Last week, I heard Marissa Gordon-Nguyen, Senior Advisor for HIPAA Policy for the Office of Civil Rights (OCR), and Iliana Peters, formerly of the OCR and now with Polsinelli, speak about HIPAA enforcement. Here’s a summary of the tips they shared, as well as a few ways HIPAA might be changing.
Not encrypting? That’s “less and less persuasive”
Many providers struggle to decide whether to invest in encrypting electronic PHI. After all, encryption is addressable, but not required, under the HIPAA Security Rule. Iliana Peters advised that covered entities’ and business associates’ reasons for not encrypting “are becoming less and less persuasive” to the OCR. This is partly because encryption methods are increasingly available and affordable, and partly because encryption brings important security benefits in an increasingly high-risk environment.
The OCR is currently developing new guidance for covered entities and business associates, addressing:
- Social Media
While there is not a timeline for releasing this guidance, MPA will let you know when it’s available.
Ms. Gordon-Nguyen discussed three potential HIPAA changes that we might see soon:
- Presumption of good faith. The OCR is in the process of proposing a rule that would modify the Privacy Rule “to clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members, unless there is evidence that a provider acted in bad faith.” In the current environment, no such presumption exists.
- Removal of the NPP acknowledgment. OCR proposes to update the Privacy Rule to remove the “requirement that health care providers obtain from individuals a written acknowledgment of receipt of the provider’s notice of privacy practices, and if not obtained, to document its good faith efforts and the reason the acknowledgment was not obtained.”
- Compensation for harmed individuals. The OCR also discussed a Request for Information, seeking public input on a rule that would distribute a portion of HIPAA settlements and penalties to the harmed individuals. This has also been referred to as the “whistleblower” provision, because patients harmed by a HIPAA violation could recover from the provider.
None of these potential changes is in effect yet – but keep an eye out for rules and comment periods if you would like to provide input.
The top 10
Wondering how the OCR would view your HIPAA compliance program? Ms. Peters shared a “top ten” list of recurring HIPAA compliance issues:
- Pattern of Disclosure of Sensitive Paper PHI
- Business Associate Agreements
- Risk Analysis
- Failure to Manage Identified Risk, e.g. Encrypt
- Lack of Transmission Security
- Lack of Appropriate Auditing
- No Patching of Software
- Insider Threat
- Improper Disposal
- Insufficient Data Backup and Contingency Planning
Share these top ten HIPAA issues with your Compliance Committee and use them to evaluate where your HIPAA compliance effort stands.