OCR Director Leon Rodriguez: ‘Enforcement breeds compliance’
The HITECH Act tasked the Office for Civil Rights (OCR) within the Department of Health and Human Services with auditing HIPAA-covered entities to ensure protected health information (PHI) is being safeguarded. Since then, the office has turned its attention to enforcement, according to OCR Director Leon Rodriguez, JD, who spoke Dec. 13 at the Privacy and Security Forum hosted by the Healthcare Information and Management Systems Society and Healthcare IT News.
“The biggest challenge is transforming organizational culture into an enforcement-oriented culture,” Rodriguez said. OCR has traditionally focused on healthcare violations more clearly associated with civil rights, such as discrimination, than on compromised PHI. Rodriguez estimated that the office’s workload has quintupled since HIPAA was amended by the HITECH Act.
OCR’s primary mode of operation had been to conduct educational outreach, receive complaints, investigate complaints and help organizations voluntarily comply with nondiscrimination regulations. Now, OCR is taking a much more proactive approach to enforcing compliance with privacy and security regulations. “HIPAA and HITECH call on us to do something more specific,” Rodriguez said.
Through the HIPAA privacy and security audit program, covered entities are randomly selected and their security controls are assessed by OCR investigators for compliance. Noncompliant entities are subject to fines and there have been more monetary settlements due to noncompliance since the program went into effect, according to Rodriguez. “Enforcement breeds compliance.”
When an entity is selected for an audit, OCR focuses on security processes rather than technologies. Most entities found in noncompliance have failed to conduct a risk analysis, conducted an inadequate risk analysis, or do not actively monitor electronic activity. “What we’re looking for in investigations is adherence to a process that’s clearly laid out in regulations,” Rodriguez said. “The real issues for us are, did you do a risk analysis, do you train on an ongoing basis, do you have contingency plans?”
In addition to IT processes for securing information, organizations should maintain administrative safeguards, or “a lot of basic precautions that really relate to recognizing that there are always going to be human frailties,” according to Rodriguez. While security breaches are sometimes the result of hostile cyber attacks, they are more often than not the result of a stolen laptop or a healthcare worker digging up dirt on a former lover. Provider organizations should have policies in place to prevent these types of breaches, covering, for example, how physical buildings are secured and how careless employees are disciplined.
The audit program is in the final month of a pilot phase and HHS is working on implementing a permanent program, according to Rodriguez. Rule-makers are considering how to conduct audits in a business-friendly manner, where to focus resources and how to use analytics to determine patterns. “We’re going to school now on what our future audits will look like,” Rodriguez said.