2017 HIPAA Security Conference – What Were the Significant Points?

by ih-coc admin

by Jay Hodes, President - Colington Consulting

On September 5-6, the 10th annual Safeguarding Health Information: Building Assurance through HIPAA Security conference was held in Washington, D.C. The conference was hosted by the HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) and primarily covered the latest trends in HIPAA enforcement, cybersecurity, and overall security best practices.

The first speaker was Roger Severino, the newly confirmed Trump administration appointee, who is the Director of OCR. As his official bio indicates, he “was a trial attorney for seven years in the Department of Justice’s Civil Rights Division where he enforced the Fair Housing Act, the Religious Land Use and Institutionalized Persons Act, and Title II and Title VI of the Civil Rights Act of 1964.” Severino’s comments included “enforcement is a key aspect of HIPAA” and organizations must embrace a “new posture of preventive security.”

As a former Assistant Inspector General for Investigations at HHS, I understand government speak and interpret Severino’s overall comments to reflect a more proactive enforcement approach by OCR in the future. Severino indicated OCR was looking for that “big, juicy, egregious” breach that can be used to make a point and to serve as an example to organizations of what not to do when it comes to meeting compliance requirements.

Many of the speakers seemed focused on the cybersecurity threat environment, offering valuable insight and best practices. They emphasized that it is imperative for healthcare organizations to ensure their technical safeguards are adequate to prevent ransomware and malware attacks. This focus on security speaks to Severino’s point about a preventive security posture.

Although there was a presentation titled “Reducing Risk for Small Provider Practices,” it really did not focus on the smaller healthcare provider. These presenters were knowledgeable about cybersecurity threats and best practices, but in my opinion, they were overly technical and too distant from the small provider community. I have a great deal of experience in that sector and the reality is these types of practices need a lot more practical guidance from OCR. Most do not have the resources or technical expertise, and many do not know what type of information systems support they need, what must be in place, or how to achieve it.

The presentation I always look forward to is the update on OCR’s enforcement activities. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, provided some updated statistics regarding breaches and enforcement activities. Based on those OCR statistics, 78% of breaches are still being caused by human error and are preventable. Theft, loss, and unauthorized access/disclosures account for most of that high percentage. Peters said that almost 175 million individuals have been affected by HIPAA data breaches through July 31, 2017. That is a staggering number but not very surprising to me.

My overall impression after two days at the conference is that more must be done to prevent cybersecurity attacks in the healthcare sector and that HIPAA enforcement continues. Both are the ongoing reality and norm for healthcare providers.