HHS Puts Increased Emphasis On Cybersecurity

In January 2015, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) highlighted increased cybersecurity risks for healthcare companies under strict obligations to protect sensitive patient data. As cyber-attacks on these entities increase, so do HIPAA privacy breaches. The OCR is seeing a rise in the number of people affected by hacking and IT breaches reported by entities under the breach notification requirements, especially breaches caused by malware compromising the security of IT resources.


The OCR is emphasizing that any organization that holds sensitive data is at risk. That’s why it is critical that HIPAA covered entities and their business associates regularly assess and address the risks to the ePHI for which they are responsible. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.


The director of the OCR also addressed the timing of the next round of HIPAA compliance audits by the OCR. The next round of audits – the first stage of which was conducted in 2011 and 2012 – will be implemented “expeditiously” and will be accompanied by new audit guidelines. However, no specific timetable for beginning the audits was announced. The OCR has encouraged HIPAA-covered entities to monitor the OCR website in the coming weeks and months for additional timing updates and guidance. When asked whether these upcoming audits will be “educational” or whether they will also be used for enforcement, the OCR stated that the audits will join their “existing arsenal of tools…to proactively identify areas of [HIPAA] compliance concern[s].”


If you have any questions about your cybersecurity preparedness and how it relates to HIPAA requirements going forward, give ITPAC a call today.