In the keynote presentation at the HIMSS Privacy and Security Forum in Boston on 23rd September, the Director of the Office for Civil Rights (OCR), Leon Rodriguez addressed the areas of focus for the HIPAA enforcement actions to be undertaken by OCR, and gave specific perspective advice for organizations that are under the purview of OCR. He also offered insights into how OCR will proceed with the audit program.
The Three Focus Areas
According to Rodriguez, the three areas of focus for enforcement actions will be:
- Major deficiencies or breakdowns in security. Often, a data breach is the catalyst for an investigation, but the security breakdown that is identified by OCR has little to do with the cause of the breach that triggered the investigation.
- Egregious disclosures of patient information. This is with reference to cases where the exposure of PHI was totally unwarranted, and had nothing to do with the ‘quantity’ of patient records involved.
- Failure to provide access. The HIPAA Omnibus rule allows patients to have access to information in their electronic medical record. Quoting the Cignet case where access was not provided, and no cooperation was extended to OCR during its investigation, Rodriguez described it as the ‘sleeper’ category for enforcement.
Following this, Rodriguez stated that OCR has a new portal where complaints will be captured, and that around 18,000 complaints are expected on this portal annually. He also said that the majority of these complaints will be potential HIPAA violations.
Advice and Guidance
Rodriguez provided valuable advice to covered entities and business associates about complying with the omnibus rule and avoiding breach incidents. Emphasizing the importance for every organization to know where PHI is stored and what the most significant vulnerabilities are, he reiterated that the key to compliance begins with a thorough security risk analysis which can identify the weakest link that may be the one causing an entire organization to face scrutiny.
Speaking about the value of encryption, Rodriguez said that there is a widespread misperception that encryption is not a cost-effective solution to avoiding unauthorized disclosure of PHI, but in reality encryption is of great value for any covered entity or business associate.
Permanent Audit Program
Delving into the learnings of the recently concluded pilot audit program, Rodriguez also gave some perspective into what would be the key focus of the permanent audit program. Reiterating the importance of the role played by security risk analysis, he said that one of the key findings of the pilot audit was that failure to conduct risk analysis increases the chances of a breach.
Rodriguez also said that he would like the permanent audit program to address a larger population of entities, and that in order to accomplish this, OCR is in the process of adding permanent staff to complement outside auditors. Another noteworthy point is that OCR will continue to use civil monetary penalties as a tool in their enforcement actions going forward.
Rodriguez’s talk clearly expressed themes that have been constantly emphasized by OCR. He stressed the need for a security risk analysis, and its value as the cornerstone of a positive HIPAA compliance posture. He also highlighted the value of encryption technology for maintaining an appropriate security posture.
With ‘meaningful use‘ driving more healthcare entities to adopt electronic health record (EHR) systems, there may be an increase in the number of complaints arising from challenges that patients will have in gaining access to their health records. So entities should address these challenges even as they adopt EHR systems.
OCR is likely to carry out rigorous enforcement actions under the permanent audit program, which will cast a wider net to identify many more entities lacking in security and privacy controls and compliance. At this juncture, healthcare organizations can greatly benefit by adopting comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC to ensure compliance with HIPAA rules and to effectively handle the upcoming audit.