At the recent HIMSS 2019 Conference in Orlando, I was able to attend a number of informative sessions focused on risk management. One session in particular that stood out was the update from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), given by Roger Severino, Director, and Nick Heesters, Health Information Privacy Security Specialist.
During their presentation, the speakers reviewed recent HIPAA enforcement actions and described recurring patterns of noncompliance. Although they noted that the number of reported breaches has decreased each year since 2014, the number of reported hacking incidents has increased consistently.
The speakers went into greater detail on the challenges encountered during their engagements, and offered best practices to mitigate intruder activity and encourage enterprise privacy risk management.
The OCR has seen two prominent issues appearing regularly: a lack of accuracy and a lack of thoroughness in the documentation provided to regulators. Basic PowerPoint presentations used to communicate with the board were deemed insufficient. The OCR would prefer to see supporting documentation showing that a protected entity knows, understands, and addresses its obligations to mitigate the risk of protected health information (PHI) leakage across the enterprise.
A Risk Assessment Landscape in Healthcare that is Too Siloed
In their view, PHI risk assessment should be treated as an enterprise-wide undertaking that addresses all PHI exposure. Frequently, they see cases where the activity is too narrow and centered solely on EHR-driven audits and assessments. Because the current risk assessment landscape is still far too siloed and not holistic enough, a full review of hardware and software PHI inventories would further elevate its strategic importance to senior management, the board, regulators, and examiners.
HIPAA & PHI Best Practices to Implement
Their final discussion of valuable best practices included implementing strong access controls, leveraging strong audit controls, developing consistent information system activity review programs, and maintaining documented procedures for handling security incidents and for disaster recovery contingency planning. In summary, the OCR and HHS want healthcare organizations to embrace continuous risk assessment as a normal business operating process, not merely as an internal annual check-off.
As OCR engagements evolve, the OCR will understandably look to other federal agencies for guidance on the level of expectation for healthcare organizations to deploy safe, consistent, and ongoing risk assessment programs.