ORLANDO ― As with any administration transition, there are new priorities. While OCR has a laundry list of items to accomplish for 2017, the priority may shift as the new team comes into place, according to Deven McGraw, deputy director, health information privacy, OCR.

These remarks opened McGraw’s HIMSS17 session on Monday: “HIPAA privacy, security -- Lessons from 2016 and what’s next in 2017.”

For now, McGraw said OCR’s 2017 goals are as follows:

• OCR partnership that will focus on security barriers and guidance to address interoperability issues.
• Provisions for researchers accessing data.
• Guidance for mental health providers about sharing data on mental health patients with family members, without first contacting the patient.
• HITECH provisions to create a methodology for patients harmed by HIPAA violations.
• Regulatory agenda for precision medicine access rule.
• Developing a set of FAQs for individuals asserting their right to send personal data to a research provider.
• Text-messaging guidance, answering questions on whether a provider can text with patients
• Social media usage when it comes to patient health information, which will govern when this data can be used.
• Working with ONC on EHR usage and what that means for HIPAA security, including encryption.

There may be others that come up with the new administration. But for now, McGraw said, these are the OCR’s priorities.

Audits are also top of mind for OCR. It’s currently in the middle of Stage 2 of its audits. And while scheduled to be finished by the end of the new year, these may still be in progress by 2018, McGraw said.

The results of the first round of desk audits will come out as early as next week, McGraw said. Those already audited may be in line for an on-site audit in the future, as well.

But what’s important for providers to understand is that the purpose of the audits is not to phish to find noncompliance, McGraw explained.

“The audit is really about identifying best practices and risks across identities,” McGraw said. “It’s about figuring out where we need to be doing more.”

“Also, the fact audits are out there, makes providers think about their own practices. It moves the priority of HIPAA up for these organizations,” she continued. “It’s intended to be non-punitive. But we always have the authority to open up a compliance review if there are significant concerns raised during an audit.”

A lot of organizations frequently underestimate ePHI risk in their enterprise, she explained. And OCR is updating its risk assessment tools based on recommendations sent from providers.

“We’re trying to give you the tools to help you -- but at the end of the day, you have to use it and do it,” McGraw said.

This article is part of our ongoing coverage of HIMSS17. Visit Destination HIMSS17 for previews, reporting live from the show floor and after the conference.

Like Healthcare IT News on Facebook and LinkedIn