Exclusive: Interview with HHS OCR Director Lisa PinoBiden Administration's Top HIPAA Enforcer Discusses Agency's Plans
The Department of Health and Human Services has an ambitious regulatory agenda for the months ahead, as well as plans for strong enforcement of HIPAA violations, including those involving patients' right of access, says Lisa Pino, director of the HHS Office for Civil Rights.
Among the tasks on OCR's rule-making agenda is a request for information pertaining to the agency sharing its collection of civil monetary penalties, or CMPs, and financial settlements to individuals harmed by HIPAA breaches, Pino says in a video interview with Information Security Media Group.
"We will solicit the public's view about a methodology for the distribution of CMPs and monetary settlements, which is quite novel, to those harmed by a HIPAA offense related to privacy or security," she says.
The distribution of a percentage of HIPAA settlements and CMPs collected by HHS OCR to harmed individuals was called for under an as-yet-unmet provision of the HITECH Act.
The RFI will also seek public input about the best ways for HHS OCR to implement a requirement for the agency to assess the security practices of covered entities and business associates when making certain HIPAA enforcement determinations, she says.
Meanwhile, enforcement of HIPAA remains a "top priority," Pino says, noting that HHS OCR issued 14 enforcement actions in 2021 - many focused on the HIPAA right of access provision.
"Clearly we are serious about enforcement at OCR. We will pursue civil monetary penalties for violations that are not addressed," she says.
That includes "holding covered entities responsible for providing patients with timely access to their medical records."
In the video interview, Pino also discusses:
- Other rule-making plans on HHS OCR's regulatory agenda for the months ahead and evolving trends in the protected health information breaches being reported to the HHS OCR;
- The status of HHS OCR's HIPAA audit program, which has been inactive for several years, and the effect of COVID-19 on HIPAA compliance;
- Her previous roles, including leading the Department of Homeland Security's breach mitigation of the 2015 cyberattack on the Office of Personnel Management, which affected millions of federal workers.
Prior to being named director of HHS OCR in September 2021, Pino, an attorney, served as the New York State Department of Health's executive deputy commissioner - the agency's second-highest-ranking executive. She is a former senior executive service official appointed by President Barack Obama to serve at DHS. Prior to DHS, Pino served as U.S. Department of Agriculture deputy administrator of the Supplemental Nutrition Assistance Program and USDA deputy assistant secretary for civil rights.