This Halloween, the scariest monsters might not be in your closet or under your bed. They may be overseas, orchestrating intrusions into your electronic medical record. Or they may be lurking in your own workforce, carrying around unencrypted laptops or skipping out on HIPAA training. From data harvesting zombie hackers to the impending blood-thirsty auditors of Phase 2, we present a parade of the HIPAA monsters that have been terrorizing regulated entities for most of this year. Be assured that they are lurking around your own privacy and security program just waiting for an opportunity to strike, as soon as you turn off the light, or forget to install the latest security patch or update your risk assessment.
The Sophisticated Overseas (Zombie) Hacker
While we can’t confirm zombie involvement, this monster is responsible for a number of infamous and record-setting breaches this year – CareFirst Blue Cross/Blue Shield (affecting 1.1 million); Premara Blue Cross/Blue Shield (affecting 11.2 million); Anthem (affecting 80 million); UCLA Health (affecting 4.5 million); Excellus BlueCross BlueShield (affecting 10 million); and the Office of Personnel Management (affecting 21.5 million federal workers). Each hacking incident involved detailed personal information such as names, social security numbers, financial information, and more.
It seems that no security measures are sufficient to keep this sneaky monster out – it can go for months or even years without being detected, causing staggering amounts of damage and raising questions about the sufficiency of even the most sophisticated security system. For example, the recent Excellus hack occurred over a year and a half before being discovered, according to the company’s website notification and FAQs. Your best defense against this monster: encryption, potentially (but read on), as well as a comprehensive audit and activity review program.
Tales from the [En]Crypt Keeper
The Office for Civil Rights’ (OCR) settlement with Cancer Care Group, P.C. earlier this fall is the latest in a long string of serious, and very expensive, breaches caused by the loss or theft of unencrypted PHI. In that case, a laptop bag containing a laptop and backup media was stolen from a Cancer Care employee’s car. What might have been an unfortunate trick was made much more serious by the fact that the backup media was unencrypted and contained the PHI of 55,000 current and former patients. OCR noted that Cancer Care had not conducted a risk analysis and did not have a written policy regarding the removal of electronic media containing PHI from its facilities. In OCR’s press release, OCR Director Jocelyn Samuels highlighted the important role of encryption in securing PHI.
Encryption isn’t a panacea; experts have noted that even encryption may not protect against a sophisticated hacking attempt. But though encryption may not save you from the zombie apocalypse, this Halloween it could keep a simple smash and grab from turning into a $750,000 settlement.
OCR's Phase 2 Audits
While OCR had been promising Phase 2 audits for quite some time, OCR's thirst for blood was recently revived following a critical report released by the Department of Health and Human Services's Office of Inspector General (OIG). This is almost certainly a trick, not a treat, for all covered entities and business associates.
The report, released on September 28, 2015, examines whether OCR is sufficiently exercising its oversight responsibilities. As we previously discussed here, the OIG focused on whether OCR is adequately overseeing covered entities’ compliance with HIPAA’s Privacy Rule. The OIG found a number of areas where OCR’s oversight is lacking. Based on its findings, the OIG recommended that OCR should:
- Fully implement a permanent audit program;
- Maintain complete documentation of corrective action;
- Develop an efficient method in its case-tracking system to search for and track covered entities;
- Develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and
- Continue to expand outreach and education efforts to covered entities.
In a letter from OCR to OIG (attached as an appendix to the OIG report), OCR acknowledged OIG's findings and concurred with their recommendations. In its response, OCR stated that it will launch Phase 2 of its audit program in early 2016. According to OCR, Phase 2 will test the efficacy of the combination of desk reviews of policies as well as on-site reviews, target specific common areas of noncompliance, and include HIPAA business associates in its audit process.
Finally, a Treat: OCR's New HIPAA Portal for App Developers; Fitbit Announcement
In a world seemingly beset by tricks, OCR has developed at least one treat: a new online portal aimed at mobile app developers. As we reported earlier this month, OCR recently released an online forum where developers can pose privacy-related questions unique to the burgeoning health app landscape. In addition to providing a means to ask general questions, OCR hopes that developers will use the portal to submit recommendations for future guidance.
Another treat comes from Fitbit, Inc., which announced that it would be supporting HIPAA compliance for its Fitbit Wellness programs. The San Francisco-based company, known for its wearable fitness and activity trackers, also offers hardware, software and services to organizations implementing corporate wellness programs. According to Fitbit's press release, its HIPAA compliance efforts will better support covered entities that are looking to improve the health and wellness of their members and employees. Fitbit also announced that it will agree to sign business associate agreements with health plans and self-insured employers, a move that it believes will increase integration opportunities.
Fitbit's position that it will now sign business associate agreements is likely a result of the limitations that it would otherwise face with its customers that are covered entities under HIPAA. It will be interesting to see if other mobile app developers follow suit and embrace the prospect of HIPAA business associate compliance obligations. It will also be interesting to see if OCR’s online portal supports such a trend.