The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip.
OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered entities are discovered to have committed serious violations of HIPAA Rules.
Speaking at the Health Datapalooza yesterday, Severino said he viewed himself as the ‘top cop’ of health IT and confirmed he is taking his new role seriously and that he “came into this job with an enforcement mindset.”
Further settlements with covered entities found to have ignored HIPAA Rules are to be expected. Severino highlighted the most recent OCR settlement – the $2.5 million penalty for CardioNet – as an example of just how important it is for healthcare organizations of all types to ensure that reasonable steps are taken to safeguard patient data and ensure ePHI remains confidential. He also referenced the introduction of HITECH explaining how it increased the allowable fines for non-compliance with HIPAA Rules.
Ransomware attacks have attracted his interest. While ransomware is mostly used to extort money from healthcare providers, Severino pointed out that ransomware attacks can result in “data being compromised, destroyed, gone for ever,” and confirmed that “it’s very likely the organizations will have to report it to OCR.” As with all breaches impacting more than 500 individuals, ransomware attacks will be investigated. OCR could fine organizations that fail to implement defenses against ransomware or fail to ensure that all sensitive data are backed up.
Enforcement of HIPAA Rules is only one aspect of Severino’s job. Severino is also committed to promoting interoperability and data sharing, but emphasized that data security is an essential element of data sharing. He said a culture of trust must be developed to support the safe exchange of healthcare data.
Severino also confirmed that emerging technologies can be used within the confines of HIPAA Rules to improve data sharing with consumers. OCR will be offering assistance to covered entities in this regard, to help them use new technology while keeping data secure and protecting patient privacy. OCR will also be taking steps to ensure that covered entities are made aware of the difference between covered and non-covered entities and of the data that covered entities are permitted to disclose.