The Department of Health and Human Services Office for Civil Rights (“OCR”) will soon begin auditing covered entities for compliance with the HIPAA Privacy and Security Rules, according to OCR Director Jocelyn Samuels. The time frame for and the scope of these audits are presently unknown, but we expect additional details to be released by OCR in the coming weeks and months.
OCR will likely pay close attention to whether covered entities have conducted, regularly reviewed and updated their risk assessment, as required by the Security Rule. More so than when the Security Rule was first adopted, electronic protected health information is now the norm. Threats to computer systems and networks are growing and evolving. Data is a valuable commodity. As such, covered entities not only must worry about internal threats, such as a workforce member gaining unauthorized access to electronic patient records, but also external threats such as hackers and malware that can mine computer systems and networks for valuable data.
Whether a covered entity falls victim to an attack or simply becomes aware of emerging threats, it is important to assess these threats in relation to the covered entity’s current infrastructure and safeguards in order to determine whether upgrades or changes in policies and procedures are necessary to stay ahead of such threats and to protect patient information. The risk assessment contemplated by the Security Rule is not a one-time exercise. It should be repeated as incidents occur and as new threats are identified. Conducting the risk assessment should alert covered entities to their own vulnerabilities and enable them to reduce the risks to their systems. In the event of an OCR audit, the existence of documented, thoughtful, regular risk assessments could also save covered entities from costly corrective actions or fines.
OCR has developed a video and even a security assessment tool to help covered entities meet this important Security Rule obligation. Likewise, BABC’s Privacy and Information Security Team stands ready to assist clients in meeting these obligations and in responding to threats or actual incidents affecting their businesses.
Remember that covered entities must report breaches of unsecured protected health information affecting fewer than 500 individuals to OCR annually. The end-of-the-year reporting of breaches of unsecured PHI discovered in 2014 is due Sunday, March 1, 2015. These small breaches should have been reported to each of the affected individuals already, and reports to OCR should include the actions to mitigate and remediate any breaches, even those affecting a single individual. Reports to OCR of large breaches (those affecting 500 or more individuals) are made at the time of reporting to the affected individuals—that is, without unreasonable delay and in no case greater than 60 days.
Covered entities may report small breaches electronically at the OCR Breach Portal.