Impact of New HIPAA Enforcement Leader
Are New Strategies, Directions on the Horizon?
As the Department of Health and Human Services' Office for Civil Rights prepares for a change in its top leadership, information security leaders are watching to see whether the strategies of the HIPAA enforcement agency might shift as well.
On July 9, OCR Director Leon Rodriguez, who held the post of the nation's top HIPAA privacy and security rules enforcer at HHS since 2011, was sworn in as the new director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.
But his successor at OCR, Jocelyn Samuels, who currently serves as the acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, won't be starting in her new post for a while.
"Transition demands at the Department of Justice have delayed Ms. Samuels' arrival for a few weeks," an OCR spokeswoman tells Information Security Media Group. "In the interim, HHS leadership are acting in her stead."
Samuels was named last week by HHS Secretary Sylvia Mathews Burwell to replace Rodriguez. He was nominated by President Obama in December and confirmed by the Senate in June 2014 as the director of U.S. Citizenship and Immigration Services, which has nearly 18,000 employees and administers the nation's immigration and naturalization system.
While Samuels has served in the Civil Rights Division at DOJ, the agency has paid particular attention to pursuing Americans With Disabilities Act cases and enforcement actions related to the Supreme Court's Olmstead ruling, which provides rights to individuals with disabilities to live outside of institutionalized care, notes the Boston Globe in a June 24 article about the 15th anniversary of the court's decision. Other healthcare-related cases pursued by the DOJ during Samuels' tenure involved rights of the hearing impaired, notes Elizabeth Hodge, a healthcare compliance attorney at the Tampa, Fla.-based office of national law firm Akerman LLP. "There were cases fining hospitals as well as smaller practices" over their lack of access to healthcare for the hearing impaired, she says.
In addition to enforcing HIPAA compliance through activities that include breach investigations and random compliance audits, OCR also enforces protection against unfair healthcare treatment or discrimination based on race, color, national origin, disability, age, gender or religion. While Samuels' arrival at OCR will not change the mission of the agency, how its limited resources are divided among its various enforcement activities could potentially shift.
The greatest challenge facing Samuels is OCR's need for additional financial and human resources, says David Holtzman, a former senior adviser at OCR who's now a vice president at the security consulting firm CynergisTek.
OCR's mission and responsibility was significantly expanded through Congressional mandates in the HITECH Act and the Affordable Care Act, he notes. "For example, the HITECH Act required OCR to expand enforcement of the HIPAA rules to business associates, required investigation and imposition of penalties on HIPAA violations due to willful neglect, and established an audit program. The ACA expanded the rights of individuals to access healthcare without regard to their sexual orientation or gender identity. However, Congress did not appropriate additional funding to carry out this mission."
Holtzman calls on Samuels to "continue the efforts begun by her predecessor to use her 'bully-pulpit' to raise the visibility of OCR and work with Secretary Burwell for appropriation of additional support for OCR's mission."
Striking a Balance
Even when it comes to OCR's various HIPAA enforcement activities, which range from breach and complaint investigations to the planned resumption this fall of the HIPAA compliance audit program, Samuels will be faced with a delicate juggling act, says privacy and security attorney Adam Greene, a partner with Davis Wright Tremaine in Washington.
"One of the biggest challenges for Ms. Samuels will be to ensure that the agency continues to strike a reasonable balance with respect to enforcement," says Greene, who also formerly was a member of the OCR staff. "OCR initially focused on voluntary compliance rather than seeking financial penalties and settlements, and some within healthcare complained that the lack of enforcement led to insufficient resources allocated to HIPAA. Now, we have started to see more multi-million dollar settlements, and some question whether the penalties are disproportionate to the conduct and harm."
A challenge for Samuels, Greene says, is "to strike the balance where HIPAA is seen as having 'teeth' but covered entities and business associates can still count on OCR as being reasonable when there are areas of ambiguity or privacy or security issues occur despite good efforts at compliance."
In OCR's latest HIPAA enforcement activity, the agency in June announced an $800,000 settlement with Indiana-based community health system Parkview Healthcare for a 2009 breach involving paper medical record dumping and affecting between 5,000 and 8,000 patients. That settlement followed a $4.8 million resolution agreement revealed in May involving two New York healthcare organizations - New York-Presbyterian Hospital and Columbia University. The OCR investigation into that incident, which involved unsecured patient data on a network and affected about 6,800 patients, uncovered other HIPAA compliance issues, including the lack of a risk analysis and failure to implement appropriate security policies.
Those OCR settlements are among 21 HIPAA resolution agreements that included financial payments since 2008, plus one case that involved a civil monetary penalty, which is considered more punitive. However, since the HIPAA Omnibus Rule took effect last year, OCR has indicated that it's ramping up HIPAA enforcement, which includes plans to resume the HIPAA compliance random audit program later this year (see HIPAA Enforcement: A Reality Check).
OCR's enforcement strategy to date of issuing HIPAA resolution agreements and sometimes hefty financial settlements to a small number of select covered entities has been an effective compliance tool, Hodge contends.
"Given OCR's limited resources, targeted resolution agreements that bring focus on a variety of compliance issues and breaches, and a range of different kinds of covered entities, grab attention," she says. "The next thing we might see are resolution agreements involving business associates."
Under HIPAA Omnibus, business associates are directly liable for HIPAA compliance.
But those cases also take up OCR resources. "I believe it is important that Director Samuels work with Secretary Burwell to put into place the resources needed to effectively respond to the large number of complaints being received by OCR," Holtzman says.
"All too often, complaint investigations and compliance reviews begun by OCR drag on for many, many months because there are not enough investigators in the regional offices to keep up with the complaints filed by consumers. Almost all complaint investigations can be resolved informally through the voluntary corrective action of covered entities," he says. "Covered entities and business associates deserve the opportunity to a prompt investigation and resolution of these agency enforcement activities."