More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021.
As the new director of the OCR, Pino will be responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and supporting the Biden administration’s agenda for the OCR. As we have seen with previous directors, including Severino and Samuels, an appointee’s background can give us insight into what the focus of their enforcement actions and areas of importance might be and, importantly, what HIPAA-covered entities and business associates should be paying closer attention to.
More initiatives related to COVID-19 may be on the agenda. Pino most recently served as the New York State Department of Health’s executive deputy commissioner, in which her responsibilities included overseeing the state’s operational response to COVID-19. Given Pino’s experience, it would not be a surprise if the OCR’s focus pivots to providing more information and guidance on HIPAA and COVID-19 treatment.
Cybersecurity experience might change the nature and scope of OCR investigations. Unlike other OCR directors, Pino has significant experience related to data breaches. Prior to her position with New York State, Pino served as a senior executive service official and senior counsel in the U.S. Department of Homeland Security (DHS) during the Obama administration. According to her biography, while at DHS, Pino was responsible for renegotiating hundreds of vendor procurements and establishing new cybersecurity regulatory protections in the wake of the 2015 data breach at the U.S. Office of Personnel Management that involved the information of 4 million federal personnel. This experience could potentially change the types of questions that are asked during OCR investigations, and there might be more OCR scrutiny of covered entity due diligence related to vendor agreements.
OCR’s anti-discrimination enforcement focus will most certainly change. Based on Pino’s previous work, it is unlikely that the OCR will continue to focus attention on its Division of Conscience and Religious Freedom, which was founded by Severino to address alleged discrimination by employers against healthcare providers who refuse to participate in medical services they object to. Rather, based on Pino’s experience writing the U.S. Department of Agriculture’s (USDA) first gender identity anti-discrimination program regulation as the USDA deputy assistant secretary for civil rights, the OCR will likely now focus on combating discrimination based on sexual orientation and gender identity.
Individual right of access enforcement actions may continue. Since Biden was sworn into office in January 2021, the OCR has continued to investigate and enter into resolution agreements with covered entities for alleged violations of the individual right of access under HIPAA, an initiative that began under Severino. This enforcement initiative might be something that Pino opts to continue, as prior to working for the government she worked as a legal aid attorney advocating for the rights of migrant farm workers. This experience might make her more likely to continue to focus on enforcing the individual right of access.
The future of the NPRM is still up in the air. One issue that the new OCR director will have to address is the future of the Notice of Proposed Rulemaking (NPRM) that was issued in January 2021 by HHS to modify the Standards for the Privacy of Individually Identifiable Health Information (the Privacy Rule) under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The NPRM generated significant concerns among patients, covered entities, and business associates due to potential negative implications for patient privacy, regulatory and severe economic burdens it would impose on healthcare providers already struggling due to the COVID-19 pandemic, and the NPRM’s misalignment with the 21st Century Cures Act. The fact that the NPRM was not included in the Biden administration’s Spring 2021 Unified Agenda of Federal Regulatory and Deregulatory Actions indicated to many that it is not currently a part of the Biden administration’s regulatory plan. However, this could change with Pino at the helm of OCR.