OCR is serious about enforcement!
That is the message that three officials from the U.S. Department of Health and Human Services' Office for Civil Rights made clear as they presented at the 19th National HIPAA Summit. The three officials who presented (the links below take you to their presentations [PDF]) were:
- Susan McAndrew – Deputy Director for Health Information Privacy
- David S. Holtzman – Health Information Privacy Specialist
- Valerie Morgan-Alston – Deputy Director for Enforcement and Regional Operations
Each of their presentations went into details of how OCR has been working to enforce HIPAA regulations. I urge you to read each one fully but I will point out some of the more interesting points of their presentations.
Susan McAndrew
McAndrew pointed out that there have been 241 reports of security incidents that affected 500 or more individuals and over 29,000 incidents that affected fewer than 500 individuals. Laptops and portable devices continue to be the main cause of breaches.
She went on to state that there have been around 58,000 privacy complaints since 2003 and that 91% of the complaints have been resolved. Of the 58,000 complaints, around 19,400 have been investigated and 64% have led to corrective actions (fines, I presume).
McAndrew went into details of the latest HIPAA fines that have been handed out including the $4.3 million fine to Cignet Health/Maryland. She also discussed the training program for the 50 State Attorneys General.
David S. Holtzman
Holtzman went into details about some of the security breaches and enforcement activity. His presentation was very interesting and some of the slides are below.
He said that every complaint the OCR receives is reviewed and analyzed, and an investigation is launched if the facts suggest an organization failed to comply with the HIPAA regulations.
Compliance reviews include evaluating an organization's policies and procedures. All breaches that affect over 500 individuals are reviewed.
In a very interesting slide, Holtzman showed the most frequent Security Rule issues: lack of security incident response, lack of security training, lack of access controls and information access controls, and lack of workstation security.
The next two slides give some good insight into the most common causes of breaches as well as where the information was located in the breach.
He ended with some valuable lessons learned including stressing that encryption should be used on data at rest on desktops as well as portable devices.
Valerie Morgan-Alston
Morgan-Alston went into details on some of the fines that have been handed down, including Cignet, Massachusetts General Hospital and Rite Aid.
But in the most interesting slide she went on to say:
In light of OCR's clearly articulated intention to aggressively enforce the HIPAA Privacy and Security Rules, covered entities and business associates should review their current HIPAA compliance programs.
A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.
All in all, a few clear messages were presented. OCR is serious about enforcement and used several recent cases as examples. More enforcement and more fines are coming. Make sure you have policies and procedures in place. And use encryption for data on desktops and portable devices.