Privacy and Security

OCR Acting Deputy Director Talks Risk Management at Advocacy Summit

Risk management, risk analysis, and enabling individual access to information are three areas where healthcare organizations have room for improvement, according to forthcoming findings from the Department of Health and Human Services’ Office for Civil Rights’ (OCR) HIPAA audit program. Timothy Noonan, acting deputy director, health information privacy at OCR, spoke about these issues and more on Monday during AHIMA’s Advocacy Summit in Washington, DC.

For several years, OCR has been auditing HIPAA-covered entities and business associates to better understand what organizations are doing well and where they can improve. An update and summary of the findings will be published this year, he said. The audits also found that organizations performed best at delivering timely notice of breaches, posting their notices of privacy practices online, and providing the required notice of privacy practices. OCR will share lessons learned from the audits along with guidance and technical assistance, he said.

Noonan also gave an overview of the kinds of complaints and investigations OCR’s enforcement program handles. The health information privacy division receives about 25,000 complaints a year, and in 2018 it investigated 350 breach reports, Noonan said.

The risks and challenges to the regulatory community with regard to breaches are constantly changing, Noonan said. So far in 2019, according to OCR data, 41 percent of breaches were related to email activity such as phishing. Laptops continue to be a concern as well. “If it’s mobile, your data will walk,” Noonan said. Hacking was the most common type of breach in the first two months of 2019.

On investigations, “we look for systemic noncompliance, cases that have more than one violation, systemic failure to implement HIPAA rules, egregious violation of privacy rights,” Noonan said. “The obligation to comply with HIPAA is complete.”

Noonan also discussed the Request for Information (RFI) on modifying HIPAA rules—including information sharing, responding to the opioid crisis, accounting of disclosures of PHI, and changes to the notice of privacy practices—issued by OCR in December 2018. Noonan said the office received 1,300 comments, totaling more than 3,800 pages. “We read every single comment, every single page,” he said.

Noonan said he knows there are challenges related to patients’ right to access their information. “I’ve had my own challenges in getting records. I was told mine were archived. I still don’t have my records,” he said.

One issue OCR has identified is the difficulty of sharing records between providers. There is no required time frame, and no limit on fees, for sharing records from one provider to another, Noonan said. “Is it appropriate for the burden to be on the individual and the family for getting records from Doctor A to Doctor B?”

In the area of mental and behavioral health, Noonan said the office is responding to reports from patients’ families who did not learn of an opioid-related incident until it was too late. “There is a reluctance to share data,” he said. OCR wants to strike the proper balance between the privacy of individual patients and the need for loved ones to participate in their care, he added.

With regard to the notice of privacy practices, Noonan said the office is examining whether this HIPAA requirement serves anyone’s interest, and what alternatives may exist. “The burden may be greater than the benefit,” Noonan said.

Noonan discussed several high-profile enforcement actions that resulted in significant fines. For example, three separate settlements were reached after an ABC television network documentary series filmed patients in a hospital without obtaining their authorization. “When you go to a hospital, you’re not expecting to be filmed; you’re distracted,” Noonan said.

Noonan also pointed to the hacking of Anthem, Inc., which resulted in the largest health data breach in the US—affecting 78 million individuals. OCR identified issues with risk analysis, information system activity review, security incident response and reporting, and access controls.

Healthcare organizations should not only have good defenses to keep hackers out, he advised; they should also have safeguards that make it difficult for hackers to move through a system if they do get in. “Once somebody has broken in, you [should be] making it as hard as possible for them to access the data or extract the data,” Noonan said.