On Sept. 12, 2011, HHS announced the appointment of Leon Rodriguez as the Director of the Office for Civil Rights (OCR), the agency responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules. Mr. Rodriguez is coming from the Department of Justice Civil Rights Division, where he served as the Deputy Assistant Attorney General and chief of staff. He has extensive experience as a prosecutor at the Department of Justice, as a defense attorney in private practice, and as the county attorney for Montgomery County, Maryland.
The biggest question for covered entities and business associates is what impact, if any, this will have on enforcement. It is no secret that formal HIPAA enforcement increased significantly under Mr. Rodriguez’s predecessor, Georgina Verdugo. This was evidenced by a number of resolution agreements (four since July 2010), the first civil monetary penalty (CMP) of $4.3 million against Cignet Health Center, a reorganization of the agency that created the first Deputy Director of Enforcement and Regional Operations, and public statements that regularly focused on a message of strong enforcement.
It is likely that the current pace of enforcement will continue or increase significantly under Mr. Rodriguez for several reasons. First, pursuant to the HITECH Act, OCR is likely to seek financial settlements or civil money penalties in more cases (specifically, cases involving indications of willful neglect) after the final rule implementing the HITECH Act modifications is published and the compliance date comes to pass. Second, we should see over a hundred audits in 2012 and, based on recent statements by OCR, it is likely that at least some of those audits will find “major violations” that will be dealt with through the formal enforcement process. This may lead to an increased number of settlements and CMPs in 2013 and later. Finally, Mr. Rodriguez’s experience as a prosecutor may suggest a continued emphasis on enforcement.
While it is unlikely that we will be seeing HIPAA penalties and settlements on a daily or weekly basis, the days of a strictly “voluntary compliance” approach are likely behind us. Covered entities that have been lulled into a belief that HIPAA violations carry no more than a slap on the wrist may be well served to reconsider this position and internally audit the effectiveness of their privacy and security programs.