's right to a hearing, a statement that failure to request a hearing within 90 days permits the imposition of the proposed penalty without the right to a hearing under §160.504, or a right of appeal under §160.548 of this part, and the address to which the hearing request must be sent.
19

Formal Case Resolution
• When OCR issues an NPD, the NPD will instruct the covered entity (respondent) that it may request a hearing before an administrative law judge (ALJ) of the HHS Departmental Appeals Board (DAB) by filing a written request within 90 days of the respondent’s receipt of the NPD. See 45 C.F.R. §§ 160.420 and 160.504.
• The parties to the hearing will be the respondent and OCR on behalf of the Secretary.
20

Example
A CE/BA reported that an employee left a laptop in his car. The car was broken into and the laptop was stolen. The CE/BA reported that the laptop was not encrypted, but it was password protected. The CE reported that the laptop contained PHI for 1500 patients. The PHI included demographic information, SSN, clinical diagnosis, and other information.
21

Example
• Report reviewed by OCR management
• Assigned to an Investigator
• Verified with the CE
• Information posted on our website
• Investigation
22

Example
Potential violations may include:
– Privacy Rule
• §164.502(a) – Impermissible Use and Disclosure
• §164.530(c) – Safeguards
• §164.530(f) – Mitigation
• §164.530(i) – Policies and Procedures
– Security Rule
• §164.308(a)(1)(ii)(A) – Risk Analysis (Required)
• §164.308(a)(1)(ii)(B) – Risk Management (Required)
• §164.308(a)(1)(ii)(C) – Sanction Policy (Required)
• §164.308(a)(5)(i) – Security Awareness and Training
• §164.308(a)(6)(i) – Security Incident Procedures
• §164.308(a)(6)(ii) – Response and Reporting (Required)
• §164.310(c) – Workstation Security
• §164.310(d)(1) – Device and Media Controls
• §164.312(a)(2)(iv) – Encryption and Decryption (Addressable)
– Breach notification rule
• §164.404(a) – Breach notification to individuals
• §164.406(a) – Breach notification to the media
23

Example
Potential data request items may include:
Privacy Rule:
– A copy of HIPAA policies and procedures regarding:
• Use and disclosure of protected health information
• Safeguards
24

Example
Potential data request items may include:
Security Rule:
– A copy of the risk analysis performed prior to the incident and any conducted after the incident.
– Evidence of the security measures implemented to reduce risks and vulnerabilities identified in the risk analysis (risk management plan).
– A copy of sanctions policy and documentation of sanctions, if appropriate.
– Evidence of the procedures implemented to review activity related to incident reports.
– Evidence of security training program. Copies of most recent training materials.
– A copy of the incident report created in response to the exposure incident including any corrective actions taken.
– Policies for the receipt and removal of hardware and electronic media.
• Are all mobile devices and media that store or could store e-PHI identified?
• Are the receipt and removal of e-PHI storage devices logged and tracked?
– Copies of mechanisms in place for encryption/decryption.
– Evidence of the auditing mechanisms implemented by CE for its server.
– A copy of the procedures implemented by CE to verify access to the server.
25

Example
Potential data request items may include:
Breach Notification Rule:
– Documentation that the affected individuals were notified of the breach.
– A sample copy of the notification to individuals.
– Documentation that the media was notified of the breach.
– A copy of the notification to the media.
26