HIPAA Enforcement: Leadership Changes

OCR's McAndrew Retires; Rodriguez Leaving Soon?
As the Department of Health and Human Services' Office for Civil Rights ramps up its enforcement of HIPAA with costly settlements and a new round of compliance audits, the agency is in a state of leadership transition. Susan McAndrew, a long-time OCR leader in HIPAA enforcement, has retired, and OCR Director Leon Rodriguez may be departing soon.

McAndrew, whose official title was OCR deputy director for health information privacy, but who some insiders at OCR called "the mother of HIPAA," retired from federal service on May 2. "Sue was instrumental in spearheading the development and implementation of health information privacy policy and enforcement at HHS," an OCR spokeswoman tells Information Security Media Group.

Meanwhile, Rodriguez, who was nominated by President Obama last December to become director of U.S. Citizenship and Immigration Services, an agency of the Department of Homeland Security, is awaiting a full Senate vote to confirm his nomination to that post.

The Senate judiciary committee held a hearing on Rodriguez's nomination in March. On April 3, committee chair Sen. Patrick Leahy, D-Vt., reported the nomination favorably to the full Senate, and it was placed on the Senate Executive Calendar for 2014. No date for a floor vote on the nomination has yet been listed on the Senate calendar.

The OCR spokeswoman tells ISMG that there is "no update to share at this time on director Rodriguez's confirmation."

Privacy Leadership

Commenting on the recent retirement of McAndrew, the spokeswoman says: "Her vision and leadership have been essential in moving OCR's work forward to keep pace with the advances of health information technology.

"McAndrew worked each day to move the department in a direction where consumers' right to the privacy of their health information dovetails with common sense standards for the health care industry to follow. She leaves a deep and lasting legacy, and her presence will be greatly missed."

McAndrew could not be reached for comment.

The attorney played a critical role in crafting HIPAA policies and enforcement activities, including the agency's first round of compliance audits that were conducted under the 2012 pilot program.

"Sue has been the guiding force behind the development and implementation of the HIPAA privacy, security and breach notification rules as well as the audit program," says David Holtzman, a former OCR senior adviser who left the agency in December to join security consulting firm CynergisTek. "The [OCR] deputy director plays a significant role in the development of regulatory policy and enforcement strategy."

Filling Positions

Christina Heide, OCR's senior adviser for health information privacy policy, is serving as acting deputy director for OCR's Health Information Privacy Division, the OCR spokeswoman says. Heide will be responsible for leading decision-making on enforcement, policy, and strategy.

Heide, an attorney, has worked with the HIPAA program at HHS since August 1999 and serves as the senior adviser for policy matters.

If Rodriguez is confirmed as director of U.S. Citizenship and Immigration Services, the HHS secretary will appoint a new director of OCR. That means the appointment could be made by Sylvia Mathews Burwell, who has been nominated by Obama to replace Kathleen Sebelius, who resigned last month as HHS secretary. Burwell is slated to face a second round of Senate finance committee confirmation hearings this week.

In the meantime, OCR is also adding to its enforcement staff. Last week, OCR posted notices that it's recruiting for several positions in its regional offices, including Kansas City, Mo.; Boston; and Denver.

For example, the Kansas City job's primary duties include, "investigating complaints, conducting compliance reviews, and providing technical assistance and outreach to health and human services institutions, agencies or organizations which are covered entities to ensure compliance with civil rights laws and regulations and with the privacy of protected health information under HIPAA."

HIPAA Enforcement Activities

Last week, OCR also announced its largest HIPAA settlement to date. The settlement, which totaled $4.8 million in sanctions, was related to a 2010 HIPAA breach reported by New York-Presbyterian Hospital and Columbia University. Among other factors, the lack of a risk analysis and failure to implement appropriate security policies were cited in the settlement as reasons for OCR's enforcement actions.

Also, OCR is expected to soon resume its HIPAA compliance audit program, which will include examinations of both covered entities and business associates. Business associates are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule that went into effect last year.

OCR officials have stated that the agency plans to conduct audits of about 350 covered entities in the next phase planned to begin this fall. Additionally, 50 business associates will be audited beginning in 2015 (see HIPAA Audits: Getting Ready).

The agency will start that process by first sending pre-audit surveys to about 800 covered entities and 400 business associates.

An OCR spokeswoman declined to say when those pre-audit surveys and actual audits will begin. Until June 11, OCR is collecting public comment on its pre-audit survey plans, which were published in the Federal Register in February (see HIPAA Audits a Step Closer to Resuming).

OCR officials have said that the next round of audits of covered entities and business associates will focus on specific areas of HIPAA compliance. For covered entities, that includes 100 audits focused on the HIPAA privacy rule, especially privacy notices and compliance with individuals' right to access their protected health information; 100 audits on compliance with the HIPAA Omnibus breach notification rule; and 150 focused on the security rule, especially risk analysis.

The business associates' audits are expected to focus on compliance with the risk analysis and breach notification requirements.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
