Whistleblower Protections and Anti-Retaliation Provisions

OSHA Whistleblower Protection

The OSH Act contains whistleblower protections that prohibit employers from retaliating against employees who report workplace health and safety concerns. Examples of retaliation include suspension, termination, demotion, intimidation, harassment, or reducing pay or hours in response to an employee’s report of health hazards in the workplace.

The General Duty Clause of the OSH Act requires employers to provide a safe and healthful workplace, free from recognized hazards. If an employee reports having concerns regarding health or safety in the workplace, the employer has a duty to address such concerns and should not undertake any retaliatory actions against the employee. Complaints of employer retaliation may be reported electronically (https://www.osha.gov/whistleblower/WBComplaint) or by contacting an OSHA area office.

OIG Protected Disclosures

Employees who make reports of suspected fraud, waste, or abuse of federal funds are also protected by law. Employers are not permitted to retaliate against employees for making a “protected disclosure.” A disclosure is protected if it meets the following criteria:

1. The report is made in good faith, meaning it must be based on a reasonable belief that fraud, waste, or abuse has occurred.

2. The report is made to a person or entity that is authorized to receive it. Employees may make a good faith report to the Compliance Officer or Committee of your organization or to the OIG Hotline: https://oig.justice.gov/hotline

The OIG makes it clear that anyone who makes a good faith report may not be subjected to or threatened with retaliation. If you believe you have been retaliated against for making a protected disclosure, you may file a retaliation complaint to the OIG Hotline.

Patient Privacy Complaints

If a patient believes that their HIPAA privacy rights have been violated, they may choose to make a formal complaint to your organization. The patient should be asked to complete a privacy complaint form to document their concerns and allow the Privacy Officer or Compliance Committee to investigate the complaint.

A patient may also choose to report a suspected Privacy Rule violation directly to the Department of Health and Human Services’ Office for Civil Rights (OCR). OCR will review the complaint and take action to investigate if the patient’s rights were violated and the complaint was filed within 180 days of the violation.

Regardless of the method of reporting that a patient uses to make a complaint, an organization must never retaliate against the patient, including by withholding healthcare, access to their PHI, or by dismissing the patient from care without sufficient cause.

NOTE: Subscribers to Eagle Associates’ compliance programs have relevant policies in section 1.03 of the Safety Manual, section 3.38f of the HIPAA Manual and section 1.04 of the OIG Policy Manual.

Change Healthcare Cyberattack Update

In the June 2024 issue of the Advisor®, we published a brief article about the attack, and a link to the FAQ page that the Department of Health and Human Services (HHS) had put in place to help answer questions about the incident. Since then, additional questions and answers have been added to that page.

You can view the page here: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html

Many practices have been unsure of their responsibilities with regard to this incident, and some have received communications from Change Healthcare that have led to more confusion. In general, Change Healthcare has taken responsibility for notifying patients affected by the breach, so no further action is required on the part of most practices. See the following statement: “To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” In addition, note that only one entity is responsible for making the notification. In this case, Change Healthcare/UnitedHealth Group is taking on that responsibility, so your practice is freed from the obligation.

In a couple of cases, Change didn’t have sufficient information to notify the patients directly, so Change sent a letter to the practice whose patients were affected. Eagle Associates advises such practices to reach out to Change to ask whether it at least has the names or other identifiers of the affected patients, so that your practice does not need to make a substitute notice to all patients. If identifying information is provided, you as the covered entity could notify the few patients that Change could not reach. This would avoid a general notification to all patients, which could lead to more questions, alarm, etc.

Newly Proposed HIPAA Security Rule

On December 27, 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (EPHI). OCR administers and enforces the Security Rule, which establishes national standards for the protection of individuals’ EPHI by covered entities and their business associates. The proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.

A fact sheet on the NPRM includes a summary of the proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.
  • Add specific compliance time periods for many existing requirements.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of EPHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map.
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require encryption of EPHI at rest and in transit, with limited exceptions.
  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
    • Deploying anti-malware protection.
    • Removing extraneous software from relevant electronic information systems.
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require network segmentation.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide EPHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

While the Department is undertaking this rulemaking, the current Security Rule remains in effect.

The NPRM may be viewed or downloaded at: 

https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

HHS encourages all stakeholders, including patients and their families, health plans, health care providers, health care professional associations, consumer advocates, and government entities, to submit comments on the proposed rule.

You may submit electronic comments by following the Federal Register link provided above and clicking the Submit a Public Comment button just below the title. Attachments should be in Microsoft Word or Portable Document Format (PDF).

You may mail written comments via Regular, Express, or Overnight Mail to the following address only:

U.S. Department of Health and Human Services, Office for Civil Rights
Attention: HIPAA Security Rule NPRM
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue SW
Washington, DC 20201

Please allow sufficient time for mailed comments to be timely received in the event of delivery or security delays. Public comments on the NPRM are due 60 days after publication of the NPRM in the Federal Register (on or before March 7, 2025).

Eagle Associates will provide updates on finalization of the new Security Rule as soon as the information becomes available.

Protected Health Information and the Designated Record Set

Organizations may receive a records request from a patient that asks for ALL information, i.e., the entire record. Medical records fulfillment personnel may wonder what should be included when a patient requests “ALL” information. The Office for Civil Rights (OCR) provides guidance regarding the patient right of access, the designated record set, and the definition of protected health information (PHI).

Protected Health Information (PHI)

The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI). PHI is information, including demographic information, which relates to:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

PHI includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above. For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient’s name and/or other identifying information associated with health data/content.

By contrast, a health plan report that only noted the average age of health plan members was 45 years would not be PHI because that information, although developed by aggregating information from individual plan member records, does not identify any individual plan members and there is no reasonable basis to believe that it could be used to identify an individual.

The relationship with health information is the important piece to remember. Identifying information alone, such as personal names, addresses, or phone numbers, would not necessarily be designated as PHI. For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to health data (see above). If such information was listed with health condition, health care provision, or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.

An enforcement example helps to shed light on what is considered PHI. A health system sent the wrong bills to a large number of patients, but reported the breach as affecting only a handful of patients, because most of the bills had only the names, dates of service, account numbers and amounts. The OCR explained that because the dates of service and account numbers were linked to demographic information, the information breached was indeed PHI, and was reportable.

The Designated Record Set

Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Thus, individuals have a right to a broad array of information about themselves maintained by or for covered entities, including:

  • medical, billing and payment records;
  • insurance information;
  • clinical laboratory test results;
  • medical images, such as X-rays;
  • wellness and disease management program files; and
  • clinical case notes;
among other information used to make decisions about individuals.

In responding to a request for access, a covered entity is not required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

You may store information about patients in different locations or systems. Patients have the right of access to all information that qualifies as PHI and falls into the designated record set, regardless of its storage location. Many practices have separate practice management and EMR systems, but if patients request ALL of their information, you would include information from both systems, because the designated record set includes both billing and clinical records.

Phone notes, although not specifically addressed in the information above, should be included in a records request, because they often contain clinical/treatment information. For example, a patient may call and describe symptoms, request a referral, or ask about prescription dosage, frequency, etc.

OCR Risk Analysis Initiative

The Office for Civil Rights (OCR) is the government agency that enforces HIPAA Privacy, Security, and Breach Notification Rules. For several years, OCR has been issuing alerts to increase awareness of cyberattacks in the healthcare industry. It has also issued several guidance documents to help providers secure their electronic protected health information (EPHI) from cyberattacks. Despite these efforts, OCR continues to find during its investigations that large breaches resulting from cyberattacks could have been prevented if HIPAA Security Rule requirements had been met. For this reason, OCR has announced a Risk Analysis Initiative to focus certain investigations on compliance with the HIPAA Security Risk Analysis provision.

The Security Rule specifically requires that every HIPAA covered entity “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

The Security Risk Analysis is a key Security Rule requirement and the foundation for effective cybersecurity measures and the protection of EPHI. According to OCR Director Melanie Fontes Rainer, “OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”

In its first enforcement action under the Risk Analysis Initiative, OCR fined a health care organization $90,000 for failing to conduct a compliant risk analysis, a failure that resulted in a ransomware attack and a breach of the EPHI of 14,273 patients. The organization is also required to implement the following corrective action plan, which will be monitored by OCR for three years:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI; 
  • Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis; 
  • Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and 
  • Train its workforce on its HIPAA policies and procedures. 

Areas of Non-Compliance

In an instructional video published to YouTube™ in October, OCR discusses Ransomware and the HIPAA Security Rule. In addition to discussing trends in ransomware and breaches, OCR outlines some common areas of non-compliance that can be addressed through an accurate and thorough security risk analysis:

Deficiency – Unpatched vulnerabilities, such as in computer operating systems, remote access solutions, and routers, as well as unsecure network configurations.

Corrective actions – Processes should be in place to identify technical vulnerabilities, such as through regular vulnerability scanning to detect obsolete software and missing patches, and penetration testing to identify weaknesses. Once risks and vulnerabilities are identified and assessed, they can be mitigated by applying patches, replacing obsolete software and equipment, etc. Network segmentation is an important solution for legacy systems that are needed but can no longer be patched.

Deficiency – Poor access controls and weak authentication processes, particularly in remote access solutions and administrator-level privileges. Worst practices include remote access groups requiring only single-factor authentication (i.e., a password alone), and generic software users or service accounts with default passwords.

Corrective actions – Due to the increased risks associated with remote login and the extent of access that is permitted under administrative privileges, covered entities must ensure that authentication solutions are sufficient to reduce those risks. Access controls should be role- or user-based, and use of multi-factor authentication is strongly recommended for remote access and administrator-level privileges. Virtual private networks, Microsoft’s Remote Desktop Protocol, as well as firewalls, network segmentation, and network access control (NAC) are all possible solutions to secure networks.

Deficiency – Lack of thoroughness (e.g., only a subset of a regulated entity’s environment was considered for risks posed to its EPHI).

Corrective actions – A comprehensive assessment of risks and vulnerabilities to all EPHI must be conducted. This will include an assessment of all devices and media that receive, store, or transmit EPHI. An asset listing is the best place to begin to ensure that all computers, servers, removable media, and other devices are considered. Provider cell phones, medical devices/equipment and any other devices that may receive, transmit, or store EPHI must be included. OCR suggests considering all of the ways that EPHI is created or received, how it flows through your organization, and how it leaves or is disclosed.

Deficiency – Audit controls are not in place to record and examine information system activity, neither through manual monitoring nor through an automated rules-based system. Too often, OCR finds that attackers have infiltrated a regulated entity’s network, conducted surveillance, and exfiltrated data over a protracted period, sometimes for months.

Corrective actions – The Security Rule requires implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. This can be accomplished through manual processes or through an automated cybersecurity system. Cybersecurity software such as anti-malware software, intrusion detection and response solutions can not only detect and alert appropriate personnel, but oftentimes can also proactively take measures to contain or impede the progress of a cyber-attack.

In addition, OCR recommends all covered entities take the following steps:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Ensure that EPHI backups are secure, current, accessible and recoverable at all times through performance of periodic test restorations.
  • Integrate risk analysis and risk management into business processes regularly.
  • Encrypt ePHI to guard against unauthorized access to ePHI. 
  • Incorporate lessons learned from incidents into the overall security management process. 
  • Provide training specific to the organization and job responsibilities, and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

Resources

If your organization is due to conduct an accurate and thorough security risk analysis, the following resources are available:

HHS Security Risk Analysis Tool – Assistant Secretary for Technology Policy (ASTP), in collaboration with OCR, offers a free, downloadable Security Risk Assessment Tool here: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

A User Guide for the Security Risk Assessment Tool is available here: https://www.hhs.gov/guidance/document/security-risk-assessment-sra-tool-user-guide

If you are a subscriber to the Eagle Associates HIPAA program, you have access to a Security Risk Analysis tool, and complete Security Rule policies in Section 4.00 of the manual, along with training for staff.

Eagle Associates recorded a Security Risk Analysis webinar for subscribers of the HIPAA Compliance System. This detailed, step-by-step recording, with explanations of each specification, findings and corrective actions, can be purchased for $225. Send an email to info@eagleassociates.net or call us at (800) 777-2337.

We will follow-up with more ransomware prevention measures in the January issue.

Updated Guidance for COVID-19 Infection Control

The U.S. Centers for Disease Control and Prevention (CDC) has outlined specific isolation and return-to-work recommendations for healthcare personnel (HCP) regarding COVID-19 infections. In addition to measures such as vaccination, source control, ventilation, disinfection, distancing, and the use of PPE, the CDC recommends an isolation and testing protocol for HCP to prevent the spread of COVID-19 in healthcare settings. This guidance is intended to advise the duration of workplace restrictions for HCP with COVID-19 infections.

Testing

Any HCP with symptoms of COVID-19, even mild symptoms, should undergo testing as soon as possible using an antigen detection assay or nucleic acid amplification test (NAAT). If using an antigen test, a negative result should be confirmed by a NAAT or by a second negative antigen test taken 48 hours after the first negative test. A single negative NAAT is sufficient in most circumstances.

Return to Work After Infection

When determining whether an employee may return to work after a COVID-19 infection, employers should consider both the severity of symptoms and the presence of immunocompromising conditions. HCP should self-monitor for symptoms and report the recurrence or worsening of symptoms.

Either a NAAT (molecular) or antigen test may be used for testing. If using an antigen test, HCP should have a negative test obtained on day 5 and again 48 hours later. HCP with mild to moderate symptoms of COVID-19 who are not moderately to severely immunocompromised could return to work when:

• At least 7 days have passed since symptoms first appeared if a negative viral test is obtained within 48 hours prior to returning to work (or 10 days if testing is not performed or if a test is positive at day 5-7), and

• At least 24 hours have passed since last fever without the use of fever-reducing medications, and

• Symptoms (e.g., cough, shortness of breath) have improved.

HCP who are asymptomatic and who are not moderately to severely immunocompromised could return to work when at least 7 days have passed since symptoms first appeared if a negative viral test is obtained within 48 hours prior to returning to work (or 10 days if testing is not performed or if a test is positive at day 5-7). HCP with severe to critical symptoms of COVID-19 (which generally require hospitalization) and who are not moderately to severely immunocompromised could return to work when:

• At least 10 days and up to 20 days have passed since symptoms first appeared, and

• At least 24 hours have passed since last fever without the use of fever-reducing medications, and

• Symptoms (e.g., cough, shortness of breath) have improved.

The test-based strategy as described below for moderately to severely immunocompromised HCP can be used to inform the duration of work restriction:

• HCP who are moderately to severely immunocompromised may shed the virus beyond 20 days after symptom onset. These individuals should use a test-based strategy in consultation with an infectious disease specialist or other occupational health specialist to determine the appropriate time frame for returning to work.

Return to Work After Exposure

If HCP are exposed to someone with a confirmed case of COVID-19, testing or restriction from work may be necessary based on the risk level of the exposure. High-risk exposures include the HCP’s eyes, nose, or mouth being exposed to material potentially containing the COVID-19 virus, especially if the HCP were present during an aerosol-generating procedure. Other types of exposures should be evaluated on a case-by-case basis, considering factors such as the use of PPE, hand hygiene, ventilation, and source control.

High-risk exposures can be classified as having prolonged (more than 15 total minutes), close (within 6 feet) contact with an individual with confirmed COVID-19 and:

• HCP was not wearing a respirator, or if HCP was wearing a facemask and the infected person was not wearing any type of mask

• HCP was not wearing eye protection, and the infected person was not wearing any type of mask

• HCP was not wearing all of the recommended PPE (gown, gloves, eye protection, respirator) while present for an aerosol generating procedure

Following a high-risk exposure, HCP should have a series of three viral tests for COVID-19 infection. Testing should be completed no earlier than 24 hours after exposure, and if negative, two more tests each 48 hours apart. This means the HCP should test on days 1, 3, and 5 after an exposure. Following an exposure, HCP should wear well-fitting source control and monitor themselves for fever and other symptoms. If they develop any symptoms, they should immediately isolate and contact the employer for testing and evaluation.

Generally, work restriction is not required for asymptomatic HCP following an exposure to COVID-19. Work restrictions should be considered in certain cases such as:

• HCP cannot be tested or wear source control for the recommended 10 days following the exposure

• HCP is moderately to severely immunocompromised or works with patients who are moderately to severely immunocompromised

• HCP works in a unit that is experiencing ongoing COVID-19 transmission that is not controlled

If work restriction is recommended after an exposure, HCP may return to work 7 days after the exposure if they do not develop symptoms and all testing is negative. If no testing is performed, HCP may return to work 10 days following the exposure if they do not develop symptoms.

If HCP are exposed to COVID-19 outside of the workplace, their exposure risk level should be evaluated based on the same risk factors above. Exposures to household contacts with confirmed COVID-19 should be treated as a high-risk exposure.