<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
Show all

OCR Priorities for 2019-2020

In the recent HIPAA conference organized by the Office for Civil Rights (OCR) and National Institute of Standards and Technology (NIST), OCR Director Roger Severino and Serena Mosley-Day, Senior Advisor Compliance and Enforcement for OCR, both talked about the focus of OCR and enforcement actions taken over the past few months.

Future billing is PHI

One of the first items of concern that Director Severino highlighted was Surprise Billing, where he referred to high unexpected costs presented to patients without giving them any advance notice of what that cost is likely to be.   He said that future billing information is considered Protected Health Information (PHI) and patients have the right to know what their expected out-of-pocket costs will be for items or services before they receive care. Just like a bank provides a good faith estimate to a real estate buyer prior to closing on the transaction, covered entities should also be responsible for providing accurate estimates to patients for health care.

Patient’s Right of Access

Director Severino indicated that OCR has recently placed focus on patient’s right of access to information, because they have seen that there is significant deficiency in this area.  Per HIPAA, patients have the right to request any or all of their health information and providers must give them the information requested within 30 days and may charge a reasonable fee to do so.  

As recently as September 2019, the first enforcement action on patient right of access was settled with Bayfront Health St. Petersburg.  In 2017, a mother had requested fetal records of her unborn child, and was denied these records.  She went on to hire an attorney and eventually, after about 14 months, received the full records she had asked for.  OCR investigated this and levied a penalty of $85,000.   This shows that the number of patients impacted for right of access is not a driving factor for enforcement.  Even a single patient’s complaint is taken seriously enough by OCR.

Hacking/ IT Incidents

The future focus of OCR will most likely be on hacking and IT security breaches.   Over the last years, hacking/IT incidents have grown to become 61% of the total number of breaches.   Of breaches affecting 500 or more individuals, the number of hacking/IT incidents has increased from 39 reported in 2014 to 149 reported in 2018.   Email and network server issues contribute to about 65% of breaches, and this number has also increased significantly over the years.   They have seen the number of breaches increase due to email phishing attacks as well as network server hacks.  It is likely that we will continue to see more healthcare data breaches due to compromise of email and network servers.

Cybersecurity concerns and trends

Director Severino and Serena Mosley-Day highlighted some cybersecurity concerns and trends that OCR has seen in the recent past, and has urged providers to take these concerns seriously in their own healthcare entities.  The issues they highlighted at the conference were:

  • Ransomware – OCR assumes a breach in the case of a ransomware attack. Be sure to follow breach notification protocol any time you experience a ransomware attack.
  • Phishing attacks – Phishing attacks have become much more sophisticated, therefore be sure to conduct regular phishing tests on your employees in addition to training them. 
  • Remote Desktop Protocol Vulnerabilities – be sure to apply manufacturer-issued patches as soon as possible. 
  • Weak authentication – they continue to see problems such as single factor authentication and poor password rules.
  • Access controls – there have been recent investigations where they found that covered entities have not enforced proper access control for current employees and those who have left the workforce. Shared passwords are a no-no - a huge effort will be needed to change passwords every time an employee leaves the department or the company.  Director Severino highlighted that there is a huge technical component to access control, but if you don’t have the human side covered, then you are at tremendous risk.

Your practical guide to HIPAA compliance 24By7Security

Recurring compliance issues

Some recurring compliance issues that OCR has seen in their recent investigations are:

  • Right of Access not honored
  • Lack of Business Associate Agreements
  • Failure to conduct a comprehensive Risk Analysis
  • Impermissible Disclosures
  • Failure to manage identified risk, e.g. encryption, lack of transmission security
  • Lack of appropriate auditing
  • Insider threats

As a covered entity or business associate under HIPAA, do pay heed to these recurring compliance issues and ensure that your entity is taking the necessary steps and following the needed administrative, technical and physical safeguards listed in the HIPAA Security Rule.

Rema Deo
Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.

Related posts

February, 20 2024
February, 14 2024
February, 6 2024

Comments are closed.

How a cyber range helps IT security teams in getting ready for a cyber attack
How to be HIPAA compliant on social media
Subscribe to our Blog!