Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its May 20, 2014 release to Congress of reports on HIPAA Privacy, Security and Breach Notification Rule Compliance for calendar years 2011 and 2012 and on Breaches of Unsecured Protected Health Information for the same years. The reports can be accessed at http://www.hhs.gov/ocr/privacy/hitechrepts.html.
In addition to providing statistics for 2011 and 2012, the reports reveal noteworthy (though not surprising) information regarding OCR’s plans for HIPAA audits in 2014 and safeguards that OCR feels warrant particular attention in order to minimize the risk of breaches of protected health information (PHI).
OCR intends to implement the next round of HIPAA audits this year. The compliance report notes that OCR is updating its audit protocol to reflect changes under the 2013 HIPAA Omnibus Rule and will post the updated protocol to its website so that covered entities and business associates can use it for their internal compliance assessments. This report also indicates that OCR will be developing additional guidance and that the audits will focus on particular requirements and on subsets of covered entities and business associates, but the report does not provide specifics in this regard.
The breach report recommends particular focus on the following six areas that it has identified as particularly important in reducing breach exposure:
- Risk analysis and risk management addressing all electronic PHI (ePHI) (reflecting a common theme of recent OCR settlements);
- Security evaluations upon any changes that can affect the security of PHI;
- Safeguards (including encryption) to ensure the security and control of portable electronic devices;
- Proper disposal of PHI in all forms (e.g., electronic or paper);
- Physical safeguards limiting access to facilities and workstations maintaining PHI; and
- Proper workforce privacy and security training.
These reports provide another reminder of the need for covered entities and business associates to focus on compliance with the HIPAA rules and related safeguards to protect the privacy and security of PHI.