2012 OCR/NIST Annual Conference

What a great conference again this year.  Kudos to David Holtzman, OCR, and Kevin Stine, NIST, for outstanding job they did putting the conference together and hosting it. Great turn out, more than in previous years, to keep their track record in tact on steady growth.  Lots of good speakers as always and especially good to hear from the folks in Washington with respect to what is coming.  It was also a pleasure to be able to speak for the fourth straight year in a row, and I had a great panel with me to discuss Cloud computing security.

Another speaker provided some much anticipated information about the first twenty OCR random compliance audits, started last December and completed this March.  Ms. Linda Sanches, OCR Senior Advisor, Health Information Privacy and Lead, HIPAA Compliance Audits, not only provided information on the program and what to expect, but she also provided the first real peek under the covers, so to speak, with respect to how the first sites performed.  She provided approximately fifteen slides that analyzed the results from those audits and identified the leading issues for both Privacy and Security.  Issues such as Conduct of Risk Analysis, Contingency Planning, User Activity Monitoring, Media Reuse and Disposal, Authentication/Integrity, Encryption, Physical Access Controls, Incident Response and Granting/Modifying Access were all identified as problem areas.  She did the same for Privacy, and while there were many more areas identified the top five were procedures around handling Deceased Individuals, Personal Representation, Business Associate Contracts, Disclosures for Judicial and Administrative Purpose and Verification of the identity of those requesting PHI.  The focus has not changed.  It remains compliance measurement, but she did say that at least one out of the twenty could expect another visit since they had done nothing prior to the audit.

Also of interest was the announcement that the Audit Protocol would soon be out, this week supposedly, so that everyone can see for themselves exactly the level of scrutiny they can expect if audited.  The audits continue and will be completed by the end of the year.  Following this an evaluation of the audits and their results will be undertaken and report published.

There were a lot of other great presentations to include Leon Rodriguez, Head of OCR, who talked about the convergence of Privacy and Security and the importance of sound controls and well constructed programs.  Looking forward to 2013.  Hopefully we’ll see even more folks there and on line.