OCR Enforcement Update: Under 500 Breach Investigations and Inner Workings of an OCR Settlement

Lisa Acevedo - Shareholder, Polsinelli PC
Rebecca Romine - Shareholder, Polsinelli PC
Katie Kenney - Attorney, Polsinelli PC
Abby Bonjean - Attorney, Polsinelli PC


Agenda

Current HIPAA Enforcement Landscape

OCR’s Under 500 Breach Initiative

The Anatomy of an OCR Investigation and Settlement

Quick Tips and Lessons Learned in the Settlement Process

Current Government Enforcement Landscape

Enforcement continues to increase!!

– In 2017, OCR has already settled 2 cases and imposed a civil monetary penalty in 1 case, with amounts ranging from $475,000 to $3.2 million

– In 2016, OCR settled 12 cases and imposed a civil monetary penalty in 1 case, with amounts ranging from $25,000 to $5.55 million

Recent Settlement/ Enforcement Actions

Children’s Medical Center of Dallas – February 2017

– Only the third case involving a civil monetary penalty – $3.2 million

– Children’s submitted two breach reports involving a lost unencrypted, non-password protected mobile device, and a stolen unencrypted laptop

– OCR noted that Children’s was aware of the risk of maintaining unencrypted ePHI on its devices as far back as 2007, but no significant risk management plan was implemented

MAPFRE Life Insurance Company – January 2017

– Agreed to settle with OCR for $2.2 million

– Involved multiple violations of HIPAA that OCR uncovered while investigating a breach involving a stolen USB drive

– OCR noted that during the investigation the agency discovered that MAPFRE failed to implement or delayed implementing corrective action it informed OCR it would take

Recent Settlement/ Enforcement Actions

Presence Health – January 2017

– First settlement involving untimely breach notification – $475,000

– Involved missing paper-based operating room schedules that contained the PHI of 836 individuals (paper records, so PHI rather than ePHI; the Breach Notification Rule applies to unsecured PHI in any form)

– Presence failed to timely notify individuals, the media, and OCR

– OCR noted that Presence also failed to timely notify individuals with respect to several under 500 breach reports submitted during 2015 and 2016

Recent Settlement/ Enforcement Actions

University of Massachusetts Amherst – November 2016

– Agreed to settle with OCR for $650,000

– Involved malware that infiltrated UMass’ system due to lack of firewalls

– OCR found that UMass failed to conduct an accurate and thorough risk analysis until September 2015 and failed to comply with the transmission security standard

– OCR also noted that UMass failed to properly designate its healthcare components when hybridizing

Recent Settlement/ Enforcement Actions

Care New England – September 2016

– Agreed to settle with OCR for $400,000 on behalf of the covered entities under its common ownership or control

– Stemmed from breach report filed by Women & Infants Hospital of Rhode Island involving the loss of unencrypted backup tapes

– WIH failed to enter into a BAA with CNE prior to disclosing PHI


Under 500 Breach Investigations

Push to investigate more under 500 breaches

Factors OCR will consider:

– Number of individuals affected

– Amount and type of PHI involved

– Cause of breach

– Entities that have filed numerous reports involving the same issues

Sweat the Small Stuff

OCR is following through on under-500 breach investigations

Annual reporting is approaching (under-500 breaches are reported to HHS within 60 days after the end of the calendar year in which they were discovered) – ensure you are documenting an under-500 breach the same way you would a 500+ breach

Compliance history matters – see Presence case

Use small incidents as opportunity to train

Status of HIPAA Audit Program

Phase 2 Audits:

– 167 covered entity desk audits well underway

– Business Associate desk audits started Fall 2016

– Desk audit scope limited to seven areas of the Security, Privacy and Breach Notification Rule audit protocols

– Covered entities are audited on either the Security Rule, or the Privacy Rule and Breach Notification Rule

– Business Associate focus on: Security Rule and Breach Notification Rule

– On-site audit update

Recent OCR Guidance

Cloud guidance

Guidance on disclosures to friends and family

Ransomware guidance

Cyber Awareness Newsletter series

Fact sheet on permitted disclosures for public health

Overview of Investigative Process

Notification and data request

Covered entity/business associate response

– 45 C.F.R. § 160.310 outlines responsibilities

On-site investigation

Case resolution

– No violation or voluntary compliance

– Resolution Agreement (RA) and Corrective Action Plan (CAP)

– Civil Monetary Penalty (CMP)

Information OCR Requests

Name and contact information of individual designated to work with OCR

Position statement

Business Associate Agreement (if applicable)

Policies and procedures

Evidence of workforce training

– Training materials

– Workforce attendance

Evidence of sanctions (if applicable)

Information OCR Requests

Security rule cases

– Risk analysis (be prepared to go 6 years back – the Security Rule’s documentation retention period under 45 C.F.R. § 164.316(b)(2))

– Risk management plan

• Evidence of implemented security measures

– Security incident report

Breach cases

– Notices to individuals and media

– Evidence of corrective action

Preparing the Response

Do not leave room for OCR to follow up with questions – anticipate questions in advance

Be transparent – if you revised a policy after a breach, produce it

Review OCR corrective action plans – ask yourself what OCR could require you to do in a CAP, and do it voluntarily

Bridge the gap with IT – if you don’t understand your documentation, an investigator won’t either

Signs Formal Settlement May Be Near

Varies region to region but key indicators may include:

– Request to provide financial information about your organization

– On-site visit/interviews

– Interviewing former employees (if applicable)

*Keep in mind – time passing or slow movement does not necessarily mean your case will close out without more

Settlement Process – Key Questions to Examine

Covered Conduct – is the timeframe accurate? Do you have evidence of compliance prior to the date listed in the Resolution Agreement?

How did OCR calculate the amount?

How long is the corrective action plan? Can I negotiate timeframe?

Is a monitor required?

Are there terms in corrective action plan that do not tie back to covered conduct?

Negotiating a Settlement

Review resolution agreements and corrective action plans on the OCR website – understand where other entities may have scaled back

Be cooperative – each enforcement agency is different; understand OCR’s big-picture goal and proceed accordingly

Demonstrate how your organization has invested in its privacy and security program since the triggering event

Be realistic – know your weaknesses and emphasize your strengths (e.g., a lost unencrypted laptop, but everything encrypted within a year in response to the incident)

Quick Tips and Lessons Learned

Setting the tone

– Collaboration is key

Additional documentation

– Don’t be afraid to submit it

In-person meeting

– Personalizing the process

Quick Tips and Lessons Learned

Corrective action plan considerations

– Carefully review the corrective action plan – be mindful of what is feasible for your organization

– Take advantage of time with OCR to ensure you understand where you went wrong so you can get it right

– When evaluating enterprise risks and potential costs, factor the cost of a corrective action plan into the equation

Key Tips for Avoiding Settlement Stage

Encrypt! Safe harbor – PHI encrypted in accordance with HHS guidance is not “unsecured PHI,” so its loss is not a reportable breach

Take each incident (small or large) seriously – document corrective action

Conduct a risk analysis and mitigate identified risks on an ongoing basis

Proactively prepare

– Cyber attacks

– Breach response

Questions?

Feel free to contact us for more information:

– Lisa Acevedo: [email protected]

– Rebecca Frigy Romine: [email protected]

– Katie Kenney: [email protected]

– Abby Bonjean: [email protected]

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2017 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC