OCR Risk Analysis Initiative

The Office for Civil Rights (OCR) is the government agency that enforces HIPAA Privacy, Security, and Breach Notification Rules. For several years, OCR has been issuing alerts to increase awareness of cyberattacks in the healthcare industry. It has also issued several guidance documents to help providers secure their electronic protected health information (EPHI) from cyberattacks. Despite these efforts, OCR continues to find during its investigations that large breaches resulting from cyberattacks could have been prevented if HIPAA Security Rule requirements had been met. For this reason, OCR has announced a Risk Analysis Initiative to focus certain investigations on compliance with the HIPAA Security Risk Analysis provision.

The Security Rule specifically requires that every HIPAA covered entity “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

The Security Risk Analysis is a key Security Rule requirement and the foundation for effective cybersecurity measures and the protection of EPHI.  According to OCR Director, Melanie Fontes Rainer, “OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.

In its first enforcement action in the Risk Analysis Initiative, OCR fined a health care organization $90,000 for failing to conduct a compliant risk analysis which resulted in a ransomware attack and breach of EPHI of 14,273 patients. The organization is also required to implement the following corrective action plan that will be monitored by OCR for three years:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI; 
  • Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis; 
  • Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and 
  • Train its workforce on its HIPAA policies and procedures. 

Areas of Non-Compliance

In an instructional video published to YouTube™ in October, OCR discusses Ransomware and the HIPAA Security Rule.  In addition to discussing trends in ransomware and breaches, OCR outlines some common areas of non-compliance that can be addressed through an accurate and thorough security risk analysis:

Deficiency – Unpatched vulnerabilities, such as in computer operating systems, remote access solutions, and routers, as well as unsecure network configurations.

Corrective actions – Processes should be in place to identify technical vulnerabilities, such as through regular vulnerability scanning to detect obsolete software and missing patches, and penetration testing to identify weaknesses. Once risks and vulnerabilities are identified and assessed, they can be mitigated by applying patches, replacing obsolete software and equipment, etc. Network segmentation is an important solution for legacy systems that are needed but can no longer be patched.

Deficiency – Poor access controls and weak authentication processes, particularly in remote access solutions and administrator-level privileges. Worst practices include remote access groups requiring only single factor authentication (i.e., a password), generic software users or service accounts with default passwords.

Corrective actions – Due to the increased risks associated with remote login and the extent of access that is permitted under administrative privileges, covered entities must ensure that authentication solutions are sufficient to reduce those risks. Access controls should be role- or user-based, and use of multi-factor authentication is strongly recommended for remote access and administrator-level privileges. Virtual private networks, Microsoft’s Remote Desktop Protocol, as well as firewalls, network segmentation, and network access control (NAC) are all possible solutions to secure networks.

Deficiency – Lack of thoroughness (e.g., only a subset of a regulated entity’s environment was considered for risks posed to its EPHI).

Corrective actions – A comprehensive assessment of risks and vulnerabilities to all EPHI must be conducted. This will include an assessment of all devices and media that receive, store, or transmit EPHI. An asset listing is the best place to begin to ensure that all computers, servers, removable media, and other devices are considered. Provider cell phones, medical devices/equipment and any other devices that may receive, transmit, or store EPHI must be included. OCR suggests considering all of the ways that EPHI is created or received, how it flows through your organization, and how it leaves or is disclosed.

Deficiency – Audit controls are not in place to record and examine information system activity, neither through manual monitoring nor through an automated rules-based system. Too often, OCR finds that attackers have infiltrated a regulated entity’s network, conducted surveillance, and exfiltrated data over a protracted period, sometimes for months.

Corrective actions – The Security Rule requires implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. This can be accomplished through manual processes or through an automated cybersecurity system. Cybersecurity software such as anti-malware software, intrusion detection and response solutions can not only detect and alert appropriate personnel, but oftentimes can also proactively take measures to contain or impede the progress of a cyber-attack.

In addition, OCR recommends all covered entities take the following steps:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Ensure that that EPHI backups are secure, current, accessible and recoverable at all times through performance of periodic test restorations.
  • Integrate risk analysis and risk management into business processes regularly.
  • Encrypt ePHI to guard against unauthorized access to ePHI. 
  • Incorporate lessons learned from incidents into the overall security management process. 
  • Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.

Resources

If your organization is due to conduct an accurate and thorough security risk analysis, the following resources are available:

HHS Security Risk Analysis Tool – Assistant Secretary for Technology Policy (ASTP), in collaboration with OCR, offers a free, downloadable Security Risk Assessment Tool here: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

A User Guide for the Security Risk Assessment Tool is available here: https://www.hhs.gov/guidance/document/security-risk-assessment-sra-tool-user-guide


If you are a subscriber to the Eagle Associates HIPAA program, you have access to a Security Risk Analysis tool, and complete Security Rule policies in Section 4.00 of the manual, along with training for staff.

Eagle Associates recorded a Security Risk Analysis webinar for subscribers of the HIPAA Compliance System.  This detailed, step-by-step recording with explanations of each specification, findings and corrective actions can be purchased for $225.  Send an email to info@eagleassociates.net or call us at (800) 777-2337

We will follow-up with more ransomware prevention measures in the January issue.

Updated Guidance for COVID-19 Infection Control

The U.S. Centers for Disease Control and Prevention (CDC) has outlined specific isolation and return-to-work recommendations for healthcare personnel (HCP) regarding COVID-19 infections. In addition to measures such as vaccination, source control, ventilation, disinfection, distancing, and the use of PPE, the CDC recommends an isolation and testing protocol for HCP to prevent the spread of COVID-19 in healthcare settings. This guidance is intended to advise the duration of workplace restrictions for HCP with COVID-19 infections.

Testing

Any HCP with symptoms of COVID-19, even mild symptoms, should undergo testing as soon as possible using an antigen detection assay or nucleic acid amplification test (NAAT). If using an antigen test, a negative result should be confirmed by a NAAT or by a second negative antigen test taken 48 hours after the first negative test. A single negative NAAT is sufficient in most circumstances.


Return to Work After Infection

When determining whether an employee may return to work after a COVID-19 infection, employers should consider both the severity of symptoms and the presence of immunocompromising conditions. HCP should self-monitor for symptoms and report the recurrence or worsening of symptoms.

Either a NAAT (molecular) or antigen test may be used for testing. If using an antigen test, HCP should have a negative test obtained on day 5 and again 48 hours later HCP with mild to moderate symptoms of

COVID-19 who are not moderately to severely immunocompromised could return to work when:

• At least 7 days have passed since symptoms first appeared if a negative viral test is obtained within 48 hours prior to returning to work (or 10 days if testing is not performed or if a positive test at day 5-7), and

• At least 24 hours have passed since last fever without the use of fever-reducing medications, and

• Symptoms (e.g., cough, shortness of breath) have improved.

HCP who are asymptomatic and who are not moderately to severely immunocompromised could return to work when at least 7 days have passed since symptoms first appeared if a negative viral test is obtained within 48 hours prior to returning to work (or 10 days if testing is not performed or if a positive test at day 5-7). HCP with severe to critical symptoms of COVID-19 (which generally require hospitalization) and who are not moderately to severely immunocompromised could return to work when:

• At least 10 days and up to 20 days have passed since symptoms first appeared, and

• At least 24 hours have passed since last fever without the use of fever-reducing medications, and

• Symptoms (e.g., cough, shortness of breath) have improved.

The test-based strategy as described below for moderately to severely immunocompromised HCP can be used to inform the duration of work restriction:

• HCP who are moderately to severely immunocompromised may shed the virus beyond 20 days after symptom onset. These individuals should use a test-based strategy in consultation with an infectious disease specialist or other occupational health specialist to determine the appropriate time frame for returning to work.


Return to Work After Exposure

If HCP are exposed to someone with a confirmed case of COVID-19, testing or restriction from work may be necessary based on the risk level of the exposure. High-risk exposures include the HCP’s eyes, nose, or mouth being exposed to material potentially containing the COVID-19 virus, especially if the HCP were present during an aerosol-generating procedure. Other types of exposures should be evaluated on a case-by-bases basis, considering factors such as the use of PPE, hand hygiene, ventilation, and source control.

High risk-exposures can be classified as having prolonged (more than 15 total minutes), close (within 6 feet) contact with an individual with confirmed COVID-19 and:

• HCP was not wearing a respirator, or if HCP was wearing a facemask and the infected person was not wearing any type of mask

• HCP was not wearing eye protection, and the infected person was not wearing any type of mask

• HCP was not wearing all of the recommended PPE (gown, gloves, eye protection, respirator) while present for an aerosol generating procedure

Following a high-risk exposure, HCP should have a series of three viral tests for COVID-19 infection. Testing should be completed no earlier than 24 hours after exposure, and if negative, two more tests each 48 hours apart. This means the HCP should test on days 1, 3, and 5 after an exposure. Following an exposure, HCP should wear well-fitting source control and monitor themselves for fever and other symptoms. If they develop any symptoms, they should immediately isolate and contact the employer for testing and evaluation.

Generally, work restriction is not required for asymptomatic HCP following an exposure to COVID-19. Work restrictions should be considered in certain cases such as:

• HCP cannot be tested or wear source control for the recommended 10 days following the exposure

• HCP is moderately to severely immunocompromised or works with patients who are moderately to severely immunocompromised

• HCP works in a unit that is experiencing ongoing COVID-19 transmission that is not controlled

If work restriction is recommended after an exposure, HCP may return to work 7 days after the exposure if they do not develop symptoms and all testing is negative. If no testing is performed, HCP may return to work 10 days following the exposure if they do not develop symptoms.

If HCP are exposed to COVID-19 outside of the workplace, their exposure risk level should be evaluated based on the same risk factors above. Exposures to household contacts with confirmed COVID-19 should be treated as a high-risk exposure.