Leon Rodriguez, Director of the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, celebrated September 23, 2013, the first day for enforcement of the HIPAA Omnibus Rule, by addressing the HIMSS Health Privacy Forum in Boston.
Rodriguez shared his 3 priorities for enforcement:
- cases of major security failures that are characterized by a failure to implement important processes for multiple years. Breaches or other incidents that bring these cases to their attention will usually be the tip of the iceberg.
- egregious, intentional violations, for example, incidents like the UCLA case where details of Farrah Fawcett’s cancer treatment were sold to a tabloid, and
- cases where patients are refused access to their health information.
OCR will use its judgment to be lenient in instances where good faith efforts have been made for compliance yet a violation still occurs.
“The most consistent single thread that has emerged from enforcement activities is that many organizations are still failing to conduct a thorough risk analysis,” said Rodriguez. If organizations do not even know where PHI is located, they simply cannot protect its privacy and security.
Regarding new enforcement from the Omnibus rule, Rodriguez shared that he anticipates new enforcement cases against business associates will emerge “before long”.
Enforcement audits will return in early 2014, he predicted. Unlike the pilot audit program that ran from 2011 through 2012, the permanent audit program will cover more entities, and its audits will be more targeted.
Budgeting in Washington has been an uncertain matter of late, so Rodriguez does not have final details regarding the enforcement budget. He did share that the OMB has agreed to allow OCR to keep the fines it recovers and to carry funds over from fiscal year to fiscal year. So, for the upcoming fiscal year, he anticipated his funding to consist of $38M plus $4.5M of remaining funds from this year’s settlements.
The key takeaways from Rodriguez’s presentation:
- Business Associates should get into compliance
- All entities regulated by HIPAA should begin with a thorough risk analysis
- Random audits will begin in 2014, audits will be shorter and targeted, and more audits will be conducted
- Enforcement action will increase based on the funding arrangement worked out with OMB