OCR Director Provides an Update, Announces a HIPAA Settlement
Marianne Kolbasuk McGee (HealthInfoSec) • September 2, 2015
The Department of Health and Human Services' Office for Civil Rights is getting closer to resuming the random HIPAA compliance audit program. In addition, it's completed another HIPAA settlement related to a breach, and it's planning a number of compliance-related initiatives for the fall, OCR Director Jocelyn Samuels said in a Sept 2 presentation.
Samuels' comments came during a keynote address at an annual HIPAA security conference in Washington, D.C., hosted by OCR and the National Institute of Standards and Technology.
More HIPAA compliance audits "are coming," Samuel said, but she stopped short of offering a timeline or revealing how many covered entities and business associates that will be audited. "Audits are a critical tool. It enables us to get in front before [HIPAA noncompliance results in] a breach," she says. The audits provide technical assistance to address the most common problems in HIPAA non-compliance, she notes.
OCR recently hired a vendor to assist in the audit program, Samuels revealed in her presentation. An OCR spokeswoman tells Information Security Media Group that FEi Federal recently signed a contract to provide support management services for the audits, which will actually be performed by OCR staff.
The majority of the audits will be "desk" or remote audits, but there will also be "some" onsite audits, Samuels said. The audits will look a key areas of HIPAA compliance, especially those problem areas pinpointed during OCR's breach investigations, such as a lack of comprehensive, timely risk assessment and mitigation. "We're hopeful the audit program will send a message that complying with HIPAA is serious business," Samuels said.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, who attended the HIPAA conference, says Samuels' announcement about the audit program is "reaffirmation" that OCR is ramping-up HIPAA enforcement efforts. "The biggest change is OCR saying it will use a contractor" to assist in the audits, he says, which could help OCR to better utilize its own stretched internal resources.
The lack of a timely risk analysis has been a reoccurring theme in OCR enforcement actions, including a new settlement and resolution agreement announced by Samuels during her Sept. 2 keynote.
OCR has reached to a $750,000 settlement with Cancer Care Group, P.C., a radiology oncology practice in Indiana with 13 clinicians, which suffered a health data breach in 2012 as a result of the theft of an unencrypted laptop computer and back-up media from an employee's car. The computer and storage device contained names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care Group patients.
An OCR investigation into the breach found widespread non-compliance issues, she says, including the lack of an enterprise-wide risk analysis. In addition, Cancer Care Group did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI from its facilities, even though this was common practice within the organization, she says.
"An enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care's ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility," she says.
A resolution agreement signed with the cancer practice includes a corrective action plan that includes a number of steps, including conducting a risk analysis, that the organization must take to improve its HIPAA compliance.
Other OCR projects in the works that Samuels highlighted in her keynote address included:
- Working with the National Institutes of Health on President Obama's Precision Medicine initiative announced in January. OCR is working with NIH on patient privacy protections "to be built into" the efforts, which focuses on the use of genomic, lifestyle and other patient information for "transformative developments" related to more personalized medical treatments.
- Preparing new OCR guidance this fall that will provide patients and healthcare providers with information about patients' rights to access their health information and send it to third parties.
- Developing guidance on cloud computing and HIPAA privacy and security.
- Introducing a new Web portal, likely this fall, to help software developers navigate HIPAA compliance for emerging technologies. "We want to offer those developers of new technologies to have a dialogue with us," Samuels said.