HIPAA Risk Analysis Tip – Part 6 - Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez

Questions and Answers #51-60


51. Leon, what is the best way to contact OCR with questions or to discuss confidential situations? I have left several messages on the 800# and email addresses on the OCR website but have received no responses. 

The URL for OCR is: https://www.hhs.gov/ocr/. And this is the direct link to Regional Offices for OCR:  https://www.hhs.gov/ocr/about-us/contact-us/index.html


52. How many of the 50 enforcement actions resulted from random OCR audits as opposed to audits that followed reported breaches?


There have actually been 52 enforcement actions as of May 23, 2017, none of them from “random audits.” Here is the breakdown:

  • 10 (almost 20%) from complaints
  • 4 from media stories (OCR saw it in the news)
  • 5 from other government department initiation (DOJ or FTC or OIG)
  • The remainder (33) from breaches reported to OCR


53. How many compliance reviews has OCR conducted to date?


OCR may conduct compliance reviews to determine whether covered entities or business associates are in compliance with the regulations. Compliance reviews can result from breaches, complaints or audits. We don’t know the number resulting from breaches or complaints, but we do know that the Phase 1 and Phase 2 Audits were focused specifically on the level of compliance. There were 115 covered entities audited in Phase 1 (the Pilot Audit Program) and 167 in the Phase 2 Audits.


54. It sounds like the expectation around audits is that the broader program won't resume until 2018. Is that correct?


At the HIMSS 17 conference in February, Deven McGraw, deputy director of OCR, indicated that the extended on-site audits have been delayed in order to assess the results of the desk audit process. She also indicated that OCR was beginning to finalize reports on the covered entity desk audits, which it hoped to share with those organizations “in the next few weeks,” at which point OCR would start drafting the reports on the business associate desk audits. In September 2015, OIG conducted a study and issued a report recommending that OCR strengthen its oversight of covered entities’ HIPAA compliance, including a recommendation that OCR “fully implement a permanent audit program.” It appears that OCR is taking a careful approach to this initiative. No specific guidance has been given on the timing, and OCR will need to take recent budget cuts into account.


55. Do you have any commentary or input on HHS OCR's new director Roger Severino? His background seems deep but his commentary to date has been quite limited.  Thanks for joining in today's webinar.  


Newly appointed Secretary of HHS, Tom Price, named Roger Severino as the new Director of OCR in April. Like Leon Rodriguez and Jocelyn Samuels before him, Mr. Severino had been working in the Department of Justice’s Civil Rights Division. He previously worked as COO and legal counsel for the Becket Fund for Religious Liberty. In his first six weeks, Mr. Severino signed five settlement agreements totaling $5.7 million. Of course, investigations and settlements take months, if not years, to bring to a close, yet the decision to finalize these cases so early in his tenure may be an indication of his commitment to enforcement, as patients’ privacy and the security of their information remain at the forefront of concerns for Democrats and Republicans alike.


56. Will OCR ever provide detailed guidance on hybrid organizations? The regulation is unclear and not detailed enough - slide 31 - should we list each site or just each legal corporation?  


On the HHS website, under “Multiple Roles & Responsibilities – Hybrid Entities”, there are these instructions but not much detail:

  • Some public agencies perform both covered entity functions (e.g. provider, health plan) and other functions (e.g. public health).
  • These agencies may choose to be hybrid entities, so that the information held by the non-covered component would not be subject to the Privacy Rule.
  • Special provisions apply; basically, the covered component (provider, health plan) must limit information shared with the rest of the organization the same way that it limits disclosures to other entities.
  • Specific questions should be addressed to the agency. The agency's privacy official should be of assistance.


But it might not be as onerous as one might think. We have worked with Hybrid Entities that created a formal document stating that the organization has elected to be treated as a Hybrid Entity in accordance with the Privacy Rule. They then list the health care components, which may or may not be separate legal entities, but could be providing different covered services such as clinics, home health, pharmacy, etc. They then list any departments under the organization’s control that act as business associates to those covered components, such as legal, information services, quality assurance, etc. The formal document then outlines the HIPAA regulations that these designated components must adhere to, including the requirements placed on their workforce members and outside business associates. Then follow the rules: the designated health care components may share PHI with the rest of the organization only as they would with a separate entity, so make sure no PHI is accessible outside of them.


57. What does OCR expect with regard to a privacy risk assessment separate from a security risk assessment? Does OCR expect a gap analysis for privacy or a risk register?  


Unlike the Security Rule, which has explicit requirements to conduct a risk analysis (45 C.F.R. §164.308(a)(1)(ii)(A)) and a compliance gap assessment, a.k.a. the non-technical evaluation (45 C.F.R. §164.308(a)(8)), the Privacy Rule does not call for either. However, we recommend that both be conducted as a matter of good business practice, to exercise reasonable and appropriate duty of care, and to prepare for a potential OCR enforcement action.


58. Is Trump turning auditing into a profit center for the government?


Following a $4 million (10%) increase in its 2017 budget to $43 million, OCR is facing a $5 million cut to $38 million in 2018, and with President Trump’s most recent proposal, that amount could be cut to $33 million. With a possible 9% cut in staff, some speculate that HIPAA (and civil rights) investigations will actually decrease. Even though fines and penalties resulting from HIPAA investigations do go into OCR’s coffers, one-time payments aren’t consistent enough to add permanent staff. While hiring full-time employees might not be wise, hiring contractors might be. Congress has yet to weigh in. In his OCR FY2018 Congressional Justification, Director Severino wrote: “To minimize the impact of reduction in budget authority, OCR will increase use of funds from monetary settlements collected via OCR’s HIPAA enforcement activities to cover other items related to health information privacy (HIP) enforcement activities.”


59. How much does OCR prioritize auditing government hybrid entities?


We don’t know of any government hybrid organizations that have been audited by OCR. But there have been three organizations with adverse findings related to hybridization in their settlement agreements: the University of Massachusetts – Amherst, Skagit County, WA, and Idaho State University. According to the Settlement Agreements:

  • “UMass failed to include each component that would meet the definition of a covered entity or business associate if it were a separate legal entity in its hybrid entity designation”
  • Skagit County’s CAP included this requirement under “Hybrid Entity and Business Associate Documentation”: “Within 60 days of the Effective Date, Skagit County shall submit for HHS’s review and approval hybrid entity documents designating its covered health care components in accordance with 45 C.F.R. §164.105.”
  • Idaho State University’s CAP included this requirement under “Hybridization”: “ISU shall provide HHS with documentation designating it a hybrid entity and identifying all of its components that have been designated.”

It wasn’t until the breaches occurred that OCR investigated the organizations and examined their hybrid status. 

60. For organizations that are involved in a highly delegated model, will OCR release guidance on how much oversight may be needed of the Business Associate, or is an attestation sufficient?  


We doubt that OCR will get too specific on the level of oversight needed for BAs. We believe that too much oversight, including receipt of a BA’s risk analysis or remediation plan, exposes the covered entity to responsibility and liability for weaknesses it now has knowledge of, and exposes the business associate to exploitation of those known vulnerabilities if the documents are not well protected. We believe attestations are a good middle-of-the-road solution. Here are a couple of responses to FAQs on OCR’s website:


Question:  Do the HIPAA Rules require Business Associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?



No. The HIPAA Rules do not expressly require that a Cloud Service Provider (CSP) provide documentation of its security practices to or otherwise allow a customer to audit its security practices.   However, customers may require from a Business Associate (through the BAA, service level agreement, or other documentation) additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities.


Question:  Are we required to “certify” our organization’s or business associates’ compliance with the standards of the Security Rule?



No, there is no standard or implementation specification that requires a covered entity or business associate to “certify” compliance. A covered entity may make the business decision to have an external organization perform these types of services.   It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.


Stay tuned for Part 7 next week, and be sure to register for Clearwater's In-Person BootCamp(TM) in August. Leon Rodriguez will be attending!

This event is open to the public (not just AHIA members) and will be held in Boston, MA on August 27, 2017.

About the Author: Bob Chaput


Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.
