Recent enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) show an increase in fines and penalties assessed against smaller providers for failing to comply with the privacy, security, and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA). Historically, OCR has focused on larger providers, such as hospitals and health systems, and on breaches involving more than 500 individuals; it is now aggressively enforcing HIPAA compliance by smaller providers, including sole practitioners, and investigating smaller breaches affecting fewer than 500 individuals. As a result, 2016 is expected to be a critical year for HIPAA enforcement and a record year for fines and penalties for noncompliance.
May 2016
Reason for the Change
In fall 2015, the Office of Inspector General (OIG) issued a report on OCR’s HIPAA enforcement practices. The report found that OCR actively investigated all large breaches (affecting more than 500 individuals) but failed to document its investigations of small breaches (affecting fewer than 500 individuals), suggesting that small breaches are often overlooked. The report attributes this gap largely to limited federal resources: OCR does not have the staff or time to investigate every small breach.
The OIG’s report also suggests that certain covered entities routinely violate HIPAA regulations and exhibit compliance issues that warrant increased fines and penalties. In response, OCR is stepping up its enforcement activities by reviewing covered entities with previous breaches to reassess their compliance and by markedly increasing the fines assessed against repeat offenders. In addition, on March 21, 2016, OCR announced that phase 2 of its HIPAA audit program had begun, an apparent effort to answer the scrutiny raised by the OIG’s report.