HIPAA Enforcement: A Rise in OCR Sanctions?
Updated: Jun 21, 2022
In recent years, we have focused our HIPAA compliance guidance on the HITECH-driven HIPAA enforcement audits. However, as a result of leadership vacancies at the Office for Civil Rights (“OCR”) and a reduction in funding allocated to OCR, the HIPAA audits have come to a halt (at least temporarily). Practices must be careful not to use this inaction as an excuse to become lax in their HIPAA compliance efforts. OCR remains legally obligated to investigate: (1) all HIPAA breaches involving the protected health information (“PHI”) of 500 or more patients and (2) any complaints that, if substantiated, would constitute a violation of HIPAA due to willful neglect. Further, OCR is incentivized to investigate and sanction practices for HIPAA violations, since it is permitted to re-allocate a portion of the funds it receives through those enforcement actions (i.e., through monetary penalties, sanctions and settlements) to its own operations. As a result, while practices are likely safe from HIPAA audits for the foreseeable future, their risk of OCR investigations and sanctions arising from self-disclosed breaches or from patient, staff or other third-party complaints may have increased.

The 2018 statistics for HIPAA enforcement support this proposition. OCR set a new record for enforcement activity in 2018, with a total of $28.7 million charged against covered entities and business associates in the form of settlements and judgments. This amount represents a 22% increase over the previous enforcement record of $23.5 million set in 2016. The variety of the enforcement actions also makes clear that OCR’s enforcement is not limited to a specific type of entity, or only to those entities likely to be subject to large fines. The settlements and judgments obtained by OCR in 2018 ranged from $100,000 to $16 million and included business associates and covered entities, DME providers and private practices, and medical centers and insurance plans.
Accordingly, all entities and individuals subject to HIPAA are at risk for OCR investigation and sanction. Therefore, it is critical that practices and other entities covered by HIPAA continue to take HIPAA compliance seriously and implement and enforce policies and procedures to prevent violations of HIPAA and breaches of PHI.