OCR Staff Changes & What it Means For You
The Office for Civil Rights (OCR) announced that Deven McGraw will join OCR on June 29 as deputy director for health information privacy. According to the HHS announcement, she will spearhead OCR’s policy, enforcement and outreach efforts for the HIPAA Privacy, Security and Breach Notification Rules. She will also lead OCR’s work on presidential and departmental privacy and security priorities. Previously, this position was held by Sue McAndrew, who retired over a year ago.
CynergisTek’s Mac McMillan, CEO, and David Holtzman, VP of compliance and a former OCR advisor, shared a few thoughts and insights on the announcement. Both have worked with McGraw in the past and think she is a great fit. OCR will benefit from her ability to objectively evaluate how OCR is handling its enforcement and guidance responsibilities. McGraw brings a tremendous wealth of thought leadership on privacy issues and the role the HIPAA health information rules should play in the development of health information exchange, as well as how the Internet of Things impacts health information privacy and security.
What Does This Mean for You?
Holtzman points out that McGraw is taking on the leadership of the HIP division at a crucial time for OCR. There are expectations that OCR will fulfill its long-standing commitment to provide much-needed guidance on key areas of the Privacy and Breach Notification Rules, especially those areas that changed significantly under the 2013 Omnibus Rule. This type of guidance could be very useful to many around the industry.
HIPAA Audit Program
As we all know, the effort to create a permanent HIPAA audit program has been a long work in progress and has been very slow to get started. OCR started distributing the surveys to covered entities and intends to audit 200(+) CEs. It then plans to audit 400 business associates to measure their compliance with the Security Rule and how they intend to approach their obligations under the Privacy and Breach Notification Rules. According to OCR, the initial phase of the covered entity audits will be “desk audits”, requiring organizations to submit documentation demonstrating that they have policies and processes in place that meet the requirements of the Rules. The specific topics that will be reviewed through the audits have not been announced yet. Holtzman believes that McGraw could provide a much-needed champion for the nascent HIPAA/HITECH audit program. We will continue to keep you informed as we hear more details on the permanent audit program.
More Changes Ahead Possible
Holtzman believes that OCR is experiencing tremendous fiscal pressures and leadership challenges. For example, the department is consolidating, or has plans to consolidate, some of OCR’s regional offices. He says, “Deven is the right person to advise Director Samuels on health information privacy and security matters.”