New OCR HIPAA Compliance Guidance on the Way

At this year’s Health Information and Management Systems Society (HIMSS) annual meeting, OCR officials have explained that 2017 will see a swathe of new OCR HIPAA compliance guidance issued.

While there have been no changes to HIPAA Rules for a number of years, the pace at which technology is progressing has seen many gaps appear in HIPAA legislation. New medical devices have come to market, wearable technology has been adopted by many healthcare providers, text messaging platforms are now being used to communicate ePHI, and more breaches of protected health information are now occurring than at any time in the long history of HIPAA.

Consequently, covered entities need further information on how HIPAA Rules applies to the new technologies. With respect to data breaches, questions have been asked of OCR about what constitutes harm following a breach of HIPAA Rules. OCR plans to provide further guidance to confirm how HIPAA applies to all of these issues.

One of the roles of OCR is to enforce HIPAA Rules and hold covered entities accountable for HIPAA violations that have contributed to the exposure or theft of protected health information. OCR is also responsible for ensuring that HIPAA Rules are followed, and one of the main ways that the agency achieves that is by issuing HIPAA compliance guidance for covered entities.

So, what can we expect in the way of OCR HIPAA compliance guidance in 2017? According to Deven McGraw, Deputy Director for Information Privacy at OCR, quite a lot.

OCR is currently working on new guidance for covered entities on text messaging. OCR is frequently asked about the use of text messaging to communicate ePHI. Text messages are fast, convenient, and in many ways much easier to use than older communication systems such as healthcare pagers. However, text messages are insecure. Secure text messaging platforms have been developed which comply with HIPAA Privacy and Security Rules and those platforms can be used to communicate ePHI securely, although the use of text messaging services that are not secure are causing some confusion.

This year, OCR plans to release guidance for covered entities on the use of text messages to answer the many questions that are asked of OCR via its website. We can expect guidance on texting patients, the use of text messages by healthcare employees to communicate with one another, and texting business associates and public health departments.

OCR HIPAA compliance guidance will also be issued to help covered entities navigate the potential minefield of social media. In the past, there have been a number of instances of covered entities accidentally – and deliberately – disclosing PHI on social media platforms and other Internet sites.

OCR will also be explaining how covered entities are investigated following a breach of protected health information. OCR will essentially provide a walkthrough of a typical case, from receipt of the breach notification, through the investigation of that covered entity, to how penalties are calculated and the criteria used to settle cases. The walkthrough has a working title of “Anatomy of a Case,” and it is expected to be issued at some point this year.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of