Q&A: OCR Director Leon Rodriguez talks audits and enforcements to come
Rodriguez: Not to the KPMG work. So they were just focusing on the covered entities. The way the rule is going to work: Once the rule is issued, business associates will have 180 days to come into compliance. On most elements of the rules, once that 180 days is up, they're subject to the rule in all the same ways that a current covered entity would be. My advice to business associates is to get in compliance now, because it's what you're supposed to be doing anyway for the benefit of your clients, and it's going to avoid a lot of problems down the line. That's probably the big thing that's going to be different once the rule actually comes on.
Question: You mentioned that there are huge points for entities that act quickly and decisively about large breaches. Could you talk about an episode in the recent past where an entity acted quickly and decisively and avoided a fine?
Rodriguez: I can talk about the converse… There is a specific entity that was subject of enforcement where there was a very clear failure to have corrected the issues related to the breach for many months after the breach. That ended up really, really increasing the monetary exposure of that entity. And so one of those $1.5 million wage fines you'll see if you look at our chart of recoveries was that kind of situation.
Question: You mentioned the next round of audits and that you were going to focus on looking for risk analysis more.
Rodriguez: That's actually what we did [in the way we did the KPMG audit]… We didn't do an entire map of privacy and security; instead we focused on a number of what we thought were high risk areas, and that's where KPMG was asked to audit. I think a question for us in the future is: Do we do that [and] basically stay with the KPMG model, or do we go with the model similar to what the Office of Inspector General does, where in every given year, they have a work plan next to a particularly and relatively narrower family of issues? Let's say for 2014, it will be risk analysis year. And so what we're going to do is we're going to look at a bunch of entities and focus specifically on the question of risk analysis. That's a decision point that lies ahead for us based on the results of the evaluation we're going to be conducting in the coming months.
Question: With that in mind, how are you adapting your business plan and using things that we're aware of today to make these decisions -- the way organizations are trending in social media, the way we use predictive analytics based on a whole suite of factors publicly available? Do you find yourself in your office using more and more data and aggregating them to make more informed decisions to measure your risk at the time and to take action on certain entities that may have gone under the radar?
Rodriguez: We can have a seminar on that question. I really like that question a lot… We don't have enough resources to audit either every entity in the world and every issue an entity might have, so we need to engage in a certain amount of strategic work. One thing we're doing, for example, I talked about the 500 breaches, is analyzing those breaches. Now that we're far in, and we've conducted a lot of investigations, looking at what patterns emerge from those breaches. So we're always thinking about that; we're always fine-tuning it.