Leon Rodriguez, director of the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recently conducted an interview with HealthcareInfoSecurity. Click on the link to listen to the full interview.
Rodriguez gave some valuable insight into OCR’s plans for 2013 and beyond as well as guidance that organizations should follow to protect patient information.
Rodriguez made it clear that HIPAA is a straightforward process to protecting patient information.
(It is) a common sense process for how to protect the privacy and security of patient information
When asked what medical organizations can do to comply with the HIPAA regulations, he gave the following recommendations:
- Preform a risk analysis
- Train employees
- Have disciplinary policies
- Ensure technical safeguards such as contingency plans are in place
Policies and Training
Rodriguez stated that many organizations are lacking policies and procedures or have outdated policies and procedures. He went on to say that some organizations implement training but fail to follow through and ensure that new employees are properly trained. Training needs to occur on an ongoing basis.
More Monetary Penalties
Monetary penalties that OCR imposes as a result of its various HIPAA enforcement actions will fund continuation of the audit program, he notes. Over the last year, OCR has collected about $4 million in a handful of settlements.
And be warned: Rodriguez says healthcare organizations should expect to see OCR issue more and larger monetary penalties for HIPAA non-compliance in the months to come. OCR has an “inventory” of ongoing investigations that Rodriguez expects will conclude with monetary settlements.
“What we’ve been learning from the monetary settlement cases we’ve done so far is that there is plenty of non-compliance out there, plenty of room for improvement.” Rodriguez says.
When asked if he had any advice for Business Associates he said:
Yes get ready, they will become subject to the HITECH regulations with 180 days of issuance of the rule. Best advice I can give them is to get ready now.
Some of the messages that Rodriguez sent include the fact that OCR will be very active in 2013 and more fines will be handed out. OCR is seeing a lot of non-compliance and will continue to enforce the HIPAA regulations. Organizations should ensure that they have performed a risk assessment, properly trained their employees and have the required policies and procedures in place. Finally, Business Associates need to get ready now and ensure they are complying with the HIPAA regulations.