Part II: Office for Civil Rights (OCR) Offers “Lessons Learned” R

Emily M. Hord

Email

859-231-8780

Bio and Articles

Find Your Next Job !

Litigation Legal Support Specialist
Greenberg Traurig, LLP

Litigation Paralegal
Greenberg Traurig, LLP

Legal Support Specialist
Greenberg Traurig, LLP

Chief Operating Officer / Business Manager
On Balance Search Consultants

Commercial Real Estate Transactional Attorney / Real Estate Lawyer
On Balance Search Consultants

Trusts & Estates Attorney / Estate Planning Lawyer
On Balance Search Consultants

Trusts & Estates Partner / Senior Attorney
On Balance Search Consultants

Explore More Job Openings

Part II: Office for Civil Rights (OCR) Offers “Lessons Learned” Regarding HIPAA (Health Insurance Portability and Accountability Act) Compliance

by: Emily M. Hord of McBrayer, McGinnis, Leslie and Kirkland, PLLC - Health Care Law Blog

Thursday, July 3, 2014

Print Mail Download info_icon_img

/>i

On Tuesday, some of the details of OCR’s recently released Breach and Compliance Reports were discussed. In addition to detailing facts and figures from cases involving breaches in 2011 and 2012, the Breach Report includes an important “Lessons Learned” section that all covered entities and their business associates should review. Based upon reported breaches, the OCR has outlined some specific areas of concern, which include the following:

Risk Analysis and Risk Management

Covered entities should ensure that their security risk analysis is thorough and pay special attention to ePHI on hard drives, digital copies, USB drives, and mobile phones, etc.

Security Evaluation

Covered entities should conduct a security evaluation, whenever there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI.

Security and Control of Portable Electronic Devices

Covered entities should ensure that any PHI that is stored and transported on portable electronic devices is properly safeguarded, including encryption when appropriate.

Proper Disposal

For electronic devices and equipment that store PHI, covered entities should ensure that the device or equipment is purged or wiped thoroughly before recycling or discarding the device or equipment.

Physical Access Controls

Covered entities should ensure that physical safeguards are in place to limit access to facilities and workstations that maintain PHI.

Training

Covered entities should ensure that employees are trained and are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.

In the Compliance Report, OCR outlines its plan for future improved enforcement. OCR expressly stated that it will “work smarter” to cope with the increasing volume of complaints and will pay special attention to “high impact cases.” Compliance Report p. 23. In 2011 and 2012, OCR doubled the number of cases ending in Resolution Agreements, settlement, and corrective action plans and OCR promises to “continue this uncompromising enforcement posture in the future.”