Header graphic for print

HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Tips on Avoiding HIPAA Breaches for Patient-Employee Records

Posted in Articles, Privacy & Security, Sensitive Health Information

Our partner Elizabeth Litten and I were featured again by our good friend Marla Durben Hirsch in her article in the April 2016 issue of Medical Practice Compliance Alert entitled “5 safeguards to take with patient-employee health records.” Full text can be found in the April, 2016 issue, but a synopsis is below.

For her article, Marla asked us to comment about physician medical practices that provide medical treatment to their own employees and other staff or affiliates (collectively, “Patient-Employees”). She observed that “These medical records [of Patient-Employees] are not fair game for colleagues to view unless there’s a job-related reason for them to do so.”

Marla quoted Kline as saying that “It’s human nature to talk about others [that you know]. You also have rogue employees who are ‘frenemies’ [Or simply curious about a co-worker’s treatment].” Nonetheless, as Marla observed, events of improper access are not just potential HIPAA violations; they can also have a negative impact on the workplace.

Our five tips for reducing the risks of improper breaches of Patient-Employees’ health information that were developed with Marla follow:

Litten: Include employee privacy in your HIPAA education. “This is a topic for specific training.” For example, make sure that everyone in the office knows the practice’s HIPAA policies and procedures, and that all patients, even those who are employees are entitled to their privacy rights. Emphasize the fact that employees should only review records when it is necessary to do their job.

Kline: Limit access to the records. “For instance, not all employees need unfettered access to electronic medical records, so different staff members can have different levels of access.    Human resources shouldn’t be able to find out that an employee came in for [medical] help.”

Litten and Kline: Take consistent disciplinary action when warranted. An employee may need to be retrained, disciplined or even fired, and treat all workforce members the same, whether licensed professionals or other staff.

Litten: Require staff to report these kinds of breaches. “At the least the practice can argue that the employee had an obligation to report, and by not doing so the fault lay with the employee, not the employer.”

Litten and Kline: Don’t let Patient-Employees take shortcuts to access their records. All patients are entitled to access their records; Patient-Employees should be required to go through the same procedures to access their records as any non-Patient-Employee.

In this ever more-challenging environment of compliance with the privacy and security requirements of HIPAA (and other applicable federal and state laws), a health care provider should limit the risks appurtenant to providing treatment to its own employees as patients, especially since it may be an economical and efficient alternative. There are enough external risks lurking about. Through establishing discrete policies and procedures, a provider can do much to control its internal risks involving Patient-Employees.

A Checklist to Get Ready for the HIPAA Audits (Part 2)

Posted in HIPAA Business Associates, HIPAA Enforcement, Privacy & Security

Jessica Forbes Olson and T.J. Lang write:

In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

A HIPAA compliance checklist for health care providers and insurers follows:

  • Determine whether for HIPAA purposes you are a hybrid entity, an affiliated covered entity or part of an organized health care arrangement. Document that status.
  • Appoint a HIPAA privacy official.
  • Appoint a HIPAA security official.
  • Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of patient or participant rights.
  • Determine where PHI is located, whether hard copy, electronic, or spoken.
  • Determine the reasons why PHI is used or disclosed (e.g., treatment, payment, health care operations, public health reasons, public policy reasons, to government agencies or officials).
  • Determine which departments and workforce members have access to PHI, why they have such access and the level of access needed.
  • Identify and document the routine requests, uses and disclosures of PHI and the minimum necessary for those requests, uses and disclosures.
  • Identify all business associates: vendors that create, maintain, use or disclose PHI when performing services for your entity.
  • Have executed business associate agreements with all business associates.
  • Have and follow written HIPAA privacy, security and breach notification policies and procedures.
  • Train all workforce members who have access to PHI on the policies and procedures and document the training.
  • Have and use a HIPAA-compliant authorization form.
  • Have and follow process for verifying the status of personal representatives.
  • Distribute a notice of privacy practices and providers must attempt to obtain acknowledgment of receipt of notice from patients and post one in each facility where patients can view it.
  • Establish and document reasonable administrative, technical and physical safeguards for all PHI, including hard copy and spoken PHI.
  • Conduct and document a HIPAA security risk analysis for all electronic PHI (e.g., PHI on desktops, laptops, mobile phones, iPads and other electronic notebooks, copy machines, printers, discs and thumb drives).
  • Address risks to ePHI that are identified in the HIPAA security risk analysis.
  • Update your HIPAA security risk analysis periodically or when there is a material change in your environment that does or could impact PHI or if there are changes in the law impacting PHI.
  • Encrypt PHI to fall within the breach safe harbor.
  • Have written disaster recovery and contingency plans.
  • Prepare for and respond to security incidents and breaches.
  • Comply with HIPAA standard transactions and code set rules related to electronic billing and payment.
  • Although it will not be covered by the audits, comply with more stringent state privacy and security laws (e.g., document retention; patient consent; breach reporting).
  • Maintain HIPAA compliance documentation in written or electronic form for at least 6 years from the date the document was created or last in effect.

For more information about OCR audits or assistance in conducting a HIPAA compliance review, please contact any member of the Fox Rothschild Health Law practice group.


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

HIPAA Audits: Ready or Not Here They Come! (Part 1)

Posted in HIPAA Business Associates, HIPAA Enforcement, Privacy & Security

Jessica Forbes Olson and T.J. Lang write:

On March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits during 2016. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

The round two audits will occur in three phases: desk audits of covered entities, desk audits of business associates, and finally, follow-up onsite reviews. It is reported OCR will conduct about 200 total audits; the majority of which will be desk audits.

OCR has already begun the process of identifying the audit pool by contacting covered entities and business associates via email.  Health care providers,   insurers and their business associates should be on the lookout for automated emails from OCR which are being sent to confirm contact information. A response to the OCR email is required within 14 days. OCR instructed covered entities and business associates to check their spam or junk email folders to verify that emails from OCR are not erroneously identified as spam.

After the initial email, OCR will send a pre-audit questionnaire to entities it may choose to audit. Receiving a pre-audit questionnaire does not guarantee your entity will be audited. The purpose of the questionnaire is to gather information about entities and their operations, e.g., number of employees, level of revenue, etc. The questionnaire will also require covered entities to identify all of their business associates. Health care providers and insurers who have not inventoried business associates should do so now.

Entities who fail to respond to the initial OCR email or questionnaire will still be eligible for audit. OCR will use publicly available information for unresponsive entities to create its audit pool.

OCR will then, in the “coming months,” randomly select entities to audit and notify them via email that they have been selected for audit.

Health care providers, health insurers and business associates should check their HIPAA compliance status before they are contacted by OCR. Once selected for an audit, entities will only have 10 business days to provide the requested information to OCR.

Recent OCR enforcement activity has shown that noncompliance with HIPAA can be costly:

  • A Minnesota-based hospital entered into a $1.55 million settlement for failure to implement one business associate agreement and failure to conduct a HIPAA security risk analysis;
  • A teaching hospital of a university in Washington entered into a $750,000 settlement for failure to conduct an enterprise-wide HIPAA security risk analysis;
  • An insurance holding company based in Puerto Rico entered into a $3.5 million settlement for failure to implement a business associate agreement, conduct a HIPAA security risk analysis, implement security safeguards and for an improper disclosure of protected health information (“PHI”);
  • A radiation oncology physician practice in Indiana entered into a $750,000 settlement for failure to conduct a HIPAA security risk analysis and implement security policies and procedures.

If you receive any communications from OCR, please contact a member of the Fox Rothschild Health Law practice group immediately. A proactive review of your HIPAA compliance status can identify potential gaps and minimize the risk of potential penalties.

In Part 2, we’ll provide a HIPAA compliance checklist for healthcare providers and insurers. Stay tuned!


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

There’s An App For That Health Information – But is it HIPAA-Covered?

Posted in EHR and PHR, Health IT

“Maybe” is the take-away from recent guidance posted on OCR’s mHealth Developer Portal, making me wonder whether the typical health app user will know when her health information is or is not subject to HIPAA protection.

The guidance is clear and straightforward and contains no real surprises to those of us familiar with HIPAA, but it highlights the reality that HIPAA, originally enacted close to 20 years ago, often becomes murky in the context of today’s constantly developing technology. Here’s an excerpt from the guidance that illustrates this point:

Consumer downloads to her smart phone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records. The app also contains the plan’s wellness tools for members, so they can track their progress in improving their health.  Health plan analyzes health information and data about app usage to understand the effectiveness of its health and wellness offerings.  App developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage, and organize their health records, to improve their health habits and to send health information to providers.

Is the app developer a business associate under HIPAA, such that the app user’s information is subject to HIPAA protection?

Yes, with respect to the app offered by the health plan, and no, when offering the direct-to-consumer app. Developer is a business associate of the health plan, because it is creating, receiving, maintaining, or transmitting protected health information (PHI) on behalf of a covered entity.  Developer must comply with applicable HIPAA Rules requirements with respect to the PHI involved in its work on behalf of the health plan.  But its “direct-to-consumer” product is not provided on behalf of a covered entity or other business associate, and developer activities with respect to that product are not subject to the HIPAA Rules.  Therefore, as long as the developer keeps the health information attached to these two versions of the app separate, so that information from the direct-to-consumer version is not part of the product offering to the covered entity health plan, the developer does not need to apply HIPAA protections to the consumer information obtained through the “direct-to-consumer” app.

So if I download this app because my health plan offers it, my PHI should be HIPAA-protected, but what if I inadvertently download the “direct-to-consumer” version? Will it look different or warn me that my information is not protected by HIPAA?  Will the app developer have different security controls for the health plan-purchased app versus the direct-to-consumer app?

HIPAA only applies to (and protects) individually identifiable health information created, received, maintained or transmitted by a covered entity or business associate, so perhaps health app users should be given a “Notice of Non-(HIPAA) Privacy Practices” before inputting health information into an app that exists outside the realm of HIPAA protection.

Breach or Ransomware Attack? Can’t Sue Under HIPAA, but Maybe Under CFAA

Posted in Privacy & Security, Uncategorized

The following post was contributed by our colleague Lucy Li.

HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA.  Similarly, when a ransomware attack blocks access to protected health information, employers also cannot sue under HIPAA.  HIPAA violations and ransomware attacks and can be costly to deal with.  Just ask Hollywood Presbyterian Medical Center. But employers have one potential remedy: suing the perpetrator of the access, interference, or misuse for violating the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is a federal law that prohibits fraudulent access to protected computer information. The law prevents unauthorized access or access that exceeds the user’s authority to a protected computer to obtain private information, such as patient data or trade secrets.  The law also prohibits the use of ransomware to extort money or anything of value. If these cyber-attacks occur, the CFAA allows the employer to file a civil lawsuit against the hacker or the rogue employee to recover damages for economic harm.

Best Practices and CFAA Tips

  1. Prevention is best. Encrypt your data and use sophisticated firewalls and security patches to prevent hackers from accessing protected information. Litigation is a tool to recover for economic harm, but it is costly.
  2. Limit electronic access. Give employees or contractors just enough access to perform their job duties. Nothing more.
  3. Disable log-in rights of an ex-employee or contractor as soon as the employment or contractual relationship ends.
  4. State law. The applicability of the CFAA varies by state. Individual states may also have their own causes of action under state computer fraud laws or trade secret appropriation for stealing patient lists.  These laws may be additional tools to help you recover from a HIPAA violation or a ransomware attack.

Health System Settles for $1.5 Million for Failing To Implement Business Associate Agreement

Posted in HIPAA Enforcement

Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a workforce member OF A of a business associate’s (BA’s) locked vehicle, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that, North Memorial began providing Accretive with access to its PHI on March 21, 2011, and the parties did not enter into a business associate agreement until October 14, 2011

In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.

In a press release, OCR director Jocelyn Samuel said:

“Two major cornerstones of the HIPAA Rules were overlooked by this entity.  Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Accretive Health, Inc. may be a familiar name to readers of this blog.  In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care.  This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota.  The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health  Services.  One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.

The lessons for covered entities from this continuing saga are clear:

  • Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media.  (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed  — it can be easily exploited by thieves and dumpster-divers).
  • Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
  • Know your BAs and control what they do with your data.  Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
  • Do not take your HIPAA obligations lightly.  North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.

Death and HIPAA Privacy Rights: What Would Justice Scalia Have Said?

Posted in Privacy & Security

This week’s headlines read: “Scalia’s death probably linked to obesity, diabetes and coronary artery disease, physician says” and “Scalia suffered from many health problems”.   An article from a couple of weeks ago, immediately following reports of Justice Scalia’s February 13th death, reported that Scalia’s doctor said he had chronic cardiovascular disease.

These articles do not say whether the physician(s) who released Scalia’s health information did so in compliance with HIPAA, or whether any subsequent release of this information was HIPAA-compliant. The HIPAA regulations make it clear that the death of an individual does not mean the death of that individual’s right to have his or her individually identifiable health information protected under HIPAA (at least, not until the individual has been deceased for more than 50 years).

Justice Scalia’s status as a public figure, and the public’s general interest in the news of his death, also does not affect his HIPAA rights. As noted in Bill Maruca’s post about New York Giants’ defensive end Jason Pierre-Paul’s injuries last summer, there is no “public figure exception” to HIPAA.  Bill also accurately noted, in his blog about the Ebola cases treated in Texas in 2014, that there is no HIPAA exception for “newsworthy or unusually terrifying medical conditions.”

HIPAA permits a covered entity to disclose protected health information (PHI) to a coroner or medical examiner for the purpose of identifying a cause of death, but does not authorize  the coroner or medical examiner to further disclose the PHI. Because HIPAA also permits an executor, administrator, or other person who has authority to act on behalf of a deceased individual to act as the deceased person’s personal representative, such an authorized person might have provided a HIPAA-compliant authorization to Scalia’s health care providers to disclose Scalia’s PHI to third parties.  In addition, there are other ways in which PHI of someone who has died might be disclosed in compliance with HIPAA, but none of the articles I read provide the detail needed to see whether these circumstances existed.

The articles do, however, make it clear that the late Justice suffered an array of health issues that were not publicized prior to his death.

What would Justice Scalia have said, if, in fact, his PHI was disclosed improperly? His decisions involving the Fourth Amendment may provide some clues, but they are not precisely on point, and we cannot ask the Justice.  We can simply remind covered entities that HIPAA protections have an after-life —  and deserve (in fact, require) post-mortem respect.

 

Apple, the FBI, and iPhone Encryption: A Battle of Biblical Proportions with Implications for HIPAA

Posted in Encryption, Health IT, Privacy & Security

Whether it was an apple or a quince, pomegranate, or some other more botanically-likely fruit growing in the Garden of Eden, God’s command in Genesis was clear: do not eat the fruit from the tree of the knowledge of good and evil.  When Adam and Eve ate the apple (or other fruit) anyway, they gained knowledge of evil (they already knew good).

Many thousands of years later, the battle between Apple and the FBI over device encryption oddly echoes themes from this ancient biblical story.   Is the knowledge of evil potentially gained by unlocking an evildoer’s iPhone worth breaking society’s trust in the security of encryption?

Our law partner Amy Purcell recently posted the following on the Fox Rothschild “Privacy Compliance & Data Security” blog:

Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

I agree with Scott.

In January, I wrote here about the FTC’s announcement of a settlement with Henry Schein Practice Solutions, Inc. for falsely advertising that the software it marketed to dental practices provided the encryption necessary to protect patient data from breach. In reality, the software did not encrypt the data, but merely “camouflaged” or masked it from access by third parties.  The FTC’s action and settlement seemed to reflect the fact that encryption is viewed as the “gold standard” for protecting protected health information and other sensitive personal information, and advertising that a software product provides encryption when it really doesn’t is a problem.

If Apple is forced to create software that will break “gold standard” encryption so the FBI can gain knowledge of the evil that may lurk within a particular iPhone, this “gold standard” will be immediately devalued. In the HIPAA context, we will need another technology to render PHI “unusable, unreadable, or indecipherable to unauthorized persons” because, in essence, the biblical apple will have been bitten.

Six Tips for Providers to Reduce the Risk of Obtaining Unreliable HIPAA Compliance and Protection Software

Posted in Health IT

Our partner Elizabeth Litten and I had a recent conversation with our good friend Marla Durben Hirsch who quoted us in her Medical Practice Compliance Alert article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” Full text can be found in the February, 2016, issue, but some excerpts regarding 6 tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors are summarized below.

As the backdrop for her article, Marla used the $250,000 settlement of the Federal Trade Commission (the “FTC”) with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for alleged false advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA. Elizabeth has already posted a blog entry on aspects of the Henry Schein matter that may be found here.

During the course of our conversation with Marla, Elizabeth observed, “This type of problem [risk of using unreliable HIPAA software vendors] is going to increase as more physi­cians and health care professionals adopt EHR systems, practice management systems, patient portals and other health IT.”

The six tips listed by Marla are summarized as follows:

  1. Litten and Kline:

Vet the software vendor regarding the statements it’s making to secure and protect your data. If the vendor is claiming to provide NIST-standard encryption, ask for proof. See what it’s saying in its marketing brochures. Check references, Google the company for lawsuits or other bad press, and ask whether it suffered a security breach and if so, how the vendor responded.

 

  1. Kline: Make sure that you have a valid business associate agreement that protects your interests when the software vendor is a business associate.” However, a provider must be cautious to determine first whether the vendor is actually a business associate before entering into a business associate agreement.

 

  1. Litten: “Check whether your cyberinsurance covers this type of contingency. It’s possible that it doesn’t cover misrepresentations, and you should know where you stand.”

 

  1. Litten and Kline: See what protections a software vendor contract may provide you.”   For instance, if a problem occurs with the software or it’s not as advertised, if the vendor is not obligated to provide you with remedies, you might want to add such protections, using the Henry Schein settlement as leverage.

 

  1. Litten and Kline: Don’t market or advertise that you provide a level of HIPAA protection or compliance on your web-site, Notice of Privacy Practices or elsewhere unless you’re absolutely sure that you do so.” The FTC is greatly increasing its enforcement activity.

 

  1. Kline:Look at your legal options if you find yourself defrauded.” For instance, the dentists who purchased the software [from Henry Schein] under allegedly false pretenses have grounds for legal action.

The primary responsibility for compliance with healthcare data privacy and security standards rests with the covered entity. It must show reasonable due diligence in selecting, contracting with, and monitoring performance of, software vendors to avoid liability for the foibles of its vendors.

HIP-HIP(AA)-HOORAY: Margaret Davino, Esq. Joins Fox Rothschild HIPAA Team and Offers 5 Tips for 2016 HIPAA Compliance

Posted in HIPAA Enforcement, Privacy & Security

I’m sure fellow bloggers Bill Maruca and Michael Kline join me in giving three cheers for the recent growth in our firm’s health care practice (welcome, Minneapolis!) and ever-deepening pool of attorneys dealing with clients’ privacy and data security issues. But one recent addition to our team, Margaret (“Margie”) Davino, gets a fourth cheer for jumping into her new position as a partner practicing out of our New York City and Princeton, NJ offices and immediately leading a HIPAA webinar for HFMA’s Region 2 (metro NY) entitled “HIPAA: What to Expect in 2016”.

Margie covered a wide range of HIPAA topics, discussing how OCR investigations arise, preparing for Phase 2 of OCR’s audits, and how HIPAA might overlap or interplay with other laws (the FTC Act, state law causes of action, and the Telephone Consumer Protection Act, to name a few). For HIPAA nerds like me, it was a satisfying smorgasbord of HIPAA tidbits, past, present and future.  But several of Margie’s take-aways are particularly useful additions to the 2016 HIPAA compliance “To-Do” list:

  1. Make sure your security risk analysis encompasses all entities within your “family” – in other words, don’t just analyze your electronic health record, but focus on each entity and location from which protected health information (PHI) might be stolen or lost.
  2. If you are a small entity, make use of HHS’s Security Risk Assessment Tool to identify whether corrective action should be taken in a particular area. (In other words, there’s no excuse for ignoring item #1 on this list!)
  3. Encrypt data, if at all possible (and make sure it’s up to NIST encryption standards).
  4. Check that you have updated Business Associate (BA) Agreements in place for all BA relationships (and check first to make sure it’s really a BA relationship).
  5. Have a mobile device policy – and include mobile devices in your security risk analysis.

I like this short “To-Do” list because it helps prioritize HIPAA compliance tasks for 2016 based on what we have learned from breaches and enforcement actions in 2015 and prior years.