The U.S. Department of Health and Human Services (HHS) is refocusing its HIPAA privacy enforcement efforts on seeking monetary penalties in cases of “abject failure” to comply, the head of HHS’ Office for Civil Rights (OCR) indicated.
“The majority of matters we handle are going to be resolved through education” as they have in the past, OCR Director Leon Rodriguez told a privacy conference. But OCR plans to do fewer of those cases and more penalty cases where it finds “an abject failure of due diligence,” he said. “We’re seeing a lot of cases like that.”
Rodriguez cited past million-dollar settlements for incidents involving protected health information (PHI) left on a subway train or disposed of in a publicly accessible dumpster. Although those OCR actions came in response to specific incidents, “the big issue for me is what’s going on inside the entity that makes those things happen,” he said. OCR is seeing those kinds of organizational failures to assess and manage risk at many HIPAA-covered entities, he warned.
Lawmakers and others have criticized OCR for spotty enforcement of HIPAA’s privacy and security rules, even after the HITECH Act of 2009 greatly increased HIPAA penalty amounts and other enforcement authorities.
HITECH’s breach notification rules are another space we’ll see enforcement activity, Rodriguez said. “I’m not sure about the level of compliance” with the requirement to notify affected individuals, and sometimes HHS, of PHI breaches. HHS’ list of major breaches includes “way too many familiar names and not enough unfamiliar names,” so an enforcement action for failing to report “an obvious reportable breach” might help get the message out, he said.
Rodriguez spoke March 8 at the International Association of Privacy Professionals’ Global Privacy Summit.
HIPAA privacy and security enforcement and breach notification are detailed in the Employer’s Guide to HIPAA and Employer’s Guide to HIPAA Privacy Requirements.