From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer
November, 2017

I promised in the last issue to report on the NIST/HHS/OCR Annual Privacy & Security Conference in Washington, DC, so that’s what I’ll focus on.

Each year, the National Institute for Standards & Technology co-hosts the HIPAA Privacy & Security Conference with the Department of Health & Human Services and the Office of Civil Rights. I have been an attendee most years, including this year.

Let me start with the current status of complaints and OCR cases. According to Iliana Peters of OCR, they have received over 158,293 complaints to date (through September, 2017). They have had 25,312 cases resolved with corrective action and/or technical assistance. OCR expects to receive 17,000 complaints in 2017 alone.

Breaches are always of interest to all of us. OCR reported that between 2009 and September 30, 2017, they have had approximately 2,017 reports involving 500 or more individuals, with 48% of large breaches involving theft and loss, 17% hacking/IT related, 26% involving laptops and other portable storage devices, and 21% paper records. Individuals affected are approximately 174,974,489. In addition, approximately 293,288 breach reports were filed for breaches affecting fewer than 500 individuals.

In the area of enforcement, it is important to note that there are two distinct areas of enforcement: the Audit Program (much of which OCR considers “free consulting by OCR,” except for cases referred over to enforcement for compliance review or other investigations), which is often used to help set protocols for future enforcement; and actual enforcement activity, including complaint investigations and compliance reviews.

Compliance reviews are often driven by breach reports, referrals from state attorneys general, the FTC, or the DOJ, news reports of breaches or ransomware incidents that were not reported, etc.

Both complaint investigations and compliance reviews can result in civil monetary penalties or settlements. OCR’s Iliana Peters informed attendees that they would rather enter into settlements, which are a smaller percentage of what they could have received in civil monetary penalties, because settlements allow them to set up corrective action plans to be sure the problem is resolved. Less than 1% of all cases result in civil monetary penalties.

To update us on the latest auditing program, OCR’s Linda Sanches reported that desk audits for covered entities have now been completed for the 2016 audit program. They are now focusing all desk audit efforts on Business Associates. On-site audits will begin once they complete the desk auditing of business associates.

To date in this round of auditing, they have completed 166 covered entity audits (privacy and breach 103, security 63) and 41 business associate audits, all of which were in the categories of breach and security.

The desk audits performed in 2016-2017 were 90% provider, 8.7% health plan, and 1% health care clearinghouse.

Entities that failed to respond to the desk audits have remained in the audit pool and may be subject to compliance reviews.

A “highlight” of the conference, in the opening session, came when new OCR Director Roger Severino made the news by stating that his highest priority in 2017 is the “big, juicy, egregious case.” Clearly, he wants to make news with the big one and use it as an example to other covered entities.

“I have to balance that law enforcement instinct with the educational component that we do,” Severino stated. “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”

But clearly, he wants the big one, and soon. Already this year, OCR has entered into eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches, and has issued one civil monetary penalty. 2017 HIPAA Enforcement Actions included (previously reported in the COIN): Memorial Healthcare System – $5.5 million; Children’s Medical Center of Dallas – $3.2 million (civil monetary penalty); Cardionet – $2.5 million; Memorial Hermann Health System (MHHS) – $2.4 million; MAPFRE Life Insurance Company of Puerto Rico – $2.2 million; Presence Health – $475,000; Metro Community Provider Network – $400,000; Luke’s-Roosevelt Hospital Center Inc. – $387,000; The Center for Children’s Digestive Health – $31,000.

The largest HIPAA settlement of 2017, also as previously reported in the COIN, was Memorial Healthcare System, which is a health system consisting of 6 hospitals and various other facilities in South Florida. The settlement of $5.5 million resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff. The settlement underscored the importance of audit controls and the need to carefully control who has access to ePHI.

I look forward to the next issue’s updates!