Office For Civil Rights Posts HIPAA Phase II Audit Guidance and Advocate Health Care Settlement Information – The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently uploaded two items of interest: information regarding the largest penalty to date against a single entity, Advocate Health Care Network (“Advocate”), and HIPAA Phase II Desk Audit guidance materials.
Advocate Health Care Pays $5.55 Million Settlement and Adopts Corrective Action Plan
Advocate has agreed to pay $5.55 million in penalties and adopt a two-year corrective action plan to settle multiple potential violations of HIPAA. According to the OCR, this is the largest penalty against a single entity to date. The resolution and corrective action plan are available here.
OCR’s investigation of Advocate began in 2013 after the company reported three separate breaches involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals and were caused by:
- The theft of four desktop computers from an AMG administrative office building;
- Unauthorized third-party access of AMG’s billing service provider’s (Blackhawk Consulting Group or “Blackhawk”) network; and
- The theft of an unencrypted laptop containing the ePHI from an AMG workforce member's vehicle.
According to OCR, the breach investigation revealed that Advocate failed to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI as part of its HIPAA compliance program;
- Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
- Enter a business associate agreement with Blackhawk leading to the impermissible disclosure of PHI from AMG to Blackhawk; and
- Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
2016 Phase II HIPAA Desk Audit Guidance
OCR recently posted guidance documents for the 2016 Phase II HIPAA Desk Audits (“Desk Audits”), namely:
- Selected Desk Audit protocol elements with the document requests for each element (“Document Request List”) and related Q&As (collectively, the “Protocol”);
- Slides from the July 13, 2016 informational webinar for audited entities (“Webinar Slides”); and
- Comprehensive question and answer listing (“Q&A List”).
The Document Request List offers insight into the kinds of documentation OCR expects in response to the Desk Audit (and audits generally) and what level of documentation is generally considered necessary for HIPAA compliance. The level of documentation OCR expects may take some covered entities and business associates by surprise. For example:
- For Security Rule risk management processes, OCR requests:
- Policies and procedures regarding the entity's risk analysis and risk management processes;
- Documentation demonstrating the efforts used to manage risks from the previous calendar year; and
- Documentation demonstrating the security measures implemented to reduce risks as a result of the current risk analysis or assessment.
- Policies and procedures regarding the entity's risk analysis and risk management processes;
- For Privacy Rule compliance, OCR requests:
- All documentation for the first five access requests of the year and evidence of fulfillment; and
- All documentation for the last five access requests for which the entity extended the time for response to the request; and any template request and response letters and policies and procedures related to access requests.
- All documentation for the first five access requests of the year and evidence of fulfillment; and
The Webinar Slides are from OCR’s July informational webinar for audited entities regarding the Desk Audit process. According to the Webinar Slides, OCR anticipates business associate desk audits will commence in the fall (likely late September). The slides further instruct that these audits may include covered entities and business associates that were subject to the desk audits, as well as newly selected entities that were not part of the desk audit process. Most business associates will be selected from the pool identified by covered entities in their responses to the Desk Audits.
The Webinar Slides indicate that once the Desk Audits are complete, OCR will start the on-site audits in early 2017. Notification for the on-site audits is expected in late fall. These audits will involve a comprehensive set of HIPAA compliance controls. For this reason, covered entities and business associates should prepare for the upcoming on-site audits using the full 2016 Audit Protocol.
The Q&A List contains questions and answers directly related to the Desk Audit process itself and provides general explanations of what OCR considers appropriate documentation to support requests. For example, OCR explains that it wants to see pictures (with the text visible) of required Notices of Privacy Practices hanging on the walls at covered entities’ facilities in addition to paper copies. As another example, OCR indicates it expects current Security Rule risk analyses to be uploaded, and is not concerned about the information becoming public under the FOIA due to the exemption protecting trade secrets and financial information.
While OCR states the Phase II Audits are a compliance tool, and are not intended to be an enforcement tool, multiple recent high-dollar settlements and Resolution Agreements (which now include both covered entities and business associates) indicate OCR is trending toward a higher rate of HIPAA enforcement and higher penalties.
The Protocol, Webinar Slides and Q&A List are available here.
Reporter, Lara Compton, Los Angeles, +1 213 443 4369, lcompton@kslaw.com.
U.S. Business Groups Urge China to Revise “Onerous” Draft Cybersecurity Rules – On August 10, 2016, more than 40 international business associations spanning finance, information technology, insurance, and manufacturing urged the Chinese government to revise drafts of new cybersecurity regulations. Led by industry associations from Asia, Australia, Mexico, Europe, and the United States, the groups sent a letter to Chinese premier Li Keqiang expressing concerns with draft provisions that would require foreign companies to store data in China, assist law enforcement with investigations, and subject information technology products to government security reviews. According to news outlets that reviewed the letter, the groups believe the draft regulations are “onerous” and “may constitute barriers to trade as defined by the World Trade Organization.” Further, the groups wrote that the draft regulations “have no additional security benefits but would impede economic growth and create barriers to entry for both foreign and Chinese companies.”
The controversial draft cybersecurity regulations come less than a year after foreign business groups and governments lobbied against similar provisions in a Chinese anti-terrorism law and draft rules concerning financial institutions’ IT purchases. While the anti-terrorism law was passed in December 2015, and required technology providers to help decrypt certain information at the government’s request, it stopped short of requiring companies to provide the government with encryption keys or other “backdoors” into their systems. Some of the concerns with the draft cybersecurity regulations currently being considered relate to what is seen as an attempt by the Chinese government to reintroduce some of these more controversial requirements.
Reporter, Ehren K. Halse, San Francisco, +1 415 318 1216, ehalse@kslaw.com.
Location Data Poses Risks To Individual Privacy Says Irish Regulator – With the proliferation of location-based app services like traffic alerts and ride-sharing programs, the collection of consumers’ location information has exploded in recent years. It comes as no surprise, therefore, that the Office of the Data Protection Commissioner (“DPC”) in Ireland issued guidance last week on the collection of location data, warning individuals about the risks associated with information relating to their location and clarifying businesses’ obligations when collecting that data. The takeaways: most location-based data constitutes “personal data” and must be protected accordingly, some location-based data will be subject to enhanced protections as “sensitive personal data,” and businesses that collect or process location data should obtain informed consent before collecting consumers’ location information.
The DPC’s guidance classifies location-based data as “personal data” if it relates to a living person and if it is possible to identify that person (the “data subject”). Not surprisingly, location information connected to an individual’s name, phone number, or email address clearly constitutes personal data. Less obviously, data that reveals the location of an individual over a period of time could also be enough to identify the data subject. And it’s not just cell phones that can collect location information amounting to personal data. The location of a self-driving or “autonomous” vehicle, for example, would not normally be considered personal data, but if the autonomous vehicle carried a passenger that could be identified, the location data would constitute personal data relating to the passenger.
Location-based data that amounts to personal data is subject to Ireland’s Data Protection Acts of 1988 and 2003 (collectively, the “Data Protection Acts”), even where companies never intend to link the location data they collect to a particular person. Under the Data Protection Acts, businesses must refrain from “excessive collection or processing of data.” Essentially, businesses should both limit the amount of data gathered to only what is necessary to achieve their business purposes, and they should avoid retaining unnecessary location data. Although some location data will inevitably fall outside the purview of the Data Protection Acts, the DPC guidance noted that businesses collecting aggregated or anonymized data should take “extreme care” to prevent the identification of data subjects.
In addition, some location-based data will amount to “sensitive personal data,” which requires enhanced protection under the Data Protection Acts. Sensitive personal data includes information about a data subject’s religious or political beliefs, the subject’s physical or mental health, or information about the subject’s sexuality—and location-based data constitutes sensitive personal data if it is possible to discern any of the defined traits about the data subject from the data. Businesses might inadvertently collect data showing attendance at a place of worship or repeat hospital visits, for example, which could divulge information about a data subject’s religion or health. Businesses accordingly must take care to identify and protect sensitive personal data they collect.
To comply with the Data Protection Acts, companies must inform data subjects that their location data will be collected and/or processed, as well as give them the opportunity to opt in or opt out. Companies collecting data must take care to get informed consent from the data subject, as opposed to the owner of the device. Employer-provided cell phones and public computers are examples of instances where the device owner might be different from the device user. Alternatively, the Data Protection Acts permit the processing of data without the consent of the data subject in order to protect the “legitimate interests” of the data controller or a third party. However, the data processing cannot amount to an unwarranted infringement of the fundamental rights of the data subject.
In conjunction with its guide for businesses, the DPC also issued separate guidance to inform individuals about companies’ obligations when collecting location data, as well as educate individuals about their rights when it comes to location information.
Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.