I recently attended the Health Care Compliance Association’s (HCCA) Compliance Institute and the annual HIPAA Summit, both in the Washington, D.C. area, where representatives from the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) delivered remarks on what to expect from their office in 2017. I reported on my experiences at these events in an article for RACmonitor; here are some highlights.
New Director of the OCR
Attendees at the HIPAA Summit had the great honor of hearing the first public remarks from the newly appointed Director of the OCR, Roger Severino, in his new capacity. Prior to his appointment, Severino had a long and distinguished public service career.
In his remarks at the Summit, Severino emphasized the important role of health information privacy and security to the overall functioning of the healthcare system. This focus will lead to increased patient confidence in the system, which, according to the new director, is paramount for the system to function.
OCR Priorities for 2017
Following Severino’s remarks, OCR Deputy Director Deven McGraw shared the OCR’s outlook for 2017. McGraw and her team plan to work with Severino over the coming weeks to identify priorities for policy and guidance.
Update on HIPAA Audit Program
Speaking on Phase 2 of the HIPAA Audit Program, McGraw reiterated that the audits are a tool for learning, not a tool for enforcement, and should eventually yield best practices. She stated that the OCR hopes to develop a continuous compliance monitoring program moving forward, as opposed to the sort of periodic audits enacted currently.
Iliana Peters, Attorney and Senior Advisor at the OCR, spoke on OCR enforcement at both the Compliance Institute and the HIPAA Summit. She highlighted lessons learned from 2016 resolution agreements and civil money penalties, including the need for regular and thorough risk analyses, encryption, access and audit controls, and timely breach notification.
For more information on the OCR, join MRO for the first installment of our free privacy and security webinar series, “Lessons Learned from OCR Enforcement Actions,” Monday, April 17, 1pm Eastern.