I’m sure fellow bloggers Bill Maruca and Michael Kline join me in giving three cheers for the recent growth in our firm’s health care practice (welcome, Minneapolis!) and ever-deepening pool of attorneys dealing with clients’ privacy and data security issues. But one recent addition to our team, Margaret (“Margie”) Davino, gets a fourth cheer for jumping into her new position as a partner practicing out of our New York City and Princeton, NJ offices and immediately leading a HIPAA webinar for HFMA’s Region 2 (metro NY) entitled “HIPAA: What to Expect in 2016”.
Margie covered a wide range of HIPAA topics, discussing how OCR investigations arise, preparing for Phase 2 of OCR’s audits, and how HIPAA might overlap or interplay with other laws (the FTC Act, state law causes of action, and the Telephone Consumer Protection Act, to name a few). For HIPAA nerds like me, it was a satisfying smorgasbord of HIPAA tidbits, past, present and future. But several of Margie’s takeaways are particularly useful additions to the 2016 HIPAA compliance “To-Do” list:
- Make sure your security risk analysis encompasses all entities within your “family” – in other words, don’t just analyze your electronic health record, but cover every affiliated entity, location and system that creates, receives, stores or transmits protected health information (PHI), since each is a place from which PHI might be stolen or lost.
- If you are a small entity, make use of HHS’s Security Risk Assessment Tool to identify whether corrective action should be taken in a particular area. (In other words, there’s no excuse for ignoring item #1 on this list!)
- Encrypt PHI, at rest and in transit, if at all possible (and make sure the encryption meets the NIST standards that HHS’s breach notification guidance points to, such as NIST SP 800-111 for data at rest and SP 800-52 for data in transit). Properly encrypted PHI is treated as “secured,” so its loss is not a reportable breach – but only if the decryption key was not lost or compromised along with the data.
- Check that you have updated Business Associate (BA) Agreements in place for all BA relationships (and check first to make sure it’s really a BA relationship).
- Have a mobile device policy – and include mobile devices in your security risk analysis.
I like this short “To-Do” list because it helps prioritize HIPAA compliance tasks for 2016 based on what we have learned from breaches and enforcement actions in 2015 and prior years.