Cliff Notes from the Joint Office for Civil Rights (OCR)/National Institute of Standards and Technology (NIST) HIPAA Security Conference

From: The National Law Review

Dianne J. Bourque, Kimberly J. Gold, Kate F. Stewart, Stephanie D. Willis/Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

As a service to our readers, we have distilled last week’s joint HHS Office for Civil Rights (OCR) and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases: (i) risk assessment, (ii) workforce training, and (iii) adequate encryption. For those of you willing to read more than three phrases, we elaborate on them below and provide our view on the important takeaways from the conference.

Risk Assessment. From the opening remarks of new OCR Director Jocelyn Samuels to the closing OCR Update presentation and almost every presentation in between, the risk assessment was highlighted as a critical compliance measure. Director Samuels pointed out that “an enterprise-wide risk assessment is the cornerstone of compliance.” She also noted that OCR continues to see failures on this issue, including failure to conduct a risk assessment, incomplete risk assessments, and failure to review and update risk assessments regularly. Director Samuels stated that enforcement will be important to address these failures. Iliana L. Peters, OCR’s Senior Advisor for HIPAA Compliance and Enforcement, echoed the importance of the risk assessment as a compliance measure in her presentation and highlighted the tools available through NIST, the Office of the National Coordinator, and OCR to assist in this effort, such as the Security Risk Assessment Tool that we profiled in a previous post.


Takeaway:  Encryption is an addressable (not mandatory) security standard under HIPAA.  However, in the event of a breach, investigation or audit, it will be extraordinarily difficult to convince OCR that encryption is not a reasonable security measure for your organization.    

The entire agenda from the OCR/NIST conference is available here, along with links to the presentations and webcast audio.
