The Health and Human Services Office of Civil Rights (OCR) recently detailed the 5 most common mistakes that organizations make in their HIPAA compliance programs, as reported by TechTarget’s SearchHealthIT coverage. According to OCR, the 5 most common HIPAA violations and mistakes are:
- Improper handling of Business Associates, including the lack of a HIPAA Business Associate Agreement (BAA)
- Failures in risk management and risk analysis
- Poor data security relating to failure to properly encrypt data at rest, improper data transmission security and the use of unpatched or unsupported software
- Weak internal controls such as improperly implemented access controls, sloppy employee termination procedures and/or the lack of an internal audit program
- Data management problems including lack of a rigorous backup procedure, failure to create a robust data recovery plan or improper disposal processes
It is no surprise to see risk management and risk analysis failures on the list, since OCR has been preaching the importance of these for years. In particular, they stress the importance of a thorough inventory of ePHI. Another OCR mantra has been “encrypt, encrypt, encrypt.” OCR statistics from some years show that 25% of breached data is caused by business associates, so the emphasis on managing BAs is no surprise either.
OCR has not previously highlighted data backup and recovery plans, an area that Eagle often prioritizes as the most important control of all. We suspect that the rise of ransomware attacks, and the loss of data by some organizations, is the reason for this new emphasis from them.
It is appropriate for OCR to highlight the need to patch software, since unpatched software is a major attack vector leading to malware infections. One source of confusion for health providers, however, is that the word “patching” never appears in the HIPAA regulations. By design, the regulations are “scalable,” so organizations must interpret how the specific standards should be implemented based on the size, complexity and sophistication of their organization. Interested readers may want to review a previous Eagle post, Top 20 Security Controls Updated, for an up-to-date, prioritized itemization of top security controls.
Until the HIPAA regulations are rewritten to be clearer and more specific, health providers and other covered entities are advised to obtain good advice on how best to comply with these requirements.