OCR is making HIPAA changes, are you ready?
Earlier today the Office for Civil Rights (OCR) issued a Request For Information to its constituents (that's us) soliciting feedback for potential changes in two areas. The first area relates to cybersecurity, and the second is regarding the disbursement of civil monetary penalties to harmed individuals.
The first issue under public solicitation is about the Security Rule, and what is being done by Covered Entities and Business Associates to manage their cyber exposure. In short, OCR wants to know what best practices you have implemented to protect your practice and your patients' records.
The reality is, HIPAA has fallen far short of its potential as a guidance vehicle for cybersecurity. The legislation never even mentions the word "firewall". It's great to see the folks at OCR looking for ways to shore up this deficiency. While neither the Security Rule nor the Privacy Rule was intended to provide security guidance, it's become clear the current climate demands they play a more active role. So the question they're asking you is "what have you done?" The goal is to gather a selection of best practices from the field and use that as a basis for new guidance. So what's your answer? What have you done? Well, if you haven't implemented advanced cybersecurity solutions, you're going to have to soon. But what's truly worse is that if you haven't hardened your IT infrastructure, the likelihood is you have been breached and don't even realize it. And by the way, ransomware has continued its exponential growth. In fact, according to NCC Group's Monthly Threat Pulse, ransomware attacks increased 53% in February alone.
So when OCR asks you what have you done to improve your cybersecurity, please don't let that answer be inadequate.
Second, and this has been discussed for some time, OCR wants to implement a vehicle to compensate victims of Covered Entities and Business Associates. So if your medical records were breached and exposed by your cardiologist, for example, and OCR then fines that group, you'll potentially be paid a sum of money for your hardship. Our position has always been that this is a laudable goal, but it's also fraught with potential problems. We don't believe it's in our CEs' best interest to have their patients motivated to incite a breach, or errant release of records, in hopes of getting paid for the effort. Again, we support the goal but are concerned about the realities of such legislation.
If you are ready to become more cyber secure and HIPAA compliant, we're ready to help.