'No Slowdown' for HIPAA Enforcement, But Audits Ending
OCR Director Roger Severino Offers Update at HIMSS18 Conference
So what's next for HIPAA enforcement efforts by the Department of Health and Human Services' Office for Civil Rights? OCR director Roger Severino says there is "no slowdown in our enforcement efforts," and that the agency will continue with the "same enforcement mindset."
At the HIMSS18 conference on Tuesday, Severino said: "I come from the Department of Justice Office for Civil Rights; I bring that mindset to OCR. We're still looking for big, juicy egregious cases" for enforcement.
And it's not just large entities that could be under OCR's scrutiny. "This doesn't mean that if you're smaller and quiet" you will fall out from under OCR's enforcement radar, he said.
"We're about increasing access to information" by patients. But in the meantime, entities who hold PHI "need to treat it like gold," Severino said.
No More HIPAA Audits?
While the status of OCR's phase two HIPAA compliance audits did not come up during Severino's formal presentation or question and answer session, Severino told Information Security Media Group after his presentation that OCR is compiling findings from those audits "and putting that into a usable form of best practices."
When asked by ISMG if there will be a "phase three audit program," Severino answered, "No. Phase three is the compilation of findings."
In 2016, OCR had nearly $25 million in financial collections from HIPAA-related settlements, which set a record, and 2017 came in second with $19.4 million collected, he noted. In total since 2009, OCR has had 50 settlement agreements and 3 civil monetary penalty cases.
"We want to see the number of cases come down, because we want to see increased compliance," Severino told the audience at HIMSS18. "We'd like to put ourselves out of business [as an enforcement agency.] Unfortunately, [cases] are growing steeply up."
As of Jan. 31, about 177 million records have been breached since 2009, according to major breach reports that OCR has confirmed. Thefts make up 38 percent of reported cases of breaches affecting 500 or more individuals, and paper is involved in 21 percent of those breaches, he noted. "Hacking is 19 percent of security incidents [reported] and growing."
Review of Regulations
In his presentation, Severino said OCR is examining its regulations to see if "undue burden" on the industry can be eased.
HHS, including OCR, is undergoing a review of its regulations "to reduce the burden" on the industry, examining whether benefits and outcomes outweigh the costs, he said. "We are in a deregulatory environment," where two regulations need to be removed for every one new regulation implemented, Severino noted. "We're going to take a comprehensive look to make sure [existing regulations] are not out of date and have undue burden."