Editor’s Note: This is the third in a continuing end-of-year series.
The year ahead promises to be a busy one for those with responsibility for HIPAA compliance, as the Office of Civil Rights (OCR), charged with enforcing HIPAA, continues to lean in to compliance initiatives and addresses new questions in the rapidly-evolving healthcare information technology environment.
OCR has explicitly identified two key areas for continued effort in 2017:
(1) audits; and
(2) modernizing HIPAA and supporting innovation in healthcare (as well as hinting at possible further updates based on changing technology).
Additionally, OCR has recently released guidance on cloud computing, signaling its interest in this fast-growing field.
The HIPAA Audit Program
OCR is currently in Phase II of its HIPAA audit program, in which OCR identified covered entities for audit in the summer and business associates in the fall. In early 2017, OCR is set to identify additional entities for audit.
OCR intends to identify a “broad spectrum of audit candidates,” with such criteria as “size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity.” With respect to the last of these, OCR will not audit entities that are currently under investigation or undergoing a compliance review by OCR.
The initial stages of Phase II focused primarily on “desk audits,” essentially reviews of documents submitted by auditees. The 2017 stages of Phase II will move to onsite audits and will examine a broader scope of HIPAA requirements than did the desk audits. While OCR describes the audits as “primarily a compliance improvement activity,” OCR has noted that serious issues identified in the audit process could lead to compliance reviews.
Modernizing HIPAA and Supporting Innovation in Healthcare
As HIPAA celebrated its twentieth anniversary in the past year, OCR has turned its attention to addressing aspects of medical privacy that were not anticipated at the time the law was enacted. OCR has specifically identified three major areas for “modernizing”:
– Addressing cybersecurity risks. OCR particularly intends to implement the Cybersecurity Information Sharing Act (CISA) of 2015 by issuing guidance for cybersecurity management by covered entities and business associates. This guidance will incorporate the National Institute of Standards and Technology (NIST) Framework. OCR will also expand its investigation of cyber-attacks and breaches.
– Addressing big data. Like many observers, OCR sees both tremendous promise and considerable risk in the gathering of health data now possible due to the widespread adoption of electronic medical records and cloud computing. Accordingly, OCR is committed to creating “a more robust system for the collection, use and sharing of the personal health information and other data necessary” to fuel research reliant on big health data. This system will require “adequate protection for the privacy and security of […] personal health information as well as [the] right to access the information and gain the benefits of the initiatives underway.” These are lofty aspirations, and it is not yet clear what OCR intends to do make these goals a reality.
– Addressing new questions. OCR notes that, because of the age of HIPAA and the rapid proliferation of data-producing devices in our daily lives — everything from wearable technology to internet-enabled refrigerators and electrical meters — there now exists data “beyond traditional medical records” that “encompass genomic, lifestyle, financial, environmental and other information.” OCR’s observation is as much a call for legislative action as it is a hint for future administrative change, as OCR acknowledges that HIPAA “may not extend” to covering all of these types of information. But the question remains where OCR will locate what it sees as the boundaries of permissible regulation.
Focus on Cloud-Computing
OCR’s recently released guidance on cloud computing is an example of an attempt to tackle new technology, and indicates that OCR will be keeping a close eye on cloud services providers in the future. OCR makes clear that cloud services providers are business associates for the purposes of HIPAA once engaged to receive, maintain, and transmit electronically stored Protected Health Information (PHI). Accordingly, the relationship between a covered entity and a cloud services provider should be governed by a written, HIPAA-compliant business associate agreement.
Cloud services providers are subject to HIPAA as business associates even if they are unable to view PHI, such as in an arrangement whereby a business associate receives and stores encrypted data but does not have a decryption key. Encryption alone does not satisfy the security requirements of HIPAA but, the guidance makes clear, plays a role in apportioning responsibility for security. The guidance gives the example of a covered entity providing encrypted data but no decryption key, and states that where such a covered entity implemented its own appropriate user authentication controls, the cloud services provider would not be required to verify user authentication also. The guidance states that where a business associate agreement puts the lion’s share of security responsibility on the covered entity, a cloud services provider would not be responsible for “compliance failures that are attributable solely to the actions or inactions” of the covered entity.
The guidance, beyond making specific recommendations, also signals that OCR will be taking a hard look at the activities of cloud services providers in the years to come.
Together, OCR’s plans encompass both old and new. The audits, while not new, are envisioned by OCR to lay groundwork for a more permanent audit program. The march of technology too is not new to HIPAA, but the pace of change and sprawling, often consumer-facing nature of new technology is already posing challenges for interpretation of the two-decade old law. OCR seems to intend to meet these challenges head-on, and so must covered entities, business associates, and the attorneys who advise them.