Two representatives from HHS Office of Civil Rights (OCR) presented on February 19, 2014, to about 70 members of the Ohio Association of County Boards of Developmental Disabilities Tech Alliance (OACBDD Tech Alliance). Here are a few points of interest from the information presented:
- OCR’s guiding enforcement principle is voluntary compliance. The vast majority of complaints and violations are resolved without a fine. That said, OCR has powerful enforcement capabilities that can be used in cases of egregious violations, systemic disregard for HIPAA rules and cases of willful neglect.
- It was abundantly clear that black and white answers are rare. No exact guidance exists for matters such as the specifications for audit trails in your software, what constitutes an improper email to an individual served, or the definition of “low probability” when doing a risk analysis regarding a potential breach. OCR will evaluate each situation on a case-by-case basis.
- OCR leadership is in flux. Director Leon Rodriguez is awaiting congressional approval for a position as head of United States Citizenship and Immigration Services, so we might expect more slow going during this lame duck period. For example, the representatives were unable to make any statements regarding what the long-awaited HIPAA Random Audit program will look like, how it will operate and when it will begin.
- OCR partnered with ONC to create HIPAA training games which are available here: www.healthit.gov/providers-professionals/privacy-security-training-games.
- Many of the important principles are common sense. For example, when speaking about an individual served, use “indoor voices” and put away paper files in locked file cabinets.