OCR Cyber Security Guidance for 2022

While not rising to the level of regulation, the OCR has provided guidance on what they see as critical best practices to perform to protect electronic health records. These best practices are largely in response to the threat of ransomware. As part of reviewing risk management policies and procedures, some best practices to include:

  • Maintain offline encrypted backups and regularly test backups
  • Conduct regular vulnerability scans on internet facing devices
  • Regularly patch operating systems and software
  • Train users on phishing and other common IT attacks

Recommended OCR Randsomware Resources

Breach Notification Rule of HIPAA

Requirements for data breach notification involving less than 500 individuals were modified in 2021.

https://deandorton.com/wp-content/uploads/2022/04/Hippa-Cyber-Graphic-scaled-e1649350088638.jpg

*Change from previous Breach Notification Rule

Breach Notification to OCR Portal

Possible Modifications to HIPAA Rules

Healthcare organizations are the driver for updating HIPAA rules due to their desire to decrease the administrative burden of the current rules as well as remove provisions that limit or discourage the coordination of care. Changes to the rules are due sometime this year. Some of the elements under consideration are:

  • Changing the time frame for responding to patient requests to obtain copies of health information
  • Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
  • Easing the restrictions on disclosures of PHI without authorization
  • Changes to HITECH Act requirements for the tracking disclosures of PHI for treatment, payment, and healthcare operations
  • Encouragement of information sharing for treatment and care coordination
  • Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible
  • Expansion of healthcare clearinghouses access to PHI

Upcoming OCR Changes

HIPAA Violation Penalties May Change

While penalties don’t necessarily relate to data security, availability and sharing, the reality is a data breach is typically going to be significantly costlier than paper-based or process-based violations. It takes knowing the penalty of “losing” to justify the investments needed. Doing everything to avoid a data breach still can’t guarantee avoiding it. Unfortunately, it’s a contest between us and the bad guys, with a data breach being a lost battle.

https://deandorton.com/wp-content/uploads/2022/04/HIPPA-Journal-Graphic.pngCurrent HIPAA Violation Information

Kevin Cornwell, CPA, CISA, CITP
IT Audit Associate Director
kcornwell@ddaftech.com • 502.566.1011