OCR official shares enforcement plans
The Office for Civil Rights (OCR) may not have received more federal resources to do its job, but its efforts to better leverage technology and centralize activities will enable its enforcement goals, said Iliana L. Peters, JD, OCR’s senior advisor for HIPAA compliance and enforcement, at the National Institute of Standards and Technology and OCR’s joint conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” on Sept. 24.
“As we reported to Congress, we would love more resources. That being said, we are doing our best to work smarter,” said Peters. Part of that effort entails a centralized intake for the 10 regional offices that conduct most of OCR’s enforcement work, so cases can be analyzed and “we can separate the wheat from the chaff.”
This will enable the agency to handle the thousands of complaints it receives every year. Last year, OCR resolved 14,000 of them, of which 4,500 were investigated. “People are incredibly concerned about the privacy and security of data. We look at every complaint, even with limited resources.”
The agency is also working to better guide the industry. It soon will release new documents, including: a breach safe harbor update; accounting of disclosures; methods for sharing penalty amounts; and the National Instant Criminal Background Check System final rule. The agency additionally is working on more guidance governing business associates, a breach risk assessment tool and more general fact sheets on HIPAA provisions. Peters said the breach risk assessment tool will include information on what constitutes compromised data.
Under recent changes to the rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the data were encrypted or destroyed, or unless the covered entity or business associate can demonstrate that there is a low probability that the protected health information has been compromised, which she termed the “LoProCo.”
“We want you to look at the risks of data itself rather than just focusing on harm to the individual,” she said. This includes understanding what data were lost; the types of identifiers the data contained; the likelihood that the data could be re-identified; whether the protected health information (PHI) was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated, she said.
“All of these things we’d be looking for in regard to your risk assessment,” she said.
Peters also said that if the agency learns of a breach, even one not officially reported to it, it may approach the organization to ask why the incident was not reported and request documentation showing that a risk assessment was performed.
OCR officials are notified through a web portal when a breach takes place, and that information is passed along to the regional office closest to the covered entity or business associate involved. Before the data is publicly disclosed on the agency’s website, an official verifies the incident with the entities involved.
“There is a bit of a lag between when you notify us of a breach, when we contact you to verify facts of the breach and when it shows up on the website,” she said. “We are working to expedite that.”
From September 2009 through Aug. 31, 2014, there were approximately 1,200 breaches affecting more than 500 individuals each. Theft and loss account for the large majority of these breaches, about 60 percent. “What’s the message? That they could have been prevented with encryption.”
About 122,000 reported breaches of PHI each involved fewer than 500 individuals.
Breaches caused by unauthorized access and hacking are on the rise. “It’s really important covered entities and business associates prepare as much as possible because these events will happen. If we come to you because of a breach, we will stay if you are noncompliant with either part of the rule.”
Peters advised the following safeguards to prevent breaches:
- Evaluate the risk to electronic PHI when at rest on removable media, mobile devices and computer hard drives
- Take reasonable and appropriate measures to safeguard electronic PHI
- Store PHI on network storage rather than on local or portable devices
- Encrypt data stored on portable devices and removable media
- Employ remote wipe to remove data from devices that are lost or stolen
- Consider appropriate data backup
- Train workforce members on how to effectively safeguard data and timely report security incidents
She added that the culture of an institution plays heavily into compliance. “Senior leadership sets the tone for the organization, and this needs to be a priority for everyone.”
In the area of audits, Peters said the majority will be desk audits, and the agency will send a pre-audit survey to a wide range of entities to determine possible auditees. The data an entity submits to the agency in its first response will be what is audited, she said. OCR also is planning some onsite audits and is designing the second phase of its permanent audit program.
If audited, she said, organizations must be prepared to present the names of their business associates so that OCR can identify and audit them.