Governance & Risk Management , HIPAA/HITECH , Privacy
HIPAA-Enforcer OCR Gets New LeadershipBut What About New Leadership for ONC?
The Trump administration has named Roger Severino as the new director of the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA and protects patients rights.
An OCR spokesperson confirmed on March 24 that Severino had been named to the position, and his bio has been posted on the office's website.
Meanwhile, former Rep. John Fleming, R-La., has reportedly been selected for the newly created position of deputy assistant secretary for health technology. It's not yet clear whether Fleming would lead HHS' Office of the National Coordinator for Health IT. ONC oversees standards and policies for the HITECH Act electronic health records "meaningful use" financial incentive program, and also carries out various health IT-related provisions in the 21st Century Cures Act, which was signed into law last year.
HHS did not immediately respond to Information Security Media Group's request for comment on Fleming's reported nomination.
Prior to being named OCR director, Severino was director of the Heritage Foundation's DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity.
Before joining the Heritage Foundation in 2015, he was a trial attorney for seven years in the Department of Justice's Civil Rights Division, where he enforced the Fair Housing Act, the Religious Land Use and Institutionalized Persons Act, and Title II and Title VI of the Civil Rights Act of 1964.
Severino has litigated cases under sex, race, national origin, religion, disability, and familial status discrimination and served as the Housing and Civil Enforcement Section's e-discovery officer, as well as attorney adviser to the fair housing testing program, according to his bio. Prior to that, Severino was chief operations officer and legal counsel for the Becket Fund for Religious Liberty.
While at the Heritage Foundation, a conservative political think tank, Severino authored or co-authored a number of columns critical of the Obama administration's handling of issues related to the LGBTQ community, which could have potential implications for his views on privacy issues.
In a recent Heritage Foundation report he co-authored, he opposed OCR's implementation of the Affordable Care Act's Section 1557.
Section 1557 "prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities," according HHS, which issued a final rule for the regulations in May 2016. The rule calls for anti-discriminatory protections for patients regardless of gender identity and includes privacy protections.
Some civil rights organizations criticized the appointment of Severino based on what's known about his views about same-sex marriage and gender-identity issues.
"Severino repeatedly denounced and actively worked to oppose OCR's implementation of Section 1557," says Wade Henderson, president and CEO of The Leadership Conference on Civil and Human Rights. "These actions call into question his ability to ... protect communities of color and other underserved populations, who are most at risk for unequal access to health and health care."
OCR's work related to patient privacy and security goes beyond data breach investigations and other HIPAA-related enforcement actions. The agency also frequently issues educational guidance to help covered entities and business associates navigate confusing areas of HIPAA.
For instance, in January, OCR issued privacy guidance aimed at clarifying that the HIPAA Privacy Rule permits disclosures of health information to a patient's loved ones regardless of whether they are recognized as relatives under applicable law.
Related to that, OCR also issued updated guidance that the agency said "makes clear that the terms 'marriage, spouse and family member' include, respectively, all lawful marriages - whether same-sex or opposite-sex - lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule."
The OCR guidance was developed, in large part, to address confusion following the 2016 Orlando nightclub shooting about whether and when hospitals may share protected health information with patients' loved ones, OCR said.
Sizing Up Qualifications
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek - and a former senior adviser at OCR - says that Severino "has not written extensively on his views concerning health information privacy or health IT issues."
He notes, however: "It is encouraging he spent a number of years with the Department of Justice Civil Rights Division, which is responsible for overseeing the enforcement of the HIPAA criminal statutes as well as developing guidance to other federal agencies on the application of the HIPAA privacy and security rules. Past history has shown that OCR directors with experience in Justice's CRD come to their position with a good grounding of the responsibilities of the agency."
Privacy attorney Adam Greene, who was also previously an adviser at OCR before joining the law firm Davis Wright Tremaine a few years ago, adds: "Historically, the OCR director has been a political appointee with more of a civil rights background and little to no experience in the area of HIPAA. So I am not surprised that the new director is someone who may not have much privacy and security experience."
Green hopes that OCR "continues to be reasonable on enforcement, resolving most cases through voluntary compliance rather than financial settlements or penalties. It is important for them to continue to bring a significant number of more formal enforcement actions, but I hope that the recent upward trend in settlement amounts stabilizes a bit. "
Over the last two years under the leadership of former OCR director Jocelyn Samuels, the agency issued a record number of HIPAA enforcements, collecting millions of dollars in financial settlements and fines. It also kicked off phase two of a long-delayed HIPAA compliance audit program that's still under way.
New Leader for ONC?
Although no formal announcement has been made by HHS, Politico reported on March 21 that Fleming says he has accepted the new position of deputy assistant secretary for health technology.
Fleming told Politico that he thought he was interviewing with HHS to head the ONC. "I think it's the same or a similar position," he told Politico, adding that ONC "may be reorganizing ...But that's purely speculation. No one from HHS has told me that."
Holtzman notes that an appointment to a deputy assistant secretary position requires Senate confirmation. That's not the case for the OCR director job.
If Fleming is ultimately confirmed by the Senate, Holtzman believes he'd likely have a portfolio of responsibilities that includes cybersecurity. If that's indeed the case, Holtzman suggests Fleming "should take the opportunity to receive and implement the yet-to-be delivered recommendations of the Cybersecurity Task Force, which has been working largely behind the scenes over the last year."
That task force was formed under the Cybersecurity Information Sharing Act signed into law in 2015. "Other opportunities exist in supporting and collaborating with the National Institute of Standards and Technology and the National Health Information Sharing and Analysis Center to promote the application of the Cyber Security Framework across healthcare," Holtzman says.