menu
  • Our Story

    • Overview
    • Careers
    • Locations
    • Diversity, Equity & Inclusion
    • Pro Bono
    • Community Involvement
    • Firm Leadership
    • History
    • Alumni
    • Affiliations
    • Media Inquiries
    • Make a Payment
  • Our People

  • Our Insights

    • Events/CLE
    • Publications
    • News
    • Blogs
  • Our Practices & Industries

    • Business
      • Business Transitions
      • Construction
      • Corporate, Securities, and M&A
      • ERISA, Life, Health & Disability
      • Finance & Banking
      • Health Care Transactions
      • Immigration
      • Intellectual Property Transactions
      • Labor, Employment & Benefits
      • Private Investment Funds
      • Private Client Services
      • Real Estate
      • Startups & Venture Capital
      • Tax
      • Wage & Hour
    • Litigation
      • Antitrust, Competition & Trade
      • Appellate
      • Class Actions
      • Commercial Litigation
      • Construction
      • Creditors' Rights & Bankruptcy
      • Electronic Discovery, Technology & Strategy
      • ERISA, Life, Health & Disability
      • Fiduciary Litigation
      • Financial Institutions Litigation & Investigations
      • Insurance
      • Intellectual Property Litigation
      • International Arbitration
      • Labor, Employment & Benefits
      • Securities & Corporate Governance Litigation
      • Wage & Hour
    • Industries
      • Blockchain & Cryptocurrency
      • Food, Beverage & Hospitality
      • Government Law
      • Investigations, Compliance & White Collar
      • Japan Practice
      • Nonprofit & Social Enterprise
      • Privacy & Data Security
      • Senior Living & Long Term Care
      • Transportation
    • Services
      • COVID-19 Landlord/Tenant Response Team
      • COVID-19 Resource Center
      • Business Dispute Resolution
  • Our Locations

    • Anchorage
    • Portland
    • Seattle
  • Our Careers

    • Attorneys
    • Summer Associates
    • Professional Staff
  • Our Diversity

    • Diversity, Equity & Inclusion
    • Our Story
Lane Powell Web Site
  • OUR PEOPLE
  • STORY
  • INSIGHTS
  • PRACTICES & INDUSTRIES
Search
  • 日本語
  • 中文
  • 한국어
Email this pagePrint this pagePrint to PDF

Topics

  • Privacy & Data Security
  • Senior Living & Long Term Care

Related People

  • Jeff (Brecht) Duncan

Related Practices & Industries

  • Privacy & Data Security
  • Senior Living & Long Term Care
May 5, 2016Publication

Increased Ransomware Attacks and Phase 2 HIPAA Audits: Two Closely-Related Issues for Long Term Care Providers

Lane Powell White Paper

Long Term Care Provider Data Targeted and Held Hostage by Malicious Software

Long Term Care (LTC) facilities are increasingly targeted by criminals who seek to profit by infecting LTC computer systems with ransomware. Ransomware is a type of software that restricts access to infected computer systems by encrypting data, even across multiple servers. It can be impossible to decrypt those files without the encryption key. Criminals then demand payment of a ransom in exchange for the encryption key.

Why Target LTC Providers?

Ransomware and other types of cyber-attacks on LTC and other health care providers are likely increasing for at least two reasons. First, providers may be viewed as soft targets without robust computer system security or backup systems. Second, because of the private nature of the protected health information contained in providers’ computer systems, providers may be viewed as more willing to promptly pay whoever is holding the files containing that information hostage.

Notification and Publicity

HIPAA may require covered entities and their business associates to provide notification following a breach of unsecured protected health information. A breach is a defined term, constituting an impermissible use or disclosure of covered information that compromises the security or privacy of the protected health information (PHI). In the case of ransomware, which can sometimes lock up PHI without any evidence that the PHI was used or disclosed, an entity’s HIPAA notification obligations must be analyzed on a case-by-case basis. Regardless of whether a particular ransomware incident requires notification, the incident can create public relations problems for health care providers. The first half of this year has brought with it an increasing wave of ransomware incidents that have been widely reported and scrutinized. It was reported that in February, a ransomware called “Locky” infected Hollywood Presbyterian Medical Center in Los Angeles, which took computers offline for a week, and the next month, the same strain of ransomware infected Methodist Hospital in Henderson, Kentucky.

What Now?

While the ransomware threat is increasing, there are steps LTC providers should take to help deal with that threat.

  • Assessment: HIPAA requires covered LTC providers to conduct a risk analysis and to implement a risk management program. This means covered entities must implement a risk management program that, among other things, identifies ePHI data usage and systems; identify gaps (or potential gaps) in compliance; implement and constantly review data breach response plans; determine whether the covered entity (and its vendors and business associates) are adequately insured to cover risks associated with cyber-attacks; and train employees on security awareness. As part of the assessment, covered entities should also identify a data breach response team.
  • Review: HIPAA also requires covered entities to regularly review data security policies and procedures and to make appropriate changes.
  • Document Efforts: Make sure to document all the steps you take to comply with HIPAA and to prepare for a ransomware/data breach incident.

Phase 2 HIPAA Audits Underway

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun Phase 2 of its efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. According to OCR, it will use the information obtained from the audits to develop tools and guidance to help covered entities with self-evaluation compliance and breach prevention.

OCR launched Phase 1 in 2011 as a pilot program, which involved an evaluation of certain covered entities to determine HIPAA compliance (or lack thereof). Now, with its Phase 2 audit program, OCR will go further, reviewing policies and procedures adopted and employed by covered entities and their business associates to comply with the Privacy, Security and Breach Notification Rules. Phase 2 begins with OCR sending emails to covered entities and business associates requesting verification of addresses and contact information. HHS has cautioned that “communications from OCR will be sent via email and may be incorrectly classified as spam” and it expects “entities to check their junk or spam email folder for emails from OCR.” If you receive such an email, respond promptly. OCR has also made available a sample of its initial Phase 2 automated communication, which can be found at here.

As Phase 2 progresses, OCR will send covered entities a pre-audit questionnaire. The questionnaire will seek data about the size, type and operations of covered entities. OCR will use that, and other data, to help create groups of potential auditees. In advance of receiving the questionnaire, you should update your list that includes the identity of your business associates and their contact information. Every covered entity and business associate is eligible for an audit.

Next, OCR will conduct two rounds of “desk audits,” which it plans to complete by the end of 2016. The desk audits will focus on compliance with specific requirements of the Privacy, Security and Breach Notification Rules. As part of that process, OCR will send auditees a request for specific documents related to the entities’ implementation and compliance with these rules. OCR may decide to not consider documents that were prepared only after the audit process began. Accordingly, covered entities that have not already prepared implementation and compliance documents should do so immediately.

OCR will then launch a third set of Phase 2 audits, which will be onsite, each lasting three to five days in length. The onsite audits will be fewer in number than the desk audits, and they are expected to examine a broader scope of requirements from the HIPAA Rules than will the desk audits. Some desk auditees may be subject to a subsequent onsite audit as well.

OCR auditors will review information and documentation provided by audited entities. Entities that are subject to either a desk or onsite audit will have 10 business days to submit written comments and responses to the draft findings, and those responses will be included in a final audit report. It is critical that covered entities begin preparing now for possible inclusion in the group of desk or onsite audits. If an audit report indicates a serious compliance issue, OCR may initiate a compliance review to further investigate. Keep in mind that under the Freedom of Information Act (FOIA), OCR may be required to release audit information in response to public requests. This could have long-term reputational consequences to audited covered entities. In addition, OCR has been increasingly active in addressing data breach violations, including a recent $850,000 settlement related to the theft of an unencrypted laptop containing ePHI.

Before proceeding, please note:  If you are not a current client of Lane Powell PC, please do not include any information in this email that you or someone else considers to be confidential or secret in nature.  Prior to the establishment of a lawyer-client relationship, unsolicited emails from non-clients containing confidential or secret information cannot be protected from disclosure.

back to top
  • Our Story

    • Overview
    • Careers
    • Locations
    • Diversity, Equity & Inclusion
    • Pro Bono
    • Community Involvement
    • Firm Leadership
    • History
    • Alumni
    • Affiliations
    • Media Inquiries
    • Make a Payment
  • Our People

    • Our Insights

      • Events/CLE
      • Publications
      • News
      • Blogs
    • Our Practices & Industries

      • Business
      • Litigation
      • Industries
      • Services
      • View All

    Blogs

    Boom: The ERISA Law Blog
    Earth & Table Law Reporter

    • Site Map
    • Disclaimer
    • Data Privacy & Security
    • Contact Us
    • Subscribe
    © 2023 Lane Powell PC Lane Powell & LP
    Logo, Reg. U.S. Pat. & Tm. Off.
    Sitemap
    Connect With Us
    • Twitter
    • Facebook
    • Linkedin
    • Vimeo
    • Make a Payment