Privacy Advisor

With Rodriguez Tapped for DHS, Who’ll Call the Shots at OCR?

January 23, 2014

By Angelique Carson, CIPP/US

News that U.S. President Barack Obama has nominated Department of Health and Human Services Office for Civil Rights (OCR) Director Leon Rodriguez to direct U.S. Citizenship and Immigration Services has spiked the heart rates of some in the healthcare industry. The shift would leave the OCR director post vacant for the foreseeable future—and at an historic juncture.

Experts working on the front lines will tell you a lot has changed in healthcare over the last decade or so, and the change continues apace. This year marks the beginning of OCR’s formal HIPAA audits, not to mention the ongoing transition to electronic health records and rapidly evolving models of healthcare itself.

While HIPAA passed in 1996, its rules were enforced more like suggestions than federal mandates during the early years. The HITECH Act, which came into force in 2009, ostensibly signified that the government was putting its game face on when it came to healthcare privacy. It granted the OCR increased HIPAA enforcement powers, including the ability to impose civil monetary penalties. 

Healthcare is undergoing now one of the biggest revolutions in health information and health information technology that it ever has ... And the new director of OCR is going to need to understand healthcare, the history of healthcare policy and the laws, as well as the implications of the evolving healthcare delivery and healthcare information technology environment.
– James Koenig, CIPP/US

But the OCR didn’t serve a single fine for negligible practices until 2012. Besides its hands-off approach, said the Center for Democracy and Technology’s (CDT) Deven McGraw, there was little guidance on compliance other than an initial set of “how to” documents.

“The OCR took a counseling approach to enforcement,” said McGraw, who works as the CDT’s director of the health privacy project. “And that’s probably putting it kindly. Many people would say the office was almost irrelevant after (HITECH’s) initial regulatory stage.”

But when Leon Rodriguez took his post as OCR director in 2011, the tone shifted, healthcare insiders seem to agree. For starters, from 2003 to 2008, there were zero settlement agreements over HIPAA violations. There were four from 2008 to 2010. Rodriguez came on the scene in 2011, and from then to 2013, there were 13. The agency also issued its first monetary penalty for a HITECH violation in 2012.

And last year, it for the first time settled potential HIPAA violations affecting less than 500 individuals.

Wiley Rein’s Kirk Nahra, CIPP/US, said Rodriguez sent a clear message that the office would be a strong enforcer of those breaking the rules and a friendly street cop to those doing their best to comply.

“He was clear and helpful about what their enforcement approach was,” he said. “While they weren’t going to be letting people get away with ignoring the rules, they also weren’t out to get people who were trying to do the right thing and made a mistake somewhere. He sent a strong message, but also said, ‘Don’t panic, we’re reasonable people even though we have an enforcement job.’ He was pretty visible and upfront about that, and his predecessors were not as much.”

“I’m sad at the prospect of losing Leon in this spot,” McGraw said. “He’s really made an enormous difference in that office. We went from little to no enforcement to, I think industry would say, much more robust enforcement. There’s a lot of energy that emanates from that office that I don’t recall previously.”

It was difficult for the OCR to be effective previously in part because the office is just one agency among many under the umbrella of the DHHS. Sometimes it comes down to the fact that the squeaky wheel gets the grease.

“That’s where who the political head is can make a difference in terms of making sure the issues at that office get prioritized within the bureaucratic machinery,” McGraw said. “Given that Leon was dedicated to HIPAA issues, the staff really had a champion in the front office.”

Rodriguez was effective from the jump, experts say, thanks in part to his background. He’d been involved with HIPAA before—in private practice; he’d been a healthcare litigator, and while a county attorney in Maryland, he worked closely with the county’s Department of Health and Human Services and its office of Human Rights. As an assistant U.S. attorney in Pennsylvania, he prosecuted healthcare fraud.

Booz Allen Hamilton Global Commercial Privacy Practice Leader and Cybersecurity Co-Leader James Koenig, CIPP/US, agrees that Rodriguez has “been highly successful not only defining the OCR’s mission and agenda but also pushing that agenda forward.” But that doesn’t mean the department will revert to its former ways. Koenig, who has served as an expert to the office, said Rodriguez’s staff is highly competent and anticipates it will continue to be effective in Rodriguez’s absence.

…Who the political head is can make a difference in terms of making sure the issues at that office get prioritized within the bureaucratic machinery ... Given that Leon was dedicated to HIPAA issues, the staff really had a champion in the front office.
— Deven McGraw

McGraw agrees. OCR Deputy Director Sue McAndrew has been at the office and worked closely with HIPAA rules for more than a decade. There have been some rumblings among insiders that she should be called in from the bullpen.

“She knows the place very well; she knows the issues very well,” McGraw said. “There are a number of senior people working there, so I don’t doubt things will continue to go on.”

And it’s a good thing, because 2014 marks the year the agency implements its official audit program—aimed at ensuring organizations, including business associates, have appropriate safeguards and have conducted a risk assessment—mandated under the HITECH Act.

But more than that, the healthcare industry is undergoing a massive transformation with the adoption of electronic health records, incentivized under HITECH, and increasingly sophisticated information-sharing arrangements among healthcare institutions.

“Sparked by the funds from the stimulus bill, healthcare is undergoing now one of the biggest revolutions in health information and health information technology that it ever has,” Koenig said. “And the new director of OCR is going to need to understand how to get things accomplished at the OCR, the history of healthcare policy and the laws, as well as the implications of the evolving healthcare delivery and healthcare information technology environment.” 

Now isn’t the time to call in a rookie, Koenig added.

“To maintain confidence, continuity and momentum, this isn’t the time for on-the-job training,” he said.

Lisa Martinelli, CIPP/US, is chief privacy officer at Highmark Health, which houses covered entities, health plans and clearinghouses. She sees a trend within the healthcare industry to move toward patient and member transparency, greater access to data more quickly. But some of the federal healthcare safeguards and parameters that exist don’t always afford for that, she says.

“In looking at a change in leadership, I was hoping this individual would have a more robust understanding of healthcare than just from the regulator aspect. Somebody who might understand the care-delivery aspect of complying,” she said. “Physicians need real-time communication … and we all want to reduce cost. But some of these security safeguards are very costly, so I’m hoping OCR would have leadership that understands healthcare and not just the regulation.”

Asked who she’d have up next to the plate, McGraw said it should be someone as equally committed to candor about compliance as Rodriguez has been, as well as someone who’s committed to fair and effective enforcement.

Simply put, she said, “Can you clone Leon?”

Read More by Angelique Carson:
ICYMI: Target Fallout Continues; More Breaches Reported
Ten Years and Two Terms Later, A Look at Peter Hustinx’s Legacy
O’Connor Named CDT President and CEO

Commission Gives U.S. 13 Ways To Save Safe Harbor