HIPAA Enforcement Update: Areas of FocusNick Heesters of OCR Describes Ongoing Efforts
The Department of Health and Human Services is paying particular attention to complaints involving patients' access to their health information; it's also focusing on investigations of organizations with patterns of HIPAA noncompliance, says Nick Heesters of the HHS Office for Civil Rights.
Details about how OCR plans to ramp up enforcement of patients' record access rights are still being worked out, he says in an interview with Information Security Media Group at the HIMSS19 conference in Orlando, Florida.
Regarding how OCR will identify patient access cases to investigate, Heesters says: "Certainly, patient complaints is a main method by which OCR receives issues for potential investigations."
On Monday, two HHS units, the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services, each issued proposed rules that aim to bolster the secure exchange of health information. The two proposals aim to help provide patients with better access to their records in the quest for improved coordination of care.
During a HIPAA compliance and enforcement presentation at HIMSS19, OCR Director Roger Severino noted that "empowering consumers with [access to] their own health information ... leads to better health outcomes." OCR and other HHS units are coordinating their policy efforts around the aim of balancing privacy with the right of access, he told the audience at the session, which also featured Heesters.
Another area of heightened enforcement scrutiny, Heesters says, involves focusing on those entities with "a culture of noncompliance and total disregard for the duty of care that is owed to protecting individuals' protected health information."
Those are the "egregious cases" that can also get extra scrutiny for potential HIPAA financial settlements or civil monetary penalties, he explains.
"OCR is primarily interested in pursuing enforcement in those kinds of cases where there is no evidence of any kind of compliance or even any attempts to comply with the HIPAA rules," he says.
In the interview (see audio link below photo), Heesters also discusses:
- Weak risk management practices that get OCR's attention for potential enforcement action;
- Trends in the types of breaches OCR is seeing reported;
- The status of OCR's HIPAA compliance audit program.
Heesters, an attorney, is a health information privacy and security specialist at OCR. He is a certified information privacy professional with over 25 years of experience supporting technology and information security efforts in diverse industries, including financial services, government, defense, education and healthcare.