On September 2-3, 2015, the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services Office for Civil Rights (OCR) co-hosted the 8th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, at the Grand Hyatt in Washington, D.C.
The conference explored the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It highlighted the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.
Live Compliance president Jim Johnson was among the conference attendees and stressed the importance for all organizations, regardless of size, to stand up and take action. In reviewing the conference, Johnson identified three key takeaways from the sessions:
It’s only the beginning
Iliana Peters, J.D., LL.M., Senior Advisor for HIPAA Compliance and Enforcement at the HHS Office for Civil Rights, acknowledged that HIPAA is in its infancy, but also stated that this initiative is only the beginning of rule making. The more instances of non-compliance the OCR discovers, the greater the number of fines and penalties that will be levied against organizations that do not play by the rules.
Not just for large organizations
The penalties we hear most about are the expensive, newsworthy ones charged against large organizations. Smaller organizations often conclude that the OCR won't bother auditing a practice of their humble size when it has bigger battles to fight and larger penalties to collect. Contrary to that belief, the OCR will be assessing more $5,000 and $10,000 fines, emphasizing and demonstrating that these rules apply to every person and organization that handles PHI. A single-physician practice has as much obligation to comply as a 40-doctor surgery center does.
The importance of risk assessments
With the continuous development of regulations addressing patient privacy and the far-reaching consequences of non-compliance, an annual risk assessment is critical. Many organizations run a vulnerability scan and believe they have satisfied their assessment responsibility. In actuality, they have completed only one component of an effective risk assessment. During an assessment, organizations need to consider where their PHI is located and who has been given access to it. Continually evaluating who actually requires access to the data should be the driving factor in an effective evaluation.
In summarizing the event, Johnson stated “HIPAA regulations apply to all organizations that work with protected or personally identifiable patient information, not just large organizations. Forty-doctor offices and under need to take notice that the Office for Civil Rights is standing strong behind these rules and will ensure that everyone is in compliance.”