HIMSS17 – OCR’s Expectations for HIPAA Compliance
Lessons Learned at HIMSS17
The Office for Civil Rights (OCR) made it clear at HIMSS17 - it’s time for the healthcare industry to take action NOW. Here are the top messages we heard across multiple presentations by HHS (OCR, CMS), FDA, FTC, law firms, and cyber security firms. The following were made very clear to attendees. Please note that not all of these came from HHS; some were heard multiple times from various sources. The point is, learn and take action.
- Ignorance of the HIPAA law is no excuse, get your business in order. (Law firms)
- Lack of funds to address HIPAA compliance is no excuse, take action now. (Law firms)
- Conducting a Security Risk Analysis (SRA) is NOT enough - you MUST implement a risk management plan to correct the issues found in the SRA. (HHS/OCR and additional sources)
- Business Associate agreements need to be current, dated, and require proof that the business associates are protecting PHI. (Law firms)
- 21% of OCR audits are now on business associates. (HHS – Desk audits underway)
- Approximately 20,000 complaints were filed by patients with the OCR in 2016. (HHS Sessions)
- On-site audits of both CEs and BAs will begin in 2017. (HHS)
- OCR expects all ePHI to be encrypted in motion and at rest (HHS). Most EHRs do NOT encrypt ePHI everywhere, so don't assume that your EHR makes you HIPAA compliant; your EHR is only one component of HIPAA compliance. (Multiple cyber-security sessions.)
- MACRA will not go away even if ACA is completely repealed. The number one requirement of MACRA is a risk assessment. (Dominic Mack, MD, MBA - Executive Medical Director, GA-HITEC)
- It is very unlikely the ACA will be repealed completely; more likely, parts will be updated. (Retired U.S. Rep. John Boehner)
If you have not performed an acceptable NIST-based risk assessment (privacy and security risk analysis), you should do so immediately. Then implement a risk management plan and begin remediation of all issues you found - ASAP! Remediation will likely take a few months to complete, but the OCR will expect you to have corrective actions defined for every "failed" issue identified in the risk assessment. Although any covered entity or business associate can perform a self-assessment, the OCR and other industry leaders strongly suggest having a reliable third party perform your first risk assessment and help you implement a risk management plan to correct the issues in a timely manner. Remember, you must now keep your book of evidence, your risk assessment, and corrective actions in electronic format.
Stay tuned for more posts from lessons learned at HIMSS17.
Protect Your Patients. Protect Your Practice. Protect Yourself.