The Department of Health and Human Services Office of the Inspector General, the agency’s watchdog, has released its annual work plan. Its 117 pages specify hundreds of work items reviewing every nook and cranny of the health system.
Medicare and Medicaid contractors and hospitals will be scrutinized for their security controls to prevent the loss of HIPAA Protected Health Information stored on portable media, including laptops, jump drives, backup tapes and disposed equipment. The plan cites NIST Special Publication 800-53 and NIST Special Publication 800-53A as the accepted control frameworks for the Medicare and Medicaid contractors.
The Office of Civil Rights (OCR) itself will be reviewed to determine whether its oversight and enforcement of the HIPAA regulations are adequate. The review will look at two separate pieces of OCR’s enforcement obligation: first, it will examine OCR’s investigation policies, procedures and mechanisms to assess broadly whether OCR is adequately enforcing the Privacy Rule.
The second OCR probe will focus on OCR’s enforcement of the new Breach Notification Rule, enacted in August of 2009. It will evaluate OCR’s policies for investigating breaches, and explore whether Medicare Part B-covered entities (which include physician practices, home health agencies, physical therapy clinics and a variety of other providers) have policies in place to mitigate breaches.
This scrutiny reflects the ever-increasing number of data breaches resulting from the rapid proliferation of mobile devices. All organizations should take the time to review their policies, controls, and technologies for protecting against data breaches. Encryption technologies have become mainstream and should be implemented, with proper attention to employee training on the correct use of the new technologies.