Reprinted from HEALTH PLAN WEEK, the most reliable source of
objective business, financial and regulatory news of the health insurance
industry.
January 16, 2017 Volume 27 Issue 2
In the first HIPAA enforcement action of its kind, the HHS Office
for Civil Rights (OCR) levied a $475,000 fine against a health system that took
too long to notify patients and the government after a breach of unsecured protected
health information (PHI).
Industry observers say the move is a wake-up call for health
insurers, health systems and providers. Under the Breach Notification Rules
(BNR), patients and health plan members must be notified within 60 days of the
discovery of a breach regardless of the breach size. The rules also require
notification to the government, and in incidents affecting more than 500
people, notice to the media.
The incident goes back to October 2013 when Illinois-based
Presence Health discovered hundreds of paper operating schedules — containing
patient names, birth dates, medical record numbers, dates of procedures, types
of procedures and surgeon names — were missing from one of its surgery centers.
OCR didn’t receive a breach notification report from Presence Health until Jan.
31, 2014 — 100 days after the incident was discovered. The health system has
more than 150 sites of care, including 11 hospitals, according to its website.
“This settlement tells me that OCR’s compliance review uncovered systemic
and far-reaching issues of non-compliance,” says David Holtzman, vice president
of compliance strategies at CynergisTek, Inc., a health IT consulting firm. He
adds that “99.99%” of all compliance reviews and complaint investigations are
resolved informally. “That this review went to a monetary settlement and
long-term corrective action plans signals that OCR found deeply rooted
problems,” says Holtzman, who previously served on OCR’s health information
privacy team.
OCR Timing May ‘Raise an Eyebrow’
Chris Apgar, CEO and president of the health care privacy and
security consulting firm Apgar & Associates, says investigators tend to
look for patterns and multiple problems when conducting an investigation. In
the case of Presence Health, he says, it had a pattern of not reporting
breaches within the required 60 days. Organizations fined in the past typically
have had more than one problem, such as a lack of business associate agreement
and no risk assessment, for example. The penalty against Presence Health was
unique in that it was focused only on the organization’s response time.
Since the BNR took effect in 2009, 1,800 large breaches have been
reported to OCR along with more than 240,000 small ones. Since mid-2015, OCR
has collected more than $27 million in penalties from covered entities and business
associates, according to Holtzman.
Michael Adelberg, a former senior official in CMS’s Center for
Consumer Information and Insurance Oversight (CCIIO), suggests the timing of
the enforcement action, in the waning days of the Obama administration, likely
isn’t coincidental, and could have implications for stakeholders that have
access to PHI. Adelberg is a senior director at FaegreBD Consulting in
Washington, D.C.
The timing of the penalty “might raise an eyebrow” given the
offense occurred three years ago, he tells AIS Health. He suggests that the
action could alter breach enforcement for years to come.
While Apgar doesn’t think the penalty sets a precedent, he says
health plans must understand that OCR wants companies to take breaches
seriously and report them quickly. “To me, OCR is saying, ‘this is an issue,
and we aren’t putting up with it anymore.’”
Among health insurers, Apgar says delayed reporting doesn’t appear
to be as common as failing to conduct a risk analysis or not having the
appropriate infrastructure in place to identify when a breach has occurred.
“OCR will fine that organization because it would have identified [the breach]
sooner if it had a proper risk-management program in place,” he says.
“Due to the increased publicity and scope of data breaches, the
precedent-setting action by OCR can be seen as part of a broader response to
data privacy and security issues, and a resulting desire to encourage
transparency on the part of data-holders,” according to a Jan. 12 paper
co-authored by Adelberg.
‘Spear Phishing’ Is Latest Threat
The biggest cybersecurity threat is social engineering. So-called
phishing expeditions, which lure employees to unknowingly click on a
virus-infected email or malicious web link, have proven very effective. More
sophisticated “spear phishers” might steal personal information about an
employee and use it to personalize an infected email. The name of that
employee’s child, for example, might be used in the subject line, which could
be made to appear to be coming from the child’s school, says Apgar. Or, a
message to the company’s CEO might be made to look like it’s coming from
another executive within the company. “In the end, your biggest risk is
people,” he warns.
For 2017, health insurance companies need a “C-suite commitment”
to focus on security, says Apgar, and that needs to go beyond buying
sophisticated tools. Carriers also need to conduct a risk analysis to identify
potential gaps, ensure that policies and procedures are in place, and conduct
mock phishing exercises to see which employees might click on malicious links.
Without first completing those steps, sophisticated tools aren’t much use.
“I’ve heard from health plans and health care providers that don’t
want to spend millions of dollars on infrastructure and security improvements
when the fines are far less expensive. It’s cynical, but I have heard that,” he
says, adding that such a philosophy is also foolish.
Along with a fine, a breach could lead to bad press and
class-action lawsuits filed by those affected. He points to a $1.5 million fine
that BlueCross BlueShield of Tennessee agreed to pay in response to 57 hard
drives being stolen in 2009, affecting more than 1 million people. The
insurance carrier wound up spending nearly $17 million on the investigation,
data encryption, notification and mitigation.
How Should Carriers Prepare?
Incidents in which there has been a breach of PHI can include
everything from lost paper documents or messages sent to an incorrect fax
number to a theft of unencrypted hard drives or a lost laptop. Having a program
in place that identifies your gaps before they’re exploited is half the battle,
says Holtzman. Here’s a look at steps he says health plans should take to
protect themselves and their members:
· Prepare: Organizations should conduct a risk
assessment and implement a mitigation plan to narrow or eliminate gaps in an
organization’s approach to safeguarding PHI or assuring their systems for
securing information are effective, he says.
· Document: Health plans must have a well-documented
incident response plan. “It’s better to map out and prepare the steps you are
going to take when there is a breach well before the breach has actually occurred,”
Holtzman says.
· Investigate: All incidents — in which there is a
suspected unauthorized use or disclosure of PHI — must be thoroughly
investigated and documented. When there has been an incident involving an
electronic information system, it’s important to conduct a forensic analysis of
the incident and to implement the response plan to stop the breach from
spreading. If an outside firm is hired to conduct the analysis, it needs to be
brought in as early as possible, he says.
· Notify: The BNR requires covered entities like
health plans to notify affected individuals within 60 days after they have
discovered that there has been a breach. The BNR also requires notification to
the government, and in incidents affecting more than 500 people, notice to the
media. (Some state laws may require a shorter notification window.) Once a
breach is detected, there needs to be a process in place to notify affected
individuals, HHS and the media, if necessary. Breaches impacting fewer than 500
people can be reported to OCR in an annual report, and within 60 days of the
end of the calendar year, said Holtzman.
Jocelyn Samuels, an Obama-administration appointee, will head OCR
until Jan. 20 when Donald Trump is sworn in as president. Samuels’ replacement
will be appointed by the incoming HHS secretary. Rep. Tom Price, M.D. (R-Ga.),
Trump’s pick to head that office, is expected to be confirmed. Given
congressional efforts to repeal and replace the Affordable Care Act, appointing
someone to head OCR won’t be high on the list of priorities for the Trump
administration. Until a new person is appointed, the agency will continue along
the same path, Apgar says.
Samuels presided over an unprecedented 13 enforcement actions that
netted OCR nearly $25 million in 2016, more than double the agency’s take in
any single prior year. OCR is likely to issue few, if any, settlements before a
new director takes the helm, according to the Health Care Compliance
Association’s Report on Patient Privacy publication.
To see HHS/OCR’s statement on the Presence Health case,
visit http://tinyurl.com/j8omdtk.
The resolution agreement and corrective action plan may be found
on the OCR website at http://tinyurl.com/grps7ez.
Source: https://aishealth.com/archive/nhpw011617-01?utm_source=Real%20Magnet&utm_medium=email&utm_campaign=116736682