All providers updating software to comply with the Meaningful Use program's 2014 edition of certification, or upgrading for any other reason, should be conducting a security risk analysis to test for vulnerabilities that may compromise patients' electronic data, according to Iliana Peters, a privacy specialist with the U.S. Department of Health & Human Services Office for Civil Rights.
"Every time you change your software, do a risk analysis," Peters said, speaking at the American Bar Association's Health Law Section's Annual Washington Health Law Summit in Washington, D.C., last week.
Providers seem to be having a particularly difficult time complying with HIPAA's security rule, leaving patient records in electronic form the "most vulnerable." The vast majority of security breaches reported to HHS have involved the compromise of electronic protected health information in EHRs, laptops, and mobile devices, added OCR privacy specialist Anna Watterson, who also spoke at the summit. OCR's pilot HIPAA audit program found only 11 percent of audited entities in "good HIPAA compliance shape," Peters said.
Protecting patients' electronic records will become even more critical since OCR has "significantly stepped up enforcement and that aggressive enforcement will continue," warned Peters, who also said that the amounts that entities have paid in settlement of alleged HIPAA violations were a "fraction" of what OCR could have imposed on the entities. Some of the settlement agreements--known as "resolution agreements"--have been for more than $1 million, she said.
Peters and Watterson recommended, among other things, that entities store electronic records on a secure network, train workforce members on safeguarding patient data, and encrypt all data.
"Since there is no real alternative to encrypt, encrypt," Peters said. "Encryption would make life so much easier."
OCR Director Leon Rodriguez noted at the ABA's annual Emerging Issues Conference last February that the audit program found that entities were lax about encrypting data, with many of them not even thinking about doing so. HIPAA's security rule considers encryption to be "addressable," meaning that either the covered entity encrypts the data or opts not to, but documents its rationale for not doing so. The topic, he said, can't simply be ignored.