HIPAA Q2 Enforcement Under New OCR Director Roger Severino

It’s a new year and a new administration. The transition is over and Roger Severino has been appointed as the new director of the OCR. While his opposition to gay and transsexual rights have LGBT activists up in arms, he hasn’t given us many concrete clues about how his appointment will affect the OCR’s actions on HIPAA matters. In his most recent position Severino was the director of the Heritage Foundation, a think tank known for its goals of limited regulation, as evidenced by its mission statement: “Free enterprise, limited government, individual freedom, traditional American values, and a strong national defense.” It’s possible that this might signify a decrease in enforcement and the release of OCR guidelines that reduce the scope of the law. 

Prior to working for the Heritage Foundation, Severino was a trial attorney for the Department of Justice’s Civil Rights Division. His legal writings haven’t conveyed his views concerning health information privacy or health IT issues either. However, this is not an unusual occurrence; govinfosecurity.com quotes privacy attorney Adam Greene, a former adviser at OCR: “Historically, the OCR director has been a political appointee with more of a civil rights background and little to no experience in the area of HIPAA. So I am not surprised that the new director is someone who may not have much privacy and security experience.” 

In light of that, let’s look at the OCR’s enforcement activities in Q2.

Despite the appointment of a possibly anti-regulatory director, the OCR’s enforcement activities have not diminished. While the number of settlements this quarter have hovered around the quarterly average of four, the settlement amounts have been astronomically high.Of the four settlements, three were over $2 million and the highest was $5.5 million! 

Common themes run throughout. While the breaches occurred in a variety of ways, half of the settlements involved companies that had not completed risk assessments; while the other half were companies that had completed proper risk assessments and possessed the correct policies and procedures, yet failed to follow them. The latter is particularly important to note. A risk assessment is not enough to ensure compliance and earn favorable treatment in the event of a breach. A Risk Assessment must be followed with action and risk remediation. In all of the settlements this quarter, the companies could have saved millions of dollars if they had completed risk assessments and followed through with the findings.

Take-Aways:

  • Even though a regulatory conservative has been appointed director, don’t count on the OCR limiting their enforcement activities.

  • Completing a risk assessment is not enough. Action must be taken to follow the policies and procedures that result.