As the HHS Office for Civil Rights and the HIPAA-regulated community continue to wait for HHS to appoint a permanent OCR director,[1] two former leaders shared with RPP some of their on-the-job experiences and offered advice for an incoming leader.
OCR has a dual role of enforcing the privacy, security and breach notification rules as well as ensuring civil rights laws are not violated in health care settings. If history is any guide, the new director will likely come from a civil rights background, and may have little or no actual experience with HIPAA issues. That was the case with Roger Severino, the most recent director, who was appointed in March 2017.
While in the Civil Rights Division in the Department of Justice, “I had to do a compliance records request subpoena in a case with medical records…I did actually take advantage of one of the HIPAA exceptions in the subpoena context,” Severino said. “It was incredibly sensitive medical information, and I was glad those protections were in place, because if that sort of information gets abused, people would be less likely to seek medical care.”
HIPAA Requires ‘Balance’
Severino recalled that “within two weeks of getting on the job, I had to give a speech at the HIPAA Summit. So I was thrown into the deep end right off the bat. It was sink or swim, and I swam very efficiently, very quickly, but it took a tremendous amount of focus and dedication and having the right team.”
He enjoyed the job “incredibly much,” Severino told RPP, adding it was “the hardest, best job I ever had, incredibly satisfying, tremendous challenges…but we had so many successes, and we helped so many people that I left just head held high that we did so much good.”
Now a senior fellow at the Ethics and Public Policy Center and director of its HHS Accountability Project, Severino said he “became fascinated with the issues involved and the industry of privacy professionals and interaction with the law and regulators. It was like solving a puzzle, helping balance the various interests of privacy, of efficiency, of keeping costs low for providers and ultimately consumers, and balancing public health, especially during [the pandemic], and the flow of information that was needed for addressing COVID while protecting privacy.”
The incoming director does “not necessarily” need to have HIPAA expertise, Severino said, but should be “willing and eager to learn it…that’s the key thing. It’s such an important part of OCR that ideally [a new director] would have HIPAA experience.” He called HIPAA a “complicated statute and regulatory regime.”
Above all else, the new director needs to “care,” to be able to give HIPAA “the proper attention it needs,” Severino said, adding that he “cared deeply” as evidenced by “the record number of enforcements, record number of collections [and] groundbreaking regulatory work and what we did for COVID.”
Severino also won praise from many for his initiative to hold organizations accountable for failures to provide patients access to their medical records, which, to date, has resulted in 19 settlement agreements. He told RPP there are perhaps two dozen more such investigations nearing a formal settlement.[2]