Director of OCR Rodriguez presented today at the ONC Grantee and Stakeholder Summit and had some very interesting things to say regarding HITECH / HIPAA enforcement. First of all, as summarized in this post, he indicated that the Business Associate NPRM would be coming soon and to "stay tuned." However, he did not indicate whether this was the much rumored Omnibus Rule that purported to cover much more than Business Associate issues, but we suspect that it is.
Here's a summary of his presentation in a bulleted format:
- Half of data breaches are "low tech" involving paper and loss of laptops and mobile devices (i.e. as opposed to sophisticated hacking operations).
- He reinforced the fact that HIPAA was designed to be flexible and scalable, a nod to the "flexibility principle" contained within the Security Rule.
- He emphasized that the following basic principles were important: a) minimum necessary; b) patient access; and c) transparency of access (e.g. system audit logs).
- With respect to meeting the privacy and security requirements of meaningful use, he reiterated that the following was required: a) conduct a security risk analysis; b) implement security updates as necessary; and c) live by the program that you create (although not stated explicitly, this is a nod to process- and tracking-driven compliance).
- With respect to compliance governance, he made the following points: a) executive management needs to be on board and aware of the risks (i.e. it is not sufficient to delegate responsibility to an individual without the authority to exercise it); b) training is a key compliance factor, as is informing staff of the organization's sanction policy; and c) the current HIPAA program should be reviewed (i.e. implied with respect to the HITECH Act).
- He had the following to say about the basic principles of a compliance program: a) training is critical; b) implement policies and procedures; c) perform internal audits; d) have a security incident management system in place (i.e. be ready for rapid response); and e) document, document, document (the implication being that you track process results, not just policies).
- He laid the groundwork for, and then explicitly stated, OCR's enforcement position: it is going after organizations that demonstrate "willful neglect" of the law. Along these lines, he also indicated that every organization that ends up on the "wall of shame" triggers an automatic investigation.