Posted on 05.14.2010
No, really. They are serious about it.
HIPAA Enforcement is Hiring and Gearing Up for More Activity
Alerting all healthcare communications staff: we have fresh confirmation that a new era of diligence has begun at the Office for Civil Rights (OCR) in its enforcement of the HIPAA privacy and security rules. As you know, security breaches lead to public relations nightmares, especially when a regulatory investigation is involved. And officials are reminding us that they can now impose civil penalties of up to $1.5 million per year for violations of a single HIPAA provision.
Since enforcement of the HIPAA Security Rule moved from CMS to OCR in 2009, and enforcement of the breach notification rule began in February 2010, more than 75 health information breaches affecting 500 or more people each have been reported. OCR is taking this trend very seriously. In fact, Susan McAndrew, deputy director for privacy at OCR, made some enlightening comments earlier this week at an OCR-sponsored conference held in Washington, D.C.
It turns out OCR has added more investigators to their staff in 10 regional offices with the goal of investigating even more security breaches per year than had been projected when the office first staffed up. Right now they are conducting “compliance reviews” to help the 75 organizations with existing data breach issues to take corrective and preventative actions.
But consultants from Booz Allen Hamilton are in the process of helping OCR launch a new model for security rule audits – one that prioritizes pre-emptive action. Later this year OCR plans to begin these proactive audits of covered entities and business associates. Their goal is to identify and address security weaknesses in advance so that breaches are prevented.
Reports from the conference indicate that the auditors will be checking to see if organizations have completed their risk assessment and implemented appropriate administrative, technical and physical safeguards for protected health information (PHI). They will also be evaluating the organization’s efforts to uphold an individual’s right to access their own medical record and confirming that internal controls have been put into place to control unauthorized access to PHI.
So what are we hearing from the Information Security professionals on the front lines?
- Create comprehensive security policies and procedures based on thorough risk assessments;
- Train and re-train staff on steps to keep information secure;
- Consider whether to store sensitive patient data on fewer mobile devices; and
- Be sure to shred paper documents before disposal and destroy hard drives no longer in use.
Most of the security breaches reported to date have been the result of hardware theft or loss: laptops, hard drives, thumb drives and the like. As a result, most information security officers are starting with stronger encryption requirements for portable devices and media, strategic decisions about what data is allowed to live on those devices at all, and tighter physical security. Encryption matters for more than good practice: under the HHS guidance issued with the HITECH breach notification rule, PHI that has been encrypted in line with that guidance is not “unsecured” PHI, so the loss of a properly encrypted laptop generally does not trigger a reportable breach, while the loss of an unencrypted one does.
This doesn’t end at the doors of your organization. A new report from New Mexico serves as a warning to healthcare organizations nationwide to check on the security protocols of subcontractors. The New Mexico Medicaid program is currently advising almost 10,000 people that their medical data has been compromised due to a computer theft from the car of a subcontractor.
Some other risk factors have come up that are less obvious. Leased copiers with a hard drive may be a security risk if the hard drive is not wiped before returning it at the end of the lease. Likewise, phones and voice mail, as well as email, are not generally encrypted, leading to another set of risks. And in one case, a security patch download for one software program endangered the security of PHI held in another program on the same system.
But honestly, the most prevalent risks stem from inadvertent actions by employees. One of the most important things that an organization can do to avert breaches is to adequately train employees and provide clear guidelines about protocols, the reasons for those protocols, and the risks associated with breaking those protocols.
As the person charged with communicating the value of the brand, you are in a unique position to help with this kind of employee communication, framing it in a way that brings the message home so that people remember what is at stake when a protocol is inconvenient.
The bottom line is that communicators have a key role to play. Let’s face it. For all of their good intentions the CIO, CFO, and legal officers of a healthcare organization may not be able to provide a good calculation of the impact this kind of breach will have on your market reputation and the costs required to repair it after a breach. Patient loyalty, brand reputation, and good relations with other health information business associates are assets with value, and this value needs to be reflected in the organization’s thorough risk assessment.
So is your healthcare organization ready for an OCR audit?
Have you included all of the true risks in the risk assessment?
What are you doing to better protect your data, train your employees, and prevent data breaches?
Any advice for your peers in other organizations?
Andrea White specializes in communications issues related to health information technology and the HITECH Act. Stay tuned for more blog entries on this subject in coming weeks!
“Breach List: A Call to Action? With so many incidents, security funding could get a boost,” http://www.healthcareinfosecurity.com/p_print.php?t=a&id=2505
“HIPAA Audits: A Status Report,” http://www.healthcareinfosecurity.com/articles.php?art_id=2517&rf=2010-05-12-eh
“OCR Boosting Security Enforcement,” http://www.healthdatamanagement.com/news/privacy_security-40268-1.html?ET=healthdatamanagement:e1267:25859a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_051210
“N.M. Medicaid Breach Affects 9,600,”
“Civil rights office steps up health privacy enforcement,” http://govhealthit.com/newsitem.aspx?nid=73735