With a new leader at the helm of the Office for Civil Rights, how might the regulatory climate change as we move into 2022 and what impact could that change have on data privacy and security programs? Dawn Morgenstern, Chief Privacy Officer and Senior Principal Consultant, Clearwater, speaks with Jeff Gibson, Member, Bass Berry & Sims, about government agency developments and the evolving regulatory and enforcement landscapes. They also discuss how to develop compliance strategies that integrate processes, procedures, and technology. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health. It companies, our solutions include our proprietary software as a service based platform, IRM pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise and advisory support from our deep team of information, security experts for more information, visit Clearwater compliance.Speaker 2:
Okay, welcome everyone to today's podcast. Our topic will focus on the compliance journey and my name is Don Morganstern and I'm a senior principal consultant with Clearwater heading up the privacy and security compliance and vendor risk management programs. I started my foray into HIPAA in early 2002, when implementation of the HIPAA privacy rule became a reality for covered entities. We developed a program from the ground up and then later assisted security compliance team with strategies for implementation of the security rule. I've been in the trenches with HIPAA privacy, breach and security ever since until becoming a consultant where I had the opportunity to partner with many covered entities and business associates to assess their programs and provide recommendations for improving and maturing compliance. I'm here today with Jeff Gibson, attorney and member of bast Berrien Sims. Jeff has an extensive background and experience representing clients in complex civil litigation and government investigations across a range of diverse industries, including healthcare, financial services, energy and technology. In addition to maintaining a business litigation practice, he defends individuals and companies facing quasi criminal, civil fraud claims white collar criminal charges and compliance violations. He leads the internal investigations and provides crisis management services. Jeff also has significant experience in responding to data breaches, including conducting internal investigations, to develop scope and causation fulfilling federal and state notice requirements and responding to regulatory enforcement, inquiries and actions. So the first thing we wanted to do today is set the stage for what we are seeing and enforcement. Then we'll discuss updates in the regulatory landscape, followed by compliance strategies since HIPAA's inception. Uh, the office for civil rights has, uh, had 102 enforcement actions with a total fine of up to$131 million. And that is minus the vacated. Uh, CMPs for MD Anderson of those 102 enforcement actions, 62 R EPHA related events. And of those 89% are failure to conduct a thorough and accurate risk analysis. The other key area is the 20 OCR settlements to date related to access. So while those fines haven't been huge, uh, it's setting the stage that access is a key element moving forward. When you look at the total number of complaints received by OCR, and while the majority of those have been resolved, it's still a staggering number. There's been over 275,000 complaints submitted, and there's still almost 6,000 that are active investigations. The total number of breaches we see of 500 and above just since 2018 have been slightly over 2000, but what's the most impressive number is the number of records that had been involved in those breaches. And that's 125,756,571. That's a very large number. So at this point, it's really unclear what the new director of OCR will focus on as she has just only recently been appointed in September of this year. So one of the things that I also wanted to, um, expand upon is, you know, where those fines originate from, who comes up with the number and how do they figure that. And so OCR takes into account many factors when assessing the civil monetary penalties, obviously the nature and the extent of the violation, and also the harm resulting from the violation and any prior historical compliance or administrative, um, issues that the organization has had. But one of the key things that stands out is in that assessing of the fine is the financial condition of the covered entity or business associate and consideration of that may include whether or not the business associate or covered entity had financial difficulties that affected its ability to comply. And whether the imposition of a civil monetary penalty would jeopardize the ability of the organization to continue to provide or to pay for healthcare there's other factors included, but then there's always the standard catch, all phrase of other matters as justice may require. So these are things that contribute to the enforcement actions that we're seeing at least on the office for civil rights side of the equation. So Jeff, in the last year, we've seen movement in a couple of areas to develop more, a more prescriptive approach to strengthening privacy and security compliance. What are some of the key initiatives that you're seeing?Speaker 3:
Well, I think you're exactly right on, um, there, there are a couple of developments I want to note at this stage. The first is, is something of a positive, I think for, um, for providers, um, HR 78 98 became public law in January of this, uh, this year. And it amends the high-tech act out 78, 98 is a carrot. It's not a stick. And it essentially provides, um, for some level of, of benefit to come from organizations who can demonstrate that they have in place recognize security practices. Um, and in particular, 78 98 says that the secretary of HHS can consider not, not as not required to consider, but can consider whether a covered entity or a business associated business associate, excuse me, has demonstrated for at least the last 12 months, it had recognized security practices in place. And if the entity is able to do so then that could possibly result in mitigation of fines or other remedies that might otherwise flow to the organization from an audit or an investigation. And it could also result in the early favorable termination of an audit. So here we see HHS putting in place, um, some incentives to hopefully, uh, encourage entities, to be more proactive with their, um, with their risk practices. Um, only enforcement front. There was a major, uh, new development, uh, recently, um, in October of 2021, the department of justice announced a new civil cyber fraud initiative, um, under which it will pursue false claims, act liability against government contractors in the cybersecurity space. Now I do a lot of false claims act litigation, and this is a, this is certainly a new development. We do not see many cases, um, in the cybersecurity space. Uh, the DOJ has pointed to three common cyber security failures that it views, uh, as possibly resulting in false claims act liability. Uh, one would be a knowing failure to meet cybersecurity standards, to knowingly misrepresenting security controls and practices, and three failing to timely report suspected breaches, um, which, you know, the, the government uses critical for the government agencies to be able to respond, uh, remediate vulnerabilities and, and limit harm. Um, under this initiative, we are likely to see more false claims, act lawsuits against government contractors, um, filed by the government or the investigations undertaken by the government. If the government believes that that government contractors are, are failing to meet their cyber security obligations under applicable law or the terms of, of government contracts. Um, moreover what we expect to see is, um, whistleblowers being more encouraged to be aggressive in bringing key Tam lawsuits under the false claims act when they believe that their employers are not honoring cybersecurity obligations. And indeed we've, we've already seen whistleblower practice groups, um, kind of sending out a call to arms in that respect. So this is really a major development and we expect, um, a new enforcement mechanism to, to really blossom in, in the coming years.Speaker 2:
Well, it seems that the logical next step then would to reducing that risk is for an organization to adopt a security framework. So where H R 78 98 encourages them the, the DOJ action almost seems like, uh, you, it would be a case where it's really in an organization's best interest. And some of the frameworks that we're seeing, uh, from at least from the office for civil rights is the cybersecurity framework, uh, which is a set of guidelines for mitigating organizational cybersecurity risks. And because it's not specific to any type of industry, it seems to be a good starting point for an organization. Um, no matter which industry they're in. And what's interesting about the cybersecurity framework is that, you know, a successful implementation of the framework is really based on achieving outcomes described in an organization's target profile with tiering influences for prioritization. So it seems like it's a, um, uh, the current profile versus their target profile and establishing, um, outcomes needed to achieve the desired cybersecurity risk management goals. The other thing that, uh, I'm seeing too, the adoption of the health industry, cybersecurity practices, 4 0 5 D a task group, uh, initiatives where they develop technical volumes one and two, which really set up cyber security practices based on the size of your organization. And what I really like about the way this is set out is that identifies the practices to reduce the impact in those five cybersecurity threat areas that we have been seeing, um, a lot of increase in things such as phishing attacks and ransomware, but it also takes into account some of the other areas with loss or theft of equipment. And it does also, uh, consider the insider threat, whether it's accidental or intentional. So it really maps out each of those five key areas, um, and develops, you know, some good, uh, practices. So for example, if we look at, you know, some of the email phishing and how it's based around your system configuration education and doing, uh, simulated phishing attacks, what's, what's nice is they, you know, the volume really talks about what controls to consider to enhance the security posture of your email system. So, I mean, this seems like a no-brainer, but, you know, avoid free or consumer email systems. And it goes through a laundry list for each of the, um, what they call sub-practices, um, for the size of organization. The other thing that's nice is that the 4 0 5 D also maps back to the NIST CSF framework for protect, detect, identify. And so, you know, these frameworks, you know, when we look at the potential threats to an organization, we realize that the regulatory environment, you know, doesn't always keep up. And so these frameworks allow organizations to develop a, uh, set of controls that are in line with their organization for adaptability and agility, so that they can actually respond quicker rather than waiting for regulatory changes. Um, so what are some of the other changes that you're seeing Jeff?Speaker 3:
Well, w one that comes to mind is, um, you know, as part of the regulatory sprint, the coordinated care OCR in January of 2021 issue, the notice of proposed rulemaking, um, seeking to modify the HIPAA privacy rule to support individuals engagement in their health care, remove barriers to coordinated care and to decrease regulatory burdens on the healthcare industry all while, you know, of course, continuing to protect individuals, um, health information, privacy interests. The notice of proposed rulemaking was published in early January 21. Uh, there's no final rule as of yet, but to date we've seen over 1400 comments, a couple of noteworthy aspects. One is, is the, the, um, strengthening of individuals rights to access their own health information. And that includes of course, electronic information and Dawn that, that speaks to the point you made at the, at the outset that, you know, access is, is really going to be a continuing theme in this space. Um, another, uh, noteworthy aspect is, is that the notice of proposed rulemaking seeks to improve information sharing, uh, for care coordination and for case management for individuals.Speaker 2:
Yeah. So I think the push to greater access and greater cybersecurity controls, um, expands around, you know, devices and data collection in general. Um, but it also aligns with what w what, you know, we're seeing with the 21st century cures act, you know, more specifically section 4,002, that an organization does not take any action that constitutes information blocking. Um, that just sounds very familiar with what we're seeing. Like you said, Jeff, in the, um, modifications to the HIPAA privacy rule with, you know, access to information and making access more available, so to speak, um, in that area. And more interestingly, when we look at it from, you know, section 4,004, you know, what is information blocking? It's a practice that's likely to interfere with prevent or material materially discouraged access exchange, or the use of electronic health information. And I think that goes back to what you said Jeff about even, um, you know, when it comes to care coordination. I mean, there's things in the privacy rule that have never prohibited that, but it just seems like because of a misunderstanding or misinterpretation by a lot of organizations, they're reluctant to share that information for certain purposes like that. So it seems that this information blocking, even though it's, it's more agnostic, takes it one step further. Um, it's not just, um, about the individual requesting access, but it's also around the mechanisms to which, uh, they get access to data or how data is transferred. And so, um, you know, when we look at it from a health information technology perspective, you know, organizations that have applications or portals or things like that are really going to have to look at their development, how they exchange the information, uh, the network, um, all these things, um, where practices could likely interfere with, or prevent or discourage individuals from obtaining access to their, um, electronic health information. I think also, um, you know, if these activities are conducted by a healthcare provider, that provider knows that that practice is unreasonable and is likely to interfere is where it's going to run into some challenges. Uh, when we look at it from that perspective, um, the whole point of, you know, preventing information blocking is really to support that seamless and secure access and exchange to what they call electronic health information. And that's a whole nother debate around what EHI is, but some of the initiatives are really to adopt a standardized, um, application programming interface, the API APIs, um, you know, where patients can electronically access all of their EHI. And one of the challenges I think that they talk about in that is that it includes structured and unstructured data at no cost to the individual. So it seems that this whole access and prevention from information blocking really is going to be a cost of doing business. Um, and that, you know, any attempt to discourage access is going to run a foul of the whole purpose behind that. And I think what's also interesting about the, um, information blocking, um, elements are that, um, there are exceptions and while many entities aren't necessarily subject to the privacy act, um, those that are probably are going to see a lot of, um, you know, uh, conceptually similar types of exceptions, you know, the privacy exception if, uh, information, uh, could cause harm. Um, you know, we're looking at a number of different, you know, preventing the harm, exception, uh, security in feasibility. Um, some of the other areas that involve fulfilling requests, you know, round the content and the manner exceptions. So it seems that a lot of these, um, you know, while there are exceptions, I found in my own experience, even under the privacy act that in very few circumstances, um, do we see these exceptions actually coming into play? And so, you know, it's likely that it could be the same similar, um, uh, same similar situation under the information blockingSpeaker 3:
And Don go, it's important to note the enforcement lawyer in the me has to make this point, but, um, you know, there's, you can be penalized and the entities can be penalized for engaging in information blocking, and the penalties can range up to$1 million per violation. So, um, I talked about a Karen earlier, but here's a real stick.Speaker 2:
Yeah. I mean, that's, that's huge. Um, you know, when you look at it, you know, per violation, especially when you compare it with the, um, the, the penalties under HIPAA, I mean, they're structured, they're tiered. Um, so, you know, and there's a lot of factors that go into play there. So it'll be interesting to see how this pans out on the, uh, information blocking side, you know, and if things weren't complicated enough, you know, how challenging will the regulatory environment become when you take into consideration, um, the state and federal and other federal requirements that we continually see, um, implemented, um, across the board. What are your thoughts there, Jeff?Speaker 3:
Well, I think it's a great question, Dawn. Um, you know, th this is an area that that's evolving rapidly, um, and entities that operate in numerous states are going to find that, or currently find themselves subject to a number of state privacy and, and data breach laws that differ in their approach and their coverage. Um, and I note that many of these, um, apply outside of the healthcare space. So it's critically important for entities to understand the various private privacy and breach notification laws that apply to them. Um, what unique requirements each set of laws carries and to develop security programs and breach response protocols that, that meet the various requirements. And, and that's a, that's a difficult ask. And so it's important to really stay abreast of, of where you're operating and what the requirements are that, that, that, uh, that apply. Um, and of course, you know, things get only more complicated if, if an entity operates overseas. Um, so as we've seen with, uh, GDPR,Speaker 2:
Right, and I noticed that there's a lot of, um, states that are adopting just general cybersecurity practices, you know, like the New York DFS, which has been around for a while, the cybersecurity regulation, um, but the New York shield act, but we're seeing it across more states too. Um, and there's not always a clear cut, um, HIPAA carve out that we saw, like with CCPA where it said, you know, if you're complying with HIPAA, then you're complying with CPB CCPA. Um, are you seeing that to be the case as well?Speaker 3:
Yes, no, absolutely. Um, absolutely at that, uh, you know, this is, this is one of those areas where entities just have to be really vigilant and keeping up with what the, what the various obligations are. Right.Speaker 2:
And I know, you know, back in the early days with HIPAA and the preemption analysis, I mean, that was, that was a daunting task, just to try to even look at, at so many different elements at, at the state level and how it all impacts, um, you know, the processes and the procedures that, uh, people are, uh, organizations are putting into place.Speaker 3:
One more point I'll, I'll make there. I mean, especially when, when you think about breach notification, for example, um, if a breach occurs and an organization is subject to, um, five different state laws, and what we see is that the breach, um, notice period varies from state to state. So once they might require, uh, reporting to the, to the attorney general within 30 days, whereas other states require 90 days. So, you know, that's really important, um, for organizations to be mindful of those, those, uh, requirements so that they can put the processes in place, um, to be able to adequately respond to a breach and meet these varying requirements.Speaker 2:
Yeah. I think the other thing I'm seeing too, is that, you know, when it comes to things like access and, um, you know, notification, a lot of states are even taking a more, uh, shorter, uh, timeframe approach to the notification requirements or provisioning of access requirements than what is even contemplated in the modifications, uh, rule. That was just, uh, the notice of proposed rulemaking that came out this year too. So, so what do you think that means for healthcare entities and their business associates, um, when determining next steps and compliance strategies?Speaker 3:
Well, Dawn, as you mentioned earlier, I mean, if they haven't already, this is a good time for entities to assess, um, their data security programs that should really be an ongoing exercise and to consider implement implementing, uh, one of the frameworks that you mentioned. Um, I certainly expect to see a continued, continued emphasis rather on enforcement as we move forward. Um, you know, the right of access initiative complaints and investigations are not going away. Um, it's important, uh, for, for organizations to respond, to request for access in a, in a timely manner. Um, and that includes being proactive in assessing how their organizations function, such that when requests come in, there's a, uh, a clear protocol for responding in a timely fashion. Um, you know, this, this sounds silly, but if you're contacted by OCR with technical assistance respond, it's critically important to respond. Um, and, and in fact, we've seen providers get deemed for failing to do so. Um, and so, you know, I think just, just being reasonable in, in, in your approach, hopefully we'll keep it, you know, keep, uh, an outreach from OCR, from turning into a, a settlement agreement or some type of corrective action plan. Um, and of course, you know, entities now have the specter of false claims act liability to worry about. And in my view, that is the game changer. And if there were not incentive enough or, or threat enough, uh, to get an entity to be more proactive about their, um, their data security programs, then, then I think the prospect of, uh, treble damages and, and per claim penalties under the false claims act should certainly light a fire.Speaker 2:
I would agree after, you know, being in an entity where we had a lot of, you know, because we were so large, you know, we had a larger target on our back, so to speak. And so we did get a lot of complaints, but we were very, um, open and, um, communicative with the investigators, whether it was the FTC or whether it was OCR. So I can tell you that, that from my own experience, uh, that has definitely, um, played an important role in, in our compliance strategy was, you know, not to ignore it and to take those things seriously. Um, and I think the big thing too, when you look at it from your compliance strategies, is that it's always good to be prepared. So while we've talked about a number of different regulatory, um, initiatives in the last year or two around information blocking around HIPAA, um, around the false claims act, um, I think that as far as a compliance strategy, you know, you have to be prepared. Don't wait till the last minute. Um, as more regulatory changes occur, you know, we encourage organizations to have a plan in place, you know, identify ahead of time who your key stakeholders in your processes are, so that you can understand the impact that any of those regulatory scheme has have on your organization and map out a plan so that when the time comes to act, you'll be prepared and you will likely run into less obstacles and have greater success for implementation. So when we look at compliance, um, we have to also look at it from a data perspective. We know that we look at compliance from privacy breach security, but we also have to look at it from a data perspective. So much more is being data-driven in our environment with interoperability. And, um, we have all kinds of internet of things, uh, applications and devices that are sending data. And so it makes it more critical that an organization has mapped their data flows. And this is something that, you know, you should always be doing something that you do continuously know where your data is in order to assess where and what cybersecurity controls are necessary to protect the data from unauthorized access. So you need to know what data is the most critical, because not all data is the same. You need to know where that data resides, and you need to know who has access to that data. So when you take those three questions and you think back to some of the cybersecurity controls, you know, there is a whole litany of things around data access. There's a data governance and, you know, there's applications and data criticality, analyses that all come into play. And these are all parts of the various either frameworks or even regulatory requirements. So, you know, knowing where that data is, is key in your decision-making. And then when you look at that from the hippo or the information blocking perspective, you know, you should define your designated record set. Now, as we talked about an information blocking, we're looking at electronic health information, but there's so many different subsets within EHI, um, and there's work groups out there that have struggled with how to, you know, really identify that designated record set because you have your legal health record, and then you have your us CDI, and then you have your designated record set. And then on the outside of that is really all that EHI. And so you really need to document the decision-making associated with that designated record set. What that enables you to do is it sets not only it, not only does it meet the requirement under HIPAA for designating the record set, but it also reduces the likelihood that the organization will be on OCR has list of 20 entities that failed to provide access, or did not provide, um, all the data. If everyone that is handling access understands what the designated record set is, I call it knowledge is power. So they're in a much better position to be, to respond to those requests, to prevent any, uh, issues down the road with any enforcement actions. And then another side of that is, you know, analyzing requirements and procedures. And while this may seem to be specific to HIPPA the things I'm going to discuss here, you can extrapolate these concepts when analyzing any type of data requests, whether it's external or internal, um, it's that unstructured data too, when it comes to phishing attacks, that seems to cause the greatest heartache. So that's one of the key things. Um, when we go back to looking at it, just from a data perspective, you know, you also have a structured and that unstructured data that you have to consider in this process. And it's really about, you know, people, processes and technology, you know, know who is asking for and who is responding to requests for data. And again, that's external and internal. One of the biggest challenges organizations have is they're very focused on what they send out of the organization, but they're not always as focused about how they exchange data within the organization. And I've seen time and time again, situations where, um, a phishing attack, there was emails that contained, uh, spreadsheets with hundreds of records. And it's just a challenge for an organization to try to, uh, look at that unstructured data. So, you know, know who's asking for it and who's responding to it and know where all the points or locations where records are released. So if we look at it from a healthcare perspective, we see that, um, you know, data is released at many different points. Um, you have a health information management team or release of information team. Uh, sometimes it happens in the clinical environment. So again, not specific just to healthcare, but know what all those points are in those locations where data flows in and out of the organization also know what processes, uh, the organization has in place for responding to requests for data. Do you have a data governance program that evaluates, um, the number of records, uh, that an individual is asking for, for an internal or even a business associate request? Um, what technology does the organization use when responding to these requests? You know, what are the security controls around that? And as we move into, you know, more around the, um, 21st century cures act, you know, there's really going to be a heavy emphasis on your health information management team. Um, who's going to be front and center for many of the changes that we've talked about today. Um, and you, you're going to need to determine how him is going to handle that. You know, test results are a big, um, area that, um, over the years greater access to that has been, um, provided, you know, including that in your designated record set, you have to also look at to what extent, um, those test results are released by clinicians. Um, you know, and how, if that's permitted in your org or permitted in your organization, um, you know, how that process will function, uh, or is, is it going to be driven to your centralized, you know, him or ROI team, and the big thing around this is really educating your workforce to avoid, you know, any conflicts to avoid, you know, situations where, um, you know, patients are now filing complaints with OCR because they didn't get access to everything they asked for. Um, the other thing to keep in mind is, um, when data's received from other providers and how that is added into the patient's record, whether it's scanned as unstructured data, you know, does it contain the CDI fields? We also need to look at it from an incident management perspective, you know, how do you handle a request when access can't immediately be provided, um, and then, you know, monitoring your practices and looking for areas to, for improvement, um, and always, you know, don't be afraid to adjust policies and procedures, you know, because you want to make sure that what you say you're doing is what you're actually doing. And then the biggest thing I already mentioned was really, you know, training that workforce. You know, I'm a big proponent for training because I think the more people understand how the processes work, the more likelihood that they'll be successful in complying with those. Um, you know, a lot of times I see entities, they have a hundred page security manual that has their policies and procedures in it, and they hand it to a new employee and say, here, read this and sign off on it. Well, that employee is not going to retain any of that data, you know, so you have to come up with more creative, uh, mechanisms to train the workforce, so that, that messaging, um, and about compliance and, you know, security protocols, you know, actually, you know, takes hold and it becomes the culture. And I think Jeff, that, you know, that brings us over to, you know, developing a holistic approach, your thoughts.Speaker 3:
Well, I think, I think it abs, you know, being compliant, absolutely demands a holistic approach here. And, and, you know, Don, I think you've done a great job of speaking on a really specific level, the many things that organizations should be considering. Um, if we take a step back, uh, you know, you mentioned three components that are just critically important. Um, people, processes and technology and organizations need to remember that those three building blocks are critical. Um, uh, for them to, to come up with a data security program, that's gonna be the best, uh, uh, the best way to try to ensure compliance. And, you know, it's critical to note that if there's a gap in just one component, if the focus is to, um, to attuned to two of those components, to the, um, to the exclusion of the third, then your compliance program, isn't going to function the way it should. Um, you can invest all the money in the world in technology and put all the, all the processes in place you want to, but if you don't adequately train your employees and not only train them on the front end, but continue to, to educate them, then your compliance program, isn't going to function the way that it should. So it's just really important to think about this from a holistic perspective.Speaker 2:
Yeah. So I think it really comes down to knowing what's happening, staying informed and developing processes that deter from, you know, false or misleading business practices, you know, in general. And I think it's important that an organization really take a unified approach to compliance, you know, no silos and that the strategies developed really support the organization's mission and values. I mean, all you have to do is look at any organization's website and they almost always have a section that talks about, you know, for example, delivering high quality health services, you know, but non-compliance with any of the regulatory requirements that we talked about today can really impact the organ organizations, reputation and finances from a multitude of agencies, um, with enforcement capabilities. Um, so, you know, really, you know, we talked about this compliance journey and how, uh, you know, it's, it's important to really know what's happening and stay informed and plan. Don't be afraid to plan now for the future.Speaker 1:
Thank you for listening. If you enjoy this episode, be sure to subscribe to speaking of health law, wherever you get your podcasts to learn more about AHLA and the educational resources available to the health community, visit American health law at org.