Friday, May 24, 2013

Safeguarding Health Information: Building Assurance through HIPAA Security

The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) co-hosted the 6th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on May 21 & 22, 2013. The conference explored the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This event highlighted the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards.

At the conference OCR Director Leon Rodriguez provided an overview of the impact of the new Omnibus HIPAA Rulemaking and highlighted OCR’s commitment to enforcement, audit and education initiatives in the coming year.

Discussing the tension between patient access to patient information and an organization’s safeguarding of protected health information (PHI) inherent in HIPAA, Director Rodriguez characterized OCR’s HIPAA guidance as providing the “super highways” to ensuring patient access as well as privacy and security. An organization must first figure out the “surface streets.” To adequately safeguard PHI, HIPAA defines a process and provides an organization with a series of decisions, policies and procedures, analyses, and plans. Patient expectations are what govern.

The key factors in the size of a penalty for HIPAA violations are the lack of a timely risk assessment and the failure to address ongoing security issues. "Failure to take action quickly ratchets up the penalties," he said. As an example, he pointed to a $1.7 million settlement last year with the Alaska Department of Health after an investigation of a relatively small breach incident that uncovered bigger issues. "The issues of the underlying breach went on for a year after the breach - that's why the fine was so big," he stated. OCR has a tool on its website that posts all breaches affecting more than 500 individuals.

Director Rodriguez acknowledged that breaches of PHI are certainly going to occur, and that risks exist even where organizations are doing everything right. OCR is interested in what an organization is not doing, and whether the proper security analysis is being conducted. An organization must identify, remedy and then, if necessary, change. He also commented on the vulnerabilities associated with mobile devices, which remain a topic of interest for OCR. Of the breach reports received by OCR, 25% relate to paper records and the vulnerability of mobile devices. Director Rodriguez encourages all organizations to focus on securing mobile devices, which he termed a “great vulnerability,” and to use HHS resources regarding mobile device security.

He concluded by saying that we must "be smart and implement best practices, and conduct ongoing risk analysis," and remember that the patient is most important and should be at the center of our thinking. Organizations must determine how best to ensure patient access to PHI while also adequately safeguarding it. "A risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program," he said.

Earlier in the event there was a panel discussion with Deven McGraw, Center for Democracy & Technology (Co-Chair, Tiger Team); Walter Suarez, Kaiser Permanente, (Co-Chair, Privacy & Security Working Group, HITSC); Peter Tippett, Chief Medical Officer, Verizon; Elizabeth Franchi, Director, Veterans Health Administration Data Quality Program; Paul Uhrig, Chief Administrative, Legal & Privacy Officer, Surescripts. The slide deck is below: