The following are key ten enforcement issues that the OCR continues to encounter through its enforcement of HIPAA. You need to be aware of these.
HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by OCR all center on the need for authorization, and include:
- Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
- Covered entities publishing PHI on their website or on social media without an individual’s authorization.
- Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
- Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
Lack of Business Associate Agreements – Important HIPAA Enforcement Issue
OCR continues to see covered entities failing to enter into business associate agreements. This is an often overlooked HIPAA compliance issue.
Incomplete or Inaccurate Risk Analysis
Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to OCR, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
Failure to manage identified risks
HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
Lack of transmission security
While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
Lack of Appropriate Auditing Impact HIPAA Enforcement
HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The OCR has highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for which media interest exists, and access to PHI of employees.
Patching of Software
The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. OCR has pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
OCR has identified insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
Disposal of PHI
HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
Insufficient Backup and Contingency Planning
Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.