Annual HIPAA Conference, OCR Keynote Remarks
Jocelyn Samuel, Director, Office for Civil Rights | OCR
Dept. of Health & Human Services
The Nation’s Top HIPAA Enforcer
“We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems…”
“That is why enforcement is a critical part of our arsenal of tools to ensure compliance…”
“Resolution agreements that include a monetary settlement are only a small fraction of complaint and compliance reviews we undertake. These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”
Most common compliance shortfall…
Two-thirds [of entities audited] did not do a risk assessment.
How frequently should you perform a comprehensive risk analysis?
“When there are changes in the environment… new records management, new devices.”
It’s not necessarily the breach that will bring a potential penalty…
“Did you have systems and a plan and tools in place to reduce risk? Did you do an assessment to mitigate risks?”
“We not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by … timely risk management practices is the cornerstone of any good compliance program.”
Training… “Ensure that entities take the necessary steps to address and prevent future incidents and to mitigate harm to affected individuals.”
Business associates handling protected information will be subject to HIPAA compliance audits in the next phase of the program, which will begin “in the near future.”
Bottom line… you need a roadmap to “look where you are now, and where you want to be.”
We Make IT Security Easy
Do you have everything in place – systems, tools and plans – to reduce risk? Have you done an assessment to identify risks? DataLink can help you get where you need to be.