Interview: The New HIPAA Enforcer

'Enforcement Promotes Compliance,' Leon Rodriguez Stresses

October 3, 2011.

Leon Rodriguez, the new director of the Department of Health and Human Services' Office for Civil Rights, describes his HIPAA enforcement agenda.

"As I've learned as a prosecutor and then as a defense lawyer, enforcement promotes compliance," Rodriguez says. "The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance."

Nevertheless, Rodriguez stresses in an exclusive interview with HealthcareInfoSecurity the need for also using education to help boost compliance. "It's going to be important for us to make sure that we do everything we can to assist those covered entities that want to understand what the rules are. ... So we're also going to be focused on outreach and education no less than on enforcement."

Noting that OCR has announced several high-profile HIPAA enforcement actions in recent months, Rodriguez says he "absolutely" plans to continue the office's ongoing efforts to ramp up enforcement of HIPAA with resolution agreements, civil monetary penalties and other enforcement actions.

"It's always going to be a high priority to focus on those cases that involve the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value," he stresses.

HIPAA Audits

OCR recently hired the consulting firm KPMG to launch a HIPAA compliance audit program, with 150 audits anticipated by the end of 2012. Because this is the first time the office is conducting audits, the effort amounts to a pilot, Rodriguez says. As a result, he'll be reviewing "how an audit program best advances our enforcement goals."

He explains his expectations for the audits: "Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that's really not the primary goal of the audit program."

In the interview, Rodriguez also:

  • Stresses that the HIPAA privacy and security rules help ensure access to care. "Very often a patient who does not have confidence in the security of their information, and, by the way, in their access to that information, may not seek care in situations where they absolutely should."
  • Points out that a part of his continuing effort to ramp up enforcement will be to make sure his staff has the right training.
  • Emphasizes that privacy and security are issues that "really matter to me personally and really matter to the secretary [of HHS]. So we're going to be serious about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy."

Rodriguez, formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, became director of HHS' Office for Civil Rights in early September. The office enforces the HIPAA privacy and security rules as well as the HIPAA breach notification rule. He succeeded Georgina Verdugo, who held the post for about two years. From May 2007 to January 2010, Rodriguez served as the county attorney for Montgomery County, Md. Before that, he served in private practice specializing in health law and was a federal and state prosecutor in several jurisdictions. For example, he prosecuted healthcare fraud cases as assistant U.S. attorney in Pittsburgh.

Follow Howard Anderson on Twitter: @HealthInfoSec
