OCR Unveils HIPAA Hotspots

Dom Nicastro, for HealthLeaders Media, August 16, 2011

The Office for Civil Rights has revealed the top areas of interest on its HIPAA privacy and security compliance radar.

Adam Greene, former senior health information technology and privacy advisor at OCR and now partner at the law firm Davis Wright Tremaine in Washington, D.C., recently discussed each hot topic with HealthLeaders Media.

Hotspot: Incident detection and response (OCR's top issue)

Greene: I recommend both a top-down and bottom-up approach. From the top, covered entities and business associates should evaluate whether they are reasonably logging system activities and reviewing those logs in a way that is reasonably likely to detect impermissible uses and disclosures.

From the bottom, covered entities and business associates should ensure that all staff who have access to PHI are reasonably trained to be able to spot an impermissible use or disclosure and report it to the appropriate person (since the HITECH Act makes clear that the entire organization is treated as knowing of a breach if anyone, other than the person who committed the impermissible use or disclosure, knows of the breach).

Hotspot: Review of log access

Greene: No entity can review every instance of access. The key is how to reasonably spend your limited resources in a way that will best identify problems. This generally should include looking for patterns of unusually large access by an employee and paying special attention to high-risk areas such as access to patient records of VIPs.
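The two review priorities named above (unusually large access by one employee, and access to VIP records) can be run as a first-pass filter over an access log. The following is an added illustration, not code from the article, OCR or Greene; the record layout, user names, VIP list, care-team mapping and the 3x-median threshold are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit records as (user, patient_id). Not real data.
SAMPLE_EVENTS = (
    [("nurse_a", f"P{i:03d}") for i in range(1, 9)]       # 8 charts
    + [("nurse_b", f"P{i:03d}") for i in range(5, 15)]    # 10 charts
    + [("clerk_c", f"P{i:03d}") for i in range(1, 61)]    # 60 charts
    + [("dr_d", "P900"), ("dr_d", "P010"), ("clerk_c", "P900")]
)
VIP_PATIENTS = {"P900"}              # hypothetical list of high-risk records
VIP_CARE_TEAM = {"P900": {"dr_d"}}   # users expected to open each VIP chart


def review_access(events, vip_patients, vip_care_team, volume_factor=3.0):
    """Return (volume_outliers, vip_hits) to queue for manual review.

    volume_outliers: users whose count of distinct patients exceeds
    volume_factor times the median across all users (assumed heuristic).
    vip_hits: (user, patient) pairs where a VIP chart was opened by
    someone outside that patient's expected care team.
    """
    patients_by_user = defaultdict(set)
    vip_hits = set()
    for user, patient in events:
        patients_by_user[user].add(patient)   # distinct charts, not raw clicks
        expected = vip_care_team.get(patient, set())
        if patient in vip_patients and user not in expected:
            vip_hits.add((user, patient))
    counts = {u: len(p) for u, p in patients_by_user.items()}
    baseline = median(counts.values())        # median resists the outlier itself
    outliers = {u: n for u, n in counts.items() if n > volume_factor * baseline}
    return outliers, sorted(vip_hits)


if __name__ == "__main__":
    big, vip = review_access(SAMPLE_EVENTS, VIP_PATIENTS, VIP_CARE_TEAM)
    print("High-volume users:", big)
    print("Unexpected VIP access:", vip)
```

Both outputs are leads for a human reviewer, not findings: a billing clerk may legitimately touch many charts, so the baseline is better computed per role once enough data exists.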


1 comment on "OCR Unveils HIPAA Hotspots"


Mark Meade (8/16/2011 at 11:51 AM)
The Government in its crusade to protect us from evil has singled out the business community, by demanding the creation of a gargantuan bureaucracy to control PHI. While several of the ideas are worthy of consideration, the whole proposal/regulation is overly burdensome, hugely expensive and wasteful of limited resources (Anybody remember MLR limits?). I have yet to see effective action against the thieves who steal and use this information where the real effort needs to be. For those familiar with history, and it seems this group gets smaller all the time, this is a Maginot Line approach to keeping PHI safe which can just as easily be breached as that folly to defensive strategies was. Any wonder the economy is frozen in place with so much effort being channeled into complying with the plethora of rules and regulations pouring from our ever-expanding government.