OCR Enforcement Actions: Prioritize HIPAA Security & Vendor Management Requirements

David Holtzman

Thus far in 2017, the Office for Civil Rights (OCR) has announced that it has negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, organizations have also been saddled with multi-year corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016, in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.

For several years, we have seen OCR treat a breach report as an opportunity to undertake a broad-based review of an organization’s compliance with the Privacy and Security Rule to determine the root cause of the incident. Accordingly, the size of the breach is often a less important factor when compared to the magnitude of the issues that led to the breach, as well as the size of the organization.

There are several key lessons and best practices healthcare organizations can glean from the most recent OCR enforcement actions.

  • Risk Assessment – There is no substitute for an enterprise-wide risk analysis and a program to address threats to PHI found during an assessment. In every breach incident involving e-PHI, OCR tied the organization’s failure to safeguard data to the absence of an adequate enterprise-wide risk analysis and of a risk management plan to mitigate the vulnerabilities that were, or would have been, identified through an assessment.
  • Auditing and Monitoring Controls – OCR called out that some healthcare organizations are not doing enough to monitor information system activity and to put in place an effective process for auditing activity on the networks and applications that maintain PHI. The agency recently issued Audit Control Guidance emphasizing the role of access monitoring and audit controls in safeguarding PHI.
  • Documentation – Two recent enforcement actions have highlighted OCR’s expectation that covered entities and business associates maintain records of which devices and media hold PHI. Those records should also document whether the data is encrypted, along with the location of the asset and/or the workforce member assigned to it.
  • Business Associate Agreements – Another settlement focused attention on the absolute obligation of covered entities and business associates to have a current business associate agreement in place with contractors and vendors who handle PHI when performing an activity or function on their behalf. We strongly encourage you to take the time to review all of your organization’s vendor agreements. Identify each contract that requires the vendor to create or maintain PHI. Verify that your Business Associate Agreement (BAA) is updated to the current requirements of the HIPAA Rules. If a BAA is not in place, have one executed at once. If your vendor refuses to sign a BAA, OCR’s position is that you should cease disclosing PHI to the contractor and have all PHI in their possession returned or securely disposed of. This can create a very real business risk for your organization.

If you have questions about strategies to safeguard PHI, compliance with the HIPAA Privacy or Security Rules, or preparing for an OCR enforcement action, please contact us.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
