During the HCCA Compliance on Monday, April 20, 2015, Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement, HHS Office of Civil Rights, presented “Lessons Learned from Recent HIPAA Enforcement Action, Breaches and Pilot Audits”.
What’s to Come: Peters noted that OCR is still working on rulemaking concerning the accounting of disclosures requirement and the method for sharing penalty amounts with harmed individuals. She emphasized the importance of guidance issued by OCR and noted that topics OCR plans to address include the breach safe harbor, more on marketing, business associates, minimum necessary, and further guidance on the Security Rule. She also noted that a breach risk assessment tool is in the works.
Breach: Peters commented that in the event of a breach, OCR does not care whether the covered entity or the business associate notifies OCR, the individual and (when required) the media. The covered entity, however, remains ultimately liable for notification. For breaches involving 500 or more individuals, OCR statistics indicate that fifty-one percent (51%) of breaches result from theft. While so much of the focus these days is on e-PHI, Peters reminded attendees not to underestimate the risk to paper records.
Between September 2009 and February 27, 2015, OCR received approximately 1,144 reports of a breach of PHI involving 500 or more individuals and over 157,000 reports of breaches involving fewer than 500 individuals. Peters commented that a “[b]reach is what brings us to the entity, but noncompliance is what makes us stay.”
Security Rule: Peters emphasized the importance of performing a risk analysis within the organization and the need to take reasonable and appropriate measures to safeguard e-PHI such as:
- Encrypting data on portable/moveable devices and media
- Using a remote device wipe
- Appropriate data backup
- Training workforce members on how to effectively safeguard data and timely report security incidents
Peters also reminded attendees that under the Security Rule, “ ‘Addressable’ does not mean optional.”
Investigations and Enforcement: In 2014, OCR received approximately 17,000 complaints and is on track to receive even more in 2015. During the period of April 14, 2003 – January 31, 2015, OCR received over 109,000 complaints. While only one case has resulted in civil monetary penalties, Peters commented that when OCR approaches an organization to enter into a settlement agreement, it is prepared to prove its case and seek civil monetary penalties if a settlement agreement is not reached. She noted, however, that OCR prefers to settle issues via corrective action plans, which generally involve monitoring by OCR.
Today’s post was contributed by Shannon Reed.