For nearly two decades, the U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) has been responsible for enforcing HIPAA requirements, starting in 2003 with enforcement of the HIPAA Privacy Rule, and then the HIPAA Security Rule beginning in 2009.
During that time, OCR has faced several changes and evolutions, and along with it we’ve seen improvements with HIPAA guidelines, as well as changes to enforcement positions and penalties.
In 2017, Roger Severino was appointed OCR’s director, a position he held until early 2021. During his tenure, Severino oversaw a gamut of changes within the organization and he recently joined Clearwater’s founder and executive chairman Bob Chaput to talk about some of those changes, as well as the evolution of healthcare regulations and challenges in recent years.
One of the biggest misconceptions people often have about OCR is that it’s strictly a HIPAA-enforcement entity. In fact, OCR’s scope is vast, ensuring compliance with all U.S. civil rights, as well as healthcare privacy and security laws.
In terms of healthcare, OCR is responsible for investigating potential violations into the HIPAA Privacy and Security rules, as well as conducting compliance reviews and audits, providing compliance guidance and assistance, and overseeing corrective and other actions, including enforcement of civil penalties for HIPAA violations.
OCR’s vision is to enforce “civil rights and conscience and religious freedom laws, and protect the privacy, security, and availability of individuals’ health information.”
By adhering to its vision, OCR helps “ensure equal access to health and human services, protects the exercise of religious beliefs and moral convictions by individuals and institutions participating in HHS programs, protects individuals’ health information, gives tools for provider awareness and full engagement of individuals in decisions related to their healthcare, and advances the health and well-being of all Americans.”
OCR and the Enforcement Evolution
During Severino’s tenure with OCR, the agency broke records related to penalties and settlements.
At the time, the Advocate Health Care breach was one of the industry’s largest, affecting nearly 4 million patients after desktop computers were stolen from the medical group’s offices back in 2013. Not long after, Advocate faced two more breaches exposing thousands more records.
That breach was immensely overshadowed by the Anthem Breach, which exposed nearly 79 million electronic protected health information (ePHI) records following attacks that began in late 2014 and continued into early 2015.
OCR’s investigation discovered that Anthem had failed to implement appropriate measures to discover these hackers and had not conducted an enterprise-wide risk analysis, among other violations.
And while there have been other notable large-scale breaches and settlements in the years that have followed, OCR’s goal is not about big collections and big numbers; it’s about getting compliance with the law, Severino explained.
That’s because if OCR does its job correctly, enforcement actions and settlement numbers will likely go down, since that would mean more healthcare covered entities and business associates are in compliance.
For Severino, that was one of his objectives at OCR: to change the culture of the organization, moving it from what some may have perceived as an “I-got-you” mentality to one that builds a culture of compliance.
Sometimes, he recognized, building that culture of compliance does come through civil money penalties, but it also comes with technical assistance and support, an important focus for the agency.
Evolution of HIPAA Penalties
When many organizations talk about HIPAA compliance, they often do it through a lens focused on potential violations and penalties. Over the years, we’ve seen several amendments that specifically address these penalties, including caps.
The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, a HIPAA amendment, outlined expectations related to HHS assessments of Civil Money Penalties (CMPs) for HIPAA violations.
Prior to 2019, HHS regulations applied the same cumulative annual CMP limit of $1.5 million across all four HIPAA violation categories, which are based on culpability levels. Some of the statutory language did not support having the same cap for every category, so there were enforcement issues.
The realization, however, was that HITECH’s expectation was to have four different penalty tiers based on those culpability levels.
So, in 2019, HHS issued a Notification of Enforcement Discretion that it was adjusting those limits to align with HITECH intent.
A simple way to think of this is to consider it in terms of common criminal penalties. Different types of crimes are at different degrees and therefore reflect a range of penalties based on those degrees.
The realignment of the annual limits now takes willful neglect into account: the higher the level of willful neglect for a violation, the higher the penalty.
The finalized CMPs are:
|Culpability Level|Penalty Range per Violation|Annual Limit for Identical Violations|
|---|---|---|
|Reasonable Diligence (Did Not Know)|$100 - $50,000|$25,000|
|Reasonable Cause|$1,000 - $50,000|$100,000|
|Willful Neglect – Corrected|$10,000 - $50,000|$250,000|
|Willful Neglect – Not Corrected|$50,000|$1.5 million|
The adjusted penalty structure helped shift OCR’s investigative focus from reasonable cause to one that gives more weight to the facts of potential willful neglect. It moved the perception of OCR from an organization most focused on getting the largest dollar amount possible in settlements to one more aligned with Congress’ initial intent.
Ultimately, Severino explained, OCR had the duty to be faithful to the law, so the penalty tier annual limits were adjusted as such. These new caps now reflect the intent of the HITECH Act.
COVID Waivers and Enforcement Discretion
And while adjusting those maximum annual limits certainly grabbed headlines, it’s not the only time in recent years OCR has used its discretion related to HIPAA enforcement.
In fact, some of the most recent actions have taken place during the past two years during the coronavirus pandemic.
As one might expect, laws aren’t waived during a pandemic; however, during a public health emergency, OCR has flexibility with those enforcement discretions.
“As regulators, we do have discretion in what we’re going to enforce and how strictly,” Severino said.
So, early in 2020, during the initial weeks of the coronavirus pandemic, OCR made it clear that HIPAA regulations were still applicable and must be followed; however, the agency had some leeway in its response protocols.
Among the many questions the agency had to consider was how COVID-19 directly affected those HIPAA regulations. One of the most obvious emerged early on with large-scale outdoor COVID-19 testing centers.
Unlike the traditional privacy of a medical facility, with coronavirus testing at these sites, healthcare providers were now facing large groupings of people who could potentially see one another while undergoing a medical exam or evaluation.
Would this constitute a HIPAA violation and how would OCR respond?
Thankfully, OCR’s discretion applies to instances just like this, and the agency ultimately decided that these types of testing situations would be acceptable under the law.
Another example of OCR’s discretion centered on how it was going to deal with telehealth services at the height of the pandemic.
When the pandemic hit in 2020, telehealth services were not widely adopted; however, there was increased need for new health services delivery models, such as the ability to deliver video-based medical services.
Part of the reason telehealth services were slow to gain momentum prior to the pandemic was that they brought with them increased risk of potential HIPAA violations and enforcement activities.
During the pandemic, OCR took a step back and looked at some of the companies most likely to offer these technical support services. The agency soon realized that, in many regards, these third parties already had some degree of data security in place, and those security measures helped reduce some of the potential security risks.
So here, OCR used its discretion to say that, during a phase of the pandemic, it would not require business associate agreements for the use of common applications and services for telehealth, for example Zoom and other video-conference-enabling apps or programs.
With this adjustment, the healthcare industry was suddenly and rapidly thrust into telehealth advancements.
“And it was because we had that enforcement discretion that people were not afraid to be able to use those apps,” Severino said.
And since many people were staying home during that stage of the pandemic, Severino believes these decisions may well have saved lives. They ultimately had a massive impact on the industry and on the delivery of health services when it was needed most.
Instead of focusing on penalties and enforcement, OCR used its discretion to find solutions to balance access to care against the ongoing health crisis.
“We do know that the discretion we allowed led to the smooth delivery of healthcare in the middle of a crisis in a way that might not have happened otherwise,” Severino said.
Want to learn more about OCR and take a closer look at some of the important legislative and enforcement changes that have happened in recent years? Check out our on-demand webinar, “The Future of Data Privacy and Privacy Law in Healthcare: A Discussion with Former OCR Director Roger Severino,” to learn more. Also, subscribe to Clearwater’s newsletter as we share future blogs and information about OCR, healthcare regulations, and how building a mature risk analysis program is essential for today’s healthcare compliance.