OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates (collectively, regulated entities) must follow to protect the privacy and security of protected health information (PHI), as well as the notifications they must provide to HHS and affected individuals following a breach.
Our dedicated team works every day to safeguard the privacy and security of health information by enforcing laws and regulations, promulgating rules, providing resources to help regulated entities protect their record systems and patients from cybersecurity threats, and promoting cybersecurity awareness.
In furthering cybersecurity awareness, OCR publishes cybersecurity newsletters that address threats within the health care industry and provide best practices and explanations of HIPAA Security Rule standards. Recent newsletters addressed authentication: what authentication is, single-factor and multi-factor authentication, the Security Rule's requirements, and resources for strengthening authentication. OCR has also published a newsletter on Security Rule sanction policies and how they can improve HIPAA compliance. Topics include the functions of a sanction policy, what it should look like, applying sanctions consistently, and numerous resources to consult.
In the current environment of increased cybersecurity incidents and breaches caused by hacking, malware, or ransomware, OCR is reminding regulated entities not to overlook the importance of physical security. Our latest newsletter, titled "HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?", addresses the physical security of electronic protected health information (ePHI) – that is, the equipment and devices that contain ePHI, such as laptops, external hard drives, flash drives, smartphones, servers, and medical devices.
This newsletter, linked here, provides an overview of key considerations when implementing Facility Access Controls, a standard that requires HIPAA regulated entities to "[i]mplement policies and procedures to limit physical access to [their] electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."
We encourage you to read through the newsletter to ensure compliance with HIPAA and to stay vigilant in implementing critical and comprehensive cybersecurity measures.