2. Agenda
New Guidance from OCR
HIPAA Security Rule and Cyber Security
HHS and FTC Enforcement Update
Resources
3. 21st Century Cures/Opioid Crisis
https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html
HIPAA Helps Mental Health Professionals to Prevent Harm
HIPAA Helps Family and Friends Stay Connected with Loved Ones Who Have a Substance Use Disorder, including Opioid Abuse, or a Mental or Behavioral Health Condition
When can I obtain treatment information about my loved one? (decision chart)
If You Experience a Health or Mental Health Crisis, HIPAA Helps Your Doctors, Nurses, and Social Workers to Reconnect You with Family, Friends, and Caregivers
How HIPAA Allows Doctors to Respond to the Opioid Crisis
When Your Child, Teenager, or Young Adult has Mental Illness: What Parents Need to Know about HIPAA
Am I my child’s personal representative under HIPAA?
When may a mental health professional use professional judgment to decide whether to share a minor client’s treatment information with a parent?
When can parents access information about their minor child’s mental health treatment? (Decision Chart)
HIPAA Privacy Rule and Sharing Information Related to Mental Health
4. Recent Cyber Security Attacks, Threats, and Trends
2017 Cyber Healthcare & Life Sciences Survey found that 47 percent of providers and health plans had a security-related HIPAA violation or a cybersecurity attack that impacted data.
Office for Civil Rights data regarding breaches involving 500+ individuals
Ransomware – WannaCry
Phishing and Social Engineering
Other Attacks
5. Preparing for a Cybersecurity Attack
It’s not a matter of IF an attack will occur, but rather WHEN…
Steps to take to help address the WHEN:
Implementing an effective compliance program
Information assurance and information system architecture
Obtaining adequate cyberliability coverage
6. Key Security-Related Aspects of an Effective Compliance Program
View the HIPAA Security Rule only as a baseline and policy framework requirement
– Risk Analysis and Risk Management Plans
– Encryption and password management
– “Addressable” does not mean “Optional”: an addressable implementation specification must be implemented where reasonable and appropriate, or the entity must document why it is not and implement an equivalent alternative measure
Ensuring internal/external expertise is readily available
Effective workforce training and monitoring
Effective incident response procedures
7. Incident Handling Preparation
Assign Roles and Responsibilities
Identify the information needed to reconstruct an event
Define Relationships with Third Parties
Train your Team
9. Effectively Responding to an Attack
Time is of the Essence
– Immediate Isolation
– Notification Timeframes (including insurance carrier)
Engaging Outside Assistance
– Security forensic experts
– Legal counsel
– Law Enforcement
Returning to Business As Usual
10. Key Takeaways
Too small to be a target is a myth.
Preparation does not guarantee Prevention, but is the most important mitigation step.
All individuals at your organization are responsible and need to be involved.
Time is always of the essence.
Human error cannot be 100% prevented, but awareness goes a long way.
11. HITECH Audit Program
Phase 2 Status
166 covered entity desk audits
41 business associate desk audits
After Phase 2, on-site audits will be conducted as a part of the permanent audit program.
– On-site audits will evaluate auditees against a comprehensive selection of controls in the audit protocol:
– https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/
Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
12. Desk Audit Scope
Covered Entities
– Security: risk analysis and risk management
– Breach: content and timeliness of notifications
– Privacy: notice and access
Business Associates
– Security: risk analysis and risk management
– Breach: reporting to covered entities
13. Ratings
Compliance Effort Ratings – Legend

Rating  Description
1       The audit results indicate the entity is in compliance with both goals and objectives of the selected standards and implementation specifications.
2       The audit results indicate that the entity substantially meets criteria; it maintains appropriate policies and procedures, and documentation and other evidence of implementation meet requirements.
3       Audit results indicate entity efforts minimally address audited requirements; analysis indicates that entity has made attempts to comply, but implementation is inadequate, or some efforts indicate misunderstanding of requirements.
4       Audit results indicate the entity made negligible efforts to comply with the audited requirements - e.g. policies and procedures submitted for review are copied directly from an association template; evidence of training is poorly documented and generic.
5       The entity did not provide OCR with evidence of serious attempt to comply with the Rules and enable individual rights with regard to PHI.
14. CE Desk Audit Ratings
Rating (number of audited covered entities receiving each rating)

Element #  Provision         1    2    3    4    5  N/A
P55        Notice            2   34   40   11   16    0
P58        eNotice          59   16    4    6   15    3
P65        Access            1   10   27   54   11    0
BNR12      Timeliness       67    6    2    9   12    7
BNR13      Content          14   15   24   38    7    5
S2         Risk Analysis     0    9   20   21   13    0
S3         Risk Management   2    2   15   28   16    0
15. BA Desk Audit Ratings
Rating (number of audited business associates receiving each rating)

Element #  Provision         1    2    3    4    5  N/A
BNR17      Notice to CEs     1    2    3    3    0   32
S2         Risk Analysis     3    5   15   12    6    0
S3         Risk Management   0    5    8   21    7    0
16. Recent HHS Enforcement Actions
April 24, 2017: CardioNet
– $2,500,000
– $2.5 million settlement shows that not understanding HIPAA requirements creates risk
May 10, 2017: Memorial Hermann Health System (MHHS)
– $2,400,000
– Texas health system settles potential HIPAA violations for disclosing patient information
May 23, 2017: St. Luke’s Roosevelt Hospital System Inc.
– $387,200
– Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k
December 18, 2017: 21st Century Oncology
– $2,300,000
– $2.3 Million Levied for Multiple HIPAA Violations at NY-Based Provider
February 1, 2018: Fresenius Medical Care North America (FMCNA)
– $3,500,000
– Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules
February 13, 2018: Filefax, Inc.
– $100,000
– Consequences for HIPAA violations don’t stop when a business closes
17. Recent FTC Enforcement Actions
Feb 27, 2018:
– PayPal Settles FTC Charges that Venmo Failed to Disclose
Information to Consumers About the Ability to Transfer Funds
and Privacy Settings; Violated Gramm-Leach-Bliley Act
Nov 29, 2017:
– FTC Gives Final Approval to Settlements with Companies that
Falsely Claimed Participation in Privacy Shield
Nov 8, 2017:
– FTC Gives Final Approval to Settlement with Online Tax
Preparation Service
Aug 15, 2017:
– Uber Settles FTC Allegations that It Made Deceptive Privacy
and Data Security Claims
18. GDPR: What’s All the Fuss?
EU’s General Data Protection Regulation
– Broader territorial scope; may apply to entities with no physical presence in the EU
– Unlike HIPAA, applies to all personal data, not just PHI
– Permits uses and disclosures of health data, but its exceptions do not always align with HIPAA’s
– Heavy fines and penalties
– Stay tuned for more information regarding GDPR as applied to the U.S. health care industry
20. Polsinelli Resources
Polsinelli serves clients nationally:
– https://www.polsinelli.com/
– 100+ services and 70+ industry areas
– 800+ Attorneys
– https://www.polsinelli.com/professionals/lacevedo
– https://www.polsinelli.com/professionals/ipeters
– 20 Cities – Metropolitan offices in:
Atlanta
Boston
Chicago
Dallas
Denver
Houston
Kansas City
Los Angeles
Nashville
New York
Phoenix
St. Louis
San Francisco
Silicon Valley
Washington, D.C.
Wilmington
Enterprise-wide approach to security (not just an IT issue)
Security Officers
Internal expertise on IT issues; outsource it if it is not available in-house
STRONGLY advise against relying too heavily on EHR vendors