On September 2-3, 2015, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) hosted the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security conference. Designed to explore the current health information technology security landscape, particularly as it pertains to the HIPAA Security Rule, this conference gave the approximately 200 attendees and other interested individuals watching the live webcast a unique opportunity to hear directly from senior leadership at OCR and other government agencies charged with enforcing health information privacy and security laws, in addition to hearing from industry participants.
As part of the opening keynote address, Jocelyn Samuels, the OCR Director, provided attendees with some particularly valuable insights into OCR’s current priorities. In addition to announcing the settlement agreement with Cancer Care Group, P.C. (analyzed by Arent Fox in the post, “Don’t Lose Your Laptop! New HIPAA Settlement Emphasizes Importance of Risk Analysis and Device and Media Controls”) and emphasizing the importance OCR places on the completion of a thorough risk analysis, Director Samuels also noted a number of additional upcoming initiatives, including:
- A new HIPAA audit protocol;
- Guidance on an individual’s right to access (including information on how the right to access connects to the President’s Precision Medicine Initiative);
- Guidance for cloud storage providers;
- An on-line portal to answer HIPAA-related questions from technology developers and others; and
- A new, more user-friendly OCR website.
Other OCR speakers at the conference were Deven McGraw, Deputy Director of the Health Information Privacy Division, and Iliana Peters, OCR’s senior advisor for compliance and enforcement. Notably, as part of her speech on OCR’s current compliance and enforcement work, Ms. Peters identified OCR’s current HIPAA enforcement priorities as (i) ensuring that covered entities and business associates have completed a risk analysis and risk assessment that considers all of the electronic protected health information (often referred to as “e-PHI”) in an enterprise, (ii) protecting the individual rights granted by HIPAA, and (iii) business associate activities. With respect to business associates, Ms. Peters specifically noted that many breaches involve business associates and that business associates often have data for multiple covered entities, so these breaches can involve information pertaining to very large numbers of individuals.
Attendees also heard speeches from representatives of the Food and Drug Administration, Office of the National Coordinator for Health IT, the Federal Trade Commission, and NIST, as well as from industry participants. The speakers provided valuable insights in sessions dedicated to topics such as security management (threat intelligence, security plans, security best practices, etc.), medical device and electronic health record security, interoperability, business associate liability issues, and the areas of overlapping jurisdiction between OCR and the Federal Trade Commission.