Big, Juicy, Egregious HIPAA Enforcement Cases #BJE—Notes from the OCR/NIST Annual Conference

Practice Briefs Privacy & Data Security

The Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) put on their 11th annual HIPAA conference last week in Washington, DC. Titled “Safeguarding Health Information: Building Assurance through HIPAA Security,” the two-day event pulled together varied perspectives from government and industry sectors to discuss agency priorities and programs. Day 1 kicked off with helpful insights from OCR Director Roger Severino during which he cited his famous quote from last year’s conference as “B.J.E.” – referring to his statement that OCR was looking for big, juicy, egregious cases for enforcement. He then highlighted that from January 2017 to October 2018, OCR has collected over $45M in penalties and settlements from HIPAA enforcement activities. Here is a rundown of key points gleaned from his remarks…

Agency Views. In an unexpected twist, the Director of the federal agency responsible for HIPAA enforcement emphasized the agency’s support of deregulation. According to Severino, the agency is focused on eliminating regulatory requirements that create unnecessary burdens on providers or act as obstacles to the provision of healthcare. As an example, OCR has noted instances when the notice of privacy practices (NPP) and acknowledgment of receipt requirements have resulted in patient confusion and even denial of care. Weighing the balance of benefit to the patient and allowing providers to focus on patient treatment, Severino said the agency wants to minimize these types of issues. Furthermore, the agency wants to “crowdsource” ideas and input through industry collaboration to determine how to go about it. Specifically, in addition to reconsidering the usefulness of NPPs and related requirements, agency priorities and updates to be crowdsourced include:

  • Compensating Affected Individuals: The agency will issue a Request for Information (RFI) soliciting comments on using civil monetary penalty and settlement dollars collected through enforcement activities to compensate individuals affected by a breach.
  • Accountings of Disclosures: As noted earlier in the year, the original notice of proposed rulemaking (NPRM) related to accounting of disclosure requirements is being scrapped. In developing a new NPRM, the agency will issue an RFI seeking input from providers and industry on the administrative burdens and other considerations associated with the requirement.
  • Opioid Crisis: An NPRM is coming soon, introducing changes to more clearly enable providers to use good faith and professional judgment to make certain uses and disclosures (e.g., to parents) related to opioid addiction.
  • Disclosures Between Providers: Last, the agency will also issue an RFI for potentially requiring provider-to-provider information sharing.

The effort not only to refresh some of the administrative aspects of HIPAA requirements, but also to engage and seek out input from providers, patients, and industry professionals about the burdens and benefits of certain obligations presents a new opportunity to better align the regulations with the modern healthcare setting.

HIPAA Audit Program. When asked about OCR’s HIPAA audit program, Severino explained that the purpose of phase 1 audits was not enforcement, but collaboration and information gathering from the industry. Similarly, phase 2 (desk audits) was to broaden the scope of information gathering through further industry collaboration. OCR is now compiling data collected through phases 1 and 2, which will be made available to the public, as a tool for the industry. However, moving away from the “collaboration” of the first two phases, Severino indicated the next step is to use that same information for an enforcement audit program in the future. Notably, the protocol was updated this summer and the agency will soon issue information about the changes–some of which were made to better align with the requests OCR makes during its investigations. This means the OCR audit protocol will continue to be a useful tool not only for audit readiness, but also for understanding what OCR might ask for during a compliance review or related inquiry.

Security Rule Implementation. In response to a question from the audience, Director Severino made clear there are no foreseeable changes to the HIPAA Security Rule on the horizon. Pointing to recurring compliance gaps the agency still sees on a regular basis, Severino noted that many entities are still not even doing the basics. He also emphasized the intentional flexibility of the Security Rule, declining to answer black and white questions about implementation specifications. In short, the agency will not tell you things like how frequently to force password changes. This allows entities of varied sizes and sophistication, resources, and most importantly risk levels, to implement scalable controls appropriate to their environments while allowing for constantly evolving technology. Throughout his remarks, several points related to Security Rule requirements surfaced:

  • Encrypt! Encrypt! Encrypt!: It’s not the first time an OCR Director has made this statement to a room full of HIPAA security and compliance professionals. This time, it came up when discussing the MD Anderson enforcement activities which resulted in an Administrative Law Judge ruling in favor of OCR. Director Severino noted that MD Anderson conducted risk analyses and repeatedly identified the risk of its unencrypted devices but did not follow their own advice. Severino specifically noted that encryption is becoming cheaper and cheaper, suggesting that encryption is not only a safe harbor from breach notification, but is also trending toward a basic security tool the agency may come to expect.
  • Lessons from Anthem: According to Severino, the lessons learned from the Anthem settlement – the largest OCR settlement to date ($16M) resulting from the largest health information data breach in U.S. history (79M individuals) are: 1) monitor your logs; and 2) conduct a complete, enterprise-wide risk analysis. These are not new lessons and in fact, the risk analysis requirement appears as a gap in almost all settlement agreements of late.
  • Hacking: Director Severino also provided some fast stats on the source of data breaches (affecting >500 people) reported to the agency. The percentage of lost/stolen devices has gone down substantially while hacking and other attacks have increased substantially. Specifically, compromises stemming from email hacks shot from 11% for 2009-2017 to 31% in 2018 alone.

The lesson: prioritize development and implementation of tools and techniques to detect and prevent attacks and to minimize impact if they do occur. Don’t be the “low hanging fruit” Severino referred to as the reason his office will not go out of business any time soon, despite his wishes to the contrary.

* * * * * *

While Director Severino plugged the positive aspects of de-regulation, he also made clear that OCR enforcement is not slowing down. He emphasized the need to ensure the availability and provision of healthcare and the agency’s goal to ensure regulatory requirements do not stand in the way of that objective for patients or providers. So, how do we reconcile these perspectives? The few examples the Director noted as potential roadblocks to healthcare – or what some may view as paper-pushing requirements with little benefit – all stem from Privacy Rule obligations. The agency is importantly taking a fresh look at the practicality for providers versus benefit to patients. However, the message was also clear on the security side: the Security Rule will not be changed; covered entities and business associates need to implement scalable controls appropriate to risks within their organizations; and OCR enforcement initiatives are not slowing down.