As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases: (i) risk assessment, (ii) workforce training, and (iii) adequate encryption. For those of you willing to read more than three phrases, we elaborate on them below and provide our view on the important takeaways from the conference.
Risk Assessment. From the opening remarks of new OCR Director Jocelyn Samuels to the closing OCR Update presentation and almost every presentation in between, the risk assessment was highlighted as a critical compliance measure. Director Samuels pointed out that “an enterprise-wide risk assessment is the cornerstone of compliance.” She also noted that OCR continues to see failures on this issue, including failure to conduct a risk assessment, incomplete risk assessments, and failure to review and update risk assessments regularly. Director Samuels stated that enforcement will be important to address these failures. Iliana L. Peters, OCR’s Senior Advisor for HIPAA Compliance and Enforcement, echoed the importance of the risk assessment as a compliance measure in her presentation and highlighted the tools available through NIST, the Office of the National Coordinator, and OCR to assist in this effort, such as the Security Risk Assessment Tool that we profiled in a previous post.
Takeaway: There is really no excuse for not conducting a risk assessment, and those who are out of compliance should not expect sympathy from OCR.
Workforce Training. Training and education were additional compliance measures highlighted throughout the conference. Education is “the best compliance tool” according to Matthew Scholl, Acting Chief of NIST’s Computer Security Division. OCR acknowledged that breaches were inevitable, but critical to any OCR enforcement decision is the existence of compliance measures and systems in place to address the inevitable breach, such as workforce training. As many of the speakers emphasized during the conference, during OCR’s Pilot Audit Program, 58 out of the 59 health care providers audited had at least one negative finding regarding Security Rule compliance. Government officials who spoke at the conference indicated their belief that inadequate workforce training was a key factor in yielding these audit findings. Moreover, their presentations made it clear that the agency may take an expansive view of who is part of a covered entity’s workforce.
Takeaway: No compliance program is effective if employees and contractors don’t know anything about it!
Adequate Encryption. Encryption was highlighted throughout the conference as a critical security measure and an entire panel was dedicated to Safeguarding Data Using Encryption. The NIST speakers in this session pointed out that encryption cannot prevent attacks or other losses of data, but can prevent a world of problems if the data is actually compromised. OCR enforcement officials echoed this theme by pointing out that 60% of breaches reported on OCR’s so-called “Wall of Shame” for data breaches affecting 500 individuals or more, resulted from theft and loss. According to OCR, encryption would have prevented all of these breaches. Further, the speakers in the encryption session made it clear that as breaches by outside actors get more and more sophisticated and medical identity theft gets increasingly lucrative, health care organizations need to ensure that the level of encryption is sufficient for their security needs.
Takeaway: Encryption is an addressable (not mandatory) security standard under HIPAA. However, in the event of a breach, investigation or audit, it will be extraordinarily difficult to convince OCR that encryption is not a reasonable security measure for your organization.