Responding to Skyrocketing Cyber Attacks Managing Risk, Responding - - PowerPoint PPT Presentation



SLIDE 1

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Data Breaches in Healthcare: Responding to Skyrocketing Cyber Attacks

Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific THURSDAY, MARCH 24, 2016

Today’s faculty features:

  • Joshua Carlson, Principal, Joshua Carlson, P.A., Minneapolis
  • Richard DeNatale, Partner, Jones Day, San Francisco
  • Todd S. McClelland, Partner, Jones Day, Atlanta

SLIDE 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-927-5568 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

SLIDE 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

SLIDE 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

1. Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
2. Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
3. Double click on the PDF and a separate page will open.
4. Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

SLIDE 5

Data Breaches in Healthcare: Responding to Threat of Cyber Attacks

March 24, 2016

Richard DeNatale
Todd McClelland

SLIDE 6

Introduction

Numerous factors have combined to create a “perfect storm” of cybersecurity risk in the healthcare sector

  • External factors
    • Targeted by cyber criminals
    • Targeted by state actors
    • Black market for PHI
  • Systemic factors
    • Multiple points of entry create vulnerabilities
    • Culture of open information exchange creates security challenges
    • Some companies slow to invest in IT infrastructure and security

SLIDE 7

Introduction

Numerous factors have combined to create a “perfect storm”

  • Legal/regulatory factors
    • Highly regulated industry
    • Mandatory disclosure requirements
    • Regulators becoming more focused on enforcement
    • Aggressive and experienced plaintiffs’ class action counsel
    • Legal landscape may be shifting in favor of plaintiffs on standing and damages issues

SLIDE 8

Source: Verizon DBIR 2013-2015

SLIDE 9

Topics

I. Breach Preparedness Strategies
  A. Cyber risk assessments
  B. Vendor management
  C. Cyber Insurance

II. Responding to the Breach
  A. Effective response planning
  B. PHI reporting and notice obligations
  C. Damage mitigation
  D. Pursuing insurance recovery

III. Responding to an OCR investigation
  A. HIPAA and regulatory compliance
  B. Interacting with regulators
  C. Establishing investigation parameters
  D. Data protection

SLIDE 10

Cyber Risk Assessments

SLIDE 11

Key HIPAA Assessment Activities

  • Assessments are required under the HIPAA Security Rule. For example:
    • 164.308(a)(1)(ii)(A) – Conduct a risk analysis
    • 164.308(a)(1)(ii)(B) – Implement a risk management program
    • 164.308(a)(8) – Periodic evaluation

SLIDE 12

Key Assessment Activities

  • Risks and risk management program
  • Identify ePHI data flows and changes to systems
  • Compliance gap analysis and mitigation recommendations
  • Review Incident Response Plan(s)
  • Review applicable security policies and procedures
  • Meet key information security stakeholders
  • Review insurance policies
  • Review key vendor contracts and investigate “Shadow IT”
  • Data governance program review

SLIDE 13

Questions your risk assessment should help you answer

  • Where do you process, store, create or receive ePHI?
  • What are your “use cases”? What ePHI do you create or receive? How is it used?
  • What are the threats (internal and external) to your ePHI?
  • Is your data identified and classified?
  • Is someone reviewing your logs? How often?
  • Are you storing documentation related to your security program?
  • Who has access to your data?
  • Who is responsible for your information security program, especially w/r/t ePHI?
  • Is your data appropriately secured?
  • Are information/systems monitored?
  • What is the impact if information is lost, accessed or compromised?
  • Are you prepared for a breach?
  • How do you dispose of your data?
  • Who within your organization knows the answers to these questions?

SLIDE 14

Vendor Management

SLIDE 15

Due Diligence

  • Increasing due diligence
    • Senior management is becoming more aware of third party exposure
    • In large part arising from potential legal exposure and enforcement actions
  • Contracting parties are becoming more inquisitive
    • Questionnaires
    • Breach history
    • Security walk-throughs
    • Third party audit/assessment review
  • Substantiate due diligence was conducted
  • Spend is not the right metric for determining which deals get scrutinized.

SLIDE 16

Contracts

  • Privacy and security issues continue to be contentious in vendor contracts:
    • HIPAA compliance
    • Risk apportionment, insurance
    • Privacy and security representations, warranties and commitments
    • Breach notification
    • Audit rights
    • Changes / Governance
    • Cloud

SLIDE 17

Audits

  • Common after breach disclosures
  • Increasing actions against those who fail to regularly review their third party vendors
  • Customer/Vendor Tensions:
    • Frequency
    • Cost
    • Who conducts the audit
    • What level of access
    • Scope
    • Cloud services

SLIDE 18

Expectations for 2016+

  • Continuing push for risk assessment formalization that will include third party vendors.
  • More enforcement actions
  • More risk for companies that outsource their data processing activities
  • Growing complications with breach response, especially cloud.

SLIDE 19

Quick Hits

  • CISOs and counsel need to work more closely together when contracting with vendors.
  • Vendor day.
  • Stay tuned to laws that will affect vendor relationships.
  • Update dated vendor contracts to address privacy and security issues.

SLIDE 20

Cyber Insurance

SLIDE 21

Cyber Insurance

  • Insurance coverage has become a critical part of breach preparedness.
  • Three major shifts in U.S. insurance market over past decade:
    • New categories of emerging cyber risk
    • Development of new cyber policy forms
    • Exclusion of cyber/internet exposures from traditional policies
  • CGL Policies - Personal Injury Coverage
    • Traditionally covered “publication, in any manner, of material that violates a person’s right of privacy” – including claims involving electronic data transmitted over the internet
    • As of April 1, 2014, new exclusion added to standard ISO form barring coverage for data breach claims

SLIDE 22

Cyber Insurance

Cyber insurance policies cover five major categories of costs:

1. Third-party liability coverage for claims and lawsuits
  • Arising out of security breach, disclosure of PII/PHI, violation of company privacy policy
  • Covers cost of defense, settlement, or judgment

2. Regulatory coverage for government claims and investigations
  • Covers cost of defense, fines, or penalties
  • Make sure definition of “Claim” includes OCR investigations

SLIDE 23

Cyber Insurance

3. Event Management/Data Breach Response coverage
  • Covers cost of post-breach forensic and legal investigations

4. Privacy Notification Coverage
  • Covers cost of breach notice to affected individuals (customers, patients)
  • May cover credit monitoring or identity theft protection for affected individuals

5. First Party Coverage, akin to property insurance
  • Covers cost of restoring data and systems
  • Business interruption coverage for lost revenue

SLIDE 24

Cyber Insurance

Response Costs
  • Legal fees for breach response
  • Forensic investigation
  • Breach Notice
  • ID protection/credit monitoring

Legal Claims
  • Class action defense costs and settlement
  • Defense of government proceedings
  • Government fines/penalties
  • Card brand claims & assessments

Business Losses
  • Restoration of data
  • Lost revenue/business interruption
  • Extra expenses
  • Loss of goodwill / customer confidence

SLIDE 25

Cyber Insurance

  • Cyber policies are still in their infancy, which creates multiple challenges for buyers
    • Policies are extremely complex
    • Standard forms have not yet emerged.
    • Policies vary greatly in scope of coverage – some have clear deficiencies
    • Policies may contain onerous conditions and requirements that restrict coverage and create traps for the unwary
    • Many insurers now require a detailed review of the policyholder’s cyber preparedness as part of the underwriting process

SLIDE 26

Cyber Insurance

  • Recommendations for optimizing coverage
    • Take advantage of favorable market conditions to purchase more and better coverage
    • Review your cybersecurity profile before going to market
    • Consult with coverage counsel or broker experienced in data breach claims
    • Understand your existing policy – and its flaws
    • Understand which terms matter most in the event of a breach
    • Develop strategy to strengthen coverages via focused negotiations at renewal

SLIDE 27

Responding to the Breach: Effective Response Planning

SLIDE 28

Breach Preparedness

  • Tune up the incident response plan, and revisit after material events or at least once a year.
  • Incorporate “lessons learned”
  • Identify and periodically meet with your team
  • Assign roles and responsibilities.
  • Enterprise focus, not IT focused
  • Tabletop exercises
  • Have outside counsel and forensics experts identified and ready to go

SLIDE 29

Breach Preparedness

  • Coordinate breach preparedness with key third party vendors
  • Engage your board now and during a breach
    • When does your board want to be informed about a breach?
  • Understand your insurance coverage
  • Address third party vendors and their response when they have an incident
    • Shadow IT?
  • Consider the attorney-client privilege before you start any investigation

SLIDE 30

Rapid Response Team Identification

  • Identify the Rapid Response Team
    • IT, HR, Legal, Risk Management, Communications, Security, Audit, and other key personnel
    • External counsel
    • Forensic experts
    • Third party notification, mail sort, and help desk providers
    • Public relations and communications firms

SLIDE 31

Role Assignments

  • Litigation hold scoping and development
  • Crisis and timeline management
  • Law enforcement coordination
  • Identification, engagement, and management of SMEs
  • Evidence gathering, artifact creation, reporting, and maintaining attorney-client privilege
  • Engagement with Board / Executives

SLIDE 32

Role Assignments

  • Regulatory compliance and investigation management
  • Third party audit management
  • Incident reporting SOP
  • Investigation procedures and management
  • FAQs (internal, external, regulatory)
  • Notice drafting protocols (individuals, government bodies, credit bureaus, etc.)
  • Forensic investigations

SLIDE 33

Final Preparedness Exercises

  • Board / senior management engagement and training
  • Guided tabletop exercises and training
  • Assess key third party vendor breach readiness
  • Data governance program walkthrough and tune-up
  • Strategic threat intelligence evaluation

SLIDE 34

Responding to the Breach: PHI Reporting and Notice Obligations

SLIDE 35

HIPAA Incident response obligations

  • 164.308(a)(6)
  • Look at NIST 800-66 for guidance:
    • Determine goals of incident response
    • Develop and deploy an incident response team or other reasonable and appropriate response mechanism
    • Develop and implement procedures to respond to and report security incidents
    • Incorporate post-incident analysis into updates and revisions

SLIDE 36

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.

(1) Individual Notice
  a. Form: Written notice by first-class mail (or substitute notice)
  b. Timing: “without unreasonable delay” (no later than 60 days following discovery of breach)
  c. Content: brief description of the breach; steps individuals should take to protect themselves; what the covered entity is doing to investigate, mitigate, and prevent further breaches; and contact information, including a toll-free number for 90+ days where individuals can obtain additional information

(2) Media Notice
  a. If breach affects >500 residents of a state.

(3) Notice to the Secretary

SLIDE 37

Responding to the Breach: Pursuing insurance recovery

SLIDE 38

Insurance Recovery

  • Cyber/data breach losses require a different approach to insurance recovery
  • Proactive strategy
    • Need to understand coverage landscape
    • Decisions must be made quickly – esp. where security incident is still ongoing
  • Early engagement with insurers
    • To obtain necessary consents and meet policy requirements
    • Insurer expectations, custom & practice
  • Coordination between insurance efforts and other aspects of breach response

SLIDE 39

Insurance Recovery

  • Major breaches are crisis events
    • Companies must respond to multiple challenges simultaneously, each with legal risks
    • May face impaired IT infrastructure or other obstacles to communication
    • Insurance objectives may conflict with other corporate priorities
  • Effective breach response requires decisive, focused, and coordinated action

SLIDE 40

Insurance Recovery

Insurance Best Practices

1. Within 1-2 weeks, develop an insurance strategy that identifies the specific steps that must be taken to obtain recovery
  • Review relevant policies to determine available coverage
  • Identify policy requirements and pitfalls

2. Integrate insurance strategy into overall breach response plan
  • Establish internal team to manage insurance claim, with representatives from risk management, legal, accounting, and coverage counsel.

3. Identify and track all breach-related costs.

SLIDE 41

Insurance Recovery

Insurance Best Practices

4. Maintain active and ongoing communication with insurers
  • Keep them informed of major developments
  • Obtain required consents for counsel and expenses
  • Manage insurer information requests
    • Duty to cooperate requires policyholder to provide information
    • Process must be managed so it doesn’t interfere with overall response efforts

SLIDE 42

Presenter

Richard DeNatale is a litigation partner at Jones Day who represents policyholders in cyber insurance and data breach coverage matters. He has been recognized in Chambers USA as one of the nation’s leading coverage lawyers. He has acted as lead counsel in precedent-setting coverage litigation on data privacy issues in both California and New York. Rich has been retained to handle insurance strategy and cost recovery for more than 20 data breach incidents, including some of the largest in history. He also regularly advises clients on cyber policy acquisitions and renewals. He can be reached at (415) 875-5740, or at rdenatale@jonesday.com.

SLIDE 43

Presenter

Todd McClelland advises clients on data breach response and other information security-related issues, including pre-breach cybersecurity risk assessment and management, compliance, response preparedness, and other risk mitigation activities. He also counsels clients on data privacy issues, outsourcing transactions, technology and data licensing, technology audits, and cloud transactions. Todd is a frequent speaker at professional seminars and author of articles on cybersecurity. He is a member of the International Association of Privacy Professionals and the CISO Executive Network, and is recognized in The Best Lawyers in America for his data security practice. He can be reached at 404.581.8326, or at tmcclelland@jonesday.com

SLIDE 44

OCR Authority

www.TheCarlsonFirm.Com

* OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules. Breaches and other privacy violations give rise to enforcement. Compliance with the HIPAA Privacy and Security Rules is a mandatory requirement, as is responding to and working with the OCR during an investigation. * Source OCR.

SLIDE 45

OCR Authority


The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E. This authority is vast and, since HITECH, has more teeth. All CEs, BAAs and sub-BAAs all the way down the chain are subject to the Privacy Rule, the Security Rule, and compliance with the OCR and the authority granted to it in the Enforcement Rule, and are subject to enforcement, with fines up to 1.5 million for a violation and potential referral to the Department of Justice for criminal investigation. * Source OCR.

SLIDE 46

Responding to Breaches and OCR Investigations

SLIDE 47

Responding to Breaches and OCR Investigations

Joshua Carlson Esq., CIPP/G, CISSP, PCI-ISA, Chair | Minnesota State Bar Computer Technology Law Section

  • Mr. Carlson is an attorney who practices nationally and internationally in the area of computer and technology law, namely:
    • Healthcare Law (HIPAA & HITECH) Privacy & Security Compliance
    • US and international regulatory data privacy, data security compliance
    • PCI, HIPAA, FISMA, NIST, GLBA, Safe Harbor, CyberSecurity, Cloud Security frameworks
    • Government cyber security & FISMA program compliance

SLIDE 48

AGENDA

1. OCR: by the numbers, complaints, investigations, most common issues to be aware of
2. The OCR investigation process; how to reduce risks
3. How do OCR investigations get started, how to reduce risks of an investigation
4. What to do when you get an OCR letter of investigation, what it will request, how to manage the interaction, response options and the potential results
5. Keys to handling and managing the OCR process

SLIDE 49

Intended Audience

  • Lawyers – Plaintiff & Defense
  • In-house & outside counsel
  • Privacy Officers
  • Compliance Attorneys
  • Boards and Organizational Leadership

SLIDE 50

Objectives

  • Understand causes of OCR investigation in first place (how to prevent)
  • Understand what to do if (when) you do get contacted
  • Understand what not to do if (when) you get contacted
  • Understand good form and practice from beginning to end
  • Get your situational questions asked and answered

SLIDE 51

What does the OCR Look Like

Make sure you have visited the OCR website and know the site: http://www.hhs.gov/ocr/ There is a large amount of current information there. The information there contains many details an OCR investigator may expect you to know, or wish you knew to save everyone time. Get up to speed on the FAQs and other sources of information.

SLIDE 52

OCR: by the numbers, complaints, investigations, most common issues


Since the compliance date of the Privacy Rule in April 2003, OCR has received over 125,445 HIPAA complaints and has initiated over 854* compliance reviews. OCR has investigated and resolved over 24,047 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled 29 such cases resulting in a total dollar amount of $27,974,400.00. OCR has investigated complaints against … national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. * Source OCR.

SLIDE 53

OCR: by the numbers, complaints, investigations, most common issues


* Source OCR.

SLIDE 54

OCR: by the numbers, complaints, investigations, most common issues


* Source OCR.

SLIDE 55

OCR: by the numbers, complaints, investigations, most common issues


* Source OCR.

SLIDE 56

OCR: by the numbers, complaints, investigations, most common issues


State | Investigated: Resolved After Intake and Review | Investigated: No Violation | Corrective Action
Alaska | 10% | 62% | 27%
Alabama | 13% | 66% | 21%
Arkansas | 17% | 61% | 22%
Arizona | 11% | 63% | 26%
California | 11% | 68% | 21%
Colorado | 11% | 64% | 25%
Connecticut | 14% | 60% | 26%
District of Columbia | 10% | 63% | 27%

You can see what average results are for your state. Use this for your firm, or your client, and this will give you some perspective. * Source OCR.

SLIDE 57

OCR: by the numbers, complaints, investigations, most common issues


  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information (OCR has recently published a brand new FAQ about many issues, e.g., emailing insecurely);
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

* Source OCR.

SLIDE 58

OCR: by the numbers, complaints, investigations, most common issues


The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

1. Private Practices;
2. General Hospitals;
3. Outpatient Facilities;
4. Pharmacies; and
5. Health Plans (group health plans and health insurance issuers)

* Source OCR.

SLIDE 59

OCR: The Process


* Source OCR.

SLIDE 60

OCR: The Process & How to Catch Issues Before a Complaint


The KEY sources/actions that can spur OCR investigations:

1. Complaint filed – A complaint can be submitted by anyone; your brother's cousin's friend's sister. There is no privity requirement that requires the Complainant to be the patient. It is incredibly easy to file a complaint. (See next slide for a view of the OCR Complaint Portal Assistant website.)
2. Breach reporting/notifications
3. State Attorney General actions
4. OCR Audits
5. Whistleblowers

SLIDE 61

OCR: The Process & How to Catch Issues Before a Complaint


Any unhappy or concerned person can go here and file a Complaint, which will get reviewed. Make sure to address issues brought to your attention locally right away.

SLIDE 62

OCR: The Process & How to Catch Issues Before a Complaint


Install and review systems to catch and address problems at the earliest point:

1. Watch for/track letters/e-mails/calls of complaint to the Privacy Officer
2. Watch for/track letters/e-mails/calls of complaint to the Compliance Officer
3. Watch for/track letters/e-mails/calls of complaint to the Chief Medical Director, other executives or any staff.
4. Have a system in place to identify complaint situations, then have the proper team respond to the issues.

* If OCR receives a Complaint, and the Complainant says letters or e-mails or calls to leaders about problems went unaddressed, or worse, not even responded to, that will likely add to the problem. Track the issue, response and resolution like any other.

SLIDE 63

OCR: Failed to Catch a Problem Letter Arrives


Least enjoyable scenario: the first time you hear about an issue is from the OCR.

SLIDE 64

OCR: Failed to Catch a Problem Letter Arrives


The letter will state a number of business days to respond and will request:

  • Name, title, address and contact information of the person designated to work with OCR during the investigation
  • Copy of internal investigation and timeline of incident
  • Copy of findings of any internal investigation with evidence supporting conclusions (there is some benefit for outside objective analysis for the matter at hand)
  • Copy of HIPAA policies and procedures
  • Proof of all corrective actions taken and all actions taken to prevent any reoccurrence of the problem
  • Copy of breach notification letter (sample copy)
  • Copy of most recent risk analysis performed and for past X years
  • Copy of most recent risk assessments
  • Copies of policies and procedures related to access, access review, incidents, malware reports, documentation of actions to mitigate vulnerabilities to ePHI.

SLIDE 65

OCR: Failed to Catch a Problem Letter Arrives


  • Read the letter, then read it again and open a file. Get familiar with the issue, complaint, complainant, systems etc.
  • Identify who the primary will be; this may be identified in the letter. There should be only one very knowledgeable person who is intimate with the issues to liaise with OCR
  • Review any insurance reporting requirement
  • Review with in-house or external counsel
  • Activate your team (which should be pre-assembled as a part of HIPAA) that will perform the investigation
  • Team will likely consist of: Chief Compliance Officer, Security Officer, Legal Counsel, IT, HIM, Privacy Officer

SLIDE 66

OCR: Failed to Catch a Problem Letter Arrives


  • Perform your own internal investigation on the matter
  • Be aware this will likely end up a part of the OCR file/response and potentially in any FOIA requests
  • Require artifacts/proof of any mitigation actions taken in the organization, as they will be required in the OCR response
  • Pay special attention and concern to the manner in which you will exchange data with the OCR; determine and agree on a secure method for exchange which complies with your policies
  • Make sure to follow your own entity's policies and procedures in the transfer of the data with the OCR
  • Make sure any changes to IT systems are/were in line with the policies and procedures required by your organization (breaking more policies and procedures to fix an issue will add to the scope.)

SLIDE 67

OCR: Failed to Catch a Problem Letter Arrives


  • OCR investigators are very busy; being organized, clear and concise in the response will help greatly
  • Organize your response with the supporting evidence correlated to each issue
  • Confirm response was received
  • There will likely be some iterative rounds

SLIDE 68

OCR: Failed to Catch a Problem Letter Arrives


  • Evidence of sanctions performed for policy violations
  • Evidence of retraining required for policy violations
  • For staff breaking critical policies, I recommend when a staff person violates a policy, that the entire staff or team all have to retake the training. This helps give pause to staff who are quick to take shortcuts.
  • You will be required to have your Risk Analysis (step 1, before anything else) (the one single thing you must have), to hand over.
  • Do NOT overshare; do not just zip up the entire catalogue of policies and procedures and send it over.
  • Be forthcoming and timely, and make sure the sharing is specific to the request. This saves everyone time.

SLIDE 69

OCR: Failed to Catch a Problem Letter Arrives


  • Timeline to respond will be ~10 business days
  • You can ask for an extension or other agreed upon response time; think of a week more
  • Call the OCR to get a better in-person understanding of the issues and expectations of the investigator
  • Do not take longer than you need to respond
  • Phone calls and written correspondence will be the primary method for responding
  • It is crucial that all correspondence (phone or in writing) is accurate, specific, forthright, and is from the most knowledgeable HIPAA person on the matter

SLIDE 70

OCR: CE Response Options


  • We are not a Covered Entity or a BA and not regulated under HIPAA
  • Alleged violation did not occur, e.g., complainant’s description/perception or stated facts of the issue is not accurate/complete etc.
  • Organization is in Compliance with the Rules
  • Breach did occur, but the organization had all of the requisite policies and procedures in place and took prompt corrective action, sanctions, training, organizational, procedural, policy changes.

* See prior slide: if initial issues directed to the organization went ignored, and changes came only as a result of the OCR investigation, this position may be more difficult.

SLIDE 71

OCR: Possible Outcomes Voluntary compliance, corrective action, or resolution agreement


  • Complaint dismissed (YaY): your organization was prepared and your response was on point, credible, timely and did not raise more issues.
  • Prepare and submit for OCR review and eventual approval of additional and modified HIPAA policies, procedures and the requisite HIPAA training on these updates
  • OCR requires a Compliance Agreement to be put into place which will involve oversight from OCR
  • Civil Fine is Imposed
  • OCR turns matter over to DOJ for further investigation

SLIDE 72

OCR: Possible Outcomes


  • Closing of the file.
  • Once the OCR is satisfied with the CE's response and corrective actions, they may call and offer “HIPAA technical assistance”.
  • Once the investigation is closed, you will get a letter outlining the closing, which also goes to the Complainant, and outlines the issue, actions taken and satisfaction that the issues are resolved.
  • Review the letter and use it to continue to make improvements for the future.

SLIDE 73

OCR: Outcomes

SLIDE 74

OCR: Outcomes

SLIDE 75

Final Thoughts

  • COOPERATION after contact from the OCR is the winning approach
  • Organizational competence prior to receiving the OCR contact is critical to a smooth response process; you can’t make it up on the fly
  • Perform a test OCR investigation exercise with your team as a part of breach response exercises.

SLIDE 76

Questions?


Joshua Carlson

TheCarlsonFirm 800 Washington Avenue North, Suite 704 Minneapolis, MN 55401 joshua.carlson@thecarlsonfirm.com