Former DHS Official to Lead HHS' HIPAA Enforcement AgencyLisa J. Pino Served at DHS During OPM's Mega-Breach Mitigation
The Department of Health and Human Services has named Lisa J. Pino - a former Department of Homeland Security official charged with mitigating the massive 2015 cyberattack on Office of Personnel Management - as the new director of its Office for Civil Rights, the agency that oversees HIPAA enforcement.
In a statement Monday, HHS noted that Pino was appointed by President Barack Obama. At DHS, she was a senior counselor who drove breach mitigation in the 2015 cyberattack on OPM, which compromised the records of 4 million federal personnel and 22 million "surrogate profiles," HHS says.
Pino led efforts to renegotiate 700 vendor procurements and establish new cybersecurity regulatory protections in the wake of that incident, HHS says.
Prior to DHS, Pino served at the U.S. Department of Agriculture in roles including deputy assistant secretary for civil rights.
Most recently, Pino, who is an attorney, served as the New York State Department of Health's executive deputy commissioner - the agency's second-highest executive. In that role, she led New York's operational response to the COVID-19 pandemic, as well as several other critical health programs in the state, HHS says.
"Her breadth of experience and management expertise, particularly her hand in advancing civil rights regulations and policy at the USDA … will help ensure that we protect the rights of every person across the country as we work to build a healthier America," said Xavier Becerra, HHS secretary, in the statement.
Typically, it is difficult for HHS to find an OCR director who has experience in both traditional civil rights and health information privacy and security, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine. Greene served as an OCR senior adviser during the Obama administration.
In addition to HIPAA enforcement, OCR is also charged with enforcing laws dealing with patients' federal civil rights, conscience and religious freedom, HHS notes.
Thus, Pino's background dealing with "traditional civil rights" combined with her cybersecurity work at DHS will serve her well at OCR, Greene notes.
"I expect that Ms. Pino’s experience with the OPM data breach will give her a strong understanding of both the challenges that covered entities and business associates face in protecting data from hackers, and the many challenges that are involved in responding to a large breach."
Privacy attorney Iliana Peters of the law firm Polsinelli, who is also a former senior adviser at OCR, offers a similar assessment.
Pino's civil rights experience in healthcare, along with some data privacy and security experience from her time at DHS, "is a fantastic development, from my perspective, as both are crucial to the day-to-day issues in HHS OCR," Peters says.
"I think her managerial experience will also be essential, given HHS OCR’s diverse workforce located across the country, including federal contractors."
The appointment of Pino to lead HHS OCR comes more than nine months into the Biden administration - and at a pivotal time, other experts note.
"It's very important to have a leader in this office, to continue the critical activities that they are undertaking to protect individuals and promote the effective operation of the healthcare system," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"The office has been continuing the patient access cases, which is important, but has not moved too far forward with a variety of other investigations," Nahra notes.
One of the issues facing OCR's HIPAA enforcement moving forward is the January ruling by a U.S. Court of Appeals that vacated a $4.3 million HIPAA civil monetary penalty levied by federal regulators in 2017 against the University of Texas MD Anderson Cancer Center in the wake of three breaches involving unencrypted mobile devices.
The court called the penalty "arbitrary, capricious and contrary to law." In its ruling, the 5th Circuit U.S. Court of Appeals in Louisiana was critical of HHS OCR's interpretation of HIPAA requirements and how it sets civil monetary penalties.
The appeals court ruling creates new challenges for HHS OCR in its HIPAA enforcement, Nahra says. "They have some critical strategy issues in terms of applying the MD Anderson case to the office’s overall enforcement approach," he says.
HHS OCR is faced with pending rule-making on "very important issues" that presumably could not move forward without a new director being named, Nahra notes.
That includes ongoing rule-making pertaining to a notice of proposed changes to the HIPAA privacy rule that was published in January, just before the end of the Trump administration (see: The Final HIPAA Actions Under Trump Administration).
"Given the wealth of [Pino's] experience appears to have been focused on more classic civil rights issues, she’ll need some time to get up to speed on important data privacy and security issues at HHS currently, including HIPAA access complaints and data breach questions, information blocking, interoperability, patient safety issues, and ongoing rule-makings," Peters says.
Roger Severino was OCR director during all four years of the Trump administration, the agency's longest-serving leader to date.
Since Severino's departure, Robinsue Frohboese, an attorney, has served as acting director of OCR. During her 21-year tenure with OCR, Frohboese has held a variety of leadership positions, including acting OCR director during four administration transitions.
HHS OCR did not immediately respond to Information Security Media Group's request for comment on Pino's appointment.