The Society of Corporate Compliance and Ethics recently posted an 18-minute podcast interview that took place at HCCA’s Compliance Institute. Iliana Peters, HHS’s Office for Civil Rights (OCR) Senior Advisor for HIPAA Compliance and Enforcement, spoke on a number of hot topics relating to HIPAA enforcement. Ms. Peters stated that OCR often picks enforcement cases to move to settlement “that will send a message to the industry and be a teachable moment.” She noted that the number of cyber-related incidents has increased, and portable devices continue to be an issue. “If it can walk away from your enterprise, it will walk away,” she said.
OCR is still working on certain HITECH Act rules. They are working on rulemaking to allow penalties to be shared with individuals who are harmed by a HIPAA violation. The next step for those rules will be an advance notice of proposed rulemaking to get input from the public on things the rules should address. Ms. Peters said that OCR is also still working on the accounting rule.
Ms. Peters discussed the guidance issued by OCR regarding cloud storage. Covered entities need to understand the risks of this type of solution. Ms. Peters observed that, “while a covered entity is not legally liable if a breach happens at its business associate if that business associate is an independent contractor, which in many cases the cloud services providers are,” covered entities must understand that if they have an ongoing relationship with a business associate that has problems, it could create risks for their enterprise.