Understanding and Avoiding OCR Investigations

Posted by Mark Greisiger

A Q&A with Lynn Sessions of Baker Hostetler
In enforcing the HIPAA/HITECH regulations, the Department of Health and Human Services’ Office of Civil Rights (OCR) has been coming down on healthcare organizations with recent fines of US $1.7 million, and yet the OCR and its investigations remain an area of mystery for many organizations. I asked Lynn Sessions, counsel at Baker Hostetler in Houston, TX, for some perspective on OCR’s process for ensuring data security and privacy compliance in healthcare.

In defending clients from an OCR inquiry, what are some of the shortcomings you often see in the data protection efforts that may increase the scorn of the government?
Some of the biggest concerns are an incomplete risk assessment or one that was created several years ago and shelved, a risk management plan that’s not followed or maintained, a lack of an incident response plan, and a lack of organizational support for information security projects. We also see issues with organizational silos in communication, where the people who work in compliance and privacy may not talk to risk management or information security or IT—and all of those people should be talking. Many organizations have data encryption but they don’t have encrypted Blackberrys or laptops or backup tapes. This is important because with some insurance companies, if the data isn’t encrypted, you fall out of coverage. The OCR has come back to some of our clients who had encryption, to point out that there were still laptops that were not encrypted. On the other hand, many organizations say ‘we don’t have to worry because we encrypted,’ but they still have to document what they did with the encrypted devices, that they met safe harbor requirements, and that a risk of harm analysis was conducted in relation to devices.

Explain at a high level how the OCR investigation process may work, from notice letter to enforcement penalty.
After a data breach incident, the OCR will send out a letter to the covered entity that includes approximately 20 different requests for information. It typically starts out broadly–they’re looking to see whether or not the entity is compliant. They narrow the requests more and more as they look at documents in an increasingly detailed fashion. It’s amazing how, by going down what seems like an unrelated rabbit hole, they may find a smoking gun. We’ve worked with several clients whose investigations go back to 2011 breach incidents and are now on the third round of questions from OCR, and investigations from 2010 that are now on their sixth round of questions. We haven’t had to go to the penalty phase yet with any of our clients, but we anticipate that if the OCR found a lack of compliance, the client would be assessed and given a penalty for the violations and the OCR and the organization could take it into settlement to come up with some kind of corrective action plan and fines. The fines are usually proportionate to the size of the organization and the violation. Still, you want to avoid this at all costs: At the point of a penalty, there is always a public announcement that gets picked up by industry publications. Once you’ve been fined, you will have the OCR looking over your shoulder for the next few years. We’ve also heard that in the coming years the fines could be growing, up into the eight-figure range.

Are there one or more key areas that OCR or state attorneys general have been focused upon for most breach incidents?
Mobile devices are still a very hot topic for OCR, as they are for state attorneys general. Third-party compliance is another one. We saw recently that the Massachusetts attorney general fined a healthcare organization where a third party had disposed of records in a dumpster. That’s not necessarily a typical finding, but it’s something we’ve seen.

HIPAA/HITECH leaves some gray area with regard to its classifications of safeguard measures. Can you explain what “addressable” means versus “required” and can HHS/OCR regulators or state attorneys general have different interpretations of the regulation when it comes to a breach incident?
What we’re hearing from OCR is that just because it says it’s “addressable” doesn’t mean you have an option of addressing the issue. You can check the box choosing not to address encryption because it’s not required but what OCR is saying is that if you choose not to, you should have a risk analysis as to why the unencrypted data is still safe. If you haven’t documented what you’re doing to protect the PHI, then the OCR can still come after you. This is important in healthcare, because some devices can’t be encrypted—we’ve heard vendors say that in the case of some medical equipment, patient safety could be compromised by encryption. OCR would say that just because you haven’t encrypted it, doesn’t mean you can’t have other safeguards in place. As long as you can demonstrate what you’ve done to protect the information and you’ve documented those processes, you have some protection.

In conclusion…
The issue of protecting healthcare-related data will only get more attention from regulators and plaintiff lawyers in the coming years. It is advisable for any company worried about safeguarding private health information (PHI) to be proactive and fully assess (document) its enterprise information security posture. But companies should still expect the inevitable bad event (breach) and have a response plan in place that includes a relationship with leading counsel, like Lynn Sessions, to guide them through the labyrinth of Federal regulations (HIPAA) and state laws (which can be gray). Ideally, legal counsel should also have a working relationship with enforcement regulators to better represent the victimized company and improve the outcome of any regulatory investigation.