The Intersection of OCR Enforcement and Health Care Data Privacy & Security
Agenda
 New Guidance from OCR
 HIPAA Security Rule and Cyber Security
 HHS and FTC Enforcement Update
 Resources
21st Century Cures/Opioid Crisis
https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html
 HIPAA Helps Mental Health Professionals to Prevent Harm
 HIPAA Helps Family and Friends Stay Connected with Loved Ones Who Have a Substance
Use Disorder, including Opioid Abuse, or a Mental or Behavioral Health Condition
 When can I obtain treatment information about my loved one? (decision chart)
 If You Experience a Health or Mental Health Crisis, HIPAA Helps Your Doctors, Nurses, and
Social Workers to Reconnect You with Family, Friends, and Caregivers
 How HIPAA Allows Doctors to Respond to the Opioid Crisis
 When Your Child, Teenager, or Young Adult has Mental Illness: What Parents Need to Know
about HIPAA
 Am I my child’s personal representative under HIPAA?
 When may a mental health professional use professional judgment to decide whether to
share a minor client’s treatment information with a parent?
 When can parents access information about their minor child’s mental health treatment?
(Decision Chart)
 HIPAA Privacy Rule and Sharing Information Related to Mental Health
Recent Cyber Security Attacks, Threats, and Trends
 2017 Cyber Healthcare & Life Sciences Survey
found that 47 percent of providers and health
plans had a security-related HIPAA violation or
a cybersecurity attack that impacted data.
 Office for Civil Rights data regarding Breaches
involving 500+ individuals
 Ransomware – WannaCry
 Phishing and Social Engineering
 Other Attacks
Preparing for a Cybersecurity Attack
It’s not a matter of IF an attack will occur, but
rather WHEN…
Steps to take to help address the WHEN:
 Implementing an effective compliance program
 Information assurance and information system
architecture
 Obtaining adequate cyberliability coverage
Key Security-Related Aspects of an Effective Compliance Program
 Treat the HIPAA Security Rule as only a baseline and policy
framework requirement, not as the full extent of the security program
– Risk Analysis and Risk Management Plans
– Encryption and password management
– “Addressable” does not mean “Optional”: an addressable implementation
specification must be implemented or, where it is not reasonable and
appropriate, the reason must be documented and an equivalent alternative
measure implemented where reasonable and appropriate
 Ensuring internal/external expertise is
readily available
 Effective workforce training and monitoring
 Effective incident response procedures
Incident Handling Preparation
 Assign Roles and Responsibilities
 Identify the Information (e.g., logs and system records) needed to
Reconstruct an Event
 Define Relationships with Third Parties
 Train your Team
Cyber Security
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
 Cyber Security Checklist and Infographic
 Ransomware Guidance
 NIST Cybersecurity Framework
 OCR Cyber Awareness Newsletters
https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
 Cloud Computing
Linda Sanches, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
Effectively Responding to an Attack
 Time is of the Essence
– Immediate Isolation
– Notification Timeframes (including insurance
carrier)
 Engaging Outside Assistance
– Security forensic experts
– Legal counsel
– Law Enforcement
 Returning to Business As Usual
Key Takeaways
 Too small to be a target is a myth.
 Preparation does not guarantee Prevention,
but is the most important mitigation step.
 All individuals at your organization are
responsible and need to be involved.
 Time is always of the essence.
 Human error cannot be 100% prevented,
but awareness goes a long way.
HITECH Audit Program – Phase 2 Status
 166 covered entity desk audits
 41 business associate desk audits
 After Phase 2, on-site audits will be conducted as part of the
permanent audit program.
– On-site audits will evaluate auditees against a comprehensive
selection of controls in the audit protocol:
– https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/
Desk Audit Scope
 Covered Entities
– Security: risk analysis and risk management
– Breach: content and timeliness of notifications
– Privacy: notice and access
 Business Associates
– Security: risk analysis and risk management
– Breach: reporting to covered entities
Ratings
Compliance Effort Ratings – Legend
1 – The audit results indicate the entity is in compliance with both goals and
objectives of the selected standards and implementation specifications.
2 – The audit results indicate that the entity substantially meets criteria; it
maintains appropriate policies and procedures, and documentation and other
evidence of implementation meet requirements.
3 – Audit results indicate entity efforts minimally address audited requirements;
analysis indicates that the entity has made attempts to comply, but implementation
is inadequate, or some efforts indicate misunderstanding of requirements.
4 – Audit results indicate the entity made negligible efforts to comply with the
audited requirements, e.g., policies and procedures submitted for review are
copied directly from an association template; evidence of training is poorly
documented and generic.
5 – The entity did not provide OCR with evidence of a serious attempt to comply with
the Rules and enable individual rights with regard to PHI.
CE Desk Audit Ratings (number of audited covered entities at each rating)

Element #   Provision          Rating:  1    2    3    4    5   N/A
P55         Notice                      2   34   40   11   16     0
P58         eNotice                    59   16    4    6   15     3
P65         Access                      1   10   27   54   11     0
BNR12       Timeliness                 67    6    2    9   12     7
BNR13       Content                    14   15   24   38    7     5
S2          Risk Analysis               0    9   20   21   13     0
S3          Risk Management             2    2   15   28   16     0
BA Desk Audit Ratings (number of audited business associates at each rating)

Element #   Provision          Rating:  1    2    3    4    5   N/A
BNR17       Notice to CEs               1    2    3    3    0    32
S2          Risk Analysis               3    5   15   12    6     0
S3          Risk Management             0    5    8   21    7     0
Recent HHS Enforcement Actions
 April 24, 2017: CardioNet
– $2,500,000
– $2.5 million settlement shows that not understanding HIPAA requirements creates risk
 May 10, 2017: Memorial Hermann Health System (MHHS)
– $2,400,000
– Texas health system settles potential HIPAA violations for disclosing patient information
 May 23, 2017: St. Luke’s Roosevelt Hospital System Inc.
– $387,200
– Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k
 December 18, 2017: 21st Century Oncology
– $2,300,000
– $2.3 Million Levied for Multiple HIPAA Violations at NY-Based Provider
 February 1, 2018: Fresenius Medical Care North America (FMCNA)
– $3,500,000
– Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk
analysis and risk management rules
 February 13, 2018: Filefax, Inc.
– $100,000
– Consequences for HIPAA violations don’t stop when a business closes
Recent FTC Enforcement Actions
 Feb 27, 2018:
– PayPal Settles FTC Charges that Venmo Failed to Disclose
Information to Consumers About the Ability to Transfer Funds
and Privacy Settings; Violated Gramm-Leach-Bliley Act
 Nov 29, 2017:
– FTC Gives Final Approval to Settlements with Companies that
Falsely Claimed Participation in Privacy Shield
 Nov 8, 2017:
– FTC Gives Final Approval to Settlement with Online Tax
Preparation Service
 Aug 15, 2017:
– Uber Settles FTC Allegations that It Made Deceptive Privacy
and Data Security Claims
GDPR: What’s All the Fuss?
 EU’s General Data Protection Regulation
– Broader territorial scope; may apply to
entities with no physical presence in the EU
– Unlike HIPAA, applies to all personal data, not
just PHI
– Permits uses and disclosures of health data, but
exceptions do not always align with HIPAA
– Heavy fines and penalties
– Stay tuned for more information regarding
GDPR as applied to the U.S. health care industry
HHS/FTC Resources
 https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
 https://www.hhs.gov/hipaa/for-professionals/security/index.html
 https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
 https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html
 https://www.ftc.gov/
 https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
 https://www.ftc.gov/news-events/press-releases/2018/02/ftc-recommends-steps-improve-mobile-device-security-update
 https://www.ftc.gov/news-events/press-releases/2018/02/ftc-report-finds-some-small-business-web-hosting-services-could
Polsinelli Resources
 Polsinelli serves clients nationally:
– https://www.polsinelli.com/
– 100+ services and 70+ industry areas
– 800+ Attorneys
– https://www.polsinelli.com/professionals/lacevedo
– https://www.polsinelli.com/professionals/ipeters
– 20 Cities – Metropolitan offices in:
 Atlanta
 Boston
 Chicago
 Dallas
 Denver
 Houston
 Kansas City
 Los Angeles
 Nashville
 New York
 Phoenix
 St. Louis
 San Francisco
 Silicon Valley
 Washington, D.C.
 Wilmington
Polsinelli PC, Polsinelli LLP in California | polsinelli.com
Polsinelli PC provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice.
Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws,
rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.
Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is
different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon
advertisements.
© 2018 Polsinelli® is a registered trademark of Polsinelli PC. In California, Polsinelli LLP.
Speaker Notes (Slide 7)
 Enterprise-wide approach to security (not just an IT issue)
 Security Officers
 Internal expertise on IT issues; if not available, outsource
 STRONGLY advise against relying too heavily on EHR vendors