OCR's Leon Rodriguez: HIPAA enforcement more critical with transition to EHRs

Keeping patient records confidential is more important than ever with the advent of electronic health records, according to Leon Rodriguez, director of the U.S. Department of Health & Human Services' Office of Civil Rights, speaking at the most recent HIPAA Summit West earlier this month.

"We need to make sure that Americans have confidence in the EHR. … Only through that confidence will they be full participants in their health care," Rodriguez said at the event.

He noted that there has been a "dramatic increase" in enforcement of HIPAA's privacy and security rules since the HITECH Act was passed in 2009. The HITECH Act both strengthened HIPAA and created the Meaningful Use incentive program.

"HITECH reflected a realization and concern that as we were ramping to EHRs there were still concerns that great parts of the industry were not in compliance with HIPAA," he said.

The audit pilot program, also created by the HITECH Act, will become a permanent fixture, he announced. Rodriguez noted that the pilot program, slated to end in December 2012, has uncovered "many" deficiencies.

"One issue with the security rule in the audits is electronic protected health information," Rodriguez said. "With EHRs, there's a wide variety of places where ePHI is stored. So you need a real analysis of where it exists so if media is sold or a lease ends, [entities will] deal with the ePHI."

As of Oct. 3, OCR has received more than 60,000 reports of security breaches involving fewer than 500 individuals and more than 500 reports of breaches involving more than 500 individuals. The latter reports are made public on HHS' "wall of shame," as required by the HITECH Act.

To avoid breaches, "the most important thing is to create a culture of compliance within an organization where it's understood that accountability for privacy and security issues rests with everyone who has access to that information," Rodriguez said.

"These are common sense requirements that I hope covered entities would be observing whether there was a HIPAA rule or not," he added.
