HIPAA Enforcement - Are you ready for 2017?
HIPAA enforcement is getting more serious in 2017 – are you ready? Jocelyn Samuels, Director of the Office for Civil Rights (OCR), has classified digital threats as a public health crisis. OCR is expanding its HIPAA enforcement activities, including an audit program that now covers both desk audits and comprehensive on-site audits of covered entities as well as business associates. Much of the money collected this year through OCR enforcement actions is being funneled into the audit program. OCR Deputy Director Deven McGraw has also announced that OCR may open a compliance review, especially if an audit finds a significant risk to Protected Health Information (PHI) or if the entity being audited does not respond to a request for documentation. Beyond OCR, the Federal Trade Commission (FTC) and state governments are also expected to weigh in more heavily on patient privacy and consumer protection. Though the regulatory landscape may change under a new Administration in 2017, the threats are clear, so cyber security and HIPAA compliance remain an important priority.
What should healthcare entities watch for in terms of cyber security and HIPAA? Ransomware remains a serious threat to healthcare practices. Theft, loss and improper disposal of PHI still account for the majority of breach reports. Phishing attacks are growing more sophisticated by the day. Missing or incomplete encryption of PHI leaves open doors for attackers. The number of healthcare organizations breached by sophisticated criminal organizations and nation-state actors continues to rise, and so do the resulting business losses. A healthcare organization must never underestimate the value of ongoing HIPAA and related security training, since employees remain the weakest link.
At the annual HIPAA conference organized by OCR and NIST (the National Institute of Standards and Technology), speakers focused on a major lesson learned from Phase I of the OCR audit program: the failure of many entities to conduct an accurate and thorough annual HIPAA Security Risk Assessment.
What actions can you take now, as a healthcare provider, to reduce your exposure to a HIPAA breach and to have your documentation in order in the event of an audit?
- Ensure that you have a current, completed annual HIPAA Security Risk Assessment, conducted either in-house or by a reputable HIPAA consulting firm.
- Follow the action plan you should have created from that comprehensive security risk assessment, and address open vulnerabilities as early as possible.
- Keep updated HIPAA policies and procedures and ensure that your employees are adhering to them.
- Train your employees every year on HIPAA.
- If you are moving your IT processes and data to cloud-based services, as many organizations are, review the recent OCR guidance on cloud computing and HIPAA before you do.
A HIPAA audit can be either a nightmare or easy to manage. By taking the few steps detailed above, you can manage your HIPAA requirements with discipline on a daily basis and rest assured that you are prepared for any OCR enforcement action that may come your way in 2017. This will, of course, also help keep your office protected from breaches and security vulnerabilities.
By Rema Deo.