An important theme that emerges from the dozens of HIPAA settlements and other enforcement actions taken by the Department of Health and Human Services' Office for Civil Rights is that every aspect of compliance is critical and subject to scrutiny by federal regulators, says former OCR director Leon Rodriguez.
"The question of [a weak or outdated] risk assessment has always been an issue from the very beginning of HIPAA enforcement - and it will continue to be one for the future," Rodriguez says, describing a common shortcoming OCR has frequently spotlighted in settlements that emerge from breach investigations. "That said, one of the things I think is important about ... the settlements over time is the diversity of [violations of various] sections of the HIPAA security and privacy rules," says Rodriguez, who recently became a partner at the law firm Seyfarth Shaw LLP.
"You have different violations in different cases - and that's an indicator that you need ... to be looking at all aspects of compliance," he says in an interview with Information Security Media Group.
In addition to making sure they have up-to-date risk assessments, healthcare entities "also need to be looking at their business associate relationships and they need to be looking at self-audits," he says. "There's a broad variety of things that need to be active parts of their HIPAA compliance programs in order to avoid enforcement."
'Roadmap' to Compliance
OCR's HIPAA enforcement activities offer a "roadmap" of what organizations need to do to ensure compliance, Rodriguez says.
In the interview, Rodriguez also discusses:
- Why it's critical for OCR's HIPAA compliance audits to become a permanent program;
- Whether the HIPAA Security Rule needs to be updated to reflect evolving cyberthreats and risks that didn't exist when the rule was written;
- What's most troubling about recent cyberattack trends in healthcare and other sectors;
- His transition back into the private sector after serving in two leadership roles in the Obama administration, first as director of OCR and then as director of the U.S. Citizenship and Immigration Services, a unit within the Department of Homeland Security.
As a partner in the Washington office of Seyfarth Shaw LLP, Rodriguez provides regulatory, litigation and strategic advisory services in the areas of healthcare compliance, immigration and government/congressional investigations. Before his two leadership roles in the Obama administration, he served as chief of staff and deputy assistant attorney general for the Department of Justice's civil rights division; first assistant U.S. attorney and chief of the white-collar crimes section in the U.S. attorney's office for the western district of Pennsylvania; and trial attorney in the civil rights division at the Department of Justice. Rodriguez also served as the county attorney for Montgomery County in Maryland.