Former OCR Director sees no downturn in HIPAA enforcement future

Iliana Peters joined Polsinelli this week after a 12-year run in the Office for Civil Rights at the U.S. Department of Health and Human Services. She most recently served as the OCR’s acting deputy director and its senior adviser for HIPAA compliance and enforcement.

In an interview Thursday, Peters said that a conspicuous uptick in HIPAA enforcement during the past two years is likely to be the new normal. “I don’t see any reason why there would be any change in terms of enforcement,” Peters said. The OCR netted $23.5 million for HIPAA lapses in 2016 and more than $19 million in 2017. Those were easily the largest annual recoveries on record, but there was a seven-month lull in enforcement last year, leading some observers to question whether the new administration was taking its foot off the gas.

But Peters cautioned against such speculation. She noted that new OCR Director Roger Severino needed time to take stock of things, and that the OCR recently ended its enforcement pause, inking two multimillion-dollar settlements for HIPAA failings since late December. “There has been a bit of a lag lately. But [Severino] is getting up to speed. Leadership is getting up to speed on how this works,” Peters said. “And I think the last two cases are good indicators of where the enforcement program is headed.”

It’s clear that the OCR has plenty of enforcement fodder. It expects to receive 17,000 HIPAA complaints in 2018, and it usually receives hundreds of reports each year of sizable data breaches. The OCR also recently finished more than 200 audits, and many of those had dismal findings, with the OCR reporting “negligible efforts to comply” or no serious efforts to comply among many health care providers and their business associates.

“There's a lot of continuing noncompliance when it comes to just the foundational elements of a good security program,” Peters said. She added that many health care companies still seem to be unaware of helpful tools — such as encryption and audit-trail functions — that are already embedded in commonly used software platforms. “A lot of things are very simple, but people just don't realize that the tools are available for them,” Peters said.
