Roger Severino, Director of the U.S. Health & Human Services’ Office for Civil Rights (OCR), recently provided an update on OCR’s HIPAA enforcement priorities at a conference in Washington, D.C. During his talk, Director Severino noted that patient access to records is a top OCR priority. Severino explained that denial of requests is not the sole issue. Instead, the cost levied on patients for medical records is a growing issue, despite OCR supplying guidance on reasonable and allowable charges. In 2016, for example, OCR published numerous videos explaining patient access rights and provided covered entities with a fact sheet detailing provider responsibility. Severino also discussed OCR’s new set of FAQs, which were issued in April 2019, addressing HIPAA right of access related to health apps. His conference presentation noted that a “[a] covered entity cannot withhold sending ePHI to a health app selected by an individual because of concerns about how the health app developer will use or disclose ePHI.” Further, under certain circumstances, a covered entity may “not [be] liable for the re-disclosure of ePHI by a health app.”

During his talk, Director Severino also discussed cybersecurity. Severino’s presentation included recent enforcement actions resulting in two $3 million recoveries from covered entities for unsecure servers in December 2018 and April 2019. Severino also presented disturbing statistics related to breaches, which may fuel OCR’s aggressive enforcement and increased IT scrutiny. According to OCR, in 2018, hacking and IT breaches made up 43% of all HIPAA breaches. From January through September 2019, hacking and IT breaches made up 61% of all HIPAA breaches – a 18% increase from the previous year. OCR statistics show that emails and network servers are dominant sources of breaches. In 2018, emails and network servers made up 29% and 18% percent, respectively, of all breach sources. From January through September 2019, emails and network servers made up 40% and 25%, respectively, of all breach sources. During his talk, Severino also highlighted the following major cybersecurity concerns and trends: (1) ransomware; (2) phishing attacks; (3) remote desktop vulnerabilities; (4) weak authentication; and (5) access controls for current and former employees.

Director Severino’s remarks, combined with the recent increase in OCR’s HIPAA investigations and enforcement activity related to cyber attacks, highlight the continued and ever-increasing importance that both covered entities and business associates take proactive steps to strengthen their cybersecurity and protect against the ever-increasing threat of cyber attacks and other PHI-related vulnerabilities.