Although fewer than the planned 150 HIPAA compliance audits will be conducted this year, the audit program likely will continue in 2013, says Leon Rodriguez, the nation's lead HIPAA enforcer.
"I don't think it's actually going to be quite 150," says Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights. "It will be something close to that," he says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). That's because of the office's funding level and the capacity of KPMG, the firm hired to conduct the audits, Rodriguez explains.
In the interview last month at the Healthcare Information and Management Systems Society Conference in Las Vegas, Rodriguez says there's a "reasonable likelihood" the audit program will continue beyond this year, despite budget cuts. "This audit program has exposed vulnerabilities and issues that we can't find any other way," he notes. "I think it will be good policy for us to really keep this audit program going.
Although Rodriguez declines to provide any insights based on the initial 20 audits, he notes that his agency has identified several common HIPAA compliance shortcomings in its breach investigations so far. "You really still do have significant security vulnerabilities out there," he says. "And sometimes those issues are as fundamental as no evidence of a risk analysis, no policies and procedures and no adequate technical safeguards for data."
In the interview, Rodriguez also:
- Notes that his office will issue a report on the aggregate results of the audits once all the 2012 reviews are complete;
- Explains that the Obama Administration's proposed $2 million cut in the OCR budget for fiscal 2013 will likely be more than offset by income from monetary penalties the office collects from HIPAA violators, which can be used to fund enforcement. He notes, however, that fines and penalties also must be used to offer restitution to victims, as required under the HITECH Act.
- Acknowledges that "it's quite possible" that the long overdue omnibus package of privacy and security regulations won't be issued in March, which HHS recently announced as the target date. The package will include the final HIPAA breach notification rule, HIPAA modifications and the privacy provisions under the Genetic Information Nondiscrimination Act.
Rodriguez, formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, became director of HHS's Office for Civil Rights in early September 2011. The office enforces the HIPAA privacy and security rules as well as the HIPAA breach notification rule. He succeeded Georgina Verdugo, who held the post for about two years. From May 2007 to January 2010, Rodriguez served as the county attorney for Montgomery County, Md. Before that, he served in private practice specializing in health law and was a federal and state prosecutor in several jurisdictions. For example, he prosecuted healthcare fraud cases as assistant U.S. attorney in Pittsburgh.
20 Initial Audits
HOWARD ANDERSON: In the preliminary round of 20 HIPAA compliance audits that KPMG is conducting on behalf of your office, can you tell us about some of the most common compliance issues that have been identified so far?
LEON RODRIGUEZ: No, I don't think we're in a position just yet to talk about what we're finding under audit. I think it's worth pointing out what we've been seeing in breach notification, what we've been seeing in enforcement. And it will be interesting to see if audit sort of corroborates with what we've been seeing in breach notification and enforcement in that, you really do still have significant security vulnerabilities out there. Sometimes those issues are as fundamental as no evidence of a risk analysis, no policies and procedures, no adequate technical safeguards. For data, we're still seeing those issues widely out there. It will be interesting to see, as we get into a position to report our findings from audit, whether, in fact, in a randomly selected population we're seeing similar issues.
ANDERSON: Are those 20 pilot audits complete, or are you still working on them?
RODRIGUEZ: I think those might be approaching some kind of completion pretty soon, actually.
ANDERSON: Will you issue an aggregate report, on them?
RODRIGUEZ: Toward the end; I don't think we will until we're done with the whole...
ANDERSON: The whole 150 [audits as originally planned]?
RODRIGUEZ: I don't think it's actually going to be quite 150. It will be something close to that, just in terms of our funding and KPMG's capacity, but I think when we're at the end of it, we will be in a position to give sort of an aggregate report and it's also going to be a time where we're going to be able to start talking about what will be the future of this audit function.
HIPAA Compliance Priorities
ANDERSON: What advice would you give folks about what their HIPAA compliance priorities should be, based on the audits and the breach notifications?
RODRIGUEZ: I think their HIPAA compliance priorities are going to be to really make sure they understand what the requirements are, that they make a real plan to come into compliance, and this is the stuff that I talked about just now in the conference. It's the risk analysis; it's the education; it's the disciplinary policies; it's the assessment of what kind of technical and physical safeguards are required, and then to implement the products of those assessments. It's like a muscle that needs to continuously be worked out; and that means that part of it is doing the stuff up-front, but then it means you've got to keep doing it. You've got to have a routine of checking the risk assessment, checking the training, because, if not, what happens is they sort of deteriorate over time. They have the best of intentions at the beginning and then deteriorate over time, and that's when the vulnerabilities and the breaches start happening.
ANDERSON: Will KPMG refine audit procedures after the first 20 audits are complete, and can you describe the approach they're taking now and how that might evolve?
RODRIGUEZ: I'm not in a position right now to be able to talk much about that. I mean, I can give you kind of a very mechanical overview in a sense. ... They're asking for documents. They're doing a desk review of the documents. They're then doing on-site visits, but I don't know if that's necessarily that informative. That's just the mechanical process of what they're doing.
ANDERSON: When will the remainder of those to be audited this calendar year be notified?
RODRIGUEZ: They're either being notified or should be notified pretty soon. ...
ANDERSON: After the initial pilot of 20 audits, when will the second phase begin?
RODRIGUEZ: Almost immediately ... in a matter of the next few weeks actually.
ANDERSON: So if you're going to be audited, you'll know, if you don't already, in the next couple of weeks then?
RODRIGUEZ: I would say so, yes.
OCR Budget Cut
ANDERSON: The president's fiscal 2013 budget calls for a 5 percent cut in the budget for your office. I know the 2012 calendar year audit program is funded with money from the HITECH Act. Will there be HITECH money to continue the audit program next year, or will your office be able to fund the audits itself?
RODRIGUEZ: I guess the answer is we're not sure exactly. The administration has put forth a budget that would cut us by 5 percent. That's about $2 million. If you translate that into, for example, personnel - it's not necessarily where the cut's going to come - we're talking about approximately 10 full-time equivalents. ... We will be able to, given the pace we've already had of monetary recoveries - and this is just the opening threshold of our work - the monetary recovery is really what will provide us a pretty decent way of keeping our investigative capacity up and perhaps adding some.
ANDERSON: Do you anticipate the audit program continuing in 2013 then?
RODRIGUEZ: I think there's a reasonable likelihood that it will be continued. It is what HITECH requires. ... I think it's a very good likelihood that we will. This audit program has exposed vulnerabilities and issues that we can't find any other way. I think it will be good policy for us to really keep this audit program going.
ANDERSON: You don't anticipate that the budget cut would affect your office's ability to investigate and enforce HIPAA violations because the income you get from penalties and monetary settlements would make up for it?
RODRIGUEZ: I think it will provide us a way to. [The budget cut is] a hit; it is absolutely. We're giving our fair share, as other agencies are, but fortunately, for our ability to keep our enforcement work at the level it needs to be, we do have another stream of income here that will enable us to keep our enforcement going.
ANDERSON: Just so people are aware, under HITECH you're enabled to use penalties and sanctions that you collect toward your enforcement expenses, right?
RODRIGUEZ: Yes, toward enforcement ... but also for restitution for victims. One of the things that HITECH directs us to do is to basically create formulas for how restitution is going to be made to victims. We're working on that. As you know, we have a pretty long queue of policy products that need to come out, and so that's in the queue with those other products.
ANDERSON: And the higher penalties for HIPAA violations called for under the HITECH Act are in effect now, even though the final HIPAA modifications rule is not yet complete?
RODRIGUEZ: They are in the interim final rule that basically lays out a structure based on what was in HITECH for the penalties, ranging from penalties based on strict liability all the way up to willful neglect without any effort at corrective action by the entity at the highest end of the spectrum, and then the discussion of factors that we look at as we assess the imposition of penalties. There are also investigative policies that we're going to have internally that are going to drive which cases get prioritized for monetary enforcement. They're going to focus on the overall privacy and security health of the entity under investigation.
ANDERSON: I just want to make sure people were aware that those higher penalties can be imposed now, not months from now when the rule is final.
RODRIGUEZ: Yes, absolutely, and [it's] probably worth laying out what they are. At the low end of the spectrum, it's strict liability. You can go from $1,000 to $50,000 per individual violation up to an aggregate of $1.5 million a year per provision violated during that year. And then at the high end of the spectrum, where you have willful neglect without corrective action, you're talking about $10,000 to $50,000 a year up to the same cap of $1.5 million. But if you look at all the different provisions that you can violate, those can become some pretty scary numbers pretty fast. We know that, and clearly the industry knows that as well.
ANDERSON: We've got pending the omnibus package of regulations, including the HIPAA modifications and the final HIPAA breach notification rule and the privacy provisions under the Genetic Information Nondiscrimination Act. HHS indicated in January that the target date was March. ... Is that March date achievable?
RODRIGUEZ: I think it's quite possible it won't be in March. I should tell you that I really welcome that question whenever it comes. I apologize that all I can say is that it's in process, but I really welcome the interest in this issue from people.