AHLA's Speaking of Health Law

HIPAA Security Rule Compliance: A Discussion with Former OCR Director Roger Severino

AHLA Podcasts

In statements throughout his tenure as Director of HHS’ Office for Civil Rights from 2017-2021, Roger Severino was repeatedly critical of organizations for not performing a risk analysis or taking action to mitigate identified risks, as required by the HIPAA Security Rule. Clearwater Executive Chairman Bob Chaput talks to him about why he’s so passionate about this area of HIPAA compliance and previews the more in-depth discussion that will take place during a special web event on Thursday, September 30. Sponsored by Clearwater

New Health Law Daily Podcast Coming in January 2025

Coming in January 2025, AHLA’s popular Health Law Daily email newsletter will also be available as a daily podcast, exclusively for AHLA Premium members. Listen to all the current health law news from the major media outlets on this new podcast! Subscribe Now

Speaker 1:

Support for A H L A comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software as a service-based platform, I R M Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise. An advisory support from our deep team of information security experts. For more information, visit clearwater compliance.com.

Speaker 2:

Alright, well, good afternoon, Roger. I'm, uh, so glad you can join me today to briefly discuss our Thursday, September 30th, a live web event. Glad to have you with me today. Glad to be on Bob. So, uh, as Roger just in indicated, my first name is Bob. I'm Bob Sput. I'm the founder and executive chairman of Clearwater Compliance, uh, leading compliance and cyber risk management firm. Uh, first I wanna, uh, before we dive in, uh, mention a few words about this upcoming session, which will be held at 12 noon on September 30th. This Thursday. It's entitled, understanding OCR R Quality Risk Analysis, um, a discussion with former OCR r director Roger Severino. So when we get together on Thursday, we're gonna start with a couple of facts. One of them is 89%, so think nine outta 10 of the organization's involved in enforcement actions that have, um, required comprehensive enter enterprise-wide risk analysis failed to deliver something acceptable to OCR R. That's data. The, that's a fact. Secondarily, another fact, I don't think anyone will dispute it's 2021. It's 18 years after the requirement was published in the Federal Register is part a very foundational part of the HIPAA security rule, uh, to do a risk analysis. And 16 years after full implementation was required in April of 2005. So what we're going to do in the session is explore, uh, what the heck, uh, why is that, uh, how can this be? Um, why is this the case? The, uh, purpose, uh, frankly, the overarching objective is to allow Roger, who's described as the most transformational OCR r leader to date, to share his insights, uh, and his experiences and recommendations as it relates to risk analysis and risk management requirements under the HIPAA security rule. Uh, during his, uh, three year, 10 month tenure, uh, at 63.5 million, he led all previous associa r leaders in collecting settlement amounts, negotiated settlement amounts and civil money penalties. He specifically oversaw, uh, 26, uh, enforcement actions of a total of 48 that involved risk analysis and risk management, of which 56.2 million of that 63.5 million, uh, or 80% of the monies collected, uh, resulted from an event that did in fact re involve risk analysis, risk management. So, um, Roger, um, before we dive in, um, I want to just pose a question. Where, where'd you go after you left O C R and what are you most passionate about these days?

Speaker 3:

Well, it, I never stopped my work. It's just I'm on the other side. I'm not no longer in government and outside of government advocating for the same policies, uh, with a specific focus on H H s. I run the h h s Accountability Project at the Ethics and Public Policy Center. It's a think tank in Washington DC and it's a wonderful crew. What I'm doing now is advocating to make sure that we have science-based approaches at HH h h s that ideology doesn't trump, uh, health and human services, and many of the things I worked on and cared about deeply, including on conscience and religious freedom, aren't simply put away and, and reversed. Uh, and also the work I did on hipaa, which was near and dear to my heart, I really jumped into it with both feet and really came to grow really affectionate with the privacy and the tech community. So it was a, a great partnership and I don't wanna see that being neglected either.

Speaker 2:

Well, let me just pick up on that for a moment. The, um, in, in the session, we're gonna be speaking about the, uh, the breadth of the, uh, O C R mission, uh, and the vision, uh, but, you know, which is very broad to the point that you just made. But with OCR somewhat behind you, not withstanding your comment about being on the other side. Um, why are you participating in a conversation about complying with the HIPAA security rule?

Speaker 3:

Yeah, be because it's key to health outcomes. If you don't protect people's privacy and people have confidence that the information that they give to their medical providers will be kept safe, secure, and available, if you don't have that level of confidence, people will be less likely to seek medical care. And that was the mission at h H S that I pursued, making sure medical care was available, uh, without discrimination to everybody. And part of that, that effort of availability of medical care is privacy of health information. It's, that's why it was put in the Civil Rights Office, and that's why I was proud to be very, very, uh, active in enforcing that side of the law.

Speaker 2:

Well, I'm looking forward to, uh, diving into that further when we get to the program. In terms of the format of the program, I'll mention quickly, um, it is a live web event, which will be recorded. Uh, so even if you cannot join us live, it might be a wise idea to register because we will be providing materials in, in the recording afterwards. It'll primarily be an interview. And, um, many have afscme will attendees be allowed to ask questions, and absolutely that is the plan and our intent. Um, the other question that comes up is, well, who should attend this? And, um, I would say registrations today, which are about 800, and include everyone from the boardroom to the engine room, uh, uh, joining and signing up. So the session is designed for anybody, any healthcare professional involved in all facets of the healthcare ecosystem. You might be a C-suite executive, a board member, uh, you might be, uh, inside general council, outside council, risk officers, security officers. I could go on and on. Uh, really anyone who's involved in both meeting the HIPAA compliance requirements and helping their organizations becoming more secure, I think are gonna benefit from this session. Uh, another question, if I may, Raja. So during your tenure enforcement actions resulted in, uh, record breaking settlement amounts, numbers I mentioned a moment ago in civil money, uh, penalties across all kinds of organizations, uh, large, medium, even some very small single doc medical practices. Is this Thursday's discussion focused on and only relevant to large organizations?

Speaker 3:

No, not at all. And and we did get some eye-popping numbers when we had 16 million was a single largest settlement in the Anthem breach, and that was over 79 million records. But it's, the, the HIPAA security rule applies to entities large and small and anthem, part of their violations included not doing a proper risk analysis, which will be the major focus of our talk. But risk analysis requirements apply to everybody. The HIPAA rules are scalable and they're flexible. It is not one size fits all. However, it does require certain steps from every entity that does electronic billing, that, that where HIPAA applies to them. And that includes a proper risk analysis, risk assessment and risk assessment is scalable. It varies by the size of the entity, and some of the lessons that we learn from the big settlement amounts do apply to the smaller entities and some may not. It. And, and it, it really varies because HIPAA was designed from the very beginning not to simply set very bright line rules that everybody must, must, must hit, but to actually have standards. It is standards that must be met, and those standards are applied to the size of the entity and the, the level of risk faced by that entity. And so that's a, a key factor to keep in mind. And one of the things to also bear in mind of those settlement agreements that we did reach, we were really going after the more egregious cases, and we will see it in case after case that some of the basic steps were not being followed. Where when I was at O C R, we, we weren't going after entities that did everything they could within reason. We, we are so far away from gonna have to consider the borderline cases because so many entities were still just making egregious violations and not taking the basic steps to comply. And that's, that's where, where our focus was.

Speaker 2:

Sure. Um, as you know from some of our previous conversations, uh, we maintain, uh, a very, very close database, a very tight database of all of the enforcement actions. And, uh, can't help but observe that over the recent years, uh, o OCR enforcement seems to have shifted over to a lot of attention on right of access and away from risk analysis and risk management. Does that mean nah, you know, you don't have to worry about risk analysis and risk management anymore?

Speaker 3:

No, no. And I did kick off the right of access initiative, and that's where we ended up, we shifted from getting record dollar amounts to getting record numbers of settlements. So we're still breaking records, but with a slightly different focus, and we have to adapt to the circumstances with the records access. Right. This is the ability of people to request their records and get them under the HIPAA rules in a timely fashion and at reasonable cost. You, they, it is not meant to be a profit center for healthcare providers, yet it had become that this is to the detriment of people's health. We are working very hard on pricing reform, on making sure those transparency at every step of the way, and an informed consumer is an empowered consumer. If people don't have the critical information about their own health status, they can't make informed decisions about what treatments to take or to price compare or to shop, et cetera. So it was a linchpin of a whole government approach that we were doing to address a, a multi fact fast faceted problem. And it had been under enforced under, we had one solitary settlement since we had started enforcing that rule, uh, at O C R. And it was time to shift the attention such that we didn't neglect risk analysis because we were still enforcing those cases and we were still getting some big numbers. I think it was something like 5 million in January before I left was one of the final settlements. Sure. Uh, but we are augmenting an area that has been frankly, neglected for too long, and hopefully the industry has been getting the message that this is a crucial piece of person's rights under hipaa. And it is to the benefit, especially during a pandemic, when people were coming off of not being able to go to hospitals or afraid to go to hospitals to catch up, so to speak. And they need to have their current information from their medical providers, no more excuses. And we started to actually actually issue penalties.

Speaker 2:

Yeah. Do you think that means that OCR going forward, and I know we just have an announcement of a new director, we won't get into that now, but maybe on Thursday. Does, do you think that means that OCR is gonna take their pedal off the gas when it comes to risk analysis and risk management?

Speaker 3:

Well, I, I don't know. I, I know that we had a lot of cases in the pipeline on the rite of access, and we've seen some of those settlements come to fruition Yeah. Since, since I left. So that was it. It, it's hard to change course<laugh> when you've already tacked to a direction and dedicated resources. However, there, there, I have not really seen any major hip settlements outside of the rite of access. I don't know where they, where they, where they stand, any investigations I left. But it does take a lot of effort and concentrated focus and not having a director for so long may have affected that. And if, if you don't come in with a love of hipaa, then you gotta get up to speed very, very fast. And I'd also left a regulation for regulatory reform on HIPAA already drafted, and that has not been finalized yet, and we have not heard much about that. So the new director is gonna have a lot on her plate. She was just announced. Um, and I really hope the HIPAA does not get neglected along the way in terms of the priorities.

Speaker 2:

Well, I hope what our listeners, uh, to this podcast are gaining today that, uh, what we, from a value, uh, point of view, what we hope to derive, uh, and what we hope attendees derive by attending the, uh, session on the 30th is first and foremost gaining insight from ocr R'S longest tenured and most transformational leader, uh, Roger Severino, uh, also learned the meeting of an OCR r quality risk analysis will be providing resources, uh, upon which OCR R determines whether risk analysis, ISO OCR r uh, quality. We'll be talking about specific regulatory requirements around these matters, risk analysis, risk management. And then, uh, last but not least, uh, uh, put our attendees in the position of leveraging important lessons learned from, uh, numerous socio settlement agreements, corrective action plans. Um, so as we go into the session, or think about the session on Thursday, how do you think about the responsibility in a healthcare organization for what I call enterprise cyber risk management collectively including the risk analysis work and risk treatment work, et cetera. Do you think of it as an IT problem, uh, a compliance officer's problem, patient safety issue? Is it an executive board issue? What are your thoughts on that?

Speaker 3:

Well, well, technically the standard is about the confidentiality, integrity and availability of protected health information. And that has many, many manifestations. And the risk assessment rules, they go into the standards that apply that require you to keep those goals in mind when you evaluate the operations of your organization. And the operations is much broader than just the tech side of things. There is the human side of things, the HR side of things is critically important because there's always a human being at the end of it that is gonna make a decision about a person's medical record and whether or not it's gonna stay safe, whether or not the right people have access to it, and no broader than than those people. And then where is the information stored? And it's not necessarily just in the, the web or the cloud or on a disc. It could be in physical files, many of which are still on physical files. So you have to take that inventory. And then you also have, of course, the tech side where we have so many increasing threats to cybersecurity. They're getting more sophisticated by the day. We have advanced persistent threats, many different threat vectors throughout. And it can't be a one one shot deal where you set up your firewalls, you have your consultants come in, and then you're done. It also requires constant reevaluation. So I would say it has to be enterprise wide, not just particular segments of your enterprise. And it has to be very comprehensive in terms of what you're looking at. And that's just in broad brush what the risk assessment's all about.

Speaker 2:

Yeah. Makes the world of sense. Um, just a quick reminder, uh, for people who are listening to the session. Even if you cannot attend the Thursday, uh, September 30th session, live and in person, we will be recording it. We will be providing a recorded version as well as materials that we use during the session after. So, uh, go ahead and register and, uh, be sure to receive all of those. One of the things I mentioned earlier, Raja was roughly 90% of the organizations that have been subjected to an enforcement action that, uh, wherein they were supposed to conduct a risk analysis because it involved D P H I, uh, 90%, uh, failed. Uh, will we be co will you be covering some of these reasons organizations are failing in this upcoming session?

Speaker 3:

Yeah. And there's a lot of lessons to be learned from the enforcement we did. And, and being on the inside, I got to see the best counter arguments from the industry. And because we were going against some heavy hitters and a lot of money was at stake, and, uh, a lot of security interests were at stake. And the future of how many of these entities would go forward were in play because it wasn't just monetary settlements, but there were also corrective action plans that went along with it. So we would identify the de the deficiencies, usually after a major breach of some form, identify those deficiencies. They would open up their books, uh, and their policies. And then more often than not, and way, way more often or not, there were deficiencies in the risk assessment. We did not go after cases where entities did everything they could and still got burned. We, we went after entities that did not do everything they could, where if they had done X, Y, and Z under the standards, it would have prevented the breaches and, and the violations. So those are the type of cases we went through and we, we listened and saw the counter-arguments of, of which there were many sophisticated ones, but even they came to the realization, if not the admission to the realization that yes, more could have been done. And they would do that. They'll take those steps as part our, of our corrective action plan. So there's much to be learned from particular examples in particular cases.

Speaker 2:

And I'll, I'll hasten to, um, add in that regard that<laugh> not only will we be talking about some of the reasons for failure, but as Roger just mentioned, uh, some of the lessons learned, we'll cover how to do it right. Uh, we're not gonna leave you hanging. Uh, we'll provide, uh, links to five explicit, um, what I regard as most authoritative resources that'll help conduct a comprehensive enterprise-wide ocr r quality risk analysis and additional analysis, share information about two upcoming, uh, complimentary web events that, uh, we will do specifically focus on, first and foremost risk analysis, and then secondarily risk management. Um, Roger would do, do you expect that there'll be any, um, surprises in the upcoming session on Thursday, September 30th?

Speaker 3:

There, there is always a surprise, and I, I have made a deal with myself that I will never write out a presentation<laugh>. And that has served me well for all these years because something comes up and some inspiration or some memory is jogged in the conversation and it just comes out so much better. So I'm looking forward to hearing what I have to say as I hope your listeners are too. Yeah,

Speaker 2:

I am as well. And just on one last note, um, several people have asked me if this web event has anything to do with, uh, a book I wrote. And, um, and I will say this, yes, there's a connection between the two in the sense that, uh, my professional passion, uh, even though I'm not, uh, actively in operations right now, but, uh, chairman of our board, my professional passion remains to help organizations do a much better job at enterprise cyber risk management. And, uh, in terms of the book that I wrote, it's entitled, stop the Cyber Bleeding, what Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management. And the reason I wrote it is over the last 10 years, I saw things, uh, frankly getting worse and worse and not better in healthcare. We all witnessed the explosion of data and systems and devices and to a point that, uh, Roger mentioned earlier, at the end of the day, it's all about assuring confidentiality, integrity, and availability. And while I don't know that we've ever seen a patient die as a result of a, uh, compromise of confidentiality, it certainly can be the case with a compromise of availability, allow ransomware attack where all systems are down and or patients are being diverted. So that has really been a core part of what I have been focused on and what we'll continue to talk about, uh, enterprise cyber risk management requires, in my opinion, board oversight and inspired C-suite engagement. We hope to motivate some of that, and I hope to motivate some of that in the book. And we together hope to motivate some of that in our upcoming session. Uh, this web event with Roger is just part of my continuing pursuit of that passion to help organizations save their patients, preserve their reputation, and protect their balance sheet. And, uh, hopefully we will do that. Uh, Roger I'll end on that note and provide you with an opportunity for any final thoughts that you may have.

Speaker 3:

Yeah. And you mentioned the importance of cia, a confidentiality, integrity, availability. We worked very hard on the availability side. That was part of the effort we did with the Rite of Access Initiative. Another point I want to highlight is what we did with respect to the ability of medical providers and patients to use Zoom and to use FaceTime and other chat technologies without fear of getting a HIPAA enforcement action. And during the, the, the midst of covid, I really do believe we actually saved lives because of that, because we, we, uh, were balancing our approach and made that information more accessible. People were not going to the hospital and, and not going to their medical practitioners. And I've heard from many, many doctors thanking us for providing that flexibility. And I think that was one, one of the most important things we did while we were at O C R.

Speaker 2:

Well, thank you again, Roger. Appreciate it and look forward to this coming Thursday.

Speaker 3:

Likewise.

Speaker 1:

Thank you for listening. If you enjoy this episode, be sure to subscribe to a H L A speaking of health law wherever you get your podcasts. To learn more about a H L A and the educational resources available to the health law community, visit American Health law.org.