
Where is the future of HIPAA enforcement headed?

Since January 2016, the Office for Civil Rights has entered into resolution agreements with, and imposed Corrective Action Plans on, providers and others in at least 12 matters involving the Security Rule.


Enforcement activity under the HIPAA Security Rule has picked up steam in recent years.  HIPAA establishes various privacy, information security, and breach notification requirements for healthcare providers and other covered entities. In its early HIPAA enforcement days, the Office for Civil Rights of the Department of Health and Human Services (OCR) generally focused on the HIPAA Privacy Rule, but in recent years it has placed growing emphasis on Security Rule enforcement as well. This article offers some brief thoughts on the Security Rule-related settlement agreements that the OCR has entered into recently, and what they might indicate for the future of HIPAA enforcement.

Since January 2016, the OCR has entered into resolution agreements with, and imposed Corrective Action Plans (CAPs) on, providers and others in at least 12 matters involving the Security Rule. It has also imposed a Civil Monetary Penalty on one entity.  Most of these cases involve stolen, unencrypted laptop computers (at least six cases), mobile devices such as iPads or iPhones, office computers, or portable storage devices.

A smaller number of these cases involve unauthorized access to information networks by third parties or employees, malware infections, the loss of backup tapes, or reports containing medical information being publicly accessible on the internet.  (Some of these cases involve more than one breach.)  The entities involved include hospitals, academic medical centers, a wireless health service provider, a life insurance company, and a federally qualified health center.  The fines imposed range from $400,000 to $5.55 million, with the more modest fines often being levied on entities of limited financial means.

Notably, while the underlying facts of these cases vary somewhat, their CAPs do not. All 12 of the CAPs home in on the obligation under the Security Rule to perform an annual Risk Analysis and Risk Management Plan. The CAP typically describes this obligation in expansive terms. It could include a requirement to perform a “comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of” electronic Protected Health Information (ePHI) on all electronic equipment, data systems, and applications controlled, administered, or owned by the entity that contain, store, transmit, or receive ePHI.

The CAP generally requires that the entity develop “a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into” the Risk Analysis. It further instructs the entity to either perform a Risk Analysis or improve the existing (inadequate) one, typically pursuant to some timeline and always subject to HHS’ review and approval. Likewise, all 12 CAPs require the entity to develop and implement, or to enhance, an enterprise-wide Risk Management Plan to address and mitigate any security vulnerabilities found in the Risk Analysis, again subject to HHS’ review and approval. The Risk Analysis and Risk Mitigation Plan are typically required to be reviewed annually and updated in response to any “environmental or operational” changes that affect the security of the ePHI.

It is telling that not a single Risk Analysis or Risk Mitigation Plan reviewed in these cases was found to pass regulatory muster.  This certainly underscores the OCR’s observation that it considers the Risk Analysis and Risk Mitigation Plan to be the “cornerstones of the HIPAA Security Rule.”  It also signals that all providers, even smaller ones, should be thinking closely about their Risk Analyses and Risk Management Plans; conducting them regularly and in a meaningful, not cursory, way; and documenting them appropriately.

Policy revision

Another recurrent theme in these CAPs is policy revision.  All 12 CAPs require the entity to either develop new policies or revise existing (inadequate) ones.  Many also expressly instruct the entity to distribute and upload the policies, train employees on them, and regularly review them.  In some cases the requirement is worded broadly, though in others the OCR sets forth numerous specific subject areas (in one case, 15!) in which the entity must review or develop policies.

This focus on policies is also noteworthy. It signals that the OCR places weight on HIPAA’s numerous policy and procedure requirements, on carefully implementing and training staff on them, and on ensuring and documenting compliance with them. In addition, and like the emphasis on Risk Analyses and Risk Mitigation Plans, it suggests that, once the OCR undertakes a Security Rule-related investigation, it “pops the hood open” and looks around widely, investigating and imposing remediation with respect to a broad range of Security Rule requirements, even where the technical cause of the security incident at issue may be narrow.

Photo:  turk_stock_photographer, Getty Images

This post appears through the MedCity Influencers program.