Healthcare Privacy and Information Security Risk Forecast for 2015

by Marti Arvin
April 10, 2015
in Compliance

In 2014, the Federal Bureau of Investigation sent a private notice to healthcare organizations regarding the industry’s preparedness to fight cyber intrusions. The notice stated that healthcare organizations are “not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”[1] Until recently, privacy and information security have not been a significant focus of the healthcare industry. That is changing. A 2013 study estimated that North American healthcare organizations would spend $34.5 billion on information technology in 2014.[2] While there are numerous privacy and security risks in the healthcare space, two key areas for 2015 are enforcement by the Office for Civil Rights (OCR) through audits and investigations and the growth of bring-your-own-device workplaces.

Office for Civil Rights Activity

OCR Audits

HIPAA was not a key focus for many healthcare organizations in its early stages, between 2003 and 2008, largely because of the lack of enforcement by OCR. Initially, OCR enforced on a complaint-driven basis. After the first Resolution Agreement, between OCR and Providence Health System, covered entities began to think more about enforcement. However, covered entities still did not appear to be concerned about privacy and information security issues. Then along came the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly increased the civil monetary penalties for non-compliance and mandated that OCR engage in proactive auditing.[3]

In 2011, OCR launched its pilot audit program. When the program was completed, healthcare organizations, including providers, health plans and clearinghouses, had failed miserably. Very few organizations came through the audit without any findings; the vast majority had significant findings under all three rules audited.[4] OCR announced it would initiate its ongoing audit program in 2014.[5] The audit program will include both desk audits (review of submitted documents only) and onsite audits. OCR originally indicated it would conduct more desk audits than onsite audits. However, in September 2014, OCR announced that increased resources would allow it to conduct more onsite audits and reduce the number of desk audits.

Healthcare organizations should be preparing now for the possibility of being selected for an audit. The timelines for responding to OCR requests for documents are short, and OCR has not been inclined to grant extensions. If the healthcare organization is decentralized, gathering documents can be quite complex.

The most likely focus of the desk audits will be the Risk Analysis process under the Security Rule, the patient access right under the Privacy Rule and the notification process under the Breach Notification Rule. To be prepared for the audits, healthcare organizations should be able to provide the details of their Risk Analysis process, including the mitigation actions taken for risks identified in earlier risk analyses. If no mitigation was done, the organization should be prepared to explain why.

The information supporting access rights needs to show how access is granted when a patient makes a request. Finally, the information should include breach responses, including the analysis of why notification was not required, or documentation demonstrating that notification was timely and made by the appropriate means.

An additional change for the 2015 audits is the addition of business associates (BAs), which have not been audited in the past. OCR will identify BAs by requesting a list from the covered entities selected for audit. Thus, covered entities must be prepared to provide such a list to OCR and ensure that it is comprehensive.

The onsite audits will be more comprehensive than the desk audits. OCR will be looking to see if covered entities have, and are following, their policies and procedures around the three rules. If selected for an onsite audit, covered entities should be prepared for the disruption, including the potential for OCR to interview workforce members on their understanding of the HIPAA rules.

Additional OCR Enforcement

The enforcement arena for HIPAA has changed significantly since the Privacy Rule became enforceable in 2003. OCR has become much more aggressive in its enforcement actions. The first resolution agreement, signed with Providence Health in 2008, was for $100,000. The highest dollar figure for a resolution agreement as of October 2014 was $4,800,000. In a speech before the American Bar Association in Chicago in June 2014, an OCR official indicated that the worst of the HIPAA settlements were yet to come: OCR enforcement activity in the 12 months prior to June 2014 will “pale in comparison to the next 12 months.”[6] Discussing the $4.8 million settlement, the official went on to say, “Knowing what is in the pipeline, I suspect that that number will be low compared to what’s coming up.”[7]

Preparing Your Organization

Having the elements of an effective privacy and information security compliance program in place will take an organization a long way toward being prepared for an OCR audit or investigation. Focusing efforts on the key areas OCR has indicated it will review is critical; however, ignoring other areas to focus only on these would be a mistake. Breach notification is still required, and if a breach involves 500 or more individuals, the covered entity must notify HHS without unreasonable delay and no later than 60 calendar days after discovery, at the same time it notifies the affected individuals. Just under 50 percent of the Resolution Agreements OCR had entered as of October 2014 were the result of self-reported breaches.

If a healthcare organization has not done ongoing risk analysis, or cannot demonstrate that it has created an appropriate mitigation strategy for the risks it has identified, this would be a good area to review. Conducting a mock audit is another way to ensure the organization is prepared to respond to an OCR audit. While OCR officials have stated the audit program is not intended to be punitive, they have also stated that findings could result in a more intensive review of an organization. Being prepared will help organizations avoid additional scrutiny.

Bring Your Own Device

It is not uncommon for organizations to view the trend of bring your own device (BYOD) as “bring your own disaster.” Technology is moving toward an environment where BYOD will be the norm. However, when it comes to protecting an organization’s information, the BYOD world carries huge challenges, and these challenges are present for virtually any type of organization, not just healthcare.

BYOD raises a multitude of issues, so this article will focus on only a few. The most basic is whether the organization allows BYOD at all. In today’s ever more mobile world, the more realistic focus should be how to control BYOD rather than whether to allow it, because BYOD is already occurring: approximately 81 percent of Americans use their personal mobile device for work.[8] Unless the organization can physically control the entry or use of devices, there are very few ways to completely disallow BYOD. It can be prohibited by policy, but enforcing such a policy is quite difficult. If an organization has a complete prohibition against BYOD but no method to enforce it, this may create more legal liability than allowing BYOD with some controls.

Beyond controlling the device itself, a further challenge is ensuring the privacy and security of information on a device the organization does not fully control. There are technology solutions that encrypt any data moved from the organization’s network to a mobile device, including a personal device. There are also technology solutions that evaluate devices attached to the network; these can either prevent the device’s use or ensure that minimal security features are enabled before data can be downloaded or pushed to the device.

These solutions are not a panacea. They cannot guarantee that a user does not share the password for an encrypted device with a family member (forty-six percent of Americans allow others to borrow their devices[9]), nor can they ensure a user won’t be careless with a password. If BYOD is allowed and technology solutions are not enabled, it is even more challenging for the organization to ensure minimal standards are met.

A third challenging area is appropriate data back-up. If a researcher is keeping the data from an experiment on her personal USB drive and the drive is lost, stolen, or corrupted, where is the back-up? Most organizations have some method for routine back-up of data kept on their networks. But if the only copy of the data is on the researcher’s personal device and it is not linked in some way to the network for back-up, the organization could lose months or even years of the researcher’s work if something happens to the device.

Yet another challenge is data on departure. How does an organization ensure its proprietary information is not walking out the door with an employee who is leaving? Healthcare organizations often think first about private patient information such as the data protected by HIPAA. But when thinking about BYOD, all organizations need to think more broadly. Consider the consequences if the business loses other types of data, such as strategic business information, customer data, intellectual property or other proprietary information.

To be prepared for this challenge, the organization should have a mobile device policy that addresses each of the following questions:

1. When is it considered appropriate to use personally owned mobile devices for business purposes such as document and data storage or receiving e-mails?

2. What security features must a mobile device have, whether personally owned or owned by the healthcare enterprise?

-Passwords?
-Encryption?

3. What are the company’s rights?

-Can it audit the data on a personally owned device?
-Can it access the data on a personally owned device?
-Can it wipe data remotely if the device is lost or stolen or the employee leaves the company?

4. Must the employee get approval and/or sign a document regarding protection of the data before using a personal device for business?

5. What software applications, if any, will the company require before allowing the use of personally owned mobile devices?

6. What happens if the employee takes company data when he leaves the organization?

-Is there a process to allow this under certain circumstances?
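The device checks described under the second BYOD challenge above (verify a device's security features before data is pushed to it) and policy questions 2, 3, 4 and 5 in the list can be encoded as a posture gate that fails closed. The following is an added example written for this edit, not code from the article or from any mobile device management product; the device records, the 90-day patch threshold, the signed-agreement requirement and the selective-versus-full wipe distinction are assumptions made for illustration.

```python
"""Posture gate for BYOD access to organisational data (added example).

Encodes the article's BYOD policy questions as checks: passcode and
encryption (question 2), the organisation's right to wipe (question 3),
a signed data-protection agreement for personal devices (question 4) and
a required management agent (question 5). Thresholds and device records
are constructed for illustration, not taken from any real deployment.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    owner: str
    personally_owned: bool
    passcode_set: bool
    storage_encrypted: bool
    mdm_enrolled: bool          # required management app installed (question 5)
    remote_wipe_capable: bool   # can the organisation wipe it? (question 3)
    os_patch_date: date
    agreement_signed: bool      # signed data-protection acknowledgement (question 4)


@dataclass(frozen=True)
class Policy:
    max_patch_age_days: int = 90   # assumed threshold, not from the article


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(device: DevicePosture, policy: Policy, today: date) -> Decision:
    """Allow data onto the device only if every required control is present.
    Every missing control is reported, so the user can fix all of them at once."""
    reasons: list[str] = []
    if not device.passcode_set:
        reasons.append("passcode not set")
    if not device.storage_encrypted:
        reasons.append("storage not encrypted")
    if not device.mdm_enrolled:
        reasons.append("management agent not enrolled")
    if not device.remote_wipe_capable:
        reasons.append("remote wipe not available")
    patch_age = (today - device.os_patch_date).days
    if patch_age > policy.max_patch_age_days:
        reasons.append(f"OS patch level is {patch_age} days old")
    if device.personally_owned and not device.agreement_signed:
        reasons.append("data-protection agreement not signed")
    return Decision(allow=not reasons, reasons=reasons)


def wipe_action(device: DevicePosture, event: str) -> str:
    """Action when a device is reported lost or stolen or its user departs.
    Assumption: a personal device gets a selective wipe of the managed
    container only, a corporate device a full wipe. An unenrolled device
    cannot be wiped at all, which is why enrolment is required by evaluate()."""
    if event not in ("lost", "stolen", "departure"):
        raise ValueError(f"unknown event {event!r}")
    if not (device.mdm_enrolled and device.remote_wipe_capable):
        return "manual_followup"   # no technical control left; escalate to HR/legal
    return "selective_wipe" if device.personally_owned else "full_wipe"


# Constructed sample inventory (illustrative, not real devices or people).
TODAY = date(2015, 4, 10)
DEVICES = [
    DevicePosture("d-001", "nurse.a", True, True, True, True, True, date(2015, 3, 1), True),
    DevicePosture("d-002", "dr.b", True, True, False, True, True, date(2015, 3, 1), True),
    DevicePosture("d-003", "researcher.c", True, True, True, False, False, date(2014, 11, 1), False),
    DevicePosture("d-004", "it-laptop-7", False, True, True, True, True, date(2015, 4, 1), True),
]


def report(devices=DEVICES, policy=Policy(), today=TODAY) -> dict[str, Decision]:
    """Evaluate the whole inventory; the auditor-facing evidence of the control."""
    return {d.device_id: evaluate(d, policy, today) for d in devices}


if __name__ == "__main__":
    for dev_id, dec in report().items():
        print(dev_id, "ALLOW" if dec.allow else "DENY", "; ".join(dec.reasons))
    print(wipe_action(DEVICES[0], "departure"), wipe_action(DEVICES[2], "lost"))
```

The unenrolled researcher device (d-003) illustrates the article's point that a prohibition without a technical control leaves nothing to act on: it is denied at the gate, and when it is reported lost the only available response is a manual follow-up, since the organization never had the ability to wipe it.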

Conclusion

Like most industries, healthcare faces a significant risk when data is compromised. This is no longer an “if.” All healthcare organizations and business associates must be taking steps to ensure compliance with the HIPAA Rules and any other state or federal laws around the protection of their information. The monetary and non-monetary costs are simply too great.

[1] SecurityWeek, FBI Issues Warning to Healthcare Industry on Cyber Security: Report, April 24, 2014.

[2] Healthcare IT News, Study: Health IT Spending to Top $34.5B, Diane Manos, August 29, 2013, available at http://www.healthcareitnews.com/news/study-health-it-spending-top-34b-north-america-next-year.

[3] The HITECH Act of 2009 increased the potential annual civil monetary penalties that OCR could impose for each standard violated from $25,000 to $1,500,000.

[4] OCR audited for compliance with the Privacy, Security, and Breach Notification Rules.

[5] The program was originally slated to start in 2014, but because of delays, it will not start until early in calendar year 2015.

[6] Data Privacy Monitor by BakerHostetler, June 13, 2014, by Kimberly M. Wong and Cory Fox, available at http://www.dataprivacymonitor.com/enforcement/hhs-attorney-major-hipaa-fines-and-enforcement-coming/. Quoting Jerome Meites, Chief Regional Civil Rights Counsel, Region V, Chicago, from a presentation at the American Bar Association 2014 Physicians Legal Issues Conference, June 12-13, 2014, Chicago, IL.

[7] Id.

[8] From Leapfrog article BYOD Stats: What Business Leaders Need to Know Right Now. March 2013, attributing the statistics to Gartner, Ovum, IBM, Vertic, Flurry, Magic Software, Motorola, and Harris Poll, available at http://www.ribbit.net/frogtalk/id/143/byod-stats-what-business-leaders-need-to-know-right-now.

[9] Id.


Marti Arvin

Marti Arvin is a seasoned ethics and compliance professional with deep experience developing, implementing and leading ethics and compliance programs and related infrastructures in large organizational settings. She currently serves as the Chief Compliance Officer for the UCLA Health System and David Geffen School of Medicine. Among her many areas of expertise in the ethics and compliance space, her specialties include privacy and data protection, higher education and health-care compliance.
