Gazelle Consulting

HIPAA Enforcement Under New OCR Director Roger Severino

It’s a new year and a new administration. The transition is over, and Roger Severino has been appointed the new director of the HHS Office for Civil Rights (OCR).

Roger Severino: Background

While his opposition to gay and transgender rights has LGBT activists up in arms, he has given us few concrete clues about how his appointment will affect the OCR’s actions on HIPAA matters. In his most recent position Severino directed the DeVos Center for Religion and Civil Society at the Heritage Foundation, a think tank known for its goal of limited regulation, as its mission statement makes plain: “Free enterprise, limited government, individual freedom, traditional American values, and a strong national defense.” That background might signal a decrease in enforcement and the release of OCR guidance that narrows how the law is applied.

Prior to joining the Heritage Foundation, Severino was a trial attorney in the Department of Justice’s Civil Rights Division. His legal writings have not conveyed his views on health information privacy or health IT issues either. That is not unusual, however; govinfosecurity.com quotes privacy attorney Adam Greene, a former adviser at OCR: “Historically, the OCR director has been a political appointee with more of a civil rights background and little to no experience in the area of HIPAA. So I am not surprised that the new director is someone who may not have much privacy and security experience.”

OCR’s HIPAA Enforcement in Q2 of 2017

In light of that, let’s look at the OCR’s enforcement activities in Q2.

Presence Health
Settlement amount: $475,000
Individuals affected: 836
Breach: Paper-based operating room schedules went missing
Additional information: Failed to notify affected individuals, the media and the OCR within 60 days. Did not have a breach action plan.

MAPFRE Life Insurance Company of Puerto Rico
Settlement amount: $2.2 million
Individuals affected: 2,209
Breach: Unencrypted USB storage device stolen
Additional information: Failed to conduct its risk analysis and implement risk management plans, contrary to its prior representations.

Children’s Medical Center of Dallas
Settlement amount: $3.2 million
Individuals affected: 6,262
Breach: Unencrypted laptop and BlackBerry stolen
Additional information: Failed to implement risk management plans, contrary to prior external recommendations to do so.

Memorial Healthcare System
Settlement amount: $5.5 million
Individuals affected: 115,143
Breach: Two unauthorized employees used the login credentials of authorized employees to steal PHI
Additional information: Failed to follow its own procedures for reviewing, modifying and/or terminating users’ right of access.

Despite the appointment of a possibly anti-regulatory director, the OCR’s enforcement activity has not diminished.

While the number of settlements this quarter has hovered around the quarterly average of four, the settlement amounts have been unusually high.

Of the four settlements, three exceeded $2 million, and the largest was $5.5 million!

Patterns of HIPAA Enforcement under Roger Severino

Common themes run through these cases. While the breaches occurred in a variety of ways, half of the settlements involved organizations that had not completed risk assessments, while the other half involved organizations that had completed proper risk assessments and possessed the correct policies and procedures yet failed to follow them.

The latter point is particularly important. A risk assessment alone is not enough to ensure compliance or to earn favorable treatment in the event of a breach; it must be followed with action and risk remediation. In every settlement this quarter, the organization could have saved millions of dollars had it completed a risk assessment and followed through on the findings.

Takeaways

  • Even though a regulatory conservative has been appointed director, don’t count on the OCR limiting its enforcement activities.
  • Completing a risk assessment is not enough. Action must be taken to follow the policies and procedures that result.

The OCR’s enforcement isn’t slowing down! Gazelle Consulting can help you ensure that you are meeting compliance standards and conducting the necessary risk assessments.

Give us a call at (503) 389-5666 or email us at info@gazelleconsulting.org today!
