HIPAA Enforcer Reveals Audit TimelineOCR's Leon Rodriguez Discusses Next Phase of Program
HIPAA audits will resume within about a year, and healthcare organizations have plenty of work to do to improve their compliance, says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights.
The results of a recently completed OCR pilot program of 115 HIPAA audits revealed several common shortcomings among healthcare organizations, including inadequate risk analysis, outdated policies and procedures, and non-existent contingency plans, Rodriguez says in an interview with HealthcareInfoSecurity (transcript below).
"What we're learning from the audits, and from the monetary settlement cases we have done [after investigations], is there's plenty of noncompliance out there and plenty of room for improvement," Rodriguez says.
Preparing for Next Round of Audits
Organizations looking to ramp up their compliance efforts in 2013 should start by having HIPAA compliance owned by the entire organization, Rodriguez explains. "It needs to be owned by the leadership of the organization," he says. "They need to empower their CIOs and empower their compliance officers."
But that empowerment and responsibility must move down the ladder to the entire staff, Rodriguez says, because many employees within an organization touch protected health information.
"A lot of these cases turn on some kind of human frailty - people losing things, permissions getting stolen, information getting misused for either fraud or to embarrass somebody else," he says.
Rodriguez also advises organizations to continue with employee training. "Focus obviously on the quality of the training and that it's thorough and completed," he says.
Healthcare organizations need to better understand that HIPAA offers "a common-sense process for how to protect the privacy and security of patient information," he says. "It gives you a bunch of things to do - conduct a risk analysis, train your employees, have disciplinary policies and have technological safeguards, such as automatic log-offs, and have contingency plans. One thing we're going to keep emphasizing is it's that menu of common-sense steps, not a particular technological solution. Those are the things that we're going to be looking for in an enforcement manner."
In the interview, Rodriguez also:
- Describes plans for resuming the HIPAA audits.
- Offers an update on the pending accounting of disclosures rule.
- Outlines specific steps healthcare organizations should take to improve their HIPAA compliance.
As head of the HHS Office for Civil Rights, Rodriquez is the nation's lead HIPAA enforcer. The agency oversees the ongoing HIPAA compliance audit program. Before joining OCR in 2011, Rodriguez was the chief of staff and deputy assistant attorney general for the Department of Justice's Civil Rights Division. From May 2007 to January 2010, he served as the county attorney for Montgomery County, Md.
HIPAA Audit Pilot Program
MARIANNE KOLBASUK MCGEE: First, let's talk a little bit about OCR's pilot program for HIPAA audits as they wrap up in 2012. When will the final report on those audits be ready, and what have you learned so far?
LEON RODRIGUEZ: We're in a position already to talk about some of the things that we've learned so far. For example, one area [where] we found deficiencies among a wide variety of entities is in the area of risk analysis, which is really one of the most fundamental privacy and security elements - to conduct a thorough and complete risk analysis and then to take action based on the findings of that risk analysis. We're now going to go into our evaluation contract over the next few months, evaluating both our findings and what that says about our program, but then also evaluating the audit itself to determine what our permanent audit program is going to need to look like.
MCGEE: When do you expect you'll begin the next phase of audits?
RODRIGUEZ: At this point, my best guess is it will probably be sometime in the latter part of 2013 once we conclude the audit. A lot of that is going to be dependent on what our resources look like, but certainly by 2014, we're going to be back in business again.
MCGEE: In terms of HIPAA enforcement, will there will be more penalties ... for noncompliance?
RODRIGUEZ: ... I think what we're learning from the audits, and from the monetary settlement cases we have done [after investigations], is there's plenty of noncompliance out there and plenty of room for improvement. From that perspective alone, I expect that we're going to continue to see monetary settlements for a long time to come. The other thing is I know that we have, in inventory, cases that we're already doing that are sort of moving through the investigative and findings process, and that will result in settlements. So the answer is absolutely yes, I think we're going to be seeing more of those monetary settlements.
MCGEE: The HIPAA omnibus package of regulations has not yet been released. ... When might that might happen?
RODRIGUEZ: As is public information, it's with the Office of Management and Budget. I think we sent it over in about March. We're certainly hopeful that we're going to be in a position to have it issued soon.
MCGEE: How about the accounting of disclosures rule? Is that a separate final rule that's coming, and when would that be?
RODRIGUEZ: Yes, that will be a separate rule. We're still at a point where we're analyzing a fairly large volume of comments that we got for that ... so that's work that's still ahead for us.
MCGEE: What privacy and security regulations should healthcare entities be preparing for in 2013?
RODRIGUEZ: As I've said in several other venues, the main thing that they need to be preparing for is understanding that what HIPAA gives you is a common-sense process for how to protect the privacy and security of patient information. From soup to nuts, from birth to death, it gives you a bunch of things to do - conduct a risk analysis, train your employees, have disciplinary policies, have technological safeguards, such as automatic log-offs, and have contingency plans. One thing we're going to keep emphasizing is it's that menu of common-sense steps, not a particular technological solution. Those are the things that we're going to be looking for in an enforcement manner.
Privacy, Security Shortcomings
MCGEE: Besides risk assessments and risk analysis, what are other weaknesses, based on the audits and the breach investigations that you've done so far?
RODRIGUEZ: We see examples of audited entities that either have outdated policies and procedures or no policies and procedures at all. We see entities that don't have appropriate contingency plans in place. We talk about reportable breaches, but really any kind of breach should be a signal to an entity to look at its operations and understand what vulnerabilities led to that breach. We're finding that's not always happening. That sort of self-analysis is not always happening the way it should.
HIPAA Compliance Tips
MCGEE: If you had one or two tips to give healthcare entities for 2013 to improve their HIPAA compliance, what would those tips be?
RODRIGUEZ: One of the key things is that HIPAA compliance needs to be owned by the entire organization. It needs to be owned by the leadership of the organization. They need to empower their CIOs and empower their compliance officers, but at the same time, they need to make sure that those messages percolate down to all the staff that touches protected health information. Because at the end of the day, a lot of these cases turn on some kind of human frailty - people losing things, permissions getting stolen, information getting misused for fraud or to embarrass somebody else. You've really got to focus on your people and policies related to your people.
MCGEE: Of covered entities, who seems to have the most problems? Is it the larger entities that have a lot of people, where they kind of lose control of what people are doing, or is it the smaller entities that don't have the resources to devote to this sort of effort?
RODRIGUEZ: I think that honestly we're finding problems across all kinds of entities and all sizes of entities. We do detect certainly at least an educational challenge for smaller providers. I think there's still a lot of work to be done in that area, but honestly I think we find issues across all provider types and across all provider sizes.
MCGEE: Any tips on how entities can improve their HIPAA training?
RODRIGUEZ: The main thing is to just keep doing it. Focus obviously on the quality of the training and that it's thorough and completed, and if you're using a vendor, it [should] be a good vendor. The other thing, where a lot of entities seem to fall down, is they'll do it one day and then they'll stop, so new employees coming through the door don't get the training or the training isn't updated on an ongoing basis. That's more of the kind of failings that we see.
MCGEE: Looking ahead to regulations that will likely happen in 2013, is there any advice that you have for business associates that deal with covered entities?
RODRIGUEZ: Get ready. That's the basic advice. They will become subject to the HITECH requirements [for HIPAA modifications] within 180 days of the issuance of the rule. They were already subject to it as a matter of their business associate agreements anyway, so the best advice I can give them is to get ready right now.