Finding ‘Big, Juicy, Egregious’ HIPAA Breaches Priority for OCR Head

The main enforcement priority for 2017 of Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), is to find a “big, juicy, egregious” HIPAA breach to use as an example for other healthcare groups on the risks of failing to follow HIPAA Rules.

When choosing which cases to pursue, OCR considers the chance to use such a case as an educational tool to warn covered groups of the need to comply with specific aspects of HIPAA Rules.

At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino said “I have to balance that law enforcement instinct with the educational component that we do.” Severino added, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”

Mr Severino did not go into any further details as to what aspect of noncompliance with HIPAA Rules OCR wishes to highlight with its next big, juicy settlement, although no healthcare group is immune to a HIPAA financial penalty if it is found to have violated HIPAA Rules. Severino commented, “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”

Severino also remarked that the number of complaints OCR is now receiving is massive. In excess of 20,000 complaints about security incidents and privacy violations are filed each year. OCR has many staff issuing technical guidance to help covered groups with their compliance programs. The aim is to significantly reduce the number of complaints and foster a “culture of compliance” throughout the USA.

The largest portion of HIPAA violations is resolved through technical guidance and voluntary compliance, but fines are appropriate for egregious breaches of HIPAA Rules.

So far in 2017, OCR has settled eight cases with covered groups to resolve HIPAA violations found during investigations of complaints and data breaches, and has issued one civil monetary penalty.

The single largest HIPAA settlement of 2017 was with Memorial Healthcare System, a health system comprising six hospitals and various other facilities in South Florida. The settlement of $5.5 million resolved potential breaches of HIPAA Rules relating to the unauthorized accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff. The settlement emphasized the importance of audit measures and the need to carefully control who has access to ePHI.

There has been a relatively quiet period on the enforcement front during the summer, with the last settlement revealed in May. The fall is likely to see more settlements announced, and this year looks set to be another record year for HIPAA enforcement.

Author: Maria Perez