With A New Leader, OCR to Focus on Risk Analysis, HIPAA Enforcement

OCR’s appointment of a new director signifies a shift for the office and presents implications for the future of HIPAA enforcement and security and privacy regulations.

Source: HHS, Office for Civil Rights

By Jill McKeon

HHS’ Office for Civil Rights (OCR) recently announced the appointment of a new director, Lisa J. Pino, who will take over the office’s oversight of civil rights enforcement, HIPAA regulations, security, privacy, and breach notification rulemaking.

Pino will follow Roger Severino, OCR’s former director under the Trump Administration, and Robinsue Frohboese, the office’s acting director between administrations.

Pino’s resume includes time as the executive deputy commissioner of the New York State Department of Health, where she led New York’s COVID-19 operational response, and a previous role as a senior executive service official at the US Department of Homeland Security (DHS).

At DHS, Pino led cyber breach mitigation efforts surrounding the largest breach in federal history. Prior to DHS, Pino served as the deputy administrator of the US Department of Agriculture’s (USDA) Supplemental Nutrition Assistance Program (SNAP) and as the department’s deputy assistant secretary for civil rights.

Sara Goldstein, a partner at BakerHostetler and member of the firm’s digital access and data management team as well as its healthcare compliance team, shared her thoughts on the direction that the agency might go based on Pino’s past experiences and OCR’s recent focus areas.

“I think it's really helpful to have a director of OCR who is more familiar with data security, data security incidents, and the aftermath and steps that need to be taken to help prevent something like this from happening again,” Goldstein told HealthITSecurity.

Signs of change: new leadership brings new focus areas

“The background of the director always has an influence on the focus and agenda of the Office for Civil Rights,” Goldstein explained.

“I think I could definitely see there being more of an emphasis on the OCR as it relates to guidance on COVID-19, as well as perhaps investigations of potential violations of civil rights related to lack of access.”

OCR recently released guidance clarifying HIPAA rules surrounding COVID-19 vaccines, explaining that HIPAA does not prohibit anyone from asking an individual about their vaccination status. It is possible that due to Pino’s background with COVID-19 efforts in New York, the agency will put an emphasis on patient rights and regulations surrounding the pandemic.

Goldstein also predicted that OCR may spearhead efforts to make documentation from other government agencies more accessible in other languages to ensure equity.

Due to Pino’s leading role in handling the 2015 Office of Personnel Management (OPM) data breach, Goldstein suggested that data breach management and guidance will become an increased focus for the office.

Specifically, Goldstein predicts that OCR will enhance its guidance on how to form a risk assessment, analysis, and management plan.

“I think that historically if you look at the enforcement actions from the OCR, almost all of the entities that have entered into a resolution agreement with the OCR have been dinged for not having that proper documentation in place,” Goldstein maintained.

“Over the years, OCR has put together guides and there is software that you can download to help with this documentation but because the director has lived that process in the aftermath of the OPM data breach, perhaps there will be more helpful guidance so that organizations have better documentation that aligns with the safeguards that they're supposed to be complying with.”

As healthcare data breaches continue to occur daily, it is possible that OCR will narrow in on compliance and enforcement actions to protect patient data and ensure that healthcare organizations are doing everything in their power to mitigate risk.

The future of HIPAA enforcement

HIPAA enforcement is one of the cornerstones of OCR, and that is unlikely to change under its new leadership.

Recently, OCR settled its twentieth case under the HIPAA Right of Access Initiative, which was founded in 2019 to advocate for individuals trying to obtain their health records in a timely manner, as required in the HIPAA Privacy Rule.

With her previous experiences as vice president and general counsel of MRO Corporation, Goldstein saw firsthand the issues that organizations face with HIPAA and patient access to information.

“I saw all of the archaic HIPAA-related questions that can come up when it comes to people wanting to access information, and really needed to keep a pulse on the OCR and what guidance they were issuing, as well as any resolution agreements or civil money penalties that they were enforcing,” Goldstein explained. “I've always had an interest in OCR and the leadership of this office.”

Under Pino’s direction, OCR will likely shift its focus and introduce new initiatives while continuing to address the office’s top HIPAA enforcement areas.

OCR proposed a modification to the HIPAA Privacy Rule in January 2021 that would give individuals the right to transmit certain protected health information (PHI) in an electronic format to any third party, among other key provisions.

The Notice of Proposed Rulemaking (NPRM) was met with mixed feedback from industry stakeholders who were concerned about the rule’s potential negative implications for patient privacy. Many argued that the rule was not in alignment with the 21st Century Cures Act. As of now, the future of the NPRM is largely uncertain.

“I think the biggest thing to watch is what happens with the Notice of Proposed Rulemaking,” Goldstein added.

“The public comment period ended in May, and the way that it was written had a number of provisions and measures that would have significant implications not only for patients, but also for covered entities and business associates.”

As of now, OCR has not announced a final publication date for the rule. When the final rule is eventually released, it will impact how providers and vendors interact with protected health information.

OCR has settled seven cases under the HIPAA Right of Access Initiative in 2021 so far, but Goldstein remarked that it is unclear whether that focus will continue.

“I think that's one area of HIPAA that perhaps there is some agreement on both sides of the spectrum politically, so I could see that potentially continuing,” she explained.

“We definitely saw a number of those resolution agreements well into the Biden administration under the acting director, but we'll have to see if that remains a focus.”

This year marks the 25th anniversary of HIPAA, and the rule continues to evolve and adapt to constant changes in the healthcare sector. Under new direction and with an impending final rule announcement, it is likely that HIPAA rulemaking and enforcement under OCR will continue to progress.