The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently submitted two annual reports to Congress setting forth a summary of complaints and breaches reported to the OCR during calendar year 2021, as well as the enforcement actions taken by the OCR in response. Covered entities and business associates should be aware of the trends identified in these reports and examine how to improve their HIPAA compliance program in these areas.

Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance

The Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance ("Compliance Report") provides some interesting statistics on complaints filed with the OCR and the resulting investigation and enforcement trends by the OCR in 2021. According to the Report, the OCR resolved 17 investigations with resolution agreements and corrective action plans (CAPs) and imposed civil monetary penalties (CMPs) totaling $6.1M in collections.

Although there was a slight decrease in breaches reported in 2021, resulting in fewer OCR compliance reviews being initiated, complaints to the OCR rose in 2021. Specifically, the Compliance Report shows that between 20 the number of complaints received by the OCR increased 39% and the number of compliance reviews initiated by the OCR grew by 44%. During this same time period, breaches affecting 500 or more individuals rose 58%. However, despite these increases, the OCR did not initiate any proactive audits of covered entities and business associates in 2021 due to a lack of financial resources. The OCR also continued its outreach and education efforts by conducting 218 outreach events and conferences for various stakeholders, focusing on OCR actions related to the pandemic, including telehealth guidance, launching a HIPAA and COVID-19 website, and hosting a series of webinars with the Office of the National Coordinator for Health Information Technology (ONC) regarding updates to the HIPAA Security Risk Assessment (SRA) Tool.

Report on Breaches of Unsecured Protected Health Information

Some notable findings also came out of the OCR's Report on Breaches of Unsecured Protected Health Information. For instance, in 2021 the OCR commenced investigations into 631 total breaches (609 of which affected more than 500 individuals). Of that total, the OCR completed 554 investigations and resolved two of them with resolution agreements/CAPs, collecting CMPs totaling over $5.1M. The OCR summarized some of the lessons learned and the areas needing improvement as follows:

The Security Rule requires organizations to complete a risk analysis that is an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic PHI (ePHI) held by the covered entity or business associate. The OCR's investigations found evidence of non-compliance with this requirement, such as failing to conduct these required risk analyses. To assist small and medium-sized health care practices and business associates in complying with the HIPAA Security Rule, the ONC and OCR have jointly launched a HIPAA SRA Tool. It is also helpful when conducting risk assessments to map each administrative, physical, and technical safeguard standard and implementation specification required by the Security Rule to a relevant NIST Cybersecurity Framework Subcategory using the HIPAA Security Crosswalk to the NIST Cybersecurity Framework. A risk analysis can be carried out by qualified internal personnel or third-party vendors.

The Security Rule also requires covered entities and business associates to implement risk management practices, such as implementing sufficient security measures to reduce potential risks and vulnerabilities to a reasonable and appropriate level. Once HIPAA-regulated entities identify these vulnerabilities, they must develop a plan designed to show how they will remediate them.

HIPAA-regulated entities must also regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These processes not only enable such entities to determine if any ePHI is used or disclosed in an inappropriate manner, but can play a crucial role in detecting and potentially eliminating or mitigating internal and external malicious activity. Through its investigations, the OCR found non-existent or deficient processes, such as reviews that were ad hoc and reactive.
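As an added illustration of the information system activity review described above (example code written for this page, not part of the original post and not an HHS/OCR or SRA Tool component), the following Python script makes a first automated pass over a constructed ePHI access log. The log format, the role-to-action policy, the business-hours window and the bulk-access threshold are all assumptions. It flags actions a role is not permitted to perform, off-hours access, and users who touch an unusually large number of distinct patient records in one day, so that the review becomes routine and repeatable rather than ad hoc and reactive.

```python
"""First automated pass over ePHI access logs for a periodic activity review.

Added example; not from the original post or from HHS/OCR. The log
format, ROLE_POLICY, BUSINESS_HOURS and BULK_THRESHOLD are assumptions.
Real EHR audit logs differ, and thresholds should come from the entity's
own risk analysis.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data).
# Fields: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2021-03-02T09:14:05,nurse01,nurse,P1001,view
2021-03-02T09:20:41,nurse01,nurse,P1002,view
2021-03-02T03:12:09,billing02,billing,P1003,view
2021-03-02T10:05:00,billing02,billing,P1004,export
2021-03-02T11:00:00,dr_lee,physician,P1001,view
2021-03-02T11:01:00,dr_lee,physician,P1002,view
2021-03-02T11:02:00,dr_lee,physician,P1003,view
2021-03-02T11:03:00,dr_lee,physician,P1004,view
2021-03-02T11:04:00,dr_lee,physician,P1005,view
2021-03-02T11:05:00,dr_lee,physician,P1006,view
2021-03-03T14:30:00,nurse01,nurse,P1007,view
"""

# Assumed policy: the ePHI actions each role is permitted to perform.
ROLE_POLICY = {
    "physician": {"view", "update", "export"},
    "nurse": {"view", "update"},
    "billing": {"view"},
}
BUSINESS_HOURS = (6, 20)   # assumed: 06:00 up to (not including) 20:00
BULK_THRESHOLD = 5         # assumed: distinct patients per user per day


def parse_log(text):
    """Turn the comma-separated log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return records


def review(records):
    """Return findings as (kind, user, when, detail) tuples.

    Three checks: an action the user's role may not perform, access
    outside business hours, and a user touching more distinct patient
    records in one day than BULK_THRESHOLD allows.
    """
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        allowed = ROLE_POLICY.get(r["role"], set())   # unknown role -> nothing allowed
        if r["action"] not in allowed:
            findings.append(("unauthorized_action", r["user"],
                             r["ts"].isoformat(), r["action"]))
        if not (BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("off_hours_access", r["user"],
                             r["ts"].isoformat(), r["patient"]))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, day.isoformat(), len(patients)))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed sample this reports three findings: the billing user's `export`, the same user's 03:12 access, and the physician's six distinct records in one day. Such output is the starting point for the human review the Rule contemplates, not a conclusion; each finding should be reconciled against shift schedules, break-the-glass records and incident tickets, and the thresholds tuned from the entity's own risk analysis.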