Breach Notification , Governance & Risk Management , HIPAA/HITECH

Exclusive: Interview with HHS OCR Director Lisa Pino

Biden Administration's Top HIPAA Enforcer Discusses Agency's Plans
Lisa Pino, director of the Department of Health and Human Services' Office for Civil Rights

See Also: Reducing Complexity in Healthcare IT

The Department of Health and Human Services has an ambitious regulatory agenda for the months ahead, as well as plans for strong enforcement of HIPAA violations, including those involving patients' right of access, says Lisa Pino, director of the HHS Office for Civil Rights.

Among the tasks on OCR's rule-making agenda is a request for information pertaining to the agency sharing its collection of civil monetary penalties, or CMPs, and financial settlements to individuals harmed by HIPAA breaches, Pino says in a video interview with Information Security Media Group.

"We will solicit the public's view about a methodology for the distribution of CMPs and monetary settlements, which is quite novel, to those harmed by a HIPAA offense related to privacy or security," she says.

The distribution of a percentage of HIPAA settlements and CMPs collected by HHS OCR to harmed individuals was called for under an as-yet-unmet provision of the HITECH Act.

The RFI will also seek public input about the best ways for HHS OCR to implement a requirement for the agency to assess the security practices of covered entities and business associates when making certain HIPAA enforcement determinations, she says.

Pino says a final rule for modifications to the HIPAA privacy rule, "which would strengthen individuals' rights to access their own health information, is also planned.

Enforcement Priorities

Meanwhile, enforcement of HIPAA remains a "top priority," Pino says, noting that HHS OCR issued 14 enforcement actions in 2021 - many focused on the HIPAA right of access provision.

"Clearly we are serious about enforcement at OCR. We will pursue civil monetary penalties for violations that are not addressed," she says.

That includes "holding covered entities responsible for providing patients with timely access to their medical records."

In the video interview, Pino also discusses:

  • Other rule-making plans on HHS OCR's regulatory agenda for the months ahead and evolving trends in the protected health information breaches being reported to the HHS OCR;
  • The status of HHS OCR's HIPAA audit program, which has been inactive for several years, and the effect of COVID-19 on HIPAA compliance;
  • Her previous roles, including leading the Department of Homeland Security's breach mitigation of the 2015 cyberattack on the Office of Personnel Management, which affected millions of federal workers.

Prior to being named director of HHS OCR in September 2021, Pino, an attorney, served as the New York State Department of Health's executive deputy commissioner - the agency's second-highest-ranking executive. She is a former senior executive service official appointed by President Barack Obama to serve at DHS. Prior to DHS, Pino served as U.S. Department of Agriculture deputy administrator of the Supplemental Nutrition Assistance Program and USDA deputy assistant secretary for civil rights.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.