In 2014, the Federal Bureau of Investigation sent a private notice to healthcare organizations regarding the industry’s preparedness to fight cyber intrusions. The notice stated healthcare organizations are “not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”[1] Until recently, privacy and information security has not been a significant focus of the healthcare industry. That is changing. In 2013, it was estimated that North American healthcare organizations were expected to spend $34.5 billion in 2014 on information technology.[2] While there are numerous privacy and security risks in the healthcare space, two key areas for 2015 are enforcement by the Office for Civil Rights (OCR) through audits and investigations and the increase of bring-your-own-device workplaces.
Office for Civil Rights Activity
OCR Audits
HIPAA had not been a key focus for many healthcare organizations in its early stages between 2003 and 2008. This was largely due to the lack of enforcement by the OCR. Initially, the OCR did enforcement on a complaint-driven basis. After the first OCR Resolution Agreement between OCR and Providence Health System, covered entities began to think more about enforcement. However, covered entities still did not appear to be concerned about privacy and information security issues. Then along came the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly increased the civil monetary penalties for non-compliance and mandated the OCR engage in proactive auditing activity.[3]
In 2011, OCR launched its pilot audit program. The program was completed and healthcare organizations, including providers, health plans, and clearinghouses, failed miserably. There were very few organizations that came through the audit without any findings. The vast majority had significant findings under all three rules audited.[4] OCR announced it would initiate its ongoing audit program in 2014.[5] The audit program will include both desk audits (review of submitted documents only) and onsite audits. OCR originally indicated it would conduct more desk audits than onsite. However, in September 2014, OCR announced increased resources would allow them to conduct more onsite audits and reduce the number of desk audits.
Healthcare organizations should be preparing now for the potential of being selected for an audit. The timelines for responding to OCR requests for documents is short and OCR has not been inclined to grant extensions. If the healthcare organization is de-centralized, gathering documents can be quite complex.
The most likely focus of the desk audits will be the Risk Analysis process under the Security Rule, the patient access right under the Privacy Rule, and the notification process under the Breach Notification Rule. To be prepared for the audits, healthcare organizations should be able to provide the details of their Risk Analysis process, including the mitigation actions it has taken for risks identified in earlier risk analyses. If no mitigation was done, the organizations should be prepared to explain why.
The information supporting access rights needs to show how access is granted when a patient makes a request. Finally, the information should include breach responses, including the analysis of why notification was not required or demonstrating that notification was timely and by the appropriate means.
An additional change for the 2015 audits is the addition of business associates (BAs). This has not been a risk area in the past. OCR will identify BAs by requesting a list from the covered entities selected for audit. Thus, covered entities must be prepared to provide such a list to OCR and assure that it is comprehensive.
The onsite audits will be more comprehensive than the desk audits. OCR will be looking to see if covered entities have and are following their policies and procedures around the three rules. If selected for an onsite audit, covered entities should be prepared for the disruption, including the potential for OCR to interview workforce members on their understanding of the HIPAA rules.Additional OCR Enforcement
The enforcement arena for HIPAA has changed significantly since the Privacy Rule became enforceable in 2003. OCR has become much more aggressive in its enforcement actions. The first resolution agreement signed with Providence Health in 2008 was for $100,000. The highest dollar figure for resolution agreement as of October 2014 was $4,800,000. In a speech before the American Bar Association in Chicago in June 2014, an OCR official indicated the worst of the HIPAA settlements were yet to come. The OCR enforcement activity in the 12 months prior to June 2014 will “pale in comparison to the next 12 months.”[6] The official went on to say, “Knowing what is in the pipeline, I suspect that that number will be low compared to what’s coming up,” discussing the $4.8 million settlement.[7]
Preparing Your Organization
Having the elements of an effective privacy and information security compliance program in place will take an organization a long way to being prepared for an OCR audit or investigation. Focusing efforts on the key areas OCR has indicated they will review is critical; however, ignoring other areas to focus only on these key areas would be a mistake. Breach notification is still required, and if the breach involves more than 500 individuals, the healthcare covered entity must notify OCR immediately. Just under 50 percent of the Resolution Agreements OCR has entered as of October 2014 were the result of self-reported breaches.
If a healthcare organization has not done ongoing risk analysis or cannot demonstrate it has created an appropriate risk mitigation strategy for the risk, it has identified this would be a good area to review. Even conducting a mock audit would be a way to ensure the organization is prepared to respond to an OCR audit. While the OCR officials have stated the audit program is not intended to be punitive in nature, they have also stated that findings could result in a more intensive review of an organization. Being prepared will help organizations avoid additional scrutiny.
Bring Your Own Device
It is not uncommon for organizations to view the trend of bring your own device (BYOD) as bring your own disaster. The world of technology is moving toward an environment where BYOD will be the norm. However, when it comes to protecting an organization’s information, the BYOD world carries huge challenges. These challenges are present for virtually any type of organization, not just healthcare.
BYOD challenges include a multitude of issues, so this article will only focus on a few. The most basic is whether the organization allows BYOD. In today’s ever more mobile world, the more realistic focus should be how to control BYOD rather than whether to allow it, because BYOD is already occurring. Approximately 81 percent of Americans use their personal mobile device for work.[8] Unless the organization is able to physically control the entry or use of devices, there are very few ways to completely disallow BYOD. While this can be done by policy, the enforcement of such a policy is quite difficult. If an organization has a complete prohibition against BYOD but has no method to enforce it, this might create more legal liability than allowing BYOD with some controls.
In addition to simply controlling the device, an additional challenge is ensuring the privacy and security of information on the device when the organization does not fully control it. There are technology solutions that can provide encryption of any data moved to a mobile device, including a personal device, from the organization’s network. There are also technology solutions to evaluate devices attached to the network. These technologies can either prevent the device’s use or ensure that minimal security features are enabled before data can be downloaded or pushed to the device.
These solutions are not a panacea. The solutions cannot guarantee a user does not share his password for an encrypted device with a family member—forty-six percent of Americans allow others to borrow their devices.[9] Nor can it assure a user won’t be careless with a password. If BYOD is allowed and technology solutions are not enabled, then it is more challenging for the organization to ensure minimal standards are met.
A third challenging area is appropriate data back-up. If a researcher is keeping the data from an experiment on her personal USB drive and the drive is lost, stolen, or corrupted, where is the back-up? Most organizations have some method for routine back-up of data kept on their networks. But if the only copy of the data is on the researcher’s personal device and it is not linked in some way to the network for back-up, the organization could lose months or even years of the researcher’s work if something happens to the device.
Yet another challenge is data on departure. How does an organization assure its proprietary information is not walking out the door with an employee who is leaving the organization? Healthcare organizations often think about private patient information such as the data protected by HIPAA. But when thinking about BYOD, all organizations need to think more broadly. Consider the consequences if the business loses other types of data such as strategic business information, customer data, intellectual property, or other types of proprietary information.
To be prepared for this challenge, the organization should have a mobile device policy that addresses each of the following questions:
1. When it is considered appropriate to use personally owned mobile devices for business purposes such as document and data storage or receiving e-mails?
2. What security features must a mobile device have, whether personally owned or owned by the healthcare enterprise?
-Passwords?
-Encryption?
3. What are the company’s rights?
-Can it audit the data on a personally owned device?
-Can it access the data on a personally owned device?
-Can it wipe data remotely if the device is lost or stolen or the employee leaves the company?
4. Must the employee get approval and/or sign a document regarding protection of the data before using a personal device for business?
5. What software applications, if any, will the company require before allowing the use of personally owned mobile devices?
6. What happens if the employee takes company data when he leaves the organization?
-Is there a process to allow this under certain circumstances?
Conclusion
Like most industries, healthcare faces a significant risk when data is compromised. This is no longer an “if.” All healthcare organizations and business associates must be taking steps to ensure compliance with the HIPAA Rules and any other state or federal laws around the protection of its information. The monetary and non-monetary costs are simply too great.
[1] SecurityWeek, FBI Issues Warning to Healthcare Industry on Cyber Security: Report, April 24, 2014.
[2] Healthcare IT News, Study: Health IT Spending to Top $34.5B, Diane Manos, August 29, 2013, available at http://www.healthcareitnews.com/news/study-health-it-spending-top-34b-north-america-next-year.
[3] The HITECH Act of 2013 increased the potential annual civil monetary penalties that OCR could impose for each standard violated from $25,000 to $1,500,000.
[4]OCR audited for compliance with the Privacy, Security, and Breach Notification Rules.
[5] The program was originally slated to start in 2014, but because of delays, it will not start until early in calendar year 2015.
[6] Data Privacy Monitor by BakerHostetler, June 13, 2014, by Kimberly M. Wong and Cory Fox, available at http://www.dataprivacymonitor.com/enforcement/hhs-attorney-major-hipaa-fines-and-enforcement-coming/. Quoting Jermone Meites, Chief Regional Civil Rights Counsel Region V, Chicago from a presentation at the American Bar Association 2014 Physicians Legal Issues Conference, June 12-13, 2014, Chicago, IL.
[7] Id.
[8] From Leapfrog article BYOD Stats: What Business Leaders Need to Know Right Now. March 2013, attributing the statistics to Gartner, Ovum, IBM, Vertic, Flurry, Magic Software, Motorola, and Harris Poll, available at http://www.ribbit.net/frogtalk/id/143/byod-stats-what-business-leaders-need-to-know-right-now.
[9] Id.