Don't Wait for It; Recent HIPAA Enforcement Action Signal More to Come in Phase 2 Audits

September.21.2015

Officials at the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) have recently selected a vendor to conduct the second wave of HIPAA audits. These so-called "Phase 2 Audits" are set to commence on the heels of two important HHS OCR enforcement proceedings alleging violations of the HIPAA Security Rule:

St. Elizabeth's Medical Center, a tertiary care hospital in Massachusetts, allegedly failed to conduct a risk assessment before its employees used a cloud document-sharing application and failed to respond to a security incident in a timely manner, leading to a $218,400 fine and Corrective Action Plan (CAP). Orrick reported on this case in a previous alert.
Cancer Care Group (CCG), one of the largest privately owned radiation oncology groups in the country, recently signed a $750,000 settlement and CAP stemming from the theft of PHI belonging to approximately 55,000 patients stored on a stolen laptop and unencrypted backup media. According to OCR, the investigation uncovered that prior to the security incident, CCG failed to conduct an enterprise-wide risk assessment, and failed to implement a policy addressing the removal of unencrypted devices containing ePHI from company facilities – two issues that OCR identified as key contributing factors to the data breach. The CAP requires CCG to conduct risk analysis regarding its handling of ePHI, to develop and implement a risk mitigation plan addressing certain identified risks, and to review and update security policies, procedures and employee training.

The HIPAA Security Rule establishes a federal standard for protecting individuals' PHI and ePHI that is created, received, used, or maintained by Covered Entities (CEs) and Business Associates (BEs). This standard requires that entities design, implement and enforce appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI. HHS OCR is responsible for the administration and enforcement of the Security Rule. It performs compliance audits and investigations and has the authority to impose civil penalties and corrective action plans for violations. In addition to the Security Rule, OCR also enforces the Privacy Rule and Breach Notification Rule.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS OCR initiated its pilot Phase 1 Audit program in November 2011. Those audits were punctuated by HHS OCR's publication in June 2012 of an online searchable audit protocol that mapped the Security, Privacy and Breach Notification requirements evaluated in Phase 1. The audit protocol has emerged as a valuable tool for conducting internal assessments because it established a roadmap for aligning organizational performance of key HIPAA requirements with, among other things, security policy development, security monitoring and detection, security governance and management, workforce training, incident response planning, and business associate contracts.

Although the prior audit focused exclusively on CEs, the Phase 2 Audits will encompass both CEs, as well as BEs, which often serve critical data processing and management services. There is no doubt that HHS OCR will leverage the insights learned during Phase 1 to inform and design the audit protocols for Phase 2, which have not yet been published. If the recent enforcement actions and settlements against St. Elizabeth's and CCG are any indication of things to come, both CEs and BEs should consider conducting comprehensive risk assessments to identify issues for remediation before the Phase 2 Audits begin. As in those investigations, HHS OCR will likely be looking for whether organizations have conducted enterprise-wide risk assessments to identify their core technical and procedural vulnerabilities, and whether those assessments then translated into remediation strategies, as well as operational policies and employee training. In particular, HHS OCR is sure to examine the preparedness of organizations to detect, response, and recover from security incidents and data breaches. Moreover, as Phase 2 will encompass BEs, the same types of risk analysis and risk management, as well as breach reporting issues, promise to be front-and-center given the spate of recent high profile data breaches (across industries) that have been attributable to third-party service providers.

As a result, CEs and BEs should take this opportunity to review their security programs to identify potential HIPAA compliance issues, use the existing searchable online audit protocol tool as a starting point for conducting a comprehensive self-assessment, consider retaining expert outside help as necessary to provide an objective view and to help in developing a comprehensive plan that addresses physical, technical and administrative safeguards, and prepare and begin implementation of remediation plans. The best defense is early identification of risks and areas for remediation to provide organizations with the opportunity to avoid enforcement actions.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.