HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties.
State attorneys general have been laboratories of privacy enforcement. Over the years, they have devoted significant time and energy to data privacy and security matters and have played an increasingly active role in them. They have used both their broad consumer protection authority and the authority the HITECH Act gives them to enforce the HIPAA Privacy and Security Rules in order to investigate data security lapses. More recently, we have seen expanded authority given to nontraditional regulators, including state departments of insurance and financial regulation. A number of states have adopted or are adopting a model law promoted by the National Association of Insurance Commissioners that requires notice of a cybersecurity event to the state insurance regulator within 72 hours.
Last year we assisted clients in more than 1,000 data security incidents. Among the trends revealed by our analysis of these incidents, we found that regulators continue to make inquiries in the wake of data security events. In fact, in the matters we handled, regulators made inquiries 40 percent of the time after notifications were made. This is up from 34 percent the prior year.
This uptick in activity may be due to (1) expanded legislation requiring that state attorneys general and insurance regulators be notified after a data breach, (2) more offices having set up civil enforcement units dedicated solely to data privacy and cybersecurity, and (3) additional coordination among federal and state regulators to pool their resources.
When a breach impacts more than 500 individuals in a HIPAA matter, makes the news or may affect a large number of residents in a particular state, a regulatory investigation is almost certain to follow. In those situations, a prudent organization should begin preparing for regulatory inquiries even before announcing the breach. Any incident response strategy should consider how the investigation, communications (internal and external) and actions taken in response to the incident would be viewed by a regulator. This is why it is essential to view incident response as part of an overall legal strategy that takes into account likely regulatory investigations. This includes understanding the regulator’s focus, the process of the investigation and the potential remedies.
A regulatory investigation is likely to go beyond the incident at issue, and a resolution is likely to require significant changes to data security practices. Regulators are becoming more sophisticated in seeking information in an investigation. Look for more technical requests regarding the impacted environment, the incident and safeguards in place. Regulators have engaged subject matter experts to assist with these technical requests. These experts, including forensic firms, work with the regulators to investigate an organization.
Regulators are taking a hard look at what they see as systemic issues in an organization: being slow to investigate, slow to notify and repeatedly experiencing data incidents. Focus on complete and timely remediation following an incident. Increasingly, regulators want to ensure that the organization has taken significant steps to prevent another incident from occurring.
OCR has openly acknowledged that investigators look for “low-hanging fruit,” meaning small violations that show a larger pattern of noncompliance. Our experience has found this to be true, with more requests focused on patient record requests, access controls, information system activity review, risk analysis, implementation of past risk management plans and documentation of individual employee training. In April 2019, OCR lowered the annual cap on penalties for violations of an identical HIPAA provision for the three lower culpability tiers. However, recent investigations have shown OCR taking the position that the entity’s conduct rises to the level of uncorrected willful neglect, the highest penalty tier, whose cap was not lowered. This has resulted in high settlement demands from OCR.
State attorney general and insurance department investigations have focused on statements made regarding security in privacy policies; the information security program as a whole, including encryption, access controls, asset inventory, network segmentation, file integrity and endpoint monitoring; security training; and management oversight of compliance with HIPAA and other regulations. Some of the more recent settlement agreements have required the organization to employ a compliance officer to oversee the compliance program, employ a chief information security officer with relevant experience in the industry to oversee the security program (a position that is separate from that of the chief information officer) and engage independent third parties to assess the compliance program and information security program.
Because of greater regulatory scrutiny and the potential for litigation, organizations need to think strategically about the timing and language of their investigation vendor engagement letters, scope-of-work letters and related documentation, especially when they engage existing vendors to assist with an incident investigation. Not everything related to an incident is privileged. Think strategically about which engagements are genuinely privileged and how to keep a proper paper trail for those engagements. Where vendors will serve dual purposes, one of which is clearly litigation or the anticipation of litigation, consider separate engagement letters or scope-of-work agreements for the privileged work. Even though some public relations communications and materials may be privileged, clients should assume that these communications will not be privileged and conduct themselves accordingly when public relations/crisis management firms are on team calls or in meetings.
Read more by downloading our 2020 BakerHostetler Data Security Incident Response Report containing data from 950 of the 1,000+ incidents we helped clients address in 2019.