Thus far in 2017, the Office for Civil Rights (OCR) has announced that they have negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, organizations have also been saddled with multi-year corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016 in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.
For several years, we have seen OCR treat a breach report as an opportunity to undertake a broad-based review of an organization’s compliance with the Privacy and Security Rule to determine the root cause of the incident. Accordingly, the size of the breach is often a less important factor when compared to the magnitude of the issues that led to the breach, as well as the size of the organization.
There are several key lessons and best practices healthcare organizations can glean from the most recent OCR enforcement actions.
- Risk Assessment – There is no substitute for an enterprise-wide risk analysis and a program to address the threats to PHI it finds. In every breach incident involving e-PHI, OCR tied the organization’s failure to safeguard data to the absence of an adequate enterprise-wide risk analysis and of a risk management plan to mitigate the vulnerabilities that were, or would have been, identified through such an assessment.
- Auditing and Monitoring Controls – OCR called out that some healthcare organizations are not doing enough to monitor information system activity or to put in place an effective process for reviewing the activity on the networks and applications that maintain PHI. The agency recently issued Audit Control Guidance emphasizing the role of access monitoring and audit controls in safeguarding PHI.
- Documentation – Two recent enforcement actions have highlighted OCR’s expectation that covered entities and business associates maintain an inventory of the devices and media that hold PHI. For each asset, the inventory should also record whether the data is encrypted, where the asset is located, and which workforce member it is assigned to.
- Business Associate Agreements – Another settlement focused attention on the absolute obligation of covered entities and business associates to have a current business associate agreement in place with any contractor or vendor that handles PHI while performing an activity or function on their behalf. We strongly encourage you to take the time to review all of your organization’s vendor agreements. Identify each contract under which the vendor creates, receives, maintains, or transmits PHI. Verify that your Business Associate Agreement (BAA) reflects the current requirements of the HIPAA Rules. If no BAA is in place, have one executed at once. If a vendor refuses to sign a BAA, OCR’s position is that you should stop disclosing PHI to that contractor and have all PHI in its possession returned or securely destroyed. This can create a very real business risk for your organization.
If you have questions about strategies to safeguard PHI, compliance with the HIPAA Privacy or Security Rules, or preparing for an OCR enforcement action, please contact us.