I recently attended the Health Care Compliance Association’s (HCCA) Compliance Institute (March 25-29, 2017) in National Harbor, MD, where healthcare compliance experts gathered to discuss the challenges faced in today’s complex regulatory environment.
From there, a short ride to Washington, D.C., took me to the annual HIPAA Summit (March 29-31, 2017), where healthcare privacy and security professionals and compliance wonks heard the latest HIPAA updates.
Representatives from the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) delivered remarks at both events on what to expect from their office in 2017.
New Director of the OCR
Attendees at the HIPAA Summit had the great honor of hearing the first public remarks from the newly appointed Director of the OCR, Roger Severino, in his new capacity. Prior to his appointment, Severino’s long and distinguished public service career included seven years as a trial attorney with the Department of Justice’s Civil Rights Division. He also served as the Housing and Civil Enforcement Section’s E-Discovery officer and attorney advisor to the fair housing testing program. Most recently, Severino served as director of the DeVos Center for Religion and Civil Society, part of the Institute for Family, Community, and Opportunity at the Heritage Foundation, a prominent conservative think tank.
In his remarks at the Summit, Severino shared his unique perspective, as well as what he brings to his new position, emphasizing the important role of health information privacy and security to the overall functioning of the healthcare system. This focus will lead to patient faith and confidence in the system, which, according to the new director, is paramount for the system to function.
Severino said he will approach the position from both the civil rights side and the privacy and security side, using this dual approach to focus on the people impacted by the OCR’s work, including patients, as well as employees of regulated entities. He also seeks to eliminate burdens on regulated entities wherever possible.
OCR Priorities for 2017
Following Severino’s remarks, OCR Deputy Director Deven McGraw shared the OCR’s outlook for 2017. McGraw and her team plan to work with Severino over the coming weeks to identify priorities for policy and guidance.
Update on HIPAA Audit Program
Speaking on Phase 2 of the HIPAA Audit Program, McGraw reiterated that the audits are a tool for learning, not a tool for enforcement, and should eventually yield best practices. She noted that Stage 1 is nearly complete, with draft reports sent to auditees; Stage 2 Security Rule and Breach Notification audits continue for Business Associates; and finally, plans for onsite audits as part of Stage 3 will be finalized once the first two stages are completed.
McGraw stated that the OCR hopes to develop a continuous compliance monitoring program moving forward, as opposed to the sort of periodic audits enacted currently.
Iliana Peters, Attorney and Senior Advisor at the OCR, spoke on OCR enforcement at both the Compliance Institute and the HIPAA Summit. She highlighted lessons learned from 2016 resolution agreements and civil money penalties. Peters noted that providers should complete regular and thorough risk analyses, ensuring knowledge of where Protected Health Information (PHI) is stored.
Another focus for providers should be encryption. PHI needs to be encrypted whenever possible, and anytime something is not encrypted, providers need to explain why. Peters also touched on the need for access and audit controls, as well as timely breach notification. The OCR’s hope is to continue with the same rate of resolution agreements in the months ahead.
The OCR is undoubtedly in a state of transition, where the only certainty is uncertainty. It should be very interesting to see what the OCR designates as priorities over the next few months.