
How HHS OCR Is Boosting HIPAA Enforcement; Here Come Audits

Director Melanie Fontes Rainer Discusses Agency's Top Priorities
Melanie Fontes Rainer, director, U.S. Department of Health and Human Services' Office for Civil Rights

As the Department of Health and Human Services works on a proposed update to the HIPAA Security Rule this year, regulators are also ratcheting up enforcement efforts - including resuming long-dormant HITECH Act HIPAA audits, said Melanie Fontes Rainer, director of HHS' Office for Civil Rights.

A critical area of enforcement focus overall is the HIPAA Security Rule's requirement for conducting risk analysis, which continues to be a significant weakness among many regulated organizations of all sizes, but especially for medium- and smaller-sized organizations. Poor risk analysis practices persist as a major contributing factor to many significant breaches reported to the agency, she said.

"This is a big issue that affects our entire healthcare system. It's one in which we're really trying to drive compliance across the system working through with our HHS partners," she said. "We're thinking about it both in the enforcement end and also as we think about policy and updating the HIPAA Security Rule."

HHS OCR plans by the end of the year to publish a proposed update to the HIPAA Security Rule to better reflect the evolution of technology and healthcare delivery that's occurred over the last two decades since the regulations were first issued, she said.

"The beauty of the HIPAA Security Rule is that it's 20 years old - it is technology-neutral, and it's scalable. So we're still able to use it and enforce the law vigorously," she said in a video interview with Information Security Media Group.

But at the same time, "the downside of the HIPAA Security Rule is that it's 20 years old and doesn't reflect how we receive healthcare today," she adds. "That's why we're taking a look at it to make sure we're building into it practices - like end-to-end encryption - and things like that."

While the agency is busy with that rule-making project and a variety of other regulatory priorities, it is also dusting off a critical but labor-intensive program that's been on the shelf for about the last seven years (see: They're Back: HHS OCR Plans to Resurrect Random HIPAA Audits).

"We have reopened our HITECH audits. And so we're proactively doing audits as well right now," she said.

In the video interview, Fontes Rainer also discussed:

  • Lessons emerging so far from the Change Healthcare cyberattack and its "unprecedented in size and nature" HIPAA breach;
  • Recently finalized changes to the HIPAA Privacy Rule to enhance protections over reproductive health information and what that means to regulated entities and patients;
  • The unrelenting surge in ransomware and other incidents leading to record-breaking levels of breaches;
  • HIPAA considerations involving the use of online tracking technologies;
  • HHS OCR's other top enforcement, compliance and regulatory priorities.

Prior to being named director of HHS OCR in September 2022, Fontes Rainer served as counselor to HHS Secretary Xavier Becerra, providing guidance on issues including patient privacy, reproductive health and the Affordable Care Act. Before joining the Biden-Harris administration, she served as special assistant to the attorney general and chief healthcare advisor at the California department of justice. Fontes Rainer also previously served in the U.S. Senate as a senior aide and women's policy director to former chair Sen. Patty Murray on the Health, Education, Labor and Pensions and the Budget committees.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
