The New HIPAA Enforcement: HIPAA Audits

The New HIPAA Enforcement: HIPAA Audits

Leon Rodriguez, the new enforcer at the Department of Health and Human Services' Office for Civil Rights, describes his HIPAA enforcement agenda.

woman inside laboratory

"As I've learned as a prosecutor and then as a defense lawyer, enforcement promotes compliance," Rodriguez says. "The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance."

Nevertheless, Rodriguez stresses in an interview the need for also using education to help boost compliance. "It's going to be important for us to make sure that we do everything we can to assist those covered entities that want to understand what the rules are. So we're also going to be focused on outreach and education no less than on enforcement."

Noting that OCR has announced several high-profile HIPAA enforcement actions in recent months, Rodriguez says he "absolutely" plans to continue the office's ongoing efforts to ramp up enforcement of HIPAA with resolution agreements, civil monetary penalties, and other enforcement actions.

"It's always going to be a high priority to focus on those cases that involve the most egregious conduct the most serious violations and also the cases that have the most deterrent value," he stresses.

OCR recently hired a consulting firm to launch a HIPAA compliance audit program with many audits anticipated by the end of 2012. Because this is the first time the office is conducting audits, the effort amounts to a pilot, Rodriguez says. As a result, he'll be reviewing "how an audit program best advances our enforcement goals."

He explains his expectations for the audits: "Our first objective is not to go out there and start banging organizations with penalties; it's really to take a good look at them, find out where their opportunities for improvement are, and help them improve. Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that's really not the primary goal of the audit program." In the interview, Rodriguez also:

* Stresses that the HIPAA privacy and security rules help ensure access to care. "Very often a patient who does not have confidence in the security of their information, and, by the way, in their access to that information, may not seek care in situations where they absolutely should."

* Points out that a part of his continuing effort to ramp up enforcement will be to make sure his staff has the right training.

* Emphasizes that privacy and security are issues that "really matter to me personally and really matter to the secretary of HHS. So we're going to be serious about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy."