OCR Provides Enforcement Update at the 2017 HCCA Compliance Institute.
Date posted: April 28, 2017
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently presented an OCR Enforcement Update at the HCCA Compliance Institute in March 2017. Senior Advisor for HIPAA Compliance, Iliana Peters, provided an update on enforcement, current trends, and breach reporting statistics. OCR continues to receive and resolve an increasing number of HIPAA violation complaints. OCR had received 150,507 complaints by the end of March, with 24,879 being resolved with corrective action measures or technical assistance. At the current rate, OCR is estimating receiving 17,000 complaints in 2017.
Ms. Peters indicated that privacy issues will be a major OCR priority this year. OCR will be issuing related guidance, ranging from social media privacy, certification of electronic health record technology, and the rationale for penalty assessment. The Senior OCR Advisor also spoke about OCR’s current Phase 2 audits involving 166 covered entities and 43 business associates. Phase 2 audits are conducted to ensure Covered Entities’ (CEs) and Business Associates’ (BAs) compliance with the HIPAA Privacy, Security, and Breach Notification Rules that include mobile device compliance. The audits address privacy, security, and breach notification requirements and are expected to result in increased monetary penalties this year. Phase 3 will include a review of control rules for privacy protection, breach notification, and security management.
OCR audits and investigations reveal that most HIPAA breaches result from poor control over systems containing personal health information (PHI). A particular vulnerability exists with mobile devices, such as laptop computers, that are not protected with encryption and a password. The OCR Enforcement Update provided considerable advice for Covered Entities regarding breach prevention and other HIPAA related problems.
The Senior OCR Advisor’s tips for HIPAA breach prevention include the following:
- Update or patch changes in the system for HIPAA security;
- Determine what breach safeguards are in place;
- Review OCR guidance on “ransomeware” and “cloud computing”;
- Conduct an accurate and thorough assessment of potential PHI vulnerabilities;
- Review proliferation of ePHI within an organization;
- Implement policies and procedures regarding appropriate access to ePHI;
- Establish controls to guard against unauthorized access;
- Implement policies concerning secure disposal of PHI and ePHI;
- Ensure that clearing, purging and destruction or disposal procedures are in place for electronic devices;
- Screen all work area individuals against the Office of Inspector General’s List of Excluded Individuals and Entities (LEIE);
- Ensure that departing employees’ access to PHI is revoked;
- Identify all ePHI created, maintained, received or transmitted by the organization;
- Review controls for PHI involving EHRs, billing systems, document/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
- Ensure security measures are sufficient to reduce risks and vulnerabilities;
- Investigate/resolve real or potential breaches identified in audits, evaluations, or reviews;
- Verify that corrective action measures are taken and controls are being followed;
- Ensure that ePHI is encrypted during transmittal;
- Ensure explicit policies and procedures are in place for all controls implemented; and
- Review the functioning of system, router and anti-virus and malware software.