Long Term Care (LTC) facilities are increasingly targeted by criminals who seek to profit by infecting LTC computer systems with ransomware. Ransomware is a type of software that restricts access to infected computer systems by encrypting data, even across multiple servers. It can be impossible to decrypt those files without the encryption key. Criminals then demand payment of a ransom in exchange for the encryption key.
Ransomware and other types of cyber-attacks on LTC and other health care providers are likely increasing for at least two reasons. First, providers may be viewed as soft targets without robust computer system security or backup systems. Second, because of the private nature of the protected health information contained in providers’ computer systems, providers may be viewed as more willing to promptly pay whoever is holding the files containing that information hostage.
HIPAA may require covered entities and their business associates to provide notification following a breach of unsecured protected health information. A breach is a defined term, constituting an impermissible use or disclosure of covered information that compromises the security or privacy of the protected health information (PHI). In the case of ransomware, which can sometimes lock up PHI without any evidence that the PHI was used or disclosed, an entity’s HIPAA notification obligations must be analyzed on a case-by-case basis. Regardless of whether a particular ransomware incident requires notification, the incident can create public relations problems for health care providers. The first half of this year has brought with it an increasing wave of ransomware incidents that have been widely reported and scrutinized. It was reported that in February, a ransomware called “Locky” infected Hollywood Presbyterian Medical Center in Los Angeles, which took computers offline for a week, and the next month, the same strain of ransomware infected Methodist Hospital in Henderson, Kentucky.
While the ransomware threat is increasing, there are steps LTC providers should take to help deal with that threat.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun Phase 2 of its efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. According to OCR, it will use the information obtained from the audits to develop tools and guidance to help covered entities with self-evaluation compliance and breach prevention.
OCR launched Phase 1 in 2011 as a pilot program, which involved an evaluation of certain covered entities to determine HIPAA compliance (or lack thereof). Now, with its Phase 2 audit program, OCR will go further, reviewing policies and procedures adopted and employed by covered entities and their business associates to comply with the Privacy, Security and Breach Notification Rules. Phase 2 begins with OCR sending emails to covered entities and business associates requesting verification of addresses and contact information. HHS has cautioned that “communications from OCR will be sent via email and may be incorrectly classified as spam” and it expects “entities to check their junk or spam email folder for emails from OCR.” If you receive such an email, respond promptly. OCR has also made available a sample of its initial Phase 2 automated communication, which can be found at here.
As Phase 2 progresses, OCR will send covered entities a pre-audit questionnaire. The questionnaire will seek data about the size, type and operations of covered entities. OCR will use that, and other data, to help create groups of potential auditees. In advance of receiving the questionnaire, you should update your list that includes the identity of your business associates and their contact information. Every covered entity and business associate is eligible for an audit.
Next, OCR will conduct two rounds of “desk audits,” which it plans to complete by the end of 2016. The desk audits will focus on compliance with specific requirements of the Privacy, Security and Breach Notification Rules. As part of that process, OCR will send auditees a request for specific documents related to the entities’ implementation and compliance with these rules. OCR may decide to not consider documents that were prepared only after the audit process began. Accordingly, covered entities that have not already prepared implementation and compliance documents should do so immediately.
OCR will then launch a third set of Phase 2 audits, which will be onsite, each lasting three to five days in length. The onsite audits will be fewer in number than the desk audits, and they are expected to examine a broader scope of requirements from the HIPAA Rules than will the desk audits. Some desk auditees may be subject to a subsequent onsite audit as well.
OCR auditors will review information and documentation provided by audited entities. Entities that are subject to either a desk or onsite audit will have 10 business days to submit written comments and responses to the draft findings, and those responses will be included in a final audit report. It is critical that covered entities begin preparing now for possible inclusion in the group of desk or onsite audits. If an audit report indicates a serious compliance issue, OCR may initiate a compliance review to further investigate. Keep in mind that under the Freedom of Information Act (FOIA), OCR may be required to release audit information in response to public requests. This could have long-term reputational consequences to audited covered entities. In addition, OCR has been increasingly active in addressing data breach violations, including a recent $850,000 settlement related to the theft of an unencrypted laptop containing ePHI.
Before proceeding, please note: If you are not a current client of Lane Powell PC, please do not include any information in this email that you or someone else considers to be confidential or secret in nature. Prior to the establishment of a lawyer-client relationship, unsolicited emails from non-clients containing confidential or secret information cannot be protected from disclosure.