As some of the last HIPAA Megarule deadlines pass, the Office of Civil Rights has begun discussing enforcement in 2015. Joceyln Samuels, director of the OCR, said during a conference call that the OCR will focus on the failure to conduct risk evaluations of data breaches, ignoring security threats, and poor training of staff. Covered entities should renew efforts to follow their individual HIPAA compliance plans:
- Adopt HIPAA-compliant privacy and security measures for all protected health information (PHI).
- Conduct security risk assessments to identify vulnerabilities.
- Review business associate agreements and ensure that EHRs used by the doctor or practice can verify all assertions about the privacy and security of the medical records.
- Develop formal policies and training procedures for staff members that are tailored to the workflow of the organization.
- Conduct regular training to change the behavior of employees who don't comply with privacy and security measures or aren't aware of them.
- Conduct self-audits to test procedures for ensuring confidentiality and security of PHI.
- Bring-your-own-device policies and perform a mock audit to determine exposures.
The OCR is also contemplating a proposed rule giving those persons harmed by breaches of their protected health information a percentage of any civil penalty paid by the offending covered entity. The OCR will provide additional guidance of cloud computing and protected health information.