OCR audits and enforcement 2016


This week is basically part 2 from last week.  We left off just before reviewing the OCR audits and enforcement 2016 updates announced at the NIST / OCR Security Conference 2016.

Listener questions and mentions.

  • Bill’s question on hospital apps.
  • Tiffanie’s note on TDO, AOC, and POC
  • Kevin’s note on data going outside US

Other topics for upcoming episodes

  • HIPAA and cloud computing guidance from OCR
  • $400K settlement with Care New England Health System
    • Another one from 2012
    • Unencrypted backup tapes lost by BA without BAA
  • $2,140,500 settlement with St. Joseph Health
    • Feb 2011 – Feb 2012 Server open to search engines
    • File sharing service the server was specifically installed to run defaults to publicly available and no one changed it – FOR A YEAR
  • HIMSS Cybersecurity Survey Report
  • IoT has broken the internet the first time
  • Holiday episodes for Black Friday/Cyber Monday – Gift giving guide
HIPAA For MSPs podcast, by David Sims: OCR Audits and Enforcement 2016

OCR Audits and Enforcement 2016

There were several discussions that related to the OCR audits and enforcement that have happened so far this year.  The status of the audit program was pretty straightforward.  We did hear more about the onsite audits and the BA audits coming in November.

  • Testing desk audit concept to determine effectiveness for future audits
  • Doing something is better than doing nothing
  • Not planning to “air less than clean white laundry”
  • 167 desk audits still in review
  • Not a true statistical sample – keep that in mind about results
  • Over 20K BAs were identified with the 167 CE audits
  • BA audits begin in November
  • BA audits will cover the Security Rule and breach response
  • Onsite for both CE & BA start in early 2017
  • BAs should review the CE audit info; it will basically be the same


  • We will always ask for SRA in any investigation
  • Do not ignore us
  • We could fine you way more – a settlement is not a fine because we want to leave some money for you to fix things.
    • More fines may be coming though
  • Some settlement money never came in – Cignet went bankrupt
  • Settlement dollars are paying for the audit program because that program is mandated without funding
  • Settle or we will take you to ALJ – we are prepared
    • OCR won every count in the last one
  • At least show you are trying and we give you a break
  • The details in the settlements should be used to understand what OCR is looking for and where others failed, according to Samuels.
    • No BAA example – two problems for every day – specifically used

Common problems found

More of the same old story. While these are from years ago, I don’t see a dramatic difference in findings from the issues we see now.

Second verse same as the first!

I wrote a blog article in Feb 2014 that nominated the Herman’s Hermits song Henry the VIII to be the theme song for OCR settlement announcements. That was because the same problems kept showing up every time. Sadly, we are still in that loop.

Risk Analysis Issues

  • Leave out departments or entire wings of facilities
  • Leave out mobile devices
  • Don’t do one
  • Did one 5 years ago but not since
  • Do one but don’t fix anything
  • Do one, but the plan to fix things is 10 years long
  • Don’t ID location of all PHI in the office
  • It is not a Meaningful Use (MU) assessment, as stressed by multiple people
  • It is not just a gap analysis of the security rule policies
  • Not doing little assessments of things along the way
  • Get help from someone who understands the security rule if you don’t
  • The St Joe settlement says specifically that the RA was done by multiple contractors to look at certain risks, but it was never comprehensive, so it was done in a “patchwork fashion”
    • Also did not do risk analysis when implementing the new server

Lack of audits

  • Should notice if Suzy is accessing thousands of records, accessing from Russia, or accessing at times when she shouldn’t be
  • If you don’t look at the activity it can be going on for years
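The kind of activity review the two bullets above call for, as an added example that is not from the episode or from OCR. The log format, the business hours, the allowed-country list and the per-day record threshold are all assumptions for illustration; a real review would set the threshold from each user's normal workload.

```python
# Added example: flag the "Suzy" cases from the episode in an EHR access log.
# Format, thresholds and country/hours rules are assumptions for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, patient record id, source country
SAMPLE_LOG = """\
2016-11-01T09:12:03 suzy MRN100 US
2016-11-01T09:13:10 suzy MRN101 US
2016-11-01T02:45:00 suzy MRN102 US
2016-11-01T10:01:00 suzy MRN103 RU
2016-11-01T11:00:00 bob MRN200 US
"""

BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local (assumed)
ALLOWED_COUNTRIES = {"US"}         # assumed: only domestic access is expected
DAILY_RECORD_THRESHOLD = 3         # assumed; derive from each user's baseline


def parse(log):
    """Yield (timestamp, user, record id, country) tuples from the log text."""
    for line in log.splitlines():
        ts, user, mrn, country = line.split()
        yield datetime.fromisoformat(ts), user, mrn, country


def review(log, threshold=DAILY_RECORD_THRESHOLD):
    """Return {user: sorted findings} for users whose activity looks wrong."""
    findings = defaultdict(set)
    per_day = defaultdict(set)     # (user, date) -> distinct records touched
    for ts, user, mrn, country in parse(log):
        per_day[(user, ts.date())].add(mrn)
        if country not in ALLOWED_COUNTRIES:       # unexpected geography
            findings[user].add(f"access from {country}")
        if ts.hour not in BUSINESS_HOURS:          # outside working hours
            findings[user].add("off-hours access")
    for (user, day), mrns in per_day.items():      # unusual volume
        if len(mrns) > threshold:
            findings[user].add(f"{len(mrns)} distinct records on {day}")
    return {u: sorted(f) for u, f in findings.items()}


if __name__ == "__main__":
    for user, items in review(SAMPLE_LOG).items():
        print(user, items)
```

Only suzy is reported for the constructed sample; bob's single daytime domestic access produces no finding.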

No patches

  • Patch devices
  • Patch OS
  • Patch apps
  • If no patch have a plan to prevent infections


  • Screen them
  • Terminate access immediately
  • Limited access to information – everyone shouldn’t see everything

Improper disposal

  • Paper
  • EOL devices

Insufficient DR/BC

  • Covers only cyber
  • Covers only backup and restore


  • FTC had a session at the conference discussing things that later came out in guidance https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act

    You need to do more than just meet the requirements for a HIPAA-compliant authorization. Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression.

  • Being HIPAA-covered does not exempt you from the same fair-dealing rules toward consumers that apply to all businesses.