ARTICLE
27 February 2020

Don't Get Caught In The "Low-Hanging Fruit" HIPAA Harvest

Seyfarth Shaw LLP
Contributor
With more than 900 lawyers across 18 offices, Seyfarth Shaw LLP provides advisory, litigation, and transactional legal services to clients worldwide. Our high-caliber legal representation and advanced delivery capabilities allow us to take on our clients’ unique challenges and opportunities - no matter the scale or complexity. Whether navigating complex litigation, negotiating transformational deals, or advising on cross-border projects, our attorneys achieve exceptional legal outcomes. Our drive for excellence leads us to seek out better ways to work with our clients and each other. We have been first-to-market on many legal service delivery innovations - and we continue to break new ground with our clients every day. This long history of excellence and innovation has created a culture with a sense of purpose and belonging for all. In turn, our culture drives our commitment to the growth of our clients, the diversity of our people, and the resilience of our workforce.
United States Food, Drugs, Healthcare, Life Sciences

Seyfarth Synopsis: The Director of the HIPAA enforcement agency cautions that many covered entities are not meeting the basic HIPAA requirements and sees "low-hanging fruit" for enforcement activity.

The Director of the Office for Civil Rights at HHS, Roger Severino, recently gave an interview to Law360 about his office's enforcement of the Health Insurance Portability and Accountability Act ("HIPAA"). Severino noted, "for enforcement purposes, there's still a lot of low-hanging fruit." He observed that many covered entities subject to HIPAA are not covering the basics of HIPAA compliance, such as conducting a comprehensive risk analysis and providing sufficient HIPAA training.

While enforcement activity in some federal government agencies has shifted under the current administration, enforcement of HIPAA has continued to be strong. Severino warned he "expect[s] that the number of cases brought to enforcement will also be fairly substantial this year."

What can covered entities, such as employer group health plans, do?

First and foremost, make sure you have conducted (and documented) a thorough risk analysis. If it has been a while, you will want to dust it off and update it along with your full HIPAA security policies. Technology and the way we work evolve quickly. Covered entities are always adding new places where protected health information may be stored — new tablets here, a new copier there. Some of these changes may be subtle, but reviewing and updating the risk analysis may remind you of changes or help you identify areas that could impact HIPAA compliance and/or would be helpful to include in the risk analysis.

Reviewing OCR's audit protocol provides good insight into the types of questions you'll be asked in the event of a HIPAA audit. Reviewing that in advance can help you conduct your own internal audit to help gauge and improve HIPAA compliance.

Finally, one of the greatest protections a covered entity has against a HIPAA breach is its workforce. Make sure your workforce receives HIPAA training upon initial entry into a role with access to protected health information and that they also receive periodic refresher training. Practical examples as well as tailoring the training for the particular group can help make the HIPAA training more effective and, hopefully, will help avoid HIPAA breaches in the first place so you can avoid your organization being part of next year's OCR statistics.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
