The U.S. Health and Human Services’ (HHS) Office for Civil Rights (OCR) has appointed a new director, Lisa J. Pino. Originally from New York City, Pino worked as a legal aid attorney before joining the government. One of several OCR tasks is to regulate and enforce HIPAA, the Health Insurance Portability and Accountability Act of 1996. The OCR director is responsible for enforcing HIPAA and for supporting the administration’s agenda. Under HIPAA and its addendums, covered entities must commit to keeping protected health information (PHI) secure.
HHS’ Office for Civil Rights and HIPAA
Besides enforcing federal civil rights and conscience and religious freedom laws, OCR is most known for its enforcement of HIPAA. HIPAA protects the rights and privacy of patients and combats fraud and abuse related to PHI.
OCR enforcement largely concentrates on the following HIPAA rules:
- Privacy Rule (2003) – provides guidelines on PHI use and disclosure
- Security Rule (2005) – sets necessary safeguards to protect electronic PHI (ePHI)
- Enforcement Rule (2006) – sets the standards of enforcing HIPAA and penalizing non-compliant healthcare providers
- HITECH Act (2009) – promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009) – requires healthcare providers to report data breaches
- Final Omnibus Rule (2013) – incorporates HITECH further by improving privacy protections
Any covered entity that commits a HIPAA violation may be subject to fines and a HIPAA corrective action plan. Pino takes over for Roger Severino (appointed under the Trump administration) and Robinsue Frohboese (acting director between administrations).
About Lisa J. Pino
Pino comes to OCR from the New York State Department of Health, where she led New York’s COVID-19 response. Previously, she was a senior executive service official at the U.S. Department of Homeland Security (DHS) under the Obama administration. While with DHS, she led the mitigation of the largest hack in federal history at the U.S. Office of Personnel Management in 2015, establishing new cybersecurity regulatory protections and renegotiating vendor procurements. Before DHS, Pino was deputy administrator of the U.S. Department of Agriculture’s (USDA) Supplemental Nutrition Assistance Program (SNAP) and served as the USDA deputy assistant secretary for civil rights. “Lisa is an exceptional public servant, and I am delighted to welcome her to the role of the Director of [OCR],” stated Xavier Becerra, HHS secretary, in the September announcement. “Her breadth of experience and management expertise . . . will help ensure that we protect the rights of every person across the country as we work to build a healthier America.”
A new Office for Civil Rights focus
Typically, the background of OCR’s director influences the agency’s agenda. Given that Pino is familiar with data security, a good assumption is that OCR will concentrate on data breach prevention. Sara Goldstein at BakerHostetler recently gave further insight into possible focal points:
- Initiatives related to COVID-19
- The nature and scope of OCR investigations
- Tightening of antidiscrimination regulations
- Continuation of the HIPAA Right of Access Initiative
Other possible key changes include more accessible documentation/guidance, an emphasis on breach management and risk assessment, and stronger compliance and enforcement actions. Finally, one issue to address is the future of the January 2021 Notice of Proposed Rulemaking that modifies the Privacy Rule and the HITECH Act by addressing standards that may impede healthcare coordination and communication.
No changes to the need for strong email security
One thing that won’t change when it comes to HIPAA is the need for solid HIPAA compliant email. Paubox Email Suite guarantees robust email security and HIPAA compliance by automatically encrypting all emails. Moreover, our Plus and Premium plans come with proactive inbound tools like Zero Trust Email and ExecProtect, which block different types of cyberattacks. Emails are delivered directly to inboxes without requiring extra passwords, logins, or portals. And even better, Paubox Email Suite works from an existing email platform such as Google Workspace or Microsoft 365. Our solution is HITRUST CSF certified, demonstrating that Paubox has met key regulatory requirements to appropriately manage risk and ensure HIPAA compliance as regulated by OCR.