Whether you’re a family healthcare practitioner, surgeon, chiropractor, dentist, or any other covered entity affected by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, you should keep up with news surrounding the Office for Civil Rights (OCR).
The OCR is a branch of the Department of Health and Human Services (HHS). Among other things, it’s focused on protecting Americans’ civil rights, including healthcare privacy. With a new year upon us, however, the OCR is looking to make some changes to HIPAA and the way in which it is enforced.
So, what can you expect to see from the OCR in 2017?
According to a report by HealthcareITNews, the OCR will conduct on-site HIPAA audits of hospitals in 2017. When speaking about the upcoming audits, OCR senior advisor Linda Sanches said the organization will target a “small number” of hospitals, adding that the chances of getting an audit are “very, very low.”
Nonetheless, hospitals should treat this as an opportunity to confirm they comply with the HIPAA Security, Privacy and Breach Notification Rules, since those are the rules the auditors will assess. If a hospital is selected for an on-site audit, it will be notified by email, and OCR compliance investigators will visit within the next 3-5 days, so the documentation an auditor asks for (risk analysis, policies, training records, business associate agreements) needs to be ready before the notice arrives, not after.
Greater Enforcement for Small Breaches
Covered entities can also expect to see greater HIPAA enforcement of small breaches.
On August 18, 2016, the OCR announced plans to increase enforcement efforts involving breaches of Protected Health Information (PHI) that affect fewer than 500 individuals. PHI breaches are classified as either small, if they affect fewer than 500 individuals, or large, if they affect 500 or more individuals.
When announcing this news, the OCR cited several recent settlements from investigations of small breaches. Of the six settlements mentioned, four involved stolen laptops, smartphones or other devices on which unencrypted PHI was stored. That detail matters: under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured PHI," so the loss of a properly encrypted device is generally not a reportable breach at all. The bottom line is that small breaches affecting just a few individuals, especially those traceable to unencrypted portable devices, can result in costly fines and mandatory corrective actions.
After taking office, President Trump selected Tom Price as the next HHS secretary. With the HHS under new direction, changes to HIPAA and to the healthcare industry as a whole are likely.
Tom Price has voiced criticism of the Affordable Care Act, for instance. Last year, he introduced a bill titled "Empowering Patients First," which would require healthcare insurance companies to report claim information, including PHI, to a health plan or sponsor. Some lawmakers worry that the bill favors transparency at the expense of patients' privacy rights.
There’s a good chance we’ll see more guidance issued by the OCR in regards to cloud computing. An article published by Forbes suggests that 83% of healthcare organizations use cloud-based apps. Cloud computing creates several challenges for covered entities: a cloud service provider that stores or processes electronic PHI is a business associate under HIPAA, so a signed business associate agreement, a risk analysis covering the cloud environment, and appropriate safeguards against disclosure of PHI are all required, and that holds even when the data is encrypted and the provider never holds the key.
While the OCR issued guidance on cloud computing in October 2016, the technology continues to change and evolve. As such, many privacy experts believe new guidance is right around the corner.
In addition to increased enforcement of small PHI breaches, covered entities can also expect to see bigger fines for these and other HIPAA violations.
In August 2016, the OCR announced the organization’s largest HIPAA settlement to date. To settle allegations of numerous violations, Advocate Health Care Network agreed to pay a record-setting $5.55 million and implement a corrective action plan.
This incident was reportedly one of the largest breaches of electronic PHI, affecting more than 4 million patients. The breach occurred after four computers were stolen from Advocate’s administrative building in Illinois in 2013. PHI disclosed in the breach included medical information, payment details, names, addresses, birth dates and more.