On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference “Safeguarding Health Information: Building Assurance through HIPAA security.”
OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.
VULNERABILITY AWARENESS: ASSESSING RISK
In her opening remarks, OCR Director Jocelyn Samuels highlighted the observation that information privacy compliance is poorly prioritized within organizations. Specifically, Samuels identified the lack of widespread risk analysis and vulnerability assessment activities at the enterprise level as a key area meriting internal and agency prioritization. Samuels reiterated that organizations dealing in protected health information (“PHI”) should, and in fact must, undertake to routinely assess and investigate vulnerability as part of an effective compliance program.
The aspiration of enterprise-wide security protocol for PHI, and adoption thereof, continues to be an ongoing work-in-progress. This is especially true given the often divergent priorities within large provider systems and the endemic evolution of “local” IT systems that integrate with the sanctioned IT environment but often create network porosity and points of vulnerability. Embracing comprehensive, end-to-end, privacy and security policies and procedures that serve the IT needs of the organization while operating within the security protocol established by the system is imperative to establish and maintain network integrity and compliance with the HIPAA Security Rule (“Security Rule”).
IF YOU LOOK FOR IT, YOU WILL FIND IT
OCR representative Linda Sanches proposed the thesis that “the question is not if you will have a breach, but more so when.” To this end, the initial step to preparedness is the undertaking of a risk analysis as required by the Security Rule. Stakeholders expressed frustration with the broadly stated requirements of the Security Rule that are non-specific as to what precise set of activities constitute compliance and how much is in fact enough. This uncertainty adds to existing organizational tensions between resource allocations to business objectives versus compliance obligations with respect to the establishment and implementation of a reasonable compliance program. Sanches indicated that a defensible and reasonable approach is what is required to establish compliance.
LESSONS FROM THE FIELD: REPORT FROM OCR
Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement at HHS OCR, reported on recent enforcement activities as well as OCR’s regulatory agenda. With respect to reported incident activity, through August 31, 2014, theft and loss accounted for 51% and 9% of breach incidents, respectively followed by unauthorized access/disclosure at 18% among a total of 1176 reported breaches involving more than 500 people and in excess of 122,000 smaller breaches.
With respect to OCR’s regulatory agenda, Peters indicated that OCR is working on providing additional guidance and clarification to the Omnibus Final Rule including a breach safe harbor update, breach risk assessment tool, and clarification of the standards for minimum necessary. Peters also explained how the audit pilot program which is anticipated to go live in the near future will create a new enforcement channel for OCR outside of the breach response protocol. She commented that although the audits will be mostly desk audits with shorter timelines than investigations, they will require covered entities and business associates to have their documents in order and respond quickly to requests. Peters continued to state that “audits will be an enforcement tool which will result in compliance reviews and could result in enforcement actions up to and including civil monetary penalties. Peters stated “we may come to you because of an audit or a breach, but if we find gaps in the compliance program while there, we can’t walk away; it is our job to see it through”
RISK ELIMINATION: THE HOLY GRAIL
The global advice from OCR over the course of the conference was preparedness. To that end, however, the best that healthcare stakeholders can aspire to is effective mitigation of risk. OCR repeatedly stressed that “it is really important that covered entities and business associates prepare as much as possible” and take affirmative steps to protect their data. A comprehensive and documented risk analysis is the key to identifying system vulnerabilities and stakeholders should undertake to conduct or update their risk analyses and work in concert with organizational management to prioritize security compliance.