Updated on: April 4, 2017

New OCR Director Emphasizes Privacy, Security at HIPAA Summit

By
Original story posted on: April 5, 2017

I recently attended the Health Care Compliance Association’s (HCCA) Compliance Institute (March 25-29, 2017) in National Harbor, MD, where healthcare compliance experts gathered to discuss the challenges faced in today’s complex regulatory environment.

From there, a short ride to Washington, D.C., took me to the annual HIPAA Summit (March 29-31, 2017), where healthcare privacy and security professionals and compliance wonks heard the latest HIPAA updates.

Representatives from the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) delivered remarks at both events on what to expect from their office in 2017.

New Director of the OCR

Attendees at the HIPAA Summit had the great honor of hearing the first public remarks from the newly appointed Director of the OCR, Roger Severino, in his new capacity. Prior to his appointment, Severino’s long and distinguished public service career included seven years as a trial attorney with the Department of Justice’s Civil Rights Division. He also served as the Housing and Civil Enforcement Section’s E-Discovery officer and attorney advisor to the fair housing testing program. Most recently, Severino served as director of the DeVos Center for Religion and Civil Society, part of the Institute for Family, Community, and Opportunity at the Heritage Foundation, a prominent conservative think tank.

In his remarks at the Summit, Severino shared his unique perspective, as well as what he brings to his new position, emphasizing the important role of health information privacy and security to the overall functioning of the healthcare system. This focus will lead to patient faith and confidence in the system, which, according to the new director, is paramount for the system to function.

Severino said he will approach the position from both the civil rights side and the privacy and security side, using this dual approach to focus on the people impacted by the OCR’s work, including patients, as well as employees of regulated entities. He also seeks to eliminate burdens on regulated entities wherever possible.

OCR Priorities for 2017

Following Severino’s remarks, OCR Deputy Director Deven McGraw shared the OCR’s outlook for 2017. McGraw and her team plan to work with Severino over the coming weeks to identify priorities for policy and guidance.

Update on HIPAA Audit Program

Speaking on Phase 2 of the HIPAA Audit Program, McGraw reiterated that the audits are a tool for learning, not a tool for enforcement, and should eventually yield best practices. She noted that Stage 1 is nearly complete, with draft reports sent to auditees; Stage 2 Security Rule and Breach Notification audits continue for Business Associates; and finally, plans for onsite audits as part of Stage 3 will be finalized once the first two stages are completed.

McGraw stated that the OCR hopes to develop a continuous compliance monitoring program moving forward, as opposed to the sort of periodic audits enacted currently.

OCR Enforcement

Iliana Peters, Attorney and Senior Advisor at the OCR, spoke on OCR enforcement at both the Compliance Institute and the HIPAA Summit. She highlighted lessons learned from 2016 resolution agreements and civil money penalties. Peters noted that providers should complete regular and thorough risk analyses, ensuring knowledge of where Protected Health Information (PHI) is stored.

Another focus for providers should be encryption. PHI needs to be encrypted whenever possible, and anytime something is not encrypted, providers need to explain why. Peters also touched on the need for access and audit controls, as well as timely breach notification. The OCR’s hope is to continue with the same rate of resolution agreements in the months ahead.

The OCR is undoubtedly in a state of transition, where the only certainty is uncertainty. It should be very interesting to see what the OCR designates as priorities over the next few months.

Sara Goldstein, Esq.

Sara Goldstein, Esq. is an established author and speaker on health information privacy and security compliance. As general counsel for MRO, she is responsible for providing legal direction and guidance for the company and overseeing MRO’s compliance with HIPAA. She is also an adjunct professor of law at Drexel University, where she teaches a course on HIPAA and patient privacy.

This email address is being protected from spambots. You need JavaScript enabled to view it.

Related Articles

  • Mixed Messaging from DOJ at HCCA Conference for Second Straight Year
    Federal officials seem wary about their words and their dissemination. At the Health Care Compliance Association’s (HCCA’s) fourth annual Healthcare Enforcement Compliance Conference, top U.S. Department of Justice (DOJ) officials provided an update on current developments related to criminal and…
  • Emergency Preparedness 101: Going Beyond “Process and Roll”
    Accounting for socioeconomic factors is critical to the sustainability of healthcare. Editor’s Note: This article was written as Hurricane Florence was heading directly for the United States’ East Coast. Stores from the Georgia to Delaware have barren shelves where staples,…
  • Hurricanes, the Social Determinants of Health, Costs, and Compliance
    The government of Puerto Rico's official Hurricane Maria death toll at 2,975. The 2017 hurricane season devastated entire regions of the globe, especially states and territories of the United States. Harvey, Irma, and Maria were a storm trifecta that yielded…