The government agency that enforces the HIPAA privacy and security rules has a new leader.
Georgina C. Verdugo, former deputy assistant attorney general during President Clinton's administration, will lead HHS' Office for Civil Rights (OCR), HHS announced this week.
The department is the civil rights and health privacy rights law enforcement agency. It investigates complaints filed by the public and provides technical assistance and public education for federal nondiscrimination and health information privacy laws.
Verdugo takes over at a crucial time for OCR. The agency recently inherited the role of enforcing the HIPAA Security Rule from CMS. OCR had only enforced the Privacy Rule prior to the announcement.
OCR is also responsible for carrying out the HIPAA privacy and security regulations in the HITECH Act, which calls for more stringent HIPAA enforcement, larger monetary fines, greater breach notification requirements, and increased privacy rights to patients. HHS Secretary Kathleen Sebelius appointed Verdugo, whose experience includes:
- Leading the Washington, D.C. office of the Mexican American Legal Defense and Educational Fund, one of the nation's preeminent Latino civil rights organizations
- Served as deputy assistant attorney general in the U.S. Department of Justice's Office of Legislative Affairs during the Clinton administration, where she directed and supervised the legislative agenda for the Division of Civil Rights and other Department Divisions
- Chief of staff for Congresswoman Lucille Roybal-Allard of California
- Executive director of Americans for a Fair Chance, a collaborative civil rights project
Verdugo was assistant United States attorney in the U.S. Attorney's Office in San Diego from 2002 to 2003. She worked on border crime cases and advised on civil rights matters. Beginning in 2004, she was associate counsel for the Los Angeles Unified School District, where she provided legal and policy advice, and advised the district on civil rights, First Amendment, and other issues affecting the students and the school district.
Her most recent gig was a partner in private practice in Los Angeles, in which she represented public entities.
OCR has only levied two major HIPAA fines—Providence Health & Services in July 2008 ($100,000 fine and corrective actions) and CVS in February 2009 ($2.25 million fine).
Since the HIPAA privacy compliance date in April 2003, OCR, according to its Web site, has received 44,911 HIPAA privacy complaints, of which 19.4% (8,756) led to enforcement actions (8,756).
More than half (57.5%) of the cases were closed because they were not eligible for enforcement. Another 10% of investigations led to no violations.