Roger Severino Provides Update on OCR HIPAA Enforcement Priorities


Roger Severino, the HHS’ Office for Civil Rights Director, gave a report on the priorities of OCR’s HIPAA enforcement during the OCR/NIST 11th Annual HIPAA Conference held in Washington D.C.

Severino stated that a top policy initiative of OCR is still the enforcement of patient rights under the HIPAA Privacy Rule and the provision of quick access to their health records at an affordable cost.

The HIPAA gives patients the right to access and verify their health records and get a copy of the said documents, however, there are still healthcare providers that make this process troublesome. OCR already settled a case this year with Bayfront Health St Petersburg because it did not deliver a patient’s copy of her health records within 30 days of receiving the request. OCR had to get involved before the patient got her records. The HIPAA-covered entity paid $85,000 financial penalty to settle the HIPAA violation.

According to Severino, OCR will issue more financial penalties after Bayfront Health’s financial penalty to covered entities that do not comply with this important HIPAA provision. OCR already released guidance to assist covered entities to adhere to this facet of HIPAA. Now is the time for serious enforcement.

Severino additionally explained that patients can have their health records sent via health apps. Such requests can only be refused if there’s a security risk to the covered entity in using the health app. Severino mentioned that a covered entity is not responsible for what happens to the PHI after sharing it with a health app upon the patient’s request.

In several cases, patients are able to access their medical records upon their requests, but they are charged very high fees. In 2016, OCR released guidance regarding the figures that healthcare providers can charge for giving copies of health records and more clarification was given on the fee structures. There are financial penalties for charging an overpriced fee for copies of health records.

The attack on patient access problems is one of the HHS Regulatory Sprint to Coordinated Care project and matches the Trump Administration’s drive to enhance the transparency of healthcare fees and the lowering of healthcare costs in the United States.

OCR is also considering how HIPAA may be kept up to date to deal with the problem of price transparency, for example asking healthcare providers and health plans to give information in relation to the estimated out-of-pocket expenses for healthcare services or equipment prior to providing products or services to patients.

Contractors present quotes for work beforehand and banks give customers details on mortgages costs prior to giving the funds, however, that is not what always happens in healthcare. That must change.

Severino also discussed the problem of cybersecurity. A high percentage of health-related data breaches is due to phishing and ransomware attacks. In a lot of cases, the attacks could have been avoided by following good cybersecurity hygiene.

Ransomware is frequently occurring along with exploited vulnerabilities in Remote Desktop Protocol. Not addressing those RDP vulnerabilities has resulted in a number of big healthcare ransomware attacks and security breaches.

Phishing attacks are a serious cause of healthcare data breaches for many years. All attacks can’t be prevented, however by adhering to HIPAA, the risk could be considerably minimized. HIPAA requires covered entities to give employees training in identifying and avoiding phishing scams. Doing phishing simulation exercises is also critical to know the susceptibility of employees to phishing.

Other cybersecurity problems that resulted in data breaches were the deficiency of multi-factor authentication, inadequate access controls, and not terminating employee access to systems promptly upon the end of the contract.

To date, OCR may have issued only four OCR financial penalties in 2019 to address HIPAA violations, however, the year is not yet over. More penalties will be reported, including a civil monetary penalty worth $2.1 million. Severino did not provide details concerning the reason for the penalty except for stating that OCR has reached a final determination to announce the penalty soon.