In November, the University of Cincinnati Medical Center agreed to pay the HHS Office for Civil Rights (OCR) $65,000 and follow a two-year corrective action plan to settle allegations that it had violated the privacy rule by taking too long to send a woman her medical records.
It would be the 12th such organization targeted under former OCR Director Roger Severino, who made records access a signature initiative—but it would not be the last. In fact, to date, OCR has issued 20 such settlements. According to Severino, HIPAA covered entities (CEs) should expect more to come because OCR had a backlog of investigations in the pipeline when he left.
Yet, Severino and others can only guess which way OCR will go with the initiative because, to date, the agency is still missing a new director. Eight months into its term, the Biden administration had still not appointed an OCR director, and it’s unclear when that will change.
With the pandemic resurging, ransomware attacks escalating, and misinformation about HIPAA and vaccines entering everyday conversations, the government’s most powerful agency tasked with enforcing medical privacy and security, including among applicable research, is being led by Acting Director Robinsue Frohboese. While garnering praise for her skills and competence, Frohboese cannot fulfill all the roles of a permanent director, such as launching new policy initiatives.
“There’s no person publicly advocating for HIPAA at the political level, and if you don’t have that voice, then you don’t have the full weight of the administration’s authority behind any initiatives,” Severino said. “And it’s crucially important to fly the flag and explain that [HIPAA] is a priority for the administration.”