It’s been a challenging year for HIPAA compliance. OCR levied more than $20 million in breach settlement fines. Ransomware rocked the healthcare industry.
Q: In our pharmacy dispensing system, we can enter free-form notes for certain records such as a patient record, prescription records, and physician records. This field is used to enter notes that are customer service?focused and not treatment- or payment-related in nature. Would these notes be considered PHI, and would record retention requirements apply to these notes?
As OCR's auditors wrap up the final desk audit reports for phase two of the HIPAA audit program, many covered entities (CE) are breathing a little easier. Only 167 CEs were selected for desk audits in July. Audited CEs can expect to wait several months to see the final audit reports, although they will have the opportunity to review a draft version and submit comments that will be attached to the final report.
But phase two is far from over. Business associates (BA) will be selected for desk audits this fall—the first time these entities will be subject to OCR's HIPAA audits. And early next year, OCR will launch comprehensive on-site audits of both CEs and BAs.
Social media is everywhere—even inside the walls of hospitals. Staff may log into personal accounts during lunch breaks, and many organizations maintain official social media accounts; plus, of course, patients and visitors often rely on social media to keep in touch with friends and family. For many, social media is so much a part of their everyday routine that the benefits are almost too obvious to list. Yet the risks—including potential HIPAA violations—are often not as clear, and privacy and security officers need to stay aware of them.
Threats to PHI are coming fast and furious. Although many organizations are ready to take HIPAA compliance seriously, it requires sustained attention and resources for organizations to protect PHI. That can't happen if privacy and security officers aren't being heard by the board and senior leaders.
In July, OCR announced it reached a HIPAA breach settlement with Oregon Health and Science University (OHSU), an academic health center. In its statement on the settlement, the agency drew attention to the vital role hospital executives and senior leaders play in HIPAA compliance. OHSU did complete risk analyses and identify vulnerabilities, including those that caused the two massive breaches named in the settlement, but no action was taken to mitigate these vulnerabilities. Without support from the top, OHSU's security risks remained unaddressed until it was too late. Failure to address these risks came with a $2.7 million price tag, a strict three-year corrective action plan, and the kind of bad press that's difficult to put a positive spin on.
Privacy and security officers need executive support, but obtaining it may be a challenge. Alliances with key staff and an understanding of the concerns senior leaders face can be a win for privacy and security in the boardroom.
Growing threats to PHI, particularly ransomware, have drawn attention to privacy and security this year. Senior leaders and members of the board may be feeling the pressure to change the way their organizations operate and step up security measures.
