The Office for Civil Rights (OCR) has been busy lately. As outlined in more detail below, the OCR recently launched a new platform for mobile application (mobile app) developers to submit questions and comments to the OCR, with the ultimate goal of increasing the privacy and security of data used in those mobile apps. In addition, the OCR has promised that informal guidance on individuals' rights to access their medical records is coming in late October. Lastly, the OCR has again promised that Phase Two of the HIPAA audits will be starting shortly.
OCR Invites Mobile App Developers to Ask Questions About HIPAA
The use of mobile apps in the health care field has skyrocketed in recent years as providers and health plans have recognized the benefit of this technology to improve health outcomes. The OCR has noticed this increase as well, and has launched a new platform for health care mobile app developers and other parties interested in the interplay between health information technology and HIPAA privacy protection. The OCR will consider the input provided on this platform in developing its guidance and technical assistance efforts, with the overall goal being to better protect the privacy and security of individuals' data used in these technologies. The platform is available here: http://hipaaqsportal.hhs.gov/.
The OCR is hoping users of the platform will educate the OCR on the types of guidance the public needs on the HIPAA regulations. The OCR has asked stakeholders to provide input on issues such as which topics should be addressed in guidance, which current provisions are confusing or need clarification, and what form guidance should take to make it more understandable and accessible. Users can also use the platform to submit questions about HIPAA, present a use case, or see what their peers are discussing. Users can comment on the discussions and vote on which topics or use cases would be the most helpful or important.
While anyone can browse the portal, the OCR has stated that users who want to participate in the platform will sign in using their email address, although the OCR states that identities and email addresses will be anonymous to the OCR. Signing in allows users to submit questions, offer comments on other submissions, and vote on how relevant a topic is. Most importantly, the OCR has also said that posting or commenting on a question on the platform will not subject anyone to enforcement action.
For more information on mobile apps, please attend the next session in Q&B's Data Privacy & Security webinar series, on November 3, 2015.
OCR to "Informally" Clarify Individuals' Right to Access Their Own Health Records
The OCR has also recently announced that it will soon issue informal guidance clarifying individuals' rights to access their health records under HIPAA. The OCR has indicated the informal guidance will likely be a set of FAQs, which will enable the OCR to update the guidance more frequently. The FAQs will address exactly what constitutes a "designated record set," clarify what health and payment information an individual can access, and explain how much an entity can charge an individual for record access. Deven McGraw, the OCR's Deputy Director for Health Information Privacy, stated that the definition of "designated record set" is much broader than most entities realize and encompasses more than just the information in the electronic medical record (EMR).
The OCR currently has a list of FAQs about the "Right To Access Medical Records" on its website. However, most of these FAQs do not squarely address an individual's right to access his or her own records and instead address related issues, such as personal representatives accessing the record.
Ms. McGraw has stated that the OCR plans to concentrate more on outreach, education, and guidance, and less on enforcement. The OCR will accomplish this in part by doing more blogging, outreach through social media, and informal guidance than before. The release of this informal guidance, expected in late October, will be part of a White House campaign announced in July to promote individuals' rights to access their health records as part of the Precision Medicine Initiative.
Phase Two of HIPAA Audits Is (Still) Coming Soon
At a conference in September, the OCR Director indicated that a vendor has been chosen to perform the (previously postponed) second phase of HIPAA compliance audits, and that these audits may begin soon. Phase One of these audits was conducted as a pilot program in 2011 and 2012 on 115 covered entities. In Phase One, audited covered entities were required to provide documentation of their privacy and security compliance efforts. In addition, every audit included a site visit where the OCR interviewed covered entity personnel and observed the covered entity’s processes and operations to determine if the covered entity was in compliance with HIPAA’s requirements.
The Phase Two audits will focus on monitoring compliance with the HIPAA Privacy, Security, and Breach Notification Standards, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Phase Two audits will be guided by findings and observations from the Phase One audits that indicated areas of concern in relation to privacy of protected health information or security breaches. Audited entities can expect that although some on-site audits may be conducted, the majority of audits in Phase Two will be desk audits involving paper review only. Notably, Phase Two audits are expected to cover both covered entities and business associates.
While the OCR has not yet officially begun the Phase Two audits, the OCR has started collecting and verifying covered entity contact information via pre-audit surveys. Covered entities and business associates should focus now on preparation for these audits. For example, covered entities and business associates should enter into business associate agreements where needed, update existing agreements for compliance with the Omnibus HIPAA Final Rule, ensure that policies and procedures comply with HIPAA, and ensure that workforce members have been trained on those policies and procedures and that this training is documented. Covered entities should also review their Notice of Privacy Practices for compliance.
In addition, both covered entities and business associates should conduct a thorough risk assessment (the "risk analysis" required by the HIPAA Security Rule) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity or business associate. Note that in the Phase One audits, 60 percent of the findings and observations were based on the Security Rule, and 58 out of 59 audited health care providers had at least one Security Rule finding or observation. Furthermore, the audits revealed that two-thirds of the audited entities had not conducted a complete and accurate risk assessment.