HIPAA issues: A recurring nightmare for feds, industry stakeholders

A great post from the folks at FierceHealthcare, written as a wrap-up to the recent annual meeting on HIPAA and Cybersecurity, outlines the challenges for everyone involved. Two pertinent paragraphs summarize talks from federal officials. They point to the future of audits and enforcement, which covered entities and business associates need to pay close attention to:

Update on HIPAA Audits:

An update from OCR Deputy Director for Health Information Privacy Deven McGraw likewise brought attendees up to speed regarding the HIPAA audits, which are underway. She explained that the audits are designed to be educational, to identify best practices and get OCR in front of HIPAA problems before they result in breaches. She also said to expect more guidance on patients' rights to access their records.

HIPAA Enforcement:

Meanwhile, a session on HIPAA enforcement presented by Iliana Peters recounted how investigations work, what HIPAA violations OCR is seeing frequently, that theft/loss account for the highest percentage of reported breaches and that the settlement agreements OCR is entering into are meant to be instructive to the industry.

Other highlights to note:

  • We learned that the most cutting-edge ransomware is being hidden in “malvertising.”
  • OCR has resolved more alleged HIPAA violations in 2016 than in prior years, and for the largest amounts ever recorded.
  • McGraw informed us that the long-anticipated audits of business associates will begin this November.
  • Seems that year after year the same issues are recurring, but why?
    • Business associate agreements are still missing or out of date
    • Risk analyses are still incomplete
    • Networks are still unpatched
    • Data is still unencrypted and being disposed of improperly

Those four recurring issues are the most critical items for covered entities and business associates to address.

 

November 8th, 2016 | Categories: OCR, Healthcare, Security, HIPAA, Compliance
