OCR Director Reveals Plans for HIPAA Enforcement in 2015

The new director of the Department of Health and Human Services’ Office for Civil Rights gave her maiden speech during National Health IT Week and explained what the OCR has in store for the healthcare industry, in particular its plans for HIPAA enforcement in 2015.

Jocelyn Samuels took over the helm of the Office for Civil Rights earlier this year, replacing former director Leon Rodriguez. The departure of Rodriguez just before the start of the second round of compliance audits was a little unfortunate as the department now has to adapt to a different leader at a particularly challenging time.

However, Samuels brings a wealth of experience that she has gained in other industry sectors. She has held positions as assistant attorney general for civil rights at the U.S. Department of Justice in addition to a post as senior policy attorney at the Equal Employment Opportunity Commission. While she lacks experience in the healthcare sector, she does have a vision for the future in line with that of the former director.

Samuels delivered a 10-minute speech at the Office of the National Coordinator for Health Information Technology (ONC) 2014 Consumer Health Summit in Washington. She told attendees that her plans for HIPAA enforcement in 2015 include an effort to ensure that privacy provisions have been implemented and patients are being allowed to obtain a copy of their medical records, on request.

The enforcement date of the Privacy Rule was delayed for laboratories to give them more time to adopt the new privacy rules. The deadline for compliance is October 6th, after which all laboratories will be required to allow patients to obtain electronic copies of their test results, direct from the laboratory. A reminder of this was provided during the speech revealing the plans for HIPAA enforcement in 2015.

Samuels also spoke of the increase in OCR financial penalties that have been issued for non-compliance. She spoke of the $4.8 million settlement with New York Presbyterian Hospital and Columbia University for a HIPAA breach involving 6,800 patients. Affinity Health Plan was fined $1.2 million for potential HIPAA violations, while Parkview Health System had to pay the OCR $800,000.

She said that her plans for HIPAA enforcement in 2015 include the issuing of heavy fines against healthcare providers, health plans and Business Associates that fail to implement the safeguards to protect PHI as required by the Security Rule, while covered entities must allow patients access to their records under the Privacy Rule. While breaches cannot always be prevented, the OCR is particularly keen to see the Breach Notification Rule requirements enacted swiftly and without unnecessary delay, and this too is likely to be scrutinized over the coming months.

Samuels did not take the opportunity to talk about the upcoming HIPAA compliance audits, which were scheduled to take place this fall. An announcement on the OCR audit plans is expected to be issued soon.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news