Rodriguez outlines OCR's enforcement priorities
BOSTON--Speaking at the second annual HIMSS Privacy & Security Forum on Sept. 23, Office for Civil Rights (OCR) Director Leon Rodriguez acknowledged the significance of the date. “Critical elements of the Omnibus Rule go into effect. Despite the changes, I would like to point out that the sun has risen in the same way today.”
Rodriguez said that his office has spent the past year working on its enforcement approach, and a pattern of “where we’re going to utilize our performance and compliance energies” is now visible, which sets the stage for what’s coming in the years ahead. “On the one hand we have to have assertive, credible enforcement and at the same time, we have to set the rules of the road that are understandable and consistent and then make sure people are aware of those rules.”
He cited the following three broad categories of cases OCR manages:
- Major security failures. Particular breaches can get a lot of attention in the media but they often represent just the tip of the iceberg, Rodriguez said. “We’re looking at the set of processes set out by HIPAA that entities are expected to follow and determine whether those processes have been followed. With those entities that have not utilized those processes over a long period of time, we’re going to prioritize those cases for enforcement.”
- Egregious and borderline intentional violations of HIPAA involving disclosure of patient information. Rodriguez cited the case at the University of California-Los Angeles a few years ago in which actress Farrah Fawcett’s information was disclosed, which then revealed a series of systemic security failures at the organization.
- Access. The single largest monetary penalty, he said, was in the Cygnet Healthcare case, which was fined $4.3 million because it failed to give patients access to their own records and failed to cooperate with the OCR investigation.
“Patients’ interests define enforcement priorities and judgments we make in particular cases,” he added.
Rodriguez discussed several recent cases, including Affinity Health Plan’s failure to clear protected health information (PHI) from rented photocopiers, which were then put to use by another company. The PHI of some 600,000 patients was contained on the copiers. “We’re discovering over and over again in investigations as well as audits, a failure of entities to do a thorough risk analysis—identifying where PHI resides, what are the vulnerabilities of that information, determining the possible risks of those vulnerabilities and then implementing the necessary measures to protect that information. That is a consistent single thread that runs through all of our security cases.”
The resolution with Affinity resulted in a corrective action plan, with the health plan using its best efforts to retrieve the hard drives from the photocopiers and taking other measures going forward to safeguard electronic PHI.
OCR resolved a case with WellPoint regarding a series of breaches that exposed security weaknesses in its online application database. More than 600,000 patient records were exposed. The organization did not perform an appropriate technical evaluation when conducting a software upgrade to its information system and had no verification that the people seeking access were authorized.
Rodriguez said he has learned several lessons from OCR’s enforcement experience. Most significant is the need for entities to conduct risk analyses and understand where their ePHI is. He admitted that he originally presumed that it would be more difficult for smaller providers to manage these issues. “I thought they would be more vulnerable to these sorts of problems because they would, presumably, have less sophisticated systems. But, we’re seeing problems in all kinds of entities.”
With new technology constantly being introduced, he said, there are simply more places to store information. That “requires a more affirmative, proactive thought process.” Those entities going through a transition—whether changing IT systems or physically moving locations—have a higher risk of experiencing vulnerabilities. “Senior leadership needs to take responsibility for privacy and security. It’s not enough to delegate those functions.”
Sept. 23 also marks the first time business associates (BAs) are directly accountable. “This is an area where you will start seeing some enforcement activity,” Rodriguez warned. “It’s also an area where lots of learning is going on.” Many businesses don’t understand that they are business associates and must follow these rules. That means there is a big educational challenge going forward.
Also looking ahead, Rodriguez said that ever since OCR launched an online complaint system, its traffic has almost doubled. The electronic complaint portal is expected to result in about 18,000 complaints a year. “We are looking for more and more efficient ways to handle that traffic of cases. And, we will be more aggressive about finding the single most impactful cases because those are the ones that provide learning opportunities for the industry.”
Rodriguez said he plans to leverage his office’s budget to fund audit activity and breach analysis. Speaking of which, he said OCR has learned a lot from its pilot audit project. “We’re in the midst of planning our process for the coming year of how to conduct a permanent audit program. We’re hiring dedicated audit personnel and will work with contract auditors as well.” The pilot only allowed for audits of 115 entities. “We want to reach more than 115 entities annually, so we need to think about how to leverage our funds. You’re going to see much more targeted audits and you’ll see, perhaps, the areas we focus on change year by year depending on where we see vulnerabilities. Risk analysis will be one focus of our audit activity but as new vulnerabilities are uncovered, we’ll see others come to the forefront.”
Rodriguez said OCR also is emphasizing technical assistance, with a “fair amount targeted to the individual provider level.” OCR created videos and established a consumer-facing YouTube channel and a Spanish language channel. Of the 1.6 million views to date, he said the Spanish video has had 500,000 views. “That tells you something about our immigration populations, limited English-speaking populations, about their level of interest in privacy and security and access issues. We don’t know why that is, so there is an interesting deep dive ahead for us and the entire healthcare industry as a whole in understanding where that interest comes from and what it means as we develop our health information infrastructure.”
Rodriguez ended his talk by acknowledging that the 500-page Omnibus Rule probably has some room for improvement. “We’re open to feedback. There are exciting times ahead. There is an opportunity to put patients even more in control of their healthcare. A critical aspect of that ability is having control over their information. As we move forward, we want to ensure their confidence in the privacy and security of that information so we will be able to realize the promise of the EHR.”