This entry is part 58 of 60 in the series HIPAA Security Risk Analysis Tips

HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez

We received almost 100 questions in our May 3rd web event entitled “WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez”.  We are breaking up the questions and providing the answers in this blog post series “HIPAA Risk Analysis Tips”.  Enjoy Part 4 as we work our way through them all!

  1. Doesn’t using the funds from fines that are levied / determined by the OCR to then fund additional auditing activity create a pretty significant conflict of interest?

Answer: The HITECH Act of 2009 delivered a bundle of carrots and a bundle of sticks. The bundle of sticks included increased enforcement, increased civil monetary penalties and a wider net being cast to include business associates. YES, one aspect of increased enforcement is a funding mechanism for OCR, found at HITECH Sec. 13410, Improved Enforcement, subsection (c), Distribution of Certain Civil Monetary Penalties Collected: “In general.—Subject to the regulation promulgated pursuant to paragraph (3), any civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or section 1176 of the Social Security Act (42 U.S.C. 1320d–5) insofar as such section relates to privacy or security shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act.”

Experts may argue whether this represents a conflict of interest.  Many believe this funding mechanism represents a way to make compliance and safeguarding this sensitive information more of a “main street” issue. President Trump has proposed significant budget cuts for OCR and some have surmised that the fines and penalties collected by OCR might replace that funding and provide for the hiring of contractors to help with enforcement.

  2. Leon, since the audit program only audited a very small number of CEs/BAs, is there a plan to enforce an audit program that will actually have the effect of pushing CEs/BAs to actually follow compliance, give them a reason, and let them know OCR actually cares and is truly trying to enforce this?

Answer: Although we expect, and the regulations require, that OCR establish a permanent audit program, the timing and size of that program has not yet been established. In working with organizations subjected to enforcement actions, we’ve noticed that OCR uses the Phase 2 audit protocol when investigating a complaint or breach, beyond the cause of the complaint or breach… meaning that OCR uses these opportunities to determine the organization’s broader level of compliance and security.  OCR appears to be trying to strike a balance between “reasonable diligence” and “willful neglect.”  The fines are much bigger when no effort has been made at compliance or remediating known risks.

  3. Does Leon think there will be more enforcement, which would drive compliance for entities that have no fear of an audit, other than a random or security incident/breach?

Answer: The audits, as you know, are relatively few in number. But keep in mind that OCR has fixed their case-tracking systems (as requested by OIG) and has been investigating organizations with multiple breaches, and increasing fines when no or insufficient mitigation has been undertaken. In addition, 9 of the 51 settlements (almost 20%) to date have been initiated as a result of complaints. And complaints have been steadily increasing following the implementation of the on-line portal. In fact, in 2016, complaints received by OCR equated to approximately 60 a day. As a result, we can see that enforcement is increasing, both in number and in size of penalties associated with settlement agreements.

  4. Does the OCR plan on defining policy attestation in a way that clearly helps organizations determine who should be attesting to what? We have privacy, security and breach policies (hundreds) where it’s difficult to determine exactly who should be reviewing/signing for attestation.

Answer: We’re not clear on what’s behind this question:

  • If this question is related to a CAP, it is typically written in the CAP that the “owner or officer” of the organization must attest to the completeness of the requirement.
  • If this question is related to the development of P&Ps under a CAP, and the signature of the person having reviewed and/or approved it, that person might be the Compliance Officer, Security Officer and/or Privacy Officer, or Legal Counsel as appropriate for the organization – but OCR would not have specific requirements related to the individual’s level or title.
  • If this question is related to the following: CMS has legal authority under Title XVIII of the Social Security Act to require health care providers to meet the legal requirements of the civil rights nondiscrimination statutes and regulations enforced by OCR in order to participate in the Medicare Part A program. Medicare Part A providers are required to sign an attestation of their compliance with all applicable civil rights laws enforced by OCR (including Title VI of the Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 1973, Title IX of the Education Amendments of 1972, the Age Discrimination Act of 1975, and Section 1557 of the Affordable Care Act). This attestation is referred to as an Assurance of Compliance, and it can be found on the HHS website (Form HHS-690). New applicants for Medicare funding and current providers undergoing a change of ownership are responsible for submitting this attestation electronically to OCR via the Assurance of Compliance Portal.

  5. Do you have any insight on the audits sent last year? Findings were expected by the end of December 2016 but the practice I consult with has not received any additional correspondence.

Answer: At the HIMSS 17 conference in February, Deven McGraw, deputy director of OCR, indicated that the onsite audits have been delayed in order to assess the results of the desk audit process. She also indicated that OCR was beginning to finalize reports on the covered entity desk audits that they hoped would be shared with those organizations “in the next few weeks” at which point OCR would start the drafting of the reports on the business associate desk audits. “The commitment I’m making to folks is to be transparent about where we are in the process and to give folks a better estimate as soon as we can.” You might try calling.

  6. Many settlements published now are for investigations that began as far back as 2012. Does OCR publish how many investigations are ongoing – i.e. how many potential settlements are forthcoming?

Answer: We have not seen nor do we expect a disclosure of ongoing investigations. Since fixing their case-tracking systems, OCR appears to be going back to find organizations with multiple breaches in the past, perhaps in order to find out what work has been done to remediate gaps.  Unlike the treatment of complaints, OCR does not reveal how many investigations are ongoing and would not guess at how many settlements might result.  The OCR budget was increased $4 million to $43 million in 2017 in order to support the audit program mandated by the HITECH Act.  And fines and penalties from settlement agreements do transfer to OCR’s budget.  We may assume that the investigators are doing faster research due to the improved tracking system and the Phase 2 Audit Protocol provides them with the right questions to ask, so we believe that there will be an increase in the number of investigations.  Do keep in mind, however, that the follow-up to the Corrective Action Plans consumes significant resource time as well.

  7. Questions regarding Likelihood and Impact seem subjective – Is OCR looking for evidence that threats were merely being considered?

Answer: Until we move to more quantitative risk analysis methodologies, yes, assessing Likelihood and Impact will be subjective. It is important for organizations to define these terms and to train and “calibrate” their risk analysts in the use of their Likelihood and Impact rating scales.

In OCR’s Final Guidance on Risk Analysis, OCR provides “several elements a risk analysis must incorporate, regardless of the method employed.” Regarding “Likelihood”, the guidance notes that “the Security Rule requires organizations to take into account the probability of potential risks to ePHI,” which should include “documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of ePHI of an organization.” We would suggest examining the causes of breaches and complaints at other organizations against your own organization’s vulnerabilities, as well as the causes of incidents or breaches within your own organization.

Regarding “Impact”, the Guidance states, “An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.” A qualitative method may involve a scale of critical, high, medium, low. A quantitative method may be calculated using the model offered for free from the ANSI webstore. “The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization.”

  8. Will you cover appropriate types/formats/templates of documentation of remediating RA findings? What does the OCR expect for documentation?

Answer: We know from reading the details of OCR Resolution Agreements / Corrective Action Plans that following the conduct of a Risk Analysis, OCR is looking for a documented “Risk Management Plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis. The Plan shall include a process and timeline for implementation, evaluation and revisions.” The organization will then “annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by [the organization] and document the security measures implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.” OCR has provided no guidance regarding format or suggested templates. We would recommend that, when assessing mitigation activities following a risk analysis, documentation be retained for:

  • the information used for the decision on mitigation, including
    • the total cost of implementing controls and
    • the residual risk that would remain after their implementation
  • and, ultimately, the reason(s) for implementing or not implementing those controls.
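
As an added illustration (not part of the original post and not Clearwater’s software), here is a small Python risk register that ties together the two points above: defined Likelihood and Impact rating scales applied to each threat/vulnerability combination, and a documented control decision with its cost, residual risk and reason. The scales, level thresholds and sample entries are constructed assumptions, not OCR’s.

```python
# Rating scales are assumptions for this example; each organization must define,
# document and calibrate its own, as the text above stresses.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LEVELS = ((9, "critical"), (6, "high"), (3, "medium"), (0, "low"))  # assumed thresholds

def risk_score(likelihood: str, impact: str) -> int:
    """Rating for one threat/vulnerability combination = likelihood x impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: int) -> str:
    """Map a numeric score back to a qualitative level on the assumed thresholds."""
    return next(level for floor, level in LEVELS if score >= floor)

def assess(item: dict) -> dict:
    """One register row: inherent risk, proposed control and its cost, residual risk,
    and the decision with its reason (the items the text above says to retain)."""
    inherent = risk_score(item["likelihood"], item["impact"])
    residual = risk_score(item["residual_likelihood"], item["residual_impact"])
    return {
        "asset": item["asset"], "threat": item["threat"], "vulnerability": item["vulnerability"],
        "inherent_score": inherent, "inherent_level": risk_level(inherent),
        "control": item["control"], "control_cost": item["control_cost"],
        "residual_score": residual, "residual_level": risk_level(residual),
        "decision": f'{item["decision"]}: {item["reason"]}',
    }

def risk_register(items: list[dict]) -> list[dict]:
    """Assess every combination; sort by inherent score so the worst comes first."""
    return sorted((assess(i) for i in items), key=lambda r: -r["inherent_score"])

# Constructed sample combinations (not from the page or any real assessment).
SAMPLE = [
    dict(asset="EHR database server", threat="malware", vulnerability="unpatched OS",
         likelihood="medium", impact="critical", control="monthly patch cycle", control_cost=8000,
         residual_likelihood="low", residual_impact="critical", decision="implement",
         reason="patching lowers likelihood; impact of a compromise is unchanged"),
    dict(asset="clinic laptop", threat="theft or loss", vulnerability="no full-disk encryption",
         likelihood="high", impact="high", control="full-disk encryption", control_cost=1200,
         residual_likelihood="high", residual_impact="low", decision="implement",
         reason="loss remains likely, but encrypted ePHI is unreadable"),
    dict(asset="fax server", threat="power failure", vulnerability="no UPS",
         likelihood="low", impact="low", control="add UPS", control_cost=600,
         residual_likelihood="low", residual_impact="low", decision="accept",
         reason="control does not change the rating; residual risk is already low"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(row["asset"], row["inherent_level"], "->", row["residual_level"], "|", row["decision"])
```
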

  9. I didn’t think the audits resulted in fines? Are the fines related to HIPAA violations or a result of the OCR audits?

Answer: Civil money penalties or negotiated settlement amounts are typically the result of HIPAA violations. An audit may trigger further action by OCR.  OCR published this FAQ on their website: What Happens After an Audit?  “Audits are primarily a compliance improvement activity. OCR will review and analyze information from the final reports. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public. In the event OCR receives such a request, we will abide by the FOIA regulations.”

  10. I read in an OCR email that a CE was fined in spite of the fact they had the issue resolved. They still got fined because they didn’t do it back in 2013. Can OCR go back before you have proper risk analysis in place?

Answer: To the specific question of how far back in time OCR can request documentation and/or evidence of a proper risk analysis: OCR can request it for the prior 6 years. Please reference the HIPAA Security Rule at 45 C.F.R. §164.316(b)(2)(i), Time limit (Required): “Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

We have seen the following language in OCR investigation letters and data requests: “Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”

Stay tuned for Part 6 of the Questions and Answers from the May 3rd web event entitled “WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez”

Now what?

  1. Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.
  2. Learn the definition of an information asset.
  3. View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
  4. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
  5. Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.