This year’s Safeguarding Health Information: Building Assurance through HIPAA Security conference, hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), provided some noteworthy HIPAA statistics and audit talking points.
The conference, which took place in Washington, D.C. Sept. 23-24, covered hot-topic areas such as breach management, strengthening cybersecurity in the healthcare sector, implementing health IT security safeguards, managing risk and securing mobile devices, but HIPAA was a particular area of interest.
According to jdsupra.com, OCR Senior Adviser for HIPAA Compliance and Enforcement Illiana L. Peters presented on the HIPAA Security Rule and, in doing so, offered some healthcare data breach statistics. First, OCR investigated 1,176 breach reports affecting 500 or more individuals between September 2009 and August 31, 2014, while there were 122,000 such incidents affecting fewer than 500 patients. And Peters said that 60 percent of data breaches could have been prevented if the HIPAA covered entities or business associates (BAs) involved had encrypted the data.
Proving that there is a “low probability that the data has been compromised” is a chief focus for OCR, as Peters said that investigators and enforcers look at the risk to the data, not the individual. And when facing a breach, the organization must be able to show that it had documented “evidence that the covered entity and the business associate appropriately and competently perform the risk assessment.”
One compliance grey area that Peters said OCR is looking to shore up is the definition of “compromised” with respect to data under the HIPAA Security Rule. The report added that covered entities and BAs should expect guidance on breach safe harbors; breach risk assessment tools; minimum necessary standards; marketing involving PHI; Security Rule guidance; methods for sharing penalty amounts with harmed individuals; and accounting of disclosures.
The OCR and NIST conference also included higher-level discussion of how HIPAA audits will be conducted, which aligned with the comments that OCR health information privacy senior advisor Linda Sanches made at the recent HIMSS Privacy and Security Conference. Sanches told the audience that OCR would be looking for evidence of compliance through documentation, and that covered entities and BAs can prepare by having that documentation ready ahead of time.
Organizations can make audits easier by being in compliance. We’ll be looking for periodic risk analysis and evidence of compliance, as well as documentation of policies and procedures being in place. For example, if we’re doing a comprehensive audit and looking at your sanction process, we’ll want to see instances where you’ve sanctioned people and whether it was consistent with your sanctions policy. Having those policies updated and in place will be valuable.
The other piece of advice that I would have for covered entities is to know who your BAs are, because we’ll be asking for the complete list, with contact information and the services they provide you. We’ll be using that list to select BAs for HIPAA audits. This is a good time to get your house in order.
Sanches added that OCR will be doing fewer desk audits and on-site comprehensive audits, including of BAs. Between the two conferences, it’s clear that OCR will focus on (among other things) encryption, documentation and risk analyses during audits.