'No Slowdown' for HIPAA Enforcement, But Audits Ending

OCR Director Roger Severino Offers Update at HIMSS18 Conference
HHS OCR Director Roger Severino

So what's next for HIPAA enforcement efforts by the Department of Health and Human Services' Office for Civil Rights? OCR director Roger Severino says there is "no slowdown in our enforcement efforts," and that the agency will continue with the "same enforcement mindset."

At the HIMSS18 conference on Tuesday, Severino said: "I come from the Department of Justice Office for Civil Rights; I bring that mindset to OCR. We're still looking for big, juicy egregious cases" for enforcement.

And it's not just large entities that could be under OCR's scrutiny. "This doesn't mean that if you're smaller and quiet" you will fall out from under OCR's enforcement radar, he said.

"We're about increasing access to information" by patients. But in the meantime, entities who hold PHI "need to treat it like gold," Severino said.

No More HIPAA Audits?

While the status of OCR's phase two HIPAA compliance audits did not come up during Severino's formal presentation or question and answer session, Severino told Information Security Media Group after his presentation that OCR is compiling findings from those audits "and putting that into a usable form of best practices."

When asked by ISMG if there will be a "phase three audit program," Severino answered, "No. Phase three is the compilation of findings."

HIPAA Settlements

In 2016, OCR had nearly $25 million in financial collections from HIPAA-related settlements, which set a record, and 2017 came in second with $19.4 million collected, he noted. In total since 2009, OCR has had 50 settlement agreements and 3 civil monetary penalty cases.

"We want to see the number of cases come down, because we want to see increased compliance," Severino told the audience at HIMSS18. "We'd like to put ourselves out of business [as an enforcement agency.] Unfortunately, [cases] are growing steeply up."

As of Jan. 31, about 177 million records have been breached since 2009, according to major breach reports that OCR has confirmed. Thefts make up 38 percent of reported cases of breaches affecting 500 or more individuals, and paper is involved in 21 percent of those breaches, he noted. "Hacking is 19 percent of security incidents [reported] and growing."

Review of Regulations

In his presentation, Severino said OCR is examining its regulations to see if "undue burden" on the industry can be eased.

HHS, including OCR, is undergoing a review of its regulations "to reduce the burden" on the industry, examining whether benefits and outcomes outweigh the costs, he said. "We are in a deregulatory environment," where two regulations need to be removed for every one new regulation implemented, Severino noted. "We're going to take a comprehensive look to make sure [existing regulations] are not out of date and have undue burden."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



