Iliana Peters recently provided a thorough update on HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors. Iliana is an attorney and senior advisor for HIPAA compliance and enforcement at the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). She addressed a wide range of compliance issues at the Annual Compliance Institute hosted by the Health Care Compliance Association in Washington, D.C.
Key points for HIPAA enforcement trends and OCR endeavors:
OCR will continue to provide guidance to providers and business associates in an effort to inform covered entities (CEs) and business associates (BAs) of best practices for the HIPAA compliance problem areas it sees most often, such as impermissible disclosures, lack of a business associate agreement (BAA), incomplete or inaccurate risk analysis, failure to manage identified risk, lack of appropriate auditing, lack of transmission security, mobile device security, software patching, insider threats, disposal of PHI, and insufficient backup and contingency planning.
As part of HIPAA enforcement trends, privacy issues will be a major OCR priority this year. OCR will be issuing related guidance on topics ranging from social media privacy; use of certified electronic health record technology (CEHRT) and compliance with the HIPAA Security Rule (with ONC); privacy and security for the “All of Us” (PMI) research program; the Resolution Agreement and Civil Monetary Penalty (RA/CMP) process; updates to existing FAQs to account for the Omnibus Rule and other recent developments; and the “minimum necessary” requirement.
OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters confirmed that Phase 2 of the OCR audit program (desk audits) is winding down, and Phase 3 on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. More than 150,507 complaints have been received to date. Over 24,879 cases have been resolved with corrective action and/or technical assistance. OCR expects to receive 17,000 complaints this year.
Ransomware attacks will constitute a breach unless there is substantial evidence to the contrary. HIPAA-regulated covered entities and their business associates will now be responsible for following the specific guidance laid out by OCR in the event of a ransomware attack. It is no longer enough to be defensive; healthcare organizations must be proactive.
Cloud providers are generally business associates. A covered entity will have to understand what risk to its data exists in that type of solution. Business associates, including cloud computing vendors, will be liable when they fail to comply with the HIPAA Rules.
Peters reported that OCR has levied only 3 Civil Monetary Penalties over the years. OCR will go to court for a Civil Monetary Penalty when the entity refuses to negotiate and settle through a Resolution Agreement.
Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptop computers, that were not properly protected with encryption and passwords. A covered entity or business associate that suffers a breach because it transmitted unencrypted PHI over the internet will likely garner little sympathy from OCR going forward.
The presentation also identified two long-term regulatory goals to implement certain provisions of the HITECH Act.
Watch our video, Five Steps to HIPAA Compliance, from 24By7Security, Inc. on Vimeo.