WJ: We all know that you are currently the Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), but you also served as chief health care advisor at the California Department of Justice, you spent several years at the Center for Medicare & Medicaid Services, and also served as a senior aide in the Senate, where you were involved in the passage of several healthcare laws. What drives your passion for healthcare?
MFR: I grew up in a single-mother household. My mom worked for the U.S. Postal Service and was part of the union. I am incredibly lucky that I was raised by her, and that her government job meant that our family had healthcare. While the Affordable Care Act has made tremendous progress in getting Americans access to healthcare, for too many working families across the country, healthcare is still either difficult to obtain or completely out of reach. Every day, when I get up, this reality makes me want to do everything I can to help as many people as possible. Healthcare is a human right and an economic empowerment agent for communities. If people have healthcare, they can work; if people have healthcare, they can live. This is such a critical right, and working to make sure everyone has the best quality, affordable, accessible healthcare is my life’s mission.
WJ: I also want to note that you were, at the start of your career, a math teacher for 7th- and 8th-grade students. As a parent and compliance officer, I must ask: What’s harder, teaching math to kids that age or shaping the nation’s healthcare policy?
MFR: Teaching. One thousand percent. Teachers have the hardest job on the planet. Teaching a middle schooler algebra or geometry is just one aspect of the job. As a teacher, you are not only educating, but also serving as a social worker, parent, friend, and so much more every day. And for most teachers, the work doesn’t end when they get home; there is preparation, planning, and sometimes engagement with students and families in your free time. Society would fail without teachers. Teachers have the most important job and are too often not compensated appropriately—or respected.
My job is incredibly important and helps people, and I love it, but it is not as important as the work of a teacher—nor is any other job I have ever had.
WJ: Let’s move on to some key issues you and your compliance teams manage. HIPAA has been the law since 1996 and is far from something new in healthcare. Yet, organizations often still struggle with it. What are the problems your office is finding these days?
MFR: We continue to see misinformation about HIPAA, whether it’s about what is being covered, who is covered, and what it protects. And with the advent of smartphones, the pandemic’s telehealth explosion, and the increased use of technology in care, we are seeing an uptick in misinformation about HIPAA. For example, phone apps say that they are “HIPAA certified,” but these apps are not regulated by HIPAA. Other concerns are the increased use of web tracking technologies to track consumer/patient behavior, a lack of forethought in entering into a business associate agreement, and not ensuring that protected data is not improperly used or disclosed in violation of HIPAA. Healthcare continues to evolve, and we are taking steps to ensure that our enforcement and guidance are keeping up.
Cyber threats and the need to bolster our security of health information systems is a key priority for OCR—one that has grown in importance since 1996 and with the evolution of our healthcare system. The substantial increase in large data breaches of unsecured protected health information (PHI) reflects the rise of hacking and IT incidents. This trend is continuing, and this year, to date, hacking accounts for 69% of the large breaches OCR has received. Over the past five years, large breaches caused by hacking have increased by 239%. For ransomware, these numbers are up 278%.
In our investigations, the most common compliance issues and violations we see are regulated entities failing to conduct a risk analysis, perform risk management, and implement access controls to prevent the wrong people from gaining access to electronic PHI (ePHI), as well as failing to implement audit controls to examine activity in the information system and other basic requirements of the HIPAA Security Rule.