OCR Provides Update on HIPAA Enforcement Efforts

HIPAA privacy rulesThe recent WannaCry ransomware attack impacting hospital and healthcare information systems worldwide shone a bright light on the vulnerabilities of most healthcare provider’s networks.

But the problem extends far beyond this one case. In fact, there are near daily reports of patients’ private information being accessed due to a lack of appropriate security measures. And, it’s not just healthcare information, but addresses, phone numbers, social security numbers, financial information, the list goes on.

In the wake of these attacks, Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, provided an update on OCR’s enforcement activities in a recent Health Care Compliance Association podcast. It is OCR’s job to investigate all data breaches involving the exposure or theft of more than 500 healthcare records.

Peters notes that her agency picks cases to move to settlement on those that not only are “egregious,” but also those that “send a message to the industry” about the kinds of things they are looking for.

She recommends that healthcare organizations conduct an enterprise-wide risk analysis and follow up with appropriate safeguards.

Peters said many of those in the industry don’t understand the rules relating to how and when they can disclose information outside of their own organization. As a result, her agency is seeing increasing problems relating to the distribution of information to the media that isn’t permissible under the rule and which requires permission from a patient before information is shared.

Peters says matters relating to removable media such as thumb drives, other portable electronic devices and even paper records containing patient information that can “walk away” is a continuing problem.

Although matters relating to cybersecurity are relatively new, compared to other HIPAA-related problems plaguing the healthcare industry, Peters noted that the healthcare industry “is not doing a good job of preparing for cyber incidences.”

Peters said her agency is working on rules relating to the sharing of penalties or other recoveries with individuals who might be harmed as a result of a HIPAA violation. However, she noted that trying to determine and quantify harm, as well as finding the best way to share a recovery with an individual who has been harmed, is proving to be a challenge.

Electronic Health Record (EHR) technology is another area of concern for OCR. And while this technology makes it easier to share healthcare information with providers, insurers and even patients, it raises additional concerns. While such technologies must be certified to do certain things, Peters said her agency is working with the Office of the National Coordinator, (the agency that provides oversight) to determine what steps can be taken to better protect the information.

OCR provides those in the healthcare industry with specific guidance on matters relating to cyber threats including data backup, contingency planning, incidence response and how to work with a healthcare organization’s IT team on how to protect data. It also provides comprehensive guidance for those healthcare entities using cloud services and how a breach might impact them.

OCR had received 150,507 complaints by the end of March, with 24,879 being resolved with corrective action measures or technical assistance.  At the current rate, OCR is estimating receiving 17,000 complaints in 2017. Since February, OCR has announced settlements relating to HIPAA violations with seven healthcare organizations ranging from $31,000 to a whopping $5.5 million.

Having a compliance program in place is the first step in protecting yourself and your practice. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.

Material presented on the Health Law Offices of Anthony C. Vitale's website is intended for information purposes only.

It is not intended as professional advice and should not be construed as such.