2017 HIPAA Enforcement to Target Ransomware, Interoperability, Medical Apps

By | April 27, 2017

“With big data, comes big responsibility,” says Office for Civil Rights (OCR) Director Roger Severino. This is just a fragment of the insight he gave into upcoming HIPAA enforcement trends in his plenary talks at Health Datapalooza 2017.

Severino, the newly appointed Director of the Department of Health and Human Services’ (HHS) OCR, spoke about the Office’s role in the enforcement of the HIPAA Privacy and Security Rules in the changing face of medical technology and health care IT.

OCR is ready to “adapt to changing circumstances” of data security and interoperability in health care. Severino stressed the importance of security, especially as it relates to protected health information (PHI) of patients. HHS presented a unified message this morning of increasing the quality of patient care, first mentioned by HHS Secretary Tom Price earlier in the session.

2017 HIPAA Enforcement Trends

“Security with data is essential,” said Severino. He suggested that OCR enforcement of HITECH and the HIPAA rules will be advancing to address changes in health care data and technology. He mentioned the string of ransomware incidents that have been affecting hospitals across the country over the past year, in addition to the recent $2.5 million fine that OCR levied against the medical device company CardioNet.

Mobile apps, in particular, are going to be an area of focus for OCR in the years ahead. Severino specifically mentioned the Office’s concerns about how mobile apps can work within the HIPAA rules in order to advance interoperability of health care data.

Finding a means of achieving effective interoperability for health care providers while balancing data security is going to be an area of ongoing concern. Severino spoke about the state of trust between patients and their providers. Breaches of sensitive data cause both financial hardship and a loss of trust between patients and health care practitioners. “If health care information is not protected, the relationship [between patient and provider] breaks down.”

Data breaches are comparable to identity theft in this way, and Severino suggests that voluntary patient data collection is at risk unless this problem is remedied.