Last week saw a great migration of healthcare compliance, privacy, and risk officers to sunny Las Vegas for the annual HCCA Compliance Institute. Wandering the halls of the event, you were likely to overhear people on their phones between sessions, urgently relaying what they’d just learned to their teams back home. This need to quickly disseminate information learned at the conference speaks to the quality of the conference content and the value of the speakers at the event.
One of my favorite things about events like this is the opportunity to connect with regulators and hear them discuss trends in the field, how organizations can do better when it comes to protecting sensitive data, and insights into where their attention will be drawn in the year to come.
Below are a few takeaways from my two favorite sessions at this year’s event - I would love to hear yours as well! And I hope to see you all at next year’s event in Boston.
OCR Update Draws Standing-Room-Only Interest
Earlier this year I wrote about how the HIPAA Update on Policy and Enforcement from OCR is always a popular session, and this year was no exception. Marissa Gordon-Nguyen, HHS OCR Senior Advisor, and Iliana Peters, formerly of OCR and now with Polsinelli, drew a standing-room-only crowd on the first day of sessions at HCCA. Their policy update ranged from previews of HIPAA guidance still to come, to enforcement trends and recent breach highlights.
It was interesting to note that one of the recurring compliance issues cited was the prevalence of incidents involving paper-based PHI. Our benchmarking series, analyzing anonymized metadata in RADAR, reinforces this reality, having found that paper incidents in the healthcare industry are roughly three times more common than electronic incidents.
Another interesting point of discussion from this session concerned the shakeup at OCR under the new administration and the ongoing battles over budget. There has long been talk in the media that OCR may be waning in enforcement, given the flat fiscal 2018 funding and the change in administration. Iliana Peters addressed that idea head-on, arguing that Roger Severino, the newly appointed director of OCR, implied in a session at the HIPAA Summit that he intends to be tough on data breaches, and had previously stated that his top enforcement priority is to find a “big, juicy, egregious” data breach to use as an example. Ms. Peters went on to add that, regardless of how aggressively OCR appears to pursue data breaches, you need to keep your compliance program up to date, because if OCR enforcement doesn’t get you, it’s very possible the state attorneys general will.
Growing Influence of State Attorneys General
Speaking of state attorneys general, this regulatory group was the focus of another great session, titled “Cyber threats, data breaches, privacy issues and the health care provider - what are the state enforcers looking at?” What made this session particularly valuable was its well-informed speakers: George Breen, shareholder at Epstein Becker Green, and Esther Chavez, Senior Assistant Attorney General at the Office for the Texas Attorney General. The session reviewed federal and state regulatory bodies, trends in enforcement actions, and trends in changing state laws - which concurred with several points we’ve written about before, namely that state laws are:
- Becoming increasingly specific with regard to what constitutes regulated data
- Typically adding a requirement to notify state attorneys general
- Providing more specificity in notification timeframes
- Being more prescriptive about the contents of notification letters to affected individuals
Chavez also detailed ongoing trends in enforcement actions taken by state regulators, noting the complexity of compliance across what are now 50 different state data breach notification laws, each with different requirements and timeframes for providing notice. She also noted the growth of multistate enforcement efforts, in which states join investigations to pool resources, centralize response, and simplify an otherwise very complicated process.
Stay Sharp and Continue Learning
Privacy and compliance professionals are tasked with a difficult job, in a constantly changing landscape. That’s why these opportunities to learn and stay abreast of trends and emerging regulations are critical - and why we all continue to flock to events like Compliance Institute every year.
Now here’s a word of caution - you can’t afford to limit your learning to once a year. Take the knowledge you gained at Compliance Institute and put it into practice in your work year round. Make sure you’re staying on top of the latest regulations, subscribe to the OCR updates, and make the most of any chance you get to learn more about what’s out there. Because if there’s anything you can take away from this event, it is that change is the only constant, and it is on us to keep up.