The 17th annual Health Care Compliance Association (HCCA) Compliance Institute Conference took place in National Harbor, MD and was attended by healthcare personnel as well as data protection and security professionals. Key topics covered across the panels were cyber security issues, including medical identity theft, data breaches, and the protection of protected health information (PHI) as required by the recently released HIPAA Omnibus Rule.
The “HHS/OCR Reports on the New HIPAA Rules” panel included officials from the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), who walked through a data breach scenario, its impact, and how to develop a data breach response plan. The importance of the role Business Associates now play in compliance and in protecting PHI, as outlined in the HIPAA Omnibus Rule, was stressed as a critical area for healthcare organizations to address. The new enforcement provisions introduced by the updated Omnibus Rule were also discussed.
Another panel that highlighted these issues, “The Defining Moments of a Data Breach,” featured compliance experts discussing the unique exposure healthcare companies have to data breaches and medical identity theft because of their widespread access to PHI and other sensitive data. The panelists explained what happens during a data loss incident and detailed the costs and consequences of a data breach. The key takeaway was that healthcare organizations need to increase their efforts in monitoring for fraud and have an incident response plan in place, including data breach resolution practices.
A discussion called “Conducting a Privacy Risk Assessment” examined enterprise privacy risk assessments, an especially topical subject given the HIPAA Omnibus Rule’s current definition of a data breach, which directs companies to assess whether an incident compromises PHI. In addition, the HIPAA Risk Analysis Requirements mandate that organizations implement policies for performing a risk assessment to prevent, detect, and correct security violations; risk assessment is therefore vital to any data protection program. Electronic privacy risks as they pertain to PHI were examined, along with how to evaluate risk mitigation techniques. Similar themes were raised again in a panel on “Mobile Threats and How Healthcare can Reduce Risks.” Beyond executing annual risk assessments, securing mobile devices, and updating business associate agreements, the panelists again stressed the importance of having a data breach resolution policy.
Clearly, adherence to HIPAA compliance and Omnibus Rule regulations was on the minds of the panelists and attendees of the 2013 HCCA conference. Compliance and security experts offered varied suggestions and solutions for following government regulations when implementing a data breach protection plan. The overarching recommendation they all seemed to agree on is that prevention is the first step and resolution is the second.