Rodriguez: Privacy & security efforts must be 'ongoing exercise'

Patients want to text and call their doctors, but security practices have not caught up with patient demands, said Leon Rodriguez, director of the Office of Civil Rights (OCR).

“I am, first and foremost, a patient advocate,” he said, and sees the role of the OCR as similar to that of the Securities and Exchange Commission. “People trust the stock market because they know there is a watchdog and there are rules of the road that, in most instances, ensure the integrity of the stock market.”

“We’re looking to be your partner,” Rodriguez told his audience, “in this sacred effort. It’s important that patients have trust in the work you’re doing.”

The HITECH Act has led to a transformation in the way we enforce the healthcare privacy laws, he said. Until HITECH, most of the OCR’s work was reactive and most likely the result of a patient complaint. “The law created a critical mechanism to look behind what the patient sees and to look at the overall picture of what we are doing to make sure that patients’ health information is confidential and secure.”

That’s happening in three ways: breach notification, privacy and security audits, and enforcement tools.

There have been more than 500 reports of breach notifications involving 500 or more individuals since 2009. Nearly 4 million individuals were affected by the theft or loss of laptops or other portable electronic devices. “It’s not the technology that’s failing,” Rodriguez said. “It’s people.” Theft, unauthorized access and disclosure, and loss are “things people either choose to do or do by neglect. It’s not only about building better and stronger technology but making sure people who have protected health information understand and live by the rules of the road.”

The current auditing pilot covers 115 entities, ranging from small physician offices up to healthcare clearinghouses and health plans. “We have learned that there is no single type of deficiency that stands out regarding privacy.” However, with security, particular issues are “bubbling to the top.” The most consistent deficiency, he said, is the lack of a risk analysis, which is “the very first thing you need to do when setting up a medical record system from a compliance standpoint.”

“This is an ongoing exercise,” Rodriguez said. The regulations expect providers to periodically assess and examine their privacy and security efforts. As new technologies are added, providers must assess what new steps are required to ensure privacy and security. He noted that he has encountered numerous organizations whose leadership handed over policies and procedures labeled as having been printed on the day the organization received the audit letter from the OCR.

“Although we encourage encryption, we’re far more concerned about the process,” including methods to assess and avoid risk, train and educate staff, and incident response. Whether a breach is reportable to the OCR or not, organizations should take steps to analyze that breach and determine what vulnerabilities led to that breach. Enforcement of privacy and security rules “is what brought you through the door, what brought you to our attention, but we want to know what weakness in your business process caused a breach to occur.”

“There is no single kind of healthcare entity that doesn’t end up becoming the subject of deficiencies in enforcement,” Rodriguez said. “HIPAA is a valve not a blockage. It’s meant to ensure that health records are used for the benefit of the patient.”

Smaller and rural physician practices have more vulnerabilities, he said. “The burden is on us to make sure we are effectively reaching and educating that part of the industry. We do enforcement but also education. I’d rather go out of business. I’d rather not have to be in this business. The time will come where [proper privacy and security measures] will be so second nature, we will no longer be talking about $1 million and $2 million recoveries.”

Beth Walsh, Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
