The 2015 HIPAA Security conference held by the National Institute of Standards and Technology (“NIST”) and the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) kicked off last week with OCR’s announcement of a new settlement. In its latest settlement with a small health care provider, OCR emphasized comprehensive risk assessments and securing mobile devices. This comes on the heels of the recently released NIST draft guide for securing electronic health information on mobile devices. The conference also brought a much anticipated audit update. And newly appointed Deputy Director, Deven McGraw, promised new guidance as early as October (2015).

What This Means for You

OCR continues to emphasize the importance of securing electronic protected health information in an increasingly connected world. For small and large health care providers alike, the use of laptops, smartphones, and other portable devices is commonplace. HIPAA covered entities and business associates should regularly update their risk analyses, implement controls to safeguard electronic information, develop policies and procedures for the receipt and removal of devices that store or access electronic protected health information, and sanction employees for non-compliance. 

While we wait for additional HIPAA guidance ranging from breach notification to cloud security guidance, OCR promised its audit program is moving forward with a contractor selected to help staff the next round of audits. OCR confirmed it remains in the address verification phase – meaning your organization still could be in the running. In an interview following the conference, Deputy Director McGraw is reported to have announced that OCR will submit its audit plans for public comment later this year or early next year before moving forward with additional audits. This means the next round of HIPAA audits will begin in 2016 at the earliest.

Summary of the Latest HIPAA Settlement

OCR’s most recent settlement with a small Indianapolis-based oncology radiation practice, Cancer Care Group, P.C. (“Cancer Care”), stemmed from a breach reported to OCR in 2012. Cancer Care notified OCR of a breach of electronic protected health information after a laptop and unencrypted backup media were stolen from an employee’s car. OCR reported that approximately 55,000 current and former Cancer Care patients were affected by this incident, with potentially compromised information including patient names, dates of birth, Social Security numbers, insurance information, home addresses and clinical information. OCR alleged that Cancer Care failed to conduct an enterprise-wide risk analysis, and failed to implement policies that accounted for the removal of mobile devices or portable media. To settle the alleged HIPAA violations, Cancer Care agreed to pay $750,000 and entered into a three year corrective action plan. Under the corrective action plan, among other things, OCR requires Cancer Care to:

• Conduct a comprehensive risk analysis, reviewing and updating it as needed on an annual basis;
• Develop and implement a comprehensive risk management plan to “address and mitigate any security risks and vulnerabilities” identified in the risk analysis (emphasis added);
• Revise policies and procedures for security of electronic protected health information based on the findings of the risk analysis and the implementation of the risk management plan; and
• Review and revise its training program for security of electronic protected health information based on the findings of the risk analysis, implementation of the risk management plan, and any revisions to its policies and procedures.

OCR Director Jocelyn Samuels emphasized that “[o]rganizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.” Director Samuels reminded that “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.” 

Next Steps

This recent settlement and the promise of upcoming audits serve as a good reminder to do a check-up on your HIPAA security compliance. Your HIPAA security risk analysis should be reviewed and updated periodically, and at minimum, whenever there are environmental or operational changes. An OCR official stated at the conference that the risk analysis is the cornerstone of HIPAA security compliance.

DWT’s team of experienced privacy and data security attorneys can help you implement a targeted, repeatable risk assessment that aligns with OCR and NIST guidance. We offer a fixed fee and tiered model that allows us to offer a customized Confidential Risk Assessment with a predictable budget. Contact Anna Watterson for more information.

You also should have policies and procedures that address the increasingly mobile environment, including protected health information and other sensitive information on both corporate-owned and personally-owned devices. Without proper training, employees and other workforce may not know the proper practices for accessing and storing electronic protected health information on mobile devices, including prohibited practices. Whether a comprehensive refresher or periodic reminders, training also provides an opportunity to help workforce understand the potential harm to patients and the organization when electronic protected health information is not properly secured.