On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI. Samuels highlighted an increase in infiltration of computer networks reported under the breach notification requirements, explaining that hacking and other cyberthreats are affecting not just covered entities like health care providers, insurers and clearinghouses, but also business associates handling ePHI on behalf of covered entities. Despite this concern, it is unclear when OCR will launch its HIPAA compliance audits of covered entities and business associates, which were slated to begin in early 2015.
High Impact Breaches and Security Precautions Still OCR’s Top Priorities
OCR anticipates receiving 17,000 HIPAA complaints in 2015, as compared to the 13,000 complaints it received in 2013, the most recent year for which complete data are available. Samuels stated that the agency will continue to focus on “high-impact” breaches, such as the data breach involving New York Presbyterian Hospital and Columbia University that compromised ePHI for 6,800 individuals and resulted in a $4.8 million settlement with OCR in 2014. Samuels encouraged organizations holding ePHI to regularly assess and address risks by “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Timing and Scope of HIPAA Compliance Audits Uncertain
Samuels has not released a timeline for OCR’s HIPAA compliance audits, which for the first time will apply to business associates as well as covered entities. Samuels explained that OCR is still determining how the investigations will be performed, noting only that the audits will be added to OCR’s “existing arsenal of tools” to “proactively identify areas of compliance concerns.” Covered entities are encouraged to check OCR’s website for updated information about the audits, which may include financial penalties for HIPAA violations.
Other HIPAA Priorities for 2015
Along with monitoring cyberthreats and implementing compliance audits, in 2015 OCR plans to issue:
- A proposed rule for allocating a percentage of any civil penalties issued for PHI breaches to individuals harmed by HIPAA violations;
- New guidance on cloud computing, PHI, and security; and
- Updates to make its website easier to use for covered entities.