
Former OCR Director on access rights, HIPAA enforcement: ‘It’s not about gotcha’

Former HHS OCR Director Roger Severino at a 2018 news conference in Washington, DC. Severino recently spoke on his tenure, HIPAA right of access, and compliance during a Clearwater presentation. (Photo by Aaron P. Bernstein/Getty Images)

Under Director Roger Severino, the Department of Health and Human Services Office for Civil Rights issued a record number of enforcement actions for potential and sometimes egregious violations of the Health Insurance Portability and Accountability Act, particularly around a patient’s right to access their health information.

As Severino put it during a Clearwater discussion on Feb. 17, his OCR team “broke a ton of records” on the HIPAA side and is “very proud of the balanced, yet firm, work in enforcing people’s privacy rights.” Specifically, Severino is most proud of his efforts wholly centered on patient privacy, right of access, and enforcement discretions enacted amid the COVID-19 response.

“We collected the most [settlements] in a single calendar year, but also the most of smaller resolutions,” he said, even breaking records for the largest civil monetary penalty and the largest total amount collected from a single entity.

Severino was referring to the $16 million civil monetary penalty handed to insurance giant Anthem over what’s still considered the largest healthcare data breach in history. While impressive, he said, “it's not about actually getting collections and big numbers: It's about getting compliance with the law.”

Enforcement actions are designed to change the culture; “it's not about ‘gotcha’,” he continued. “It's certainly about vindicating people's rights on the egregious cases, but the goal is to get a culture of compliance.” Sometimes enforcement involves monetary penalties, and during Severino’s tenure, that was often the result.

But with HIPAA enforcement, OCR provided a lot of technical assistance to bolster compliance, as well.

“If we do our jobs, as enforcers, we will see the numbers come down because of increased compliance,” said Severino. He hopes the current administration will continue the right of access enforcement focus, particularly as his team “left a large number of cases in the pipeline for our successors.”

“Some of the cases do take a bit of time and have been working through the system. And I’m glad to see they took them to the finish line,” said Severino. The last enforcement was announced in November 2021 with five covered entities over right of access failures. A similar settlement was reached with a single provider organization two months earlier.

But with the continued pandemic response, HHS and OCR leadership have only issued a handful of HIPAA enforcement actions in the last year. It’s a stark contrast with the previous administration, which launched a HIPAA Right of Access Initiative in 2018 and quickly went to work enforcing the oft-overlooked but highly important standard.

It remains to be seen what the new administration will prioritize and whether it will continue to center around patients’ right of access. As the media and Severino have noticed, “they've been surprisingly quiet on HIPAA.”

Particularly as HHS works to drive info blocking and interoperability rules, the right of access carved out in HIPAA can only complement those efforts. It’s one of the most important elements of coordinated care, making it as seamless as possible for someone to request their records and have them transferred to another provider.

For now, the industry waits for the direction HHS is heading. Severino added that “it’s important for them to continue, because the more the word gets out that there's an enforcer making sure people are complying with the law, the more we're going to see entities actually take the right of access seriously.”

Prioritizing compliance over penalties

It was during Severino’s tenure that HHS adjusted the monetary penalty tiers and caps to reflect the four varying degrees of penalties based on culpability. OCR looked at the law very carefully and found there had been a mistake with the interpretation of HIPAA made early on, which gave “the same penalty caps for every penalty range,” he explained.

“It was just not supported by the statute,” said Severino. He added that “ongoing legislation” at the time was likely going to make it clear that the initial HHS interpretation of penalty caps was wrong.

While he didn’t name the case, the litigation referred to was likely the MD Anderson Cancer Center appeal to the U.S. Court of Appeals for the Fifth Circuit in Texas. It was a highly publicized and contentious fight over a $4.3 million civil monetary penalty handed down by HHS.

Among the many arguments raised by the case, the Texas provider argued that OCR exceeded its authority when it issued the penalty that is “beyond statutory caps”.

In response to the appeal, OCR under Severino reviewed the matter and confirmed what it believed was a mistake in the interpretation of the HIPAA statute. Believing that the judge would find the same error, OCR made the change, which established that HIPAA “penalty caps actually have to be different levels, for different levels of culpability.”

At the time of the shift in penalty caps, Severino explained that “HHS determined that the better reading of the HITECH Act is to apply annual limits as… $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1.5 million for uncorrected willful neglect.”

Severino explained that the earlier approach, under which every tier bore the same penalty cap, created an “improper incentive for regulators to really not do the hard work to prove up every claim when we're getting the very large dollar amounts, when Congress actually required us to prove up the correct level, and have a penalty before imposing the highest cap.”

“The punishments should fit the crimes,” explained Severino. “We thought it was our duty to be faithful to the law. That’s the question of ‘What does the law say?’ And the HITECH Act made it clear that we weren't doing it according to the tiers set out by Congress. So we changed it.”

The shift propelled Severino’s OCR team to look for more cases of willful neglect, as outlined in the enforcement tiers, “to make sure that we had enough factual basis to say ‘yes, this is willful neglect,’ as opposed to saying, ‘you know, what, we're just gonna stick with reasonable cause because it's easy enough to prove.’”

Advocating for right of access

The definition of penalty tiers was certainly notable. But Severino’s decision to continue the previous administration’s work around right of access may be the most important effort to date.

The majority of OCR enforcement actions during Severino’s tenure centered around the HIPAA right of access standard. The agency launched an initiative focused on access rights in 2018, with the highest number of settlements announced in 2019.

As Severino explained, it was previously “one of the most under-enforced rules under HIPAA. Now, people do have a right to have access to their medical records, and sometimes it is a question of life and death.”

“People should be empowered with their own medical information. If they're not informed of their own health and their own diagnosis, they can't take charge of their own health,” he explained. “Patients have a right to their own information. It's in the privacy rule… But providers were not compliant. They just were flat out ignoring the rule.”

Severino was under the belief that “part of it was because there was no significant enforcement there.” Indeed, HHS and Ciitizen research has consistently shown that the majority of providers fail to comply with the right of access standard, although more recent data has begun to show strong improvement in some areas.

While the “dollar amounts aren't as attention-grabbing as the $16 million settlement with Anthem, it doesn't mean it's not a crucially important issue,” he explained. The impact has been significant, as patients can now “be their own best advocates.”

“Information is power,” Severino continued. “We had so many egregious cases of medical providers refusing to provide the records, even after a complaint was filed. And OCR contacted them and said, ‘This is your obligation to do so.’”

It’s a crisis when patients are dealing with their own health and not able to gain access to their medical records to find out what’s going on in their bodies, or if they can go to another provider to get a second opinion, he explained.

“These things are so crucial, and they were just getting the back of the hand. So we took massive enforcement actions. And I think we've made a tremendous difference,” said Severino.

Enforcement actions are par for the course in healthcare, as covered entities and business associates adhere to the rule to ensure the privacy and security of patients and their data. As HHS continues the final push for interoperability and info blocking, a wave of enforcement actions and technical support are likely on the horizon.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
