In March of 2017, Roger Severino was appointed to be the new Director of the Department of Health and Human Services Office for Civil Rights (HHS OCR), the office responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA). The change made headlines in the healthcare IT space after Mr. Severino stated that his main enforcement priority for 2017 was to find a “big, juicy, egregious HIPAA breach” and to use it as an example for other healthcare organizations.

For the past year, Mr. Severino has lived up to that promise. In 2017, the OCR collected almost $20 million in penalties. The largest HIPAA settlement of 2017 was agreed upon with Memorial Healthcare System. The settlement of $5.5 million resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff.

So, what can we expect from Mr. Severino in 2018 and beyond? Last month, Mr. Severino gave an update on HIPAA compliance and enforcement at the HIMSS conference. Here are a few important takeaways from his session.

3 Potential OCR Changes (and How They Impact HIPAA Compliance)

  1. Simplification of Regulations—During his presentation, Mr. Severino highlighted the fact that the OCR is examining its regulations to see if "undue burden" on the industry can be eased, and in response to questions he indicated that the OCR is considering ways to reduce administrative burden. This is good news for many cybersecurity professionals in the healthcare space. He also responded to a question about texting, indicating that texting should be treated like email: because HIPAA is patient-centric, a patient who has been advised of the risk should be able to opt in to receiving PHI through unsecured texts.
  2. Broader Enforcement—During the session, Mr. Severino made it clear that the OCR is still looking for big, juicy, egregious cases for enforcement. He went on to point out that it's not just large entities that could be under OCR's scrutiny. "This doesn't mean that if you're smaller and quiet you will fall out from under OCR's enforcement radar," he said during the presentation.
  3. No New Audits—OCR did not discuss audits in the session, but in an interview Severino indicated that there will not be a "phase three audit program" other than compiling findings from phase two. While this is welcome news, hospitals still need to take a proactive stance on implementing cybersecurity best practices: the absence of a new audit program does not remove the risk of a complaint- or breach-driven investigation.

While the regulations and requirements for HIPAA compliance may change, the fact that organizations will be penalized for non-compliance will not. As a healthcare organization, maintaining proper compliance should be a priority, regardless of who is leading the Office for Civil Rights.

As the requirements for HIPAA compliance continue to evolve, our team at LBMC Information Security is committed to helping you stay ahead of the changes. Whether you’re proactively working to protect PHI or responding to a potential risk, BALLAST is a cybersecurity risk management tool created with healthcare organizations specifically in mind. To learn more about how BALLAST can help eliminate the guesswork and heavy lifting around HIPAA compliance, connect with our team for a free product tour.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.