“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement, at the 2017 Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics. Peters stated that OCR continues to receive and resolve an increasing number of complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. She noted that OCR has received 150,507 complaints to date, of which 24,879 were resolved with corrective action measures or technical assistance. At the current rate of reports, OCR estimates it will receive 17,000 complaints in 2017. She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on topics ranging from social media privacy and certification of electronic health record technology to the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules, including mobile device compliance. They cover privacy, security, and breach notification. It is expected that among the results of this effort will be increases in monetary penalties this year. Phase 3 will follow the same general approach currently being used, which includes review of controls for privacy protection, breach notification, and security management.
In her comments about what OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptop computers, that were not properly protected with encryption and passwords.
Peters provided in her slide presentation considerable advice as to what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:
- ensure that changes in systems are updated or patched for HIPAA security;
- determine what safeguards are in place;
- review OCR guidance on ransomware and cloud computing;
- conduct accurate and thorough assessments of potential PHI vulnerabilities;
- review for proliferation of electronic PHI (ePHI) within an organization;
- implement policies and procedures regarding appropriate access to ePHI;
- establish controls to guard against unauthorized access;
- implement policies concerning secure disposal of PHI and ePHI;
- ensure that disposal procedures for electronic devices provide for clearing, purging, or destruction;
- screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
- ensure departing employees’ access to PHI is revoked;
- identify all ePHI created, maintained, received or transmitted by the organization;
- review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
- ensure security measures are sufficient to reduce risks and vulnerabilities;
- investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
- verify that corrective action measures were taken and controls are being followed;
- ensure when transmitting ePHI that the information is encrypted;
- ensure explicit policies and procedures for all controls implemented; and
- review system patches, router and other software, and anti-virus and anti-malware software.