OCR Explains Department’s Key Priorities at HHS-NIST Conference
Last week, the Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST) hosted the Safeguarding Health Information: Building Assurance Through HIPAA Security 2024 conference after a 5-year absence. Attendees learned about the current cybersecurity landscape in healthcare and how compliance with the HIPAA Security Rule can help HIPAA-regulated entities combat cyber threats, and they were given practical tips and techniques for implementing the requirements of the HIPAA Security Rule.
On October 24, 2024, in a keynote speech, OCR Director Melanie Fontes Rainer provided an update on OCR’s main priorities. One of the key priorities is an update to the HIPAA Security Rule to add new cybersecurity requirements. OCR has been working on an update to the HIPAA Security Rule this year and has now finalized its proposed rule. The proposed rule is now being reviewed by the Office of Management and Budget (OMB) and Fontes Rainer anticipates publishing a Notice of Proposed Rulemaking (NPRM) before the end of the year.
Fontes Rainer did not share any of the cybersecurity measures that have been added, only confirming that since this will be the first time in two decades that the HIPAA Security Rule has been updated, there will be “substantive updates.” The process of rulemaking has been informed by thousands of investigations of healthcare data breaches and complaints, which has allowed OCR to develop a more robust HIPAA Security Rule to make sure the healthcare sector is much more secure. When the NPRM is published, likely to be in December 2024, healthcare industry stakeholders will be able to submit their feedback and have their say. Fontes Rainer said the department is looking forward to the opportunity to engage with the healthcare community through the public commenting process.
Fontes Rainer explained that OCR has continued to investigate complaints and data breaches and has imposed several financial penalties this year to resolve noncompliance issues. This year's enforcement actions, like those of the past 15 years, have uncovered the same noncompliance issues time and time again. One of the most commonly identified issues, and one of the main areas of noncompliance to result in financial penalties, is noncompliance with the risk analysis provision of the HIPAA Security Rule. In many investigations, OCR has found a failure to conduct a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to ePHI; risk analyses that were incomplete; or a risk analysis that was conducted but whose findings were never acted on to manage and reduce risks to a low and acceptable level. The importance of compliance with this provision is why OCR has made the risk analysis requirement an enforcement initiative.
OCR has received many complaints in recent years about the failure to provide individuals with a copy of their requested records, as required by the HIPAA Right of Access. It is one of the most common reasons for individuals filing complaints with OCR. In response, OCR launched a HIPAA Right of Access enforcement initiative in 2019 and in the years since has imposed 50 financial penalties for the failure to provide timely access to medical records.
Investigations of complaints and data breaches will remain a key priority for the department, but financial penalties are relatively rare. The majority of investigations in which noncompliance is discovered are resolved through technical assistance, highlighting how OCR works with HIPAA-regulated entities to help them comply with the regulations. Fontes Rainer said the reason compliance issues are flagged is that compliance is important and must be addressed.
The other main focus of OCR is to engage with the healthcare sector on cybersecurity matters, but Fontes Rainer said the department is fairly small, has an extensive workload, and has a limited budget, so OCR's efforts to engage with the community need to be highly focused and strategic. She said it is vital that OCR and the healthcare community work together to drive forward compliance and improve cybersecurity. OCR has increased engagement through webinars, YouTube videos, and newsletters in an effort to reach more members of the community and combat the growing threat of cyberattacks and data breaches, which affected more than 160 million individuals last year.
The post OCR Explains Department’s Key Priorities at HHS-NIST Conference appeared first on The HIPAA Journal.