As OCR promises more fines, two CIOs offer tips on risk assessments
Asked when we will finally see the omnibus Final HIPAA Privacy and Security Rule, Rodriguez said only that "We, like you, are eagerly awaiting its issuance."
In the meantime, he said, OCR has been focused on transforming its organizational culture "to an enforcement-oriented culture."
Until three or so years ago, he said, the agency's strategy was focused on "specific investigations into specific incidents."
Since HITECH, however, the mandate has been to do something far broader in focus, said Rodriguez. "We have moved into an area of more assertive enforcement."
There have been – and will continue to be – "more monetary settlements," be they from physician practices, hospitals, health plans or state social services agencies.
"Every one of those is a message to the rest of the industry," he said.
Still, OCR is committed to "doing enforcement in a balanced way that is coupled with education," said Rodriguez.
With experience both as a former prosecutor and as a counsel for healthcare providers, he says he sees these issues from all sides. "Enforcement does breed compliance," said Rodriguez. "But enforcement also needs to be mindful of business realities."
Still, he said, "We expect compliance because the patient expects compliance." For the grand project of electronic health records and health information exchange to work, "There has to be bedrock patient trust."
To the question of why risk assessments are so difficult for so many providers, Rodriguez admitted that many larger organizations have experience, having learned the hard way of their vulnerabilities "because they had experience with fraud and abuse."
For other, perhaps smaller providers, there's always the question of where to direct management attention and resources. "There has been some real progress made, but there's still a long way to go," he said.
For his part, Rodriguez said OCR's workload has quintupled in the years since the HITECH privacy rule came along.
The threats are manifold, he said – "theft, loss and unauthorized disclosure" are the biggest ones. Hacking? Not as much. That's just one reason why, "In addition to technological safeguards," providers need to focus on administrative and physical safeguards.
Rodriguez noted that, as part of OCR's moves toward a culture of enforcement and education, it has been moving away from "breach porn" – splashy press releases about troves of paper records found in a hospital's dumpster, say – and more toward an assiduous effort of ensuring that organizations nationwide "are engaging in the process."