Over the past several months, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has ramped up its activity and enforcement efforts. Phase 2 audits are underway, and OCR recently announced that it sent desk audit document requests to 48 business associates (in addition to the 167 covered entities that received document requests a few months prior). We understand that, at the end of 2016, some providers who were not subject to a desk audit received notice of an on-site audit, and an OCR Senior Advisor confirmed that OCR will be conducting on-site audits of hospitals in 2017.
But OCR is not focused solely on the audit program. In August 2016, OCR announced that it would begin investigating breaches affecting fewer than 500 individuals ("Under 500 Breaches"). Historically, OCR had not investigated Under 500 Breaches as a matter of course, but, as Bob Dylan once wrote, "The Times They Are A-Changin'." As part of this new initiative, we understand that each of OCR's regional offices has been instructed to investigate a certain number of Under 500 Breaches, and it appears those investigations have begun. Over the past month, some of our clients received data requests about Under 500 Breaches they reported in 2015, and OCR seems to be using these investigations to perform "compliance checks," delving into HIPAA compliance areas unrelated to the issues that caused or relate to the Under 500 Breaches that triggered the review. According to OCR, when determining whether to investigate an Under 500 Breach, it may consider the number of individuals affected by the breach; the amount and type of protected health information (PHI) involved; whether the breach was caused by theft or improper disposal of PHI; whether it was a hacking incident; or whether the entity has filed numerous Under 500 Breach reports involving the same types of issues. Thus, we believe any entity that reported Under 500 Breaches fitting these focus areas should be prepared for an OCR compliance review.
OCR enforcement is also on the rise. In 2016, we saw the largest number of OCR enforcement actions in a single calendar year: 12 settlements and 1 imposition of civil monetary penalties. In June 2016, we saw the first settlement with a business associate, after the business associate reported the theft of a mobile device containing unencrypted PHI. In August 2016, we saw OCR's largest settlement to date based on alleged HIPAA violations, totaling $5.5 million. Stolen desktops, laptops and thumb drives continued to be the impetus for a number of the enforcement actions, and OCR cited several entities for failing to enter into or update business associate agreements. This month, we also learned that OCR had settled with a large provider for failing to report a breach within 60 days of discovery.
Along with the increased government activity and enforcement, the health care industry continues to see a rise in cyber threats, including phishing and ransomware attacks, which often result in large breaches affecting thousands (if not millions) of individuals. OCR is keeping tabs on these ever-changing risks and threats and continues to issue guidance to make sure entities subject to HIPAA are doing what is necessary to protect electronic PHI. We believe it is important (perhaps more important than ever) to know and understand this guidance, as it will assist with HIPAA compliance efforts, breach response and risk mitigation.
Polsinelli is gearing up for this wave of increased activity and enforcement by hiring another former OCR attorney, Abby Bonjean, to join its robust Health Information Privacy and Security Team. Abby spent the last 6 years as an investigator with OCR, handling large breach investigations and negotiating settlements, including OCR's largest settlement to date. Abby's arrival at Polsinelli could not be more timely or beneficial to our clients. Polsinelli's Health Information Privacy and Security Team is staying abreast of OCR's activities and is well-positioned to advise clients on how to protect their data and respond to breaches and government investigations; Abby Bonjean adds another level of experience. For more information about our Health Information Privacy and Security Team (including a list of recent key matters), see here.
For More Information
If you have questions regarding this alert, please contact the authors, a member of Polsinelli's Health Care Practice, or your Polsinelli attorney.