A Passion for HIPAA EnforcementLeon Rodriguez is on a Privacy Mission
In an exclusive interview with HealthcareInfoSecurity, Leon Rodriguez, the new director of the Department of Health and Human Services' Office for Civil Rights, stressed: "Very often a patient who does not have confidence in the security of their information, and, by the way, in their access to that information, may not seek care in situations where they absolutely should."
Patient access is just one of many reasons why enforcing HIPAA is so important. As the nation moves toward more widespread use of electronic health records and health information exchange, assuring patients of their privacy is essential. Without consumer confidence, EHRs and HIEs are destined to fail.
It's always going to be a high priority to focus on those cases that involve the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value.
In recent months, OCR has ramped up its HIPAA enforcement efforts with some headline-grabbing cases, including an $865,000 fine against UCLA Health System. It seems clear that, under Rodriguez' leadership, the effort to enforce the HIPAA privacy, security and breach notification rules will intensify.
Privacy and security are issues that "really matter to me personally," Rodriguez noted. "So we're going to be serious about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy."
The experienced prosecutor stressed that "enforcement promotes compliance." He offered some insights on his game plan: "It's always going to be a high priority to focus on those cases that involve the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value."
HIPAA Audit GoalsRodriguez also spelled out his goals for the upcoming HIPAA audit program, which will scrutinize up to 150 organizations by the end of 2012.
"Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that's really not the primary goal of the audit program."
It's certainly good to hear the new head of OCR setting the tone for an aggressive enforcement policy coupled with a HIPAA compliance education effort. Every OCR announcement about sanctions for HIPAA violations increases the odds that more organizations will comply with the rules and do a better job of protecting patient privacy.
So we hope that under Rodrigeuz' leadership, OCR will announce many more resolution agreements, civil monetary penalties and other enforcement actions. And we also hope that Rodriguez will leverage the HIPAA audit program to educate covered entities, using audit results to illustrate compliance problems and suggest clear solutions.