OCR Acting Deputy Director Talks Risk Management at Advocacy Summit

Anne Zender reports:

Risk management, risk analysis, and enabling individual access to information are three areas where healthcare organizations have room for improvement, according to forthcoming findings from the Department of Health and Human Services’ Office for Civil Rights’ (OCR) HIPAA audit program. Timothy Noonan, acting deputy director, health information privacy at OCR, spoke about these issues and more on Monday during AHIMA’s Advocacy Summit in Washington, DC.

For several years, OCR has been conducting audits of HIPAA-covered entities and business associates to better understand what organizations are doing well and where they can improve. An update and summary of the findings will be published this year, he said. Audits also found organizations had the best performance in delivering timely notice of breaches, posting notices of privacy practices online, and providing required notice of privacy practices. OCR will share lessons learned from the audits as well as guidance and technical assistance, he said.

Noonan also gave an overview of the varieties of complaints and investigations OCR’s enforcement program performs. The health information privacy division annually receives 25,000 complaints, with 350 breach reports investigated in 2018, Noonan said.

The risks and challenges to the regulatory community with regard to breaches are constantly changing, Noonan said. So far in 2019, according to OCR data, 41 percent of breaches were related to email activity such as phishing. Laptops continue to be a concern as well. “If it’s mobile, your data will walk,” Noonan said. Hacking was the most common type of breach in the first two months of 2019.