Top HIPAA Enforcer Names His Top Enforcement Priority
OCR's Roger Severino Discusses Agency's Goals, Sector Challenges
The new head of the federal agency that enforces HIPAA says his top enforcement priority for the coming year is to find a "big, juicy, egregious" breach case to use as an example from which others can learn.
Roger Severino, who was named in March as the Trump administration's new director of the Department of Health and Human Services' Office for Civil Rights, noted in a presentation at a Monday conference: "I haven't zoomed in on a particular area, whether it will be cybersecurity, ransomware, physical security etc. It wouldn't be the best tactic to say what we're looking for, but I think coming into this job, I've gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it - and we have to be smart about who we target.
"At most I will say the big, juicy case is going to be my priority and the methods for us finding it - stay tuned."
Speaking at the 10th annual "Safeguarding Health Information" HIPAA conference, jointly hosted by OCR and the National Institute of Standards and Technology, Severino added: "I have to balance that law enforcement instinct with the educational component that we do. I really want to make sure people come into compliance without us having to enforce. I want to underscore that."
When another OCR official - Iliana Peters - was later pressed during a separate conference session for details about what might qualify as a "big, juicy, egregious" incident, Peters said OCR "doesn't comment on open, ongoing or potential investigations."
So far this year, the largest of eight OCR enforcement actions was a $2.5 million settlement and corrective action plan with wireless health services provider CardioNet in a case involving a stolen unencrypted laptop computer.
'Wall of Shame' Changes
In his presentation, Severino also noted changes that OCR made recently to its HIPAA Breach Reporting Tool web portal - commonly called the "wall of shame" - which lists major health data breaches impacting 500 or more individuals (see HHS Makes Changes to 'Wall of Shame' Breach Reporting Site).
"We've gotten a lot of feedback from the industry and covered entities about the website over time," he noted. "It was outdated and ... when you first clicked on it, it was alphabetical and whoever happened to be letter 'a' - [that breach] was [listed] first even if they had resolved the breach long ago."
"We try to provide as much information as possible. When all you see is alphabetical, it can leave a misimpression of when things were relevant and occurring. So, we have listened and we have made changes and we are happy to report it's a new website structured so that it is listed by the most recent breaches."
Any breaches reported over two years ago get publicly archived, he added. "[That] is a requirement under the statute - that we do compile and publicize the breaches - and it's incredibly useful to see trends and see what is going on in the industry and to see the type of corrective actions that are taken," he says.
"That is really our goal through the enforcement actions and technical assistance: to get compliance so that the breaches get [fewer] and the number of security incidents gets [lower] and we all get fewer cases over time. Our caseload has been growing significantly. We are up to about 20,000 complaints a year. That is an extraordinarily large number. We have a lot of staff that work on technical assistance."
Ultimately, Severino says he wants "to see those 20,000 complaints start to go down so we can have a culture of compliance throughout our country so that we will achieve all of our goals and do it efficiently with as little burden as possible on all of you so we can have some wonderful results."
Small Healthcare Entities
But no one is off the hook from potential OCR enforcement actions, including smaller providers with slimmer resources to address health data security and privacy, he stressed.
"Small providers are integral to our healthcare system. We know that. They provide more choice than just centralized institutions," he said. But smaller provider organizations have the same responsibilities as large institutions, he stressed.
"Just because you are small doesn't mean we're not looking and that you are safe if you are violating the law. You won't be."
All business sectors, including healthcare, face an increasingly threatening cyber landscape, Severino noted.
"Most recently I had the incredible experience of being with [HHS] Secretary [Tom] Price the moment it was announced to him that the WannaCry attack was underway," Severino told the audience.
"It was a sobering moment. We gathered the senior staff and we had our information. The initial thought was that it could've been a state actor attack against America. It was a very grim moment and then the secretary was whisked away to the situation room in the White House to handle it," Severino says.
"It was not as terrible of an attack as it could have been, but it was still a major disruption to our healthcare system and it certainly caused a major disruption overseas in England and some European countries," he noted.
The United Kingdom's National Health Service was attacked, and in the U.S., some healthcare systems were also impacted, but not to the same extent, he noted (see WannaCry: What's the Impact on U.S. Healthcare Sector?).
"It underscores the role that all of you play in cooperation with NIST and OCR to make sure we are ready because the best solution is to make sure that no one is vulnerable to these attacks so that the confidentiality, integrity and availability of our health information is always preserved."
In the wake of the WannaCry attack, OCR issued guidance, he noted.
"It was a large-scale attack - and our guidance gave some best practices to make sure we are not vulnerable again," he said. "Patching is good for that sort of attack. If you fall under attack, the FBI says you should not pay the ransom. That is their guidance. You don't want to be in a position where you have to make that tough choice. Better always to be prepared to make sure you are not vulnerable."