Q&A: OCR Director Leon Rodriguez talks audits and enforcements to come

'Huge points' go to entities that act responsibly, decisively
By Erin McCann
01:54 PM

For the coming new year, healthcare groups and their business associates (BAs) need to get their privacy and security houses in order, as they will be facing new audits and more monetary enforcement surrounding data breaches – this according to Leon Rodriguez, director of the Office of Civil Rights (OCR) at the Department of Health and Human Services.

Although Rodriguez expects the coming year will see a higher number of data breaches being reported, partly as a precipitate of an increase in data analytics and risk assessment procedures, entities that respond decisively and responsibly to data breaches most likely won't be the subject of monetary enforcement.

Although fiscal year 2012 was the agency's biggest year of enforcement collections, approaching the $4 million mark, Rodriguez says, "We're still talking about a relatively small number of entities affected. We've only had, all told, about 10 of these cases."

[See also: As OCR promises more fines, two CIOs offer tips on risk assessments.]

Speaking to an audience at Healthcare IT News/HIMSS Media Privacy & Security Forum Dec. 12, Rodriguez made it clear the agency's job is to focus on entities that have clearly failed to address and remedy patient privacy and security issues, even after a breach.

"One of the first things we look at is what did the entity do to analyze the root cause of the breach," he said. "[And] what did it do to remedy the root causes. Huge points for the entity that acts decisively to deal with those issues, to identify the reasons for the breach." Overall, Rodriguez says, a very tiny fraction of reported breaches result in enforcement cases.

Following is a question and answer session with the forum's attending audience and OCR Director Leon Rodriguez on future audits, breaches and enforcements:

Question: I appreciate your point on the human factor being one of the major sources of breaches. How many breaches are actually going on that don't become breaches we know about?

Rodriguez: We do have a safe harbor for breach reporting, and that is where the information lost is in a form that is unusable, unreadable or undecipherable. And I am aware of entities that have conducted and, more or less, correctly conducted analysis. I think there is another group of entities out there that don't even do that, and I think we're going to find them soon. So far, we haven't had that case where there was a clearly reportable case that wasn't [reported]…I think there is a lot of breach activity out there that's not getting reported.

Question: It's almost not in an organization's best interest to be hypersensitive in collecting and analyzing a lot of data about some of the things going on because that may lead to the discovery of additional breaches that, right now, we're blissfully unaware of.

Rodriguez: I think that's why I'm here…We're looking for that high level of sensitivity…Another one of the big audit findings was activity monitoring, and failure to conduct activity monitoring was a consistent issue among a broad variety of agencies. So we are looking at that issue, and that is an issue that could easily turn into an enforcement issue.

[See also: Breaches: Take is from one who knows]

Question: You mentioned that KPMG [the OCR's auditing firm] would take monitoring coverage into 2013 and put together the protocol going forward. Will business associates be incorporated into that? If so, when?

Rodriguez: Not to the KPMG work. So they were just focusing on the covered entities. The way the rule is going to work: Once the rule is issued, business associates will have 180 days to come into compliance. On most elements of the rules, once that 180 days is up, they're subject to the rule in all the same ways that a current covered entity would be. My advice to business associates is to get in compliance now, because it's what you're suppose to be doing anyway for the benefit of your clients, and it's going to avoid a lot of problems down the line. That's probably the big thing that's going to be different once the rule actually comes on.

Question: You mentioned that there are huge points for entities that act quickly and decisively about large breaches. Could you talk about an episode in the recent past where an entity acted quickly and decisively and avoided a fine?

Rodriguez: I can talk about the converse…there is a specific entity that was subject of enforcement where there was a very clear failure to have corrected the issues related to the breach for many months after the breach. That ended up really really increasing the monetary exposure of that entity. And so one of those $1.5 million wage fines you'll see if you look at our chart of recoveries was that kind of situation.

Question: You mentioned the next round of audits and that you were going to focus on looking for risk analysis more.

Rodriguez: That's actually what we did [in the way we did the KPMG audit]…We didn't do an entire map of privacy and security; instead we focused on a number of what we thought were high risk areas, and that's where KPMG was asked to audit. I think a question for us in the future is: Do we do that [and] basically stay with the KPMG model, or do we go with the model similar to what the Office of Inspector General does, where in every given year, they have a work plan next to a particularly and relatively narrower family of issues? Let's say for 2014, it will be risk analysis year. And so what we're going to do is we're going to look at a bunch of entities and focus on specifically on the question of risk analysis. That's a decision point that lies ahead for us based on the results of the evaluation we're going to be conducting in the coming months.

Question: With that in mind, how are you adapting your business plan and using things that we're aware of today to make these decisions -- the way organizations are trending in social media, the way we use predictive analytics based on a whole suite of factors publicly available?  Do you find yourself in your office using more and more data and aggregating them to make more informed decisions to measure your risk at the time and to take action on certain entities that may have gone under the radar?

Rodriguez: We can have a seminar on that question. I really like that question a lot…We don't have enough resources to audit either every entity in the world and every issue an entity might have, so we need to engage in a certain amount of strategic work. One thing we're doing, for example, I talked about the 500 breaches, is analyzing those breaches. Now that we're far in, and we've conducted a lot of investigations, looking at what patterns emerge from those breaches. So we're always thinking about that; we're always fine-tuning it.

Question: You touched upon compliance for BAs. I am that BA. Unfortunately, or fortunately, I am on the hook, as is the covered entity. Except the covered entity is clueless…they don't know, understand or are resigned to the fact that they have to obey the rules. BAs are responsible for maybe the technological end. I wish there was more clarity, as an IT professional, about the rules with specific technology, which should change as technology changes…IT people do well when they have specifics.

[See also: Health IT guru reflects back on data breach and the right way to respond.]

Rodriguez: I will still stand by the basic point, which is that we're technologically agnostic. I think that is a correct statement of our position. That doesn't mean that there is a complete absence of technological guidance out there…That's an important point for us to hear because we're on an ongoing discussion with the National Institutes of Standards Technology that has put out a list of acceptable encryption standards and, I think, is open to doing more if that's what turns out to be useful for the industry…I do return to my basic point: We are looking more at a process than a particular technological decision, and so I think we're far away from the day that we're going to say, 'Well, we don't like the particular technology you chose, and that's the basis of enforcement.' We're nowhere near that kind of environment at this point.