The government agency that enforces the HIPAA privacy and security rules has a new leader.
Georgina C. Verdugo, former deputy assistant attorney general during President Clinton's administration, will lead HHS' Office for Civil Rights (OCR), HHS announced this week.
The department is the civil rights and health privacy rights law enforcement agency. It investigates complaints filed by the public and provides technical assistance and public education for federal nondiscrimination and health information privacy laws.
Verdugo takes over at a crucial time for OCR. The agency recently inherited the role of enforcing the HIPAA Security Rule from CMS. OCR had only enforced the Privacy Rule prior to the announcement.
OCR is also responsible for carrying out the HIPAA privacy and security regulations in the HITECH Act, which calls for more stringent HIPAA enforcement, larger monetary fines, greater breach notification requirements, and increased privacy rights to patients. HHS Secretary Kathleen Sebelius appointed Verdugo, whose experience includes:
Verdugo was assistant United States attorney in the U.S. Attorney's Office in San Diego from 2002 to 2003. She worked on border crime cases and advised on civil rights matters. Beginning in 2004, she was associate counsel for the Los Angeles Unified School District, where she provided legal and policy advice, and advised the district on civil rights, First Amendment, and other issues affecting the students and the school district.
Her most recent gig was a partner in private practice in Los Angeles, in which she represented public entities.
OCR has only levied two major HIPAA fines—Providence Health & Services in July 2008 ($100,000 fine and corrective actions) and CVS in February 2009 ($2.25 million fine).
Since the HIPAA privacy compliance date in April 2003, OCR, according to its Web site, has received 44,911 HIPAA privacy complaints, of which 19.4% (8,756) led to enforcement actions (8,756).
More than half (57.5%) of the cases were closed because they were not eligible for enforcement. Another 10% of investigations led to no violations.