Friday, November 11, 2011

HIPAA Enforcement Promotes Compliance

Leon Rodriguez, the new director of the Department of Health and Human Services' Office for Civil Rights, describes his HIPAA enforcement agenda.

"As I've learned as a prosecutor and then as a defense lawyer, enforcement promotes compliance," Rodriguez says in an interview with HealthcareInfoSecurity's Howard Anderson. "The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance."

The full article is available at HealthcareInfoSecurity. Some excerpts are below.

ANDERSON: In recent months, as you just alluded to, the Office for Civil Rights has significantly ramped up its HIPAA enforcement efforts. Under your leadership, can we expect to see your office announce more resolution agreements, civil monetary penalties and other enforcement actions?
RODRIGUEZ: I think you can expect that; absolutely you can expect that.

ANDERSON: The Office for Civil Rights recently hired KPMG to launch a HIPAA audit program. What would you like to see that program achieve, and is it possible that any of those audits will result in sanctions or penalties?
RODRIGUEZ: This is the first time we're doing it, so the first thing ... is for us to 'go to school' on how best we will run an audit program. In part, this is what you might call a pilot. We're going to look at it and learn: How do we use an audit program? How does an audit program best advance our enforcement goals?

The second purpose, and this is really different than enforcement, is to promote compliance among the covered entities that are subject to the audit.  Our first objective is not to go out there and start banging [organizations] with penalties; it's really to take a good look at them, find out where their opportunities for improvement are and help them improve.  Having said that, I think we know that there are cases where we're going to find some significant vulnerabilities and weaknesses.  And in those cases, we may be pursuing significant corrective action.  And in some of those cases, we may be actually pursuing civil monetary penalties.  But that's really not the primary goal of the audit program.

Rodriguez's goal is to audit and learn, but even then he acknowledges that his office will pursue significant corrective action. You can interpret the interview in several ways, and they may all be correct to some extent. What I suggest you walk away with is that the days of casual compliance are over. If you are found at fault for a data breach, you will be subject to fines and other penalties.

In a post-breach situation, there is no moderator. Your organization will be held accountable. Your client base will lose confidence in your operations, and unless you are the only one performing that service, your clients will go elsewhere. The publicity of the lawsuits will ensure a degradation of reputation and client base.

The only real course of action is to address your Risk Quotient in a pre-breach environment. Your organization will have the luxury of being able to take the time to plan and prevent data loss. Preparation is like a fire drill for data security: plan and practice in the hope that you never need to use what you know. But if you do, you will know what to do and when, and the result will be a defensible position with the regulators.

Dolvin Consulting works with Cyber Security Auditors & Administrators (CSA2) and your organization to prepare, plan and implement a Written Information Security Program (WISP). The WISP is your key to sleeping well at night. Contact us today to start a conversation that will help you connect with resources that can help with your compliance challenges.
