"As I've learned as a prosecutor and then as a defense lawyer, enforcement promotes compliance," Rodriguez says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). "The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance."
Nevertheless, Rodriguez stresses the need for also using education to help boost compliance. "It's going to be important for us to make sure that we do everything we can to assist those covered entities that want to understand what the rules are. ... So we're also going to be focused on outreach and education no less than on enforcement."
Noting that OCR has announced several high-profile HIPAA enforcement actions in recent months, Rodriguez says he "absolutely" plans to continue the office's ongoing efforts to ramp up enforcement of HIPAA with resolution agreements, civil monetary penalties and other enforcement actions.
"It's always going to be a high priority to focus on those cases that involve the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value," he stresses.
HIPAA AuditsOCR recently hired the consulting firm KPMG to launch a HIPAA compliance audit program, with 150 audits anticipated by the end of 2012. Rodriguez explains his expectations for the audits: "Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action."
In the interview, Rodriguez also:
- Stresses that the HIPAA privacy and security rules help ensure access to care. "Very often a patient who does not have confidence in the security of their information ... may not seek care in situations where they absolutely should."
- Points out that a key component of his continuing effort to ramp up enforcement will be to make sure his staff has the right training.
- Emphasizes that privacy and security are issues that "really matter to me personally and really matter to the secretary [of HHS]. So we're going to be serious about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy."
Rodriguez, formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, became director of HHS' Office for Civil Rights in early September. The office enforces the HIPAA privacy and security rules as well as the HIPAA breach notification rule. He succeeded Georgina Verdugo, who held the post for about two years. From May 2007 to January 2010, Rodriguez served as the county attorney for Montgomery County, Md. Before that, he served in private practice specializing in health law and was a federal and state prosecutor in several jurisdictions.
HOWARD ANDERSON: For starters, why don't you tell us why you decided to take on this new challenge? What was appealing about the job?
LEON RODRIGUEZ: For me this is a convergence of different, but ultimately related, strands in my professional history. I've spent the majority of my time as an attorney involved in law enforcement in one capacity or another, and a significant portion of that was actually in both healthcare and civil rights at different points. I was a civil rights prosecutor at the Department of Justice in the mid-1990s, and immediately after that I was a healthcare fraud prosecutor in Pittsburg.
This really gives me an opportunity to take all those strands and all those experiences and apply them in what I think is a very important mission to help the American people, both by enforcing our non-discrimination laws in federally funded programs, but, as importantly, in protecting security and privacy of American's health information.
Experienced ProsecutorANDERSON: How will your extensive experience as a prosecutor influence your efforts to enforce compliance with the HIPAA privacy and security rules, as well as the breach notification rule?
RODRIGUEZ: It's going to inform it in two different ways. One, we're certainly going to be focused on enforcement here. And when we say focused on enforcement, part of that means is making enforcement a priority, but it also means making sure that your people are fully equipped - that they have the right training, that they understand the statutes and that they understand how to put a case together and put it together in the best timeframe possible.
We are going to be focused on enforcement because, as I've learned as a prosecutor and then as a defense lawyer, enforcement promotes compliance. The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance in situations where it wouldn't exist before.
But at the same time, it's going to be important for us to make sure that we do everything we can to assist those covered entities that want to understand what the rules are, to know what the rules are. ... So we're also going to be focused on outreach and education no less than on enforcement.
HIPAA Enforcement PrioritiesANDERSON: What are your top priorities when it comes to enforcement for your first year on the job?
RODRIGUEZ: The top priority [now is] ... the process of taking stock of where we are. We obviously have some pretty significant enforcement actions and I'm sure you're aware of stuff like Massachusetts General, CVS, Rite-Aid. These are pretty big, sophisticated institutions that were still at risk of significant penalties. I'm in the process right now of taking the inventory of what cases do we have in our case inventory, what kinds of cases are they and what are the enforcement opportunities.
That said, it's always going to be a high priority to focus on those cases that involve the most egregious conduct - the most serious violations - and also all the cases that have the most deterrent value - where if we bring successful enforcement action it will have a significant deterrent value.
ANDERSON: In recent months, as you just alluded to, the Office for Civil Rights has significantly ramped up its HIPAA enforcement efforts. Under your leadership can we expect to see your office announce more resolution agreements in civil monetary penalties and other enforcement actions?
RODRIGUEZ: I think you can expect that; absolutely you can expect that.
HIPAA Audit ProgramANDERSON: The Office for Civil Rights recently hired KPMG to launch a HIPAA audit program. What would you like to see that program achieve, and is it possible that any of those audits will result in sanctions or penalties?
RODRIGUEZ: ... This is the first time we're doing it, so the first thing ... is for us to 'go to school' on how best we will run an audit program. In part, this is what you might call a pilot. We're going to look at it and learn: How do we use an audit program? How does an audit program best advance our enforcement goals?
The second purpose, and this is really different than enforcement, is to promote compliance among the covered entities that are subject to the audit. Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that's really not the primary goal of the audit program.
Passionate About PrivacyANDERSON: Finally, what's the single most important message you would like to offer healthcare organizations about compliance in your new role?
RODRIGUEZ: Well I want to backtrack, maybe talk a little bit personally about why, from my perspective as both a healthcare lawyer and civil rights lawyer, privacy and security matter. They matter really for two reasons. One, they actually are an access to care issue, in the sense that very often a patient who does not have confidence in the security of their health information, and, by the way, in their access to that information, may not seek care in situations where they absolutely should. That not only has an impact on those individual patients, but it also has an impact on their family, on their community and also it may have an overall impact on our healthcare system in the country.
It's also a matter of dignity for those patients. Privacy and security really matter, and I think every patient has a fundamental right to dignity of what is very personal information. ... The message that I would put out there is this really matters to me personally and really matters to the secretary [of HHS]. So we're going to be serious both about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy.