OCR Stepping Up HIPAA Security Enforcement

Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy, Susan McAndrew, at the Safeguarding Health Information conference in Washington, DC, co-sponsored by OCR and the National Institute of Standards and Technology (NIST).  “To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes,” as reported by Joe Goedert in the HDM article, “OCR Boosting Security Enforcement,” which is available online.

This report comes several days after OCR’s release last Friday of its Draft Security Rule Guidance on Risk Analysis, the first in a series of guidances on security, that hipaa.com posted earlier today, and precedes the likely release later this month of the Notice of Proposed Rulemaking (NPRM):  Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, which is currently at the Office of Management and Budget (OMB) for review prior to publication in the Federal Register.

In addition, the renewed emphasis on HIPAA Security Rule compliance may be due in part to the growing number of posted “Breaches Affecting 500 or More Individuals” on the OCR Web site.

As of May 6, 2010, OCR had listed on this site 77 covered entities that had experienced such breaches, with the total number of affected individuals 2,430,167.  Of the total listed breaches, 63 involved covered entities only and 14, 0r 18%, involved a business associate in some manner.  Of the 72 reported breaches identifying whether paper or electronic protected health information (PHI) was involved, 18, or 25% involved paper and 54, or 75%, involved electronic media.  Forty-five of those 54 breaches, or just over 83%, were instances of theft or loss, most often laptop or other portable devices, highlighting the need for encrypting PHI to secure it on those electronic media according to NIST-validated standards identified in the August 24, 2009, HHS Guidance.  That Guidance was discussed in earlier hipaa.com postings and is available on this site .

With increased enforcement comes the need for greater attention paid to HIPAA Privacy and Security Rule compliance and training.  hipaa.com will announce new online HIPAA privacy and security training initiatives later this month.  You may register on hipaa.com to be notified of the training announcement.

Leave a Reply

Your email address will not be published. Required fields are marked *