Highlights from the IAPP Global Privacy Summit: OCR and HIPAA
This May, Timothy Noonan (“Noonan”), acting deputy director for health information privacy at the Office for Civil Rights (“OCR”), sat for a Q&A session at the International Association of Privacy Professionals’ (“IAPP”) annual Global Privacy Summit in Washington, DC. Noonan discussed a variety of topics, including OCR’s HIPAA enforcement priorities, the future of the HIPAA audit program, future guidance and rulemaking, and other enforcement-related topics. Although Deputy Director Noonan’s comments do not qualify as official OCR guidance, they provide valuable insight into OCR’s current and future plans regarding HIPAA; here are some highlights and takeaways:
- Right of Access: Noonan stated that “OCR views Right of Access as the cornerstone of the Privacy Rule,” and as an enforcement and audit priority. Generally, the Privacy Rule provides that “an individual has a right of access to inspect and obtain a copy of [PHI] about the individual in a designated record set[.]” 42 C.F.R. § 164.524 (hereinafter “Right of Access”). Through the enforcement program, OCR discovered that Right of Access was, and continues to be, a problematic area of non-compliance for covered entities. For example, individuals were provided with incomplete medical records, charged fees in excess of what is allowed under HIPAA, and completely denied access to their own medical records.
- Other Enforcement Priorities: Noonan emphasized that OCR is committed to vigorous enforcement of HIPAA and is focused on systemic non-compliance (e.g., no risk assessments or business associate agreements) or egregious abuses of privacy rights (e.g., ABC filming cases) regardless of a covered entity’s or business associate’s size or availability of resources. Noonan also explained that OCR tries to highlight trends and educate the industry through its enforcement actions.
- Audit Program: When asked about the status and future of the HIPAA audit program, Noonan stated that OCR will issue its formal findings from the phase 2 audits later in 2019, and that OCR intends to maintain the audit program as an enforcement program, focusing initially on covered entities and business associates that DO NOT report breaches. Noonan also confirmed that OCR’s audit activity is influenced by various media sources (e.g., TV, internet, blogs, etc.).
- Guidance and Rulemaking: Noonan acknowledged that OCR continues to develop its much-anticipated texting guidance and social media guidance, but he did not provide an update on when such guidance would be published. While Noonan declined to comment on potential amendments to the HIPAA Privacy Rule, he opined that the risk-based, technology-neutral framework of the Security Rule has held up well over time and is not overly prescriptive.
- Cyber Security: Noonan stated that covered entities and business associates need to be prepared for the “changing nature of health care data breaches.” Hacking and infiltration have become “the single largest category for breaches,” while the stolen/lost laptop breach scenario has significantly decreased over the past few years. Noonan indicated that OCR expects covered entities and business associates to take a proactive approach to information security rather than a reactive approach.