OCR Warns Electronic Data Most Vulnerable

By Katie Wike, contributing writer

Office for Civil Rights advising providers to conduct security risks protecting patients’ electronic data

Iliana Peters, a privacy specialist with the U.S. Department of Health & Human Services Office for Civil Rights, says providers hoping to meet 2014 MU standards - or even simply updating software - should be running security risk assessments to test for vulnerability. At the American Bar Association's Health Law Section's Annual Washington Health Law Summit in Washington, D.C., last week, Peters said, “Every time you change your software, do a risk analysis.”

Fierce EMR reports “Providers seem to be having a particularly difficult time complying with HIPAA's security rule, leaving patient records in electronic form the ‘most vulnerable.’ The vast majority of security breaches reported to HHS have involved the compromise of electronic protected health information in EHRs, laptops, and mobile devices, added OCR privacy specialist Anna Watterson, who also spoke at the summit. OCR's pilot HIPAA audit program found only 11 percent of audited entities in ‘good HIPAA compliance shape,’ Peters said.”

Compliance is essential since, as Peters said, the ORC has "significantly stepped up enforcement and that aggressive enforcement will continue.” Other recommendations include:

• store electronic records on a secure network
• train work force members on safeguarding patient data
• encrypt all data

This comes after the OIG released a report which “concluded that the OCR had not assessed risks, established priorities, or implemented controls to provide for periodic audits of covered entities to ensure their compliance with the HIPAA Security Rule.” According to Data Guidance, this report makes it likely the OCR would begin cracking down on providers in its investigations.