HIPAA Enforcement Under New OCR Director Roger Severino

It’s a new year and a new administration. The transition is over and Roger Severino has been appointed as the new director of the OCR.

Photo Credit: AP

Roger Severino: Background

While his opposition to gay and transsexual rights have LGBT activists up in arms, he hasn’t given us many concrete clues about how his appointment will affect the OCR’s actions on HIPAA matters. In his most recent position Severino was the director of the Heritage Foundation, a think tank known for its goals of limited regulation, as evidenced by its mission statement: “Free enterprise, limited government, individual freedom, traditional American values, and a strong national defense.” It’s possible that this might signify a decrease in enforcement and the release of OCR guidelines that reduce the scope of the law. 

Prior to working for the Heritage Foundation, Severino was a trial attorney for the Department of Justice’s Civil Rights Division. His legal writings haven’t conveyed his views concerning health information privacy or health IT issues either. However, this is not an unusual occurrence; govinfosecurity.com quotes privacy attorney Adam Greene, a former adviser at OCR: “Historically, the OCR director has been a political appointee with more of a civil rights background and little to no experience in the area of HIPAA. So I am not surprised that the new director is someone who may not have much privacy and security experience.” 

OCR’s HIPAA Enforcement in Q2 of 2017

In light of that, let’s look at the OCR’s enforcement activities in Q2.

Company Settlement Amount Individuals Affected Breach Additional Information
Presence Health $475,000 836 Paper-based operating room schedules went missing Failed to notify individuals, media and the OCR within 60 days. Did not have a breach action plan.
MAPFRE Life Insurance Company of Puerto Rico $2.2 million 2,209 Unencrypted USB storage device stolen Failed to conduct its risk analysis and implement risk management plans, contrary to its prior representations
Children’s Medical Center of Dallas $3.2 million 6,262 Unencrypted laptop and Blackberry stolen Failed to implement risk management plans, contrary to its prior external recommendations to do so.
Memorial Healthcare System $5.5 million 115,143 Two unauthorized employees used the login credentials of authorized employees to steal PHI Failed to implement their own procedures with respect to reviewing, modifying and/or terminating users’ right of access.

Despite the appointment of a possibly anti-regulatory director, the OCR’s enforcement activities have not diminished.

While the number of settlements this quarter have hovered around the quarterly average of four, the settlement amounts have been astronomically high.

Of the four settlements, three were over $2 million and the highest was $5.5 million! 

Patterns of HIPAA Enforcement under Roger Severino

Common themes run throughout these cases. While the breaches occurred in a variety of ways, half of the settlements involved companies that had not completed risk assessments; while the other half were companies that had completed proper risk assessments and possessed the correct policies and procedures, yet failed to follow them.

The latter is particularly important to note. A risk assessment is not enough to ensure compliance and earn favorable treatment in the event of a breach. A risk assessment must be followed with action and risk remediation. In all of the settlements this quarter, the companies could have saved millions of dollars if they had completed risk assessments and followed through with the findings.

Takeaways

  • Even though a regulatory conservative has been appointed director, don’t count on the OCR limiting their enforcement activities.
  • Completing a risk assessment is not enough. Action must be taken to follow the policies and procedures that result.

The OCR’s enforcement isn’t slowing down! Gazelle Consulting can help you ensure that you are meeting compliance standards and conducting the necessary risk assessments.

Give us a call at (503) 389-5666 or email us at info@gazelleconsulting.org today!

Nav close