Q&A: OCR Director Leon Rodriguez talks audits and enforcements to come
'Huge points' go to entities that act responsibly, decisivelyBOSTON | December 18, 2012
For the coming new year, healthcare groups and their business associates (BAs) need to get their privacy and security houses in order, as they will be facing new audits and more monetary enforcement surrounding data breaches – this according to Leon Rodriguez, director of the Office of Civil Rights (OCR) at the Department of Health and Human Services.
Although Rodriguez expects the coming year will see a higher number of data breaches being reported, partly as a precipitate of an increase in data analytics and risk assessment procedures, entities that respond decisively and responsibly to data breaches most likely won't be the subject of monetary enforcement.
Although fiscal year 2012 was the agency's biggest year of enforcement collections, approaching the $4 million mark, Rodriguez says, "We're still talking about a relatively small number of entities affected. We've only had, all told, about 10 of these cases."
Speaking to an audience at Healthcare IT News/HIMSS Media Privacy & Security Forum Dec. 12, Rodriguez made it clear the agency's job is to focus on entities that have clearly failed to address and remedy patient privacy and security issues, even after a breach.
"One of the first things we look at is what did the entity do to analyze the root cause of the breach," he said. "[And] what did it do to remedy the root causes. Huge points for the entity that acts decisively to deal with those issues, to identify the reasons for the breach." Overall, Rodriguez says, a very tiny fraction of reported breaches result in enforcement cases.
Following is a question and answer session with the forum's attending audience and OCR Director Leon Rodriguez on future audits, breaches and enforcements:
Question: I appreciate your point on the human factor being one of the major sources of breaches. How many breaches are actually going on that don't become breaches we know about?
Rodriguez: We do have a safe harbor for breach reporting, and that is where the information lost is in a form that is unusable, unreadable or undecipherable. And I am aware of entities that have conducted and, more or less, correctly conducted analysis. I think there is another group of entities out there that don't even do that, and I think we're going to find them soon. So far, we haven't had that case where there was a clearly reportable case that wasn't [reported]…I think there is a lot of breach activity out there that's not getting reported.
Question: It's almost not in an organization's best interest to be hypersensitive in collecting and analyzing a lot of data about some of the things going on because that may lead to the discovery of additional breaches that, right now, we're blissfully unaware of.
Rodriguez: I think that's why I'm here…We're looking for that high level of sensitivity…Another one of the big audit findings was activity monitoring, and failure to conduct activity monitoring was a consistent issue among a broad variety of agencies. So we are looking at that issue, and that is an issue that could easily turn into an enforcement issue.
[See also: Breaches: Take is from one who knows]
Question: You mentioned that KPMG [the OCR's auditing firm] would take monitoring coverage into 2013 and put together the protocol going forward. Will business associates be incorporated into that? If so, when?