Government officials emphasized the importance of risk analysis and risk management in safeguarding PHI at the Seventh Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference, held September 23–24, 2014, and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The following themes emerged during the conference:
- Risk Analysis and Risk Management. Jocelyn Samuels (Director of OCR—the HIPAA enforcement agency) noted that although comprehensive risk analysis and risk management are the cornerstones of a good information security program, OCR has found significant noncompliance with those two crucial HIPAA Security Rule requirements. An alarming two-thirds of the covered entities audited during OCR’s pilot audit program had not completed an accurate and thorough Security Rule risk analysis.
- Cybersecurity Framework. OCR representative Linda Sanches stated that the NIST Cybersecurity Framework, although a voluntary standard, may be useful to covered entities and business associates as support for HIPAA Security Rule compliance efforts.
- Cybersecurity Information Sharing. The National Health Information Sharing and Analysis Center (NH-ISAC) facilitates information sharing regarding cybersecurity threats affecting the healthcare sector. Deborah Kobza (Executive Director, NH-ISAC) highlighted an increased focus on information sharing regarding cybersecurity threats to medical devices, citing a recent Memorandum of Understanding between NH-ISAC and the FDA. The FDA (in collaboration with HHS and DHS) also announced an upcoming workshop on Collaborative Approaches for Medical Device and Healthcare Cybersecurity.
- Data Breach Trends. Iliana Peters (Senior Advisor for HIPAA Compliance and Enforcement, OCR) discussed trends from the 1,176 reports of breaches of PHI affecting 500 or more individuals that OCR received from September 2009 through August 2014. Of these breaches, more than half (60 percent) were caused by theft or loss of devices/media containing unencrypted PHI. OCR noted that hacking appears to be on the rise, underscoring the importance of having an incident response plan in place so that entities are prepared when a data breach occurs.
- OCR Compliance and Enforcement Efforts. OCR is working on providing additional guidance on HIPAA compliance, including additional business associate guidance (e.g., updated FAQs), breach safe harbor guidance and a breach risk assessment tool, and more Security Rule guidance. Additionally, OCR plans to initiate phase two of its audit program in the near future, which will involve desk audits performed by OCR personnel. Significantly, Iliana Peters confirmed that the agency plans to use upcoming audits as an enforcement tool and that OCR expects a number of audits to lead to full-scale compliance reviews.
As OCR prepares to roll out the next phase of its audit program, HIPAA covered entities and business associates should examine their security practices to ensure they are appropriately safeguarding ePHI in accordance with the Security Rule, including ensuring that they have conducted comprehensive risk assessments to identify risks to ePHI and put measures in place to appropriately manage those risks.
The webcast recordings of the presentations are available here.
The conference agenda with links to each presentation is available here.