HIPAA Enforcement: Leadership Changes
OCR's McAndrew Retires; Rodriguez Leaving Soon?
As the Department of Health and Human Services' Office for Civil Rights ramps up its enforcement of HIPAA with costly settlements and a new round of compliance audits, the agency is in a state of leadership transition. Susan McAndrew, a long-time OCR leader in HIPAA enforcement, has retired, and OCR Director Leon Rodriguez may be departing soon.
Meanwhile, Rodriguez, who was nominated by President Obama last December to become director of U.S. Citizenship and Immigration Services, an agency of the Department of Homeland Security, is awaiting a full Senate vote to confirm his nomination to that post.
The Senate judiciary committee held a hearing on Rodriguez's nomination in March. On April 3, committee chair Sen. Patrick Leahy, D-Vt., reported the outcome of the hearing to the Senate as "favorable," and the nomination was placed on the Senate Executive Calendar for 2014. But no date for a floor vote on Rodriguez's nomination has yet been listed on the Senate calendar.
The OCR spokeswoman tells ISMG that there is "no update to share at this time on director Rodriguez' confirmation."
Commenting on the recent retirement of McAndrew, the spokeswoman says: "Her vision and leadership have been essential in moving OCR's work forward to keep pace with the advances of health information technology.
"McAndrew worked each day to move the department in a direction where consumers' right to the privacy of their health information dovetails with common sense standards for the health care industry to follow. She leaves a deep and lasting legacy, and her presence will be greatly missed."
McAndrew could not be reached for comment.
McAndrew, an attorney, played a critical role in crafting HIPAA policies and enforcement activities, including the agency's first round of compliance audits, which were conducted under the 2012 pilot program.
"Sue has been the guiding force behind the development and implementation of the HIPAA privacy, security and breach notification rules as well as the audit program," says David Holtzman, a former OCR senior adviser who left the agency in December to join security consulting firm CynergisTek. "The [OCR] deputy director plays a significant role in the development of regulatory policy and enforcement strategy."
Heide, an attorney, has worked with the HIPAA program at HHS since August 1999 and serves as the senior adviser for policy matters.
If Rodriguez is confirmed as director of U.S. Citizenship and Immigration Services, the HHS secretary will appoint a new director of OCR. That means the appointment could be made by Sylvia Mathews Burwell, who has been nominated by Obama to replace Kathleen Sebelius, who resigned last month as HHS secretary. Burwell is slated to face a second round of Senate finance committee confirmation hearings this week.
In the meantime, OCR is also adding to its enforcement staff. Last week, OCR posted notices that it's recruiting for several positions in its regional offices, including Kansas City, Missouri; Boston; and Denver.
For example, the Kansas City job's primary duties include, "investigating complaints, conducting compliance reviews, and providing technical assistance and outreach to health and human services institutions, agencies or organizations which are covered entities to ensure compliance with civil rights laws and regulations and with the privacy of protected health information under HIPAA."
HIPAA Enforcement Activities
Last week, OCR also announced its largest HIPAA settlement to date. The settlement, which totaled $4.8 million in sanctions, was related to a 2010 HIPAA breach reported by New York-Presbyterian Hospital and Columbia University. Among other factors, the lack of a risk analysis and failure to implement appropriate security policies were cited in the settlement as reasons for OCR's enforcement actions.
Also, OCR is expected to soon resume its HIPAA compliance audit program. The next round will examine both covered entities and business associates; business associates became directly liable for HIPAA compliance under the HIPAA Omnibus Rule, which went into effect last year.
OCR officials have stated that the agency plans to conduct audits of about 350 covered entities in the next phase planned to begin this fall. Additionally, 50 business associates will be audited beginning in 2015 (see HIPAA Audits: Getting Ready).
The agency will start that process by first sending pre-audit surveys to about 800 covered entities and 400 business associates.
An OCR spokeswoman declined to say when those pre-audit surveys and actual audits will begin. Until June 11, OCR is collecting public comment on its pre-audit survey plans, which were published in the Federal Register in February (see HIPAA Audits a Step Closer to Resuming).
OCR officials have said that the next round of audits of covered entities and business associates will focus on specific areas of HIPAA compliance. For covered entities, that includes 100 audits focused on the HIPAA privacy rule, especially privacy notices and compliance with individuals' right to access their protected health information; 100 audits on compliance with the HIPAA Omnibus breach notification rule; and 150 focused on the security rule, especially risk analysis.
The business associates' audits are expected to focus on compliance with the risk analysis and breach notification requirements.