Leon Rodriguez, Director of the Department of Health and Human Services' Office for Civil Rights (OCR), said his office has an "inventory" of ongoing investigations that he expects will conclude with monetary settlements.

In an interview with Marianne Kolbasuk McGee of Healthcare Info Security, Rodriguez said healthcare organizations should expect to see more and larger monetary penalties for HIPAA non-compliance in the months to come.

"What we've been learning from the monetary settlement cases we've done so far is that there is plenty of non-compliance out there, plenty of room for improvement," Rodriguez says.

One particular area that has shown deficiencies during the 2012 HIPAA audits, according to Rodriguez, is Risk Analysis, a fundamental component of HIPAA that requires Covered Entities to identify threats and vulnerabilities and correct them to prevent data breaches.

Rodriguez also said many organizations have outdated policies and procedures, or no policies or procedures at all, and also have no contingency plans in place.

Tips from the Federal HIPAA Enforcer

Executive Sponsorship - HIPAA compliance must be owned by the leadership of a covered organization, and the message must percolate down to all staff members who touch protected health information. "Focus on your people," Rodriguez said.

Business Associates - Business Associates are already subject to HIPAA requirements in their Business Associate Agreements. When the new HIPAA Omnibus rules are released, Rodriguez said Business Associates will have 180 days to fully comply with HIPAA before OCR begins enforcement. His advice? "Get ready."

The omnibus package contains changes to the HIPAA regulations and data breach rules. It is being reviewed by the Office of Management and Budget before being released.

Rodriguez, a former prosecutor, said additional audits will take place in late 2013 or in 2014.