WASHINGTON, D.C. -- Jocelyn Samuels said she will vigorously promote patients' rights to their own medical records and will enforce HIPAA privacy provisions when healthcare organizations breach them, in what she described as her "maiden" speech on HIPAA as the new director of the HHS Office for Civil Rights (OCR).
Samuels, a veteran federal civil rights official and litigator with no direct healthcare experience, gave little indication about how she would approach the much-awaited round of HIPAA audits of healthcare groups and their business associates expected to launch in 2015.
Samuels was appointed in early summer to replace former OCR Director Leon Rodriguez. Previously she was acting assistant attorney general for civil rights at the U.S. Department of Justice. She spoke about HIPAA at ONC's 2014 Consumer Health Summit in Washington, as part of National Health IT Week.
"That right to access, whether health information is stored on paper or electronically, is critical," Samuels said. "For these reasons, the right to access patient health information is the cornerstone of the privacy rule under HIPAA."
Samuels said that two new HIPAA measures set to take effect Oct. 6 give patients the express right to their electronic health records and to get test results directly from labs, not just healthcare providers.
She said OCR is focused on educating healthcare consumers about their prerogatives under HIPAA, but "patients can only do this if they have the right information."
Meanwhile, she said OCR seeks voluntary compliance from entities both within and outside healthcare that the agency oversees for HIPAA compliance.
"That said, when faced with non-compliance, we will take enforcement action," she said.
Samuels noted that OCR in recent years has reached three major settlement agreements after illegal breaches of patient information.
These include a $4.8 million settlement in May 2014 with New York Presbyterian Hospital and Columbia University after the healthcare system breached 6,800 individual patient records; a $1.2 million agreement with Affinity Health Plan in August 2013 after protected information of 344,579 people was left un-erased on photocopier hard drives returned to a leasing company; and an $800,000 settlement in June 2014 with Parkview Health System, which left 71 boxes of patients' records in the driveway of a physician's home.
After her 10-minute address at the ONC event, Samuels declined to answer a SearchHealthIT reporter's request for more details about when HIPAA audits will start and whether they will carry financial penalties. OCR officials have said Samuels will meet with the media sometime soon, but not during the week of health IT meetings in Washington.
One key speaker at the ONC consumer summit, which was oriented around patient engagement, applauded Samuels' performance and OCR's compliance actions.
"I thought she was great," said Emily Kramer-Golinkoff, a patient advocate who has cystic fibrosis and founded Emily's Entourage to raise money for researching rare mutations of the deadly lung disease. "Some of the things she was talking about regarding violations of people's privacy were absolutely mind-boggling."
Another noted patient advocate, Regina Holliday, whose blog is widely read in the health IT community, said she thinks Samuels is on the right track and that not too much should be made of her opting not to reveal much about OCR's audit strategy. As an enforcement agency, OCR is not known for being forthcoming.
"I feel like she's just learning," Holliday said.