While 2015 and 2016 saw the Office for Civil Rights (OCR) enter into a record number of settlement agreements, most of the complaints it receives do not involve a provable HIPAA violation, according to OCR Director Jocelyn Samuels.
Healthcare technology continues to evolve, and organizations are implementing new tools to improve patient care. However, this also means that there is more potential risk to the privacy and security of individuals’ health information, Samuels explained in an OCR email.
OCR will continue to focus “its enforcement efforts and its resources” in areas of alleged non-compliance and “where corrective action under HIPAA may be the only remedy.”
“We hope that our resolution agreements will provide a template for other health care entities to take the proactive steps necessary to ensure compliance with HIPAA requirements,” Samuels wrote. “We’ve also initiated Phase II of our Audit Program, which will enable us to target our technical assistance to emerging challenges, provide information about replicable practices, and correct problems before they ripen into HIPAA violations.”
In terms of OCR investigations, though, Samuels added that most of the complaints received by OCR involve situations in which it is difficult to prove whether a HIPAA violation took place. For example, in some of these cases evidence is missing or never existed, witnesses are no longer available for interviews, or the available evidence is insufficient to sustain a case.
“It’s hard for us not to be able to investigate every complaint, and we absolutely agree that every individual’s complaint is vital to that person,” she stated. “But we, as a federal agency, must invest our very limited investigatory resources to maximize the benefit for the American public—to get the most ‘bang for the taxpayers’ buck,’ if you will.”
Overall, “OCR is laser-focused on breaches occurring at health care entities,” especially as healthcare cybersecurity threats evolve and patient data increases in value on the black market. The agency is working to ensure that healthcare organizations of all sizes understand the steps they need to take to keep health information secure.
“We will continue our vigorous efforts to provide guidance and technical assistance, as well as to maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals,” concluded Samuels. “We look forward to partnering with all stakeholders in this work and are confident that, together, we can meet the challenges ahead and ensure the privacy and security of health information.”
Healthcare cybersecurity has been a key issue for the industry in 2016 thus far. A Health Care Industry Cybersecurity Task Force was even created under the Cybersecurity Information Sharing Act of 2015.
Task force representatives were selected by the Secretary of Health & Human Services, in coordination with the Department of Homeland Security and the National Institute of Standards and Technology.
“Enhancing cybersecurity in the health care sector can help reduce risks for the industry and give patients peace of mind,” Stephen Curren, Director of ASPR Office of Emergency Management, Division of Resilience, explained in a blog post. “The Task Force will use these inputs to augment its work and to support the broader goals of gathering information to disseminate to health care industry stakeholders; creating a single system for the Federal Government to share actionable cyber threat information; and developing the final report to Congress.”
The task force is also investigating practices currently used in other sectors to combat data security threats, as well as identifying the biggest gaps in the development and deployment of medical devices and EHRs. Finally, the task force is working to determine the challenges healthcare organizations must overcome when it comes to sharing cybersecurity information.