OCR Director Says Patients’ Interests Define HIPAA Enforcement Priorities
October 11, 2013
The timing was perfect. On September 23, the same day that the HIPAA Final Rule on Privacy & Security kicked in, Office of Civil Rights director Leon Rodriguez spoke at the HIMSS Media and Healthcare IT News Privacy and Security Forum.
Rodriguez talked of the increased enforcement to come, the importance of properly safeguarding patient privacy and the what-not-to-dos, or the breach blunders that have resulted in hefty monetary penalties for some groups who failed to take patient privacy and security seriously — and offered some insights about what drives OCR’s enforcement priorities.
“Today is a critical day for the Omnibus,” said Rodriguez, who explained that the agency is working to strike a balance between effective enforcement and clearly communicating what all the rules are surrounding patient privacy and security.
Rodriguez pointed out that for 10 years of his life, he represented covered entities, which has really helped him take a balanced approach to enforcement.
“On the one hand you do have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance,” he said. “But at the same time you have to set rules of the road that are understandable and consistent, and you really need to make sure people know what the rules of the road are.”
Rodriguez explained the three types of cases the OCR receives and subsequently investigates. The first, he said, are cases involving major security failures, or the “records in the dumpster” types of breaches. These are the cases one of his former colleagues described as “breach porn,” and they typically end up on the front page in media outlets.
The second area involves egregious, borderline intentional violations. Case in point, the UCLA case where Farrah Fawcett’s information on her cancer treatment was disclosed and eventually “exposed a series of systemic failures at UCLA.”
The area of access is the third category, Rodriguez said, citing the Cignet Health case as an example. Although there was no reported breach, Cignet Health refused to grant patients access to their medical records when asked by patients. Following an investigation by OCR, the organization also refused to cooperate with OCR officials. Eventually, they were slapped with a $4.3 million fine.
Of the some 80,000 HIPAA breach cases OCR has received since 2003, only 16 of those have resulted in fines, Rodriguez said in an August interview.
“It’s a relatively small part of what we do here,” he said. Most cases OCR handles involve corrective action rather than monetary fines.
Ultimately, “It is the patient’s interests that really define what are going to be our enforcement priorities, what are going to be the judgments we make,” Rodriguez said.
Article written by Erin McCann