DWT Advisory: New HIPAA Reports to Congress Shed Light on OCR Enforcement

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued two reports to Congress, as required by the HITECH Act. The compliance report details OCR’s enforcement activities for 2011 and 2012 and sheds light on what covered entities and business associates can expect from OCR going forward. This is not the first signal that OCR’s enforcement efforts are shifting and accelerating. The breach report summarizes the breaches affecting 500 or more individuals and offers a glimpse of what OCR is seeing for breaches affecting less than 500 individuals. HIGHLIGHTS OCR’s compliance report for 2011-2012 OCR has received approximately 77,000 complaints since the Privacy Rule compliance date (April 14, 2003) as of the end of 2012 and has closed 91% of these complaints. More than half of the complaints OCR receives are closed after a determination that OCR does not have jurisdiction to investigate the matter. OCR clarifies that it opens compliance reviews for all breaches affecting 500 or more individuals. Additionally, OCR may open compliance reviews in response to notifications of breaches affecting fewer than 500 individuals or as it becomes aware of potential non-compliance (such as through media reports). Unlike complaints, OCR does not provide information regarding the number of compliance reviews it has closed. Notably, OCR’s recent enforcement action against New York Presbyterian Hospital and Columbia University resulting in a $4.8 million settlement stemmed from a breach reported in 2010. In light of the three-year time lapse between the breach and the settlement, the industry may expect to see more enforcement action from breaches reported in earlier years. This compliance report also highlights OCR’s audit program. While not new information, OCR again emphasizes that 89% of the 115 entities audited in the pilot audits were not fully compliant with HIPAA. OCR also noted that audit findings relating to security accounted for a disproportionately high number of total findings. To date, most OCR settlement cases involve security incidents. OCR’s breach report for 2011-2012 OCR’s breach report confirms that it received more than 200 large breach reports for both 2011 and 2012 – only a slight increase from 2010. There was a huge jump in the number of individuals affected by breaches in 2011, but this was mostly attributable to a couple of particularly large breach incidents (impacting approximately 4.9 million and 1.9 million individuals, respectively). As of today, OCR has not posted a summary on its website for either of these breaches, potentially indicating that these breaches are still being investigated. While theft and loss remain the top causes of large breaches, there appears to be an uptick of the impact of breaches related to hacking or IT incidents. In 2011 these breaches affected only 1% of individuals affected by large breaches. By 2012, this number jumps up to 27%. This report is also the first time in which OCR referenced a “ransom” attack, in which a malicious outsider makes electronic protected health information inaccessible until a ransom is paid. The breach report also highlights breaches by business associates. In 2011 in particular, most large breach incidents were attributable to health care providers, but more individuals were affected by large breaches attributable to business associates (because the business associate breach incidents were disproportionately large). OCR also has indicated that it will include business associates in future audits. Much of the information on large breaches already is made publicly available through OCR’s website, and Davis Wright now maintains more up to date summary information of such large breaches on its Privacy & Security Law Blog. The breach report, however, sheds new light on the breaches affecting fewer than 500 individuals. The number of reports OCR received in 2011 and 2012 (25,705 and 21,194, respectively) do not deviate much from the number of reports received in 2010 (2009 only accounted for a little more than the last quarter of the calendar year); however, the number of individuals affected by small breaches spiked in 2011 and 2012. The number of individuals affected more than tripled from 2010 to 2011, and increased further in 2012. This comes just a year after OCR announced its first settlement against a covered entity for a small breach. Additionally, there are some clear trends in the small breaches reported to OCR: The vast majority (84% for 2011; 83% for 2012) of these small breaches are happening at the health care provider level. More small breach incidents involve paper records than electronic protected health information (62% for 2011; 61% for 2012). The number one cause of small breaches for both years was unauthorized access or disclosure (84% for 2011; 74% for 2012), which may include misdirected communications, such as records or bills mailed to the wrong patient or an old address. Although theft and loss did not account for a large number of the small breach reports, together they affected a disproportionate number of individuals (46% for 2011; 42% for 2012). Key takeaways for covered entities and business associates OCR is ramping up enforcement. OCR indicates in the compliance report that it is “realign[ing] its enforcement efforts.” OCR has completed six settlements in the past four months with settlement amounts totaling approximately $7.79 million, doubling the total settlement amounts obtained in 2013. An OCR attorney also recently indicated that the settlements to date in 2014 “pale in comparison” to what is to come. OCR is focused on Security Rule enforcement. OCR recommends covered entities and business associates pay particular attention to compliance regarding key aspects of the Security Rule. According to OCR, better compliance in these areas may reduce common breaches. This includes:

• Risk analysis and risk management. Conducting a thorough security risk analysis and risk management plan, identifying and addressing the potential risks and vulnerabilities to all electronic protected health information. The risk analysis and risk management plan also should be updated from time to time.
• Security evaluation. Conducting periodic security evaluations and ensuring that appropriate physical and technical safeguards remain in place during operational changes, including facility or office moves or renovations, and conducting appropriate technical evaluations for software, hardware, and websites upgrades that may impact protected health information.
• Portable electronic devices. Safeguarding protected health information stored and transported on portable electronic devices, including through encryption and policies and procedures.
• Physical access controls. Verifying physical safeguards limit access to facilities and workstations used to maintain or access protected health information.
• Proper disposal. Ensuring policies and procedures account for the proper disposal of protected health information in both paper and electronic forms. Electronic devices and media that may contain protected health information should be purged or wiped before they are recycled, discarded, or returned to a third party, such as a leasing agent.

These are important areas for covered entities and business associates to address, but a compliance program is only as good as its weakest link.  With HIPAA audits in the near future, covered entities and business associates should ensure they have appropriate safeguards in place and have updated all policies and procedures, training materials and business associate agreements in light of the Omnibus Final Rule changes.  The OCR audit protocol is a good place for covered entities to start:http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html. OCR used this protocol to assess covered entities’ compliance in the pilot audits.  We caution that OCR has not updated this protocol to reflect changes made by the Omnibus Final Rule.  This protocol also does not identify provisions applicable to business associates.  Additional resources on HIPAA audits are available through Davis Wright Tremaine, including our Audit Toolkits: http://www.dwt.com/hipaatoolkit/. Business associates may represent a particularly high risk, as their breaches often affect more individuals.

• From September 2009 to June 28, 2014, business associates accounted for approximately 26% of large breaches. However, large breaches involving business associates have affected 48% of all individuals affected by large HIPAA breaches.
• As with covered entity breaches, theft was the number one cause of large business associate breaches from September 2009 to June 28, 2014.
• While paper records accounted for the highest number of large business associate breach incidents (24%) for the same time period, less than 6% of individuals affected by large business associate breaches were affected by breaches of paper records.