Recap of the OCR/NIST Conference on Safeguarding Health Information
- Encryption. Organizations storing or transmitting PHI without encryption should take note that nearly every speaker and several audience questions discussed the need for encryption in the healthcare sector. Iliana Peters (Senior Advisor for HIPAA Compliance and Enforcement, OCR) reminded the audience that encrypting PHI provides a safe harbor for breach notification purposes. Ms. Peters and Deven McGraw (Deputy Director, Health Information Privacy Division, OCR) both emphasized that “addressable” does not mean “optional” in the HIPAA Security Rule, and Ms. Peters suggested that it was difficult for her to imagine a scenario in which an organization could justify not encrypting laptops. One scenario discussed at the conference that may justify a decision not to encrypt involves a medical device in an emergency care setting that would be slowed down by encryption; even in such a scenario, Ms. Peters reminded the audience of the need to document such decisions not to encrypt and to identify compensating controls (such as increased physical safeguards). Deputy Director McGraw noted that another scenario is unencrypted email communication with patients in cases where the patient has been alerted to the danger of communicating PHI over unencrypted email, alternative means of communication have been offered, and the patient has elected to accept the risk of using unencrypted email.
- FTC and OCR Enforcement Overlap. The FTC offered some comfort to entities concerned that HIPAA Security Rule compliance may not be enough to satisfy the FTC. Conference participants raised a concern that overlapping enforcement by OCR and the FTC is creating uncertainty regarding security standards. Cora Tung Han (Senior Attorney, Division of Privacy and Identity Protection, FTC) addressed those concerns by stating her view that (1) the standards applied by OCR and the FTC are generally consistent and (2) the FTC generally will not be interested in initiating an action based on inadequate security measures against any entity that is complying with the HIPAA Security Rule. Ms. Han spent much of her presentation highlighting the FTC’s “Start with Security” initiative and walking through the key lessons present in the FTC’s guidance, “Start with Security: A Guide for Business.”
- Insider Threats and Access Controls. OCR made it clear that security strategies that focus exclusively on external threats are inadequate. Jocelyn Samuels (Director, OCR) emphasized a need for internal processes to manage workforce access to PHI. Ms. Han focused on the need for organizations to implement access controls and require strong passwords. Ms. Peters also discussed the danger of insider threats to the privacy and security of PHI—such as when an employee downloads and sells PHI, uses PHI to blackmail a patient, engages in identity theft, or speaks to the press about a famous patient—and stated that OCR has referred over 500 insider threat cases to DOJ.
- Business Associates. Business associates should expect, and prepare for, greater scrutiny from OCR. Ms. Peters identified risks associated with business associates as one of the OCR’s top three enforcement priorities for the coming year. Ms. Peters noted that because of the nature of their work, business associates often have more data than covered entities, and that many recent breaches have involved business associates. She also commented that a lack of a (or an inadequate) business associate agreement is a problem OCR frequently encounters in its investigations.
- Precision Medicine. The shift towards precision medicine is likely to bring an even greater emphasis on privacy and security to the healthcare sector. Several presenters identified various initiatives associated with the White House’s precision medicine initiative. Director Samuels noted that potentially game-changing benefits of precision medicine depend on the willingness of the public to participate. Because precision medicine requires genetic and other highly sensitive data, the public likely will be willing to participate only to the extent that they can rely on strong privacy and security protections. Among other efforts to support the precision medicine initiative, Director Samuels indicated that HHS will be releasing guidance regarding the right for patients to access their data and working with PHI in the cloud. Deputy Director McGraw suggested that the guidance regarding patients’ right of access will be released by the end of October 2015 and that the cloud guidance will be released sometime this fall as well.
- Audit Program. The audit program remains under development. Director Samuels announced that OCR is nearing the launch of the next phase of its audit program, although she did not provide specific dates. The next phase of the audit program will emphasize remote “desk audits” rather than on-site audits and will involve the use of a third-party contractor to support OCR’s audit efforts. OCR plans to post an updated audit protocol as the launch of the audit program approaches.
- Data Breach Trends. The loss, theft, or improper disposal of devices or media containing PHI continue to be the leading causes of breaches, although hacking is on the rise. Ms. Peters discussed trends in the approximately 1,310 large breaches of PHI (i.e., affecting 500+ individuals) that have been reported to OCR to date. Of these breaches, 42 percent of the incidents involved theft or loss of mobile devices, laptops or desktops containing unencrypted PHI. Ms. Peters also noted that 22 percent involved paper records and urged the audience not to forget to manage paper records properly. The number of breaches involving hacking or IT errors continues to rise each year, according to OCR, and now comprises 10 percent of all large breaches. Ms. Peters noted that in terms of the number of records disclosed, however, hacking incidents would constitute the vast majority of the total. Ms. Peters stated that many large breaches lately have involved business associates, and urged the audience to consider whether the covered entity or business associate is best positioned to report the breach to OCR in such circumstances. OCR separately noted that there have been approximately 179,000 reported breaches affecting <500 individuals to date.
The conference agenda with links to each presentation is available here.
Nathan Salminen, an associate in our Washington, D.C. office, contributed to this entry.
This entry was originally posted on Hogan Lovells’ Chronicle of Data Protection