Leadership Changes at HIPAA Privacy Office

At a Consumer Health IT Summit on Sept. 12, U.S. Dept. of Health & Human Services Secretary Kathleen Sebelius made two announcements that will impact patient privacy and access to data, including naming a new director of the Office for Civil Rights (OCR), the agency responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules.

As part of National Health IT Week, Sebelius announced proposed rules that would allow patients to gain access to test results reports directly from labs. Labs covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) would be required to provide such information, upon request, directly to patients or their personal representatives.

The Notice of Proposed Rulemaking proposes to amend the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and HIPAA privacy regulations to strengthen patients’ rights to access their own laboratory test result reports.

The new leader of OCR is Leon Rodriguez, a former prosecutor who previously worked in the Department of Justice Civil Rights Division, where he served as the Deputy Assistant Attorney General and chief of staff.

In a blog posting, Davis Wright Tremaine attorney Adam Greene, a former HHS staff member, said the biggest question for covered entities and business associates is what impact the new leadership may have on enforcement, adding that under Rodriquez’s predecessor, Georgina Verdugo, enforcement increased considerably. “While it is unlikely that we will be seeing HIPAA penalties and settlements on a daily or weekly basis,” Greene writes, “the days of a strictly ‘voluntary compliance’ approach are likely behind us. Covered entities that have been lulled into a belief that HIPAA violations carry no more than a slap on the wrist may be well served to reconsider this position and internally audit the effectiveness of their privacy and security programs.”