HIPAA or CCPA: Mistakes in Patient Privacy will Cost You

Many companies are still not implementing basic cybersecurity protections and with increased enforcement actions and new laws in effect, the scrutiny and exposure they may face is increasing.

Specifically, health care providers, insurers, and related entities may see increased enforcement actions by the Office for Civil Rights (OCR) at Health and Human Services (HHS) this year. The health care industry still has challenges following the requirements of the Health Insurance Portability and Accountability Act (HIPAA), and the OCR reiterated recently that enforcement is crucial even while self-compliance by the industry is still taking shape. But HIPAA is not the only privacy act that covered entities need to watch. In January, the California Consumer Privacy Act (CCPA) ushered in new requirements that may apply to entities also covered by HIPAA - even though the CCPA has a carve-out for HIPAA.

Entities managing protected health information (PHI) should be aware of simple privacy compliance requirements they may not be following. Director of the OCR, Roger Severino, warned recently that entities are missing out on some of the basics of HIPAA's requirements, leaving them vulnerable to costly enforcement actions. In a recent interview with Law360, Severino called for health care entities and their business associates to take these requirements seriously – and he means business. In 2019, the OCR appeared to focus on smaller dollar amount enforcement actions with a record number of such settlements, and Severino hinted that 2020 will likewise bring a substantial number of actions.

HIPAA, the 1996 legislation that mandated privacy regulations of personal health information, applies to entities that handle electronic health information. This includes every health care provider, regardless of size, that transmits health information electronically. Covered entities are advised to conduct a sweeping analysis of privacy policies and compliance with HIPAA. These are the main areas of concern for Severino.
PHI is some of the most valuable personal information out there, making it especially vulnerable to cyber-attacks. Securing and protecting it from disclosure should be an area of concern to everyone - and it is one fraught with potential enforcement actions against non-compliant entities. Front end risk analysis is a crucial first step for entities to assess the state of their security, identify areas in need of improvement, and stay informed of their progress towards meeting HIPAA requirements. For example, entities should update and enforce stricter password policies and implement privacy training for people with access to PHI. In the interview, Severino specifically cautioned against doctors and nurses accessing patient records out of curiosity. This is something health care entities could address in the privacy training for staff.

Monitoring and reporting on system activity

Entities should be sure to actually conduct system activity reviews. HIPAA mandates an electronic method to detect cyber-attacks or intrusions, but that's not enough. Severino said that entities that have those protections in place are not actually checking the activity logs. Perhaps worse, he said that some entities are checking the logs and monitoring system activity, but violate HIPAA by failing to report data breaches. Reporting data breaches to the OCR, Severino says, is a standard duty of covered entities - but they are not following through. Failure to report a breach is a sign that an entity may be trying to cover it up or prevent OCR from finding out that the entity's security fell short of HIPAA compliance. Either case could result in stricter enforcement, less leniency, and higher monetary penalties.

Patient access

HIPAA codified and made enforceable patients' rights to access their own medical records. This right of access was a paramount interest to the OCR and was the subject of the OCR's first two enforcement actions in 2019. Severino commented that he thought patients were not being guaranteed access to medical records.

Regarding the CCPA, even health-care-related entities should pay attention. PHI is not subject to the CCPA because of a HIPAA-specific carve-out, and there is another carve-out for "patient information" maintained by HIPAA-covered entities in the same manner as PHI. But that doesn't mean health-care-related entities should dismiss the CCPA. The carve-out for "patient information" does not apply to business associates of covered entities, unlike the carve-out for PHI. Plus, it is unlikely that covered entities actually maintain "patient information" in the same way they maintain PHI, so a HIPAA-covered entity that is also within the scope of the CCPA should check what kinds of data it collects and how it maintains that data. Data that identifies an individual patient and is not PHI should be handled consistently with the CCPA requirements. PHI that has been de-identified should still be analyzed under the CCPA because HIPAA's de-identification requirements are different, so data that is no longer PHI under HIPAA because of de-identification may still be personal information as defined by the CCPA.

Companies that collect the data of individuals, whether it is PHI or PII or personal information, need to do the back-end risk analysis and put in place the appropriate, mandated protections. As the laws become increasingly complex, regulators are more and more sophisticated and are not hesitating to enforce.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit