Iliana Peters, Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast.
OCR reviews all data breaches involving the exposure of theft of greater than 500 healthcare records at one time. The body also investigates official complaints about potential HIPAA violations. Those reviews continue to reveal similar non-compliance issues. Ms Peters said many issues occur on a recurring basis.
She said one of the most commonly experienced problems is the failure to carry out a comprehensive, organization-wide risk assessment and ensure any vulnerabilities discovered are addressed through a HIPAA-compliant risk management process. Many recent settlements have highlighted just how frequently HIPAA covered entities get risk assessments incorrect, either failing to conduct them in the first place, not conducting them frequently enough or not conducting them to the standard demanded by HIPAA.
Ms Peters stated out that privacy violations are occurring on a regular basis, with many HIPAA-covered entities still not certain of the allowable uses and disclosures of PHI. OCR recently revealed that two settlements have been agreed with covered entities that have disclosed patients’ health information to employers and the media within proper permission.
Peters described how the healthcare industry is not doing a good job at preventing cybersecurity incidents. She said that and that warrants attention, but it is important for OCR not to just focus on the currently ‘sexy’ issues. OCR is also concentrating efforts on addressing the lack of safeguards for paper records and the failure to secure removable media.
In the case of the latter, there have been many instances where ePHI has been shown up due to the failure to use encryption. Peters said that if “[a device] can walk away from your enterprise, it will walk away.” OCR has settled cases with many organizations in recent months as a result of the lack of appropriate safeguards and policies and adequate procedures covering removable devices.
Peters stated that OCR has been working on sharing penalties with individuals that have been harmed by privacy violations, although that has been a challenging process as it is difficult to define and quantify harm. OCR is working on an advanced notice of proposed rule making and will be seeking direction from the public as to how funds should be shared.
The OCR is also working on initiatives to enhance privacy protections at non-HIPAA covered entities. For instance, patients are being advised to share their health data with research organizations and through the “All of Us” initiative. For those programs to make a difference, patients need to be sure their data will be protected. OCR is providing guidance to organizations and partners to ensure that patient data is protected, even if they are collected and stored by non-HIPAA-covered entities.
Peters also spoke of working with Certified EHR technology and how HIPAA applies to cloud computing, malware, and ransomware.